[OpenAFS] File searching in openafs space

Dan Pritts danno@internet2.edu
Mon, 20 Jun 2005 12:27:37 -0400

On Mon, Jun 20, 2005 at 10:21:07AM +0200, Dirk Heinrichs wrote:
> Am Montag, 20. Juni 2005 08:49 schrieb ext Christophe BERNARD:
> > I was wondering if there exists a tool like slocate which can run on
> > openafs partitions.
> In most standard installations of slocate, indexing any network filesystems
> is just switched off in the configuration file.
> Just edit /etc/updatedb.conf and remove "afs" from the PRUNEFS variable,
> then run updatedb.
> However, it may be a good idea to recompile slocate so that it puts its
> database into AFS. This way, updatedb can be run on one machine, but the
> database can be accessed from all clients.

It isn't as simple as that.

First, don't just remove afs from PRUNEFS if you are using a global
CellServDB, or else you will try to index the entire global AFS 
space.  Not what you want to do.  

Presumably it shouldn't be too tough to restrict updatedb to doing
only your cell.

The other tricky thing that comes to mind is that on a normal local
filesystem, updatedb runs as root, and can read everything.  Then when
a user runs slocate, it checks file permissions to make sure that
you have read access to a file before it displays it to you (so other
users cannot see the names of your files).

To duplicate this behavior under AFS may require modifying slocate to
understand ACLs, and would require running the updatedb process with
afs system administrator access.  Finally, slocate assumes that only
the slocate binary (or anything setgid to slocate's group) can read the
database (again, so people can't see what file names other people have).
If you want to assure that behavior continues you'll need to figure out
how to give slocate access to a directory containing the database without
giving the user running it that access.  Which I think is possible, but
my brain is a little slow this morning so I can't think of how.

If you just want a "locate" and not a "secure locate" it should be good
enough to index everything with system admin access, and make the database
readable by everyone.

dan pritts - systems administrator - internet2
734/352-4953 office        734/834-7224 mobile
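The two points Dan raises (index only your own cell rather than all of /afs, and filter query results by what the querying user is actually allowed to see) can be sketched in a few dozen lines. The following is an added illustration, not code from the thread or from slocate: it builds a flat index restricted to one cell root and answers queries through a pluggable visibility check, with one implementation for local POSIX directories (execute permission on every parent directory, which is what slocate checks) and one for AFS-style directory ACLs (the `l` lookup right on every parent directory). The cell name `example.org`, the paths, the principals and the ACLs are all constructed for the example.

```python
"""Toy 'secure locate' with pluggable per-user visibility checks.

Everything below (cell name, paths, users, ACLs, modes) is constructed for
illustration; nothing is read from a real /afs tree or a real slocate db.
"""
import fnmatch
import stat

# Hypothetical cell root; updatedb is confined to this prefix instead of
# crawling every cell listed in a global CellServDB.
CELL_ROOT = "/afs/example.org"


def build_index(candidate_paths, root=CELL_ROOT):
    """Keep only paths under the local cell root (emulates a pruned updatedb)."""
    prefix = root.rstrip("/") + "/"
    return sorted(p for p in candidate_paths if p.startswith(prefix))


def parent_dirs(path, root):
    """Yield every directory from root down to the parent of path."""
    rel = path[len(root):].strip("/")
    cur = root
    yield cur
    for part in rel.split("/")[:-1]:      # drop the final file name
        cur = cur + "/" + part
        yield cur


# --- AFS-style check: constructed per-directory ACLs, principal -> rights ---
# In AFS the 'l' (lookup) right is what lets a user see names in a directory.
AFS_ACLS = {
    "/afs/example.org":                    {"system:anyuser": "l"},
    "/afs/example.org/user":               {"system:anyuser": "l"},
    "/afs/example.org/user/alice":         {"alice": "rlidwka", "system:anyuser": "l"},
    "/afs/example.org/user/alice/private": {"alice": "rlidwka"},
    "/afs/example.org/user/bob":           {"bob": "rlidwka"},
    "/afs/example.org/public":             {"system:anyuser": "rl"},
}


def afs_visible(path, principal, acls=AFS_ACLS, root=CELL_ROOT):
    """True if principal (or system:anyuser) holds 'l' on every parent dir."""
    for d in parent_dirs(path, root):
        acl = acls.get(d, {})
        rights = acl.get(principal, "") + acl.get("system:anyuser", "")
        if "l" not in rights:
            return False
    return True


# --- POSIX check: constructed directory metadata, path -> (uid, gid, mode) ---
POSIX_DIRS = {
    "/home":       (0, 0, 0o755),
    "/home/alice": (1000, 1000, 0o700),
    "/home/bob":   (1001, 1001, 0o711),
}


def posix_visible(path, principal, dirs=POSIX_DIRS, root="/home"):
    """True if the (uid, gids) principal may traverse every parent directory."""
    uid, gids = principal
    if uid == 0:                           # root traverses everything
        return True
    for d in parent_dirs(path, root):
        owner, group, mode = dirs[d]
        if uid == owner:
            allowed = mode & stat.S_IXUSR
        elif group in gids:
            allowed = mode & stat.S_IXGRP
        else:
            allowed = mode & stat.S_IXOTH
        if not allowed:
            return False
    return True


def secure_locate(pattern, principal, index, visible):
    """Glob-match the index, then drop entries the caller could not see."""
    return [p for p in index
            if fnmatch.fnmatch(p, pattern) and visible(p, principal)]


# Constructed crawl output: note the foreign cell entry that must be pruned.
CRAWL = [
    "/afs/example.org/user/alice/notes.txt",
    "/afs/example.org/user/alice/private/salary.xls",
    "/afs/example.org/user/bob/todo.txt",
    "/afs/example.org/public/README",
    "/afs/othercell.example/pub/file",
]
AFS_INDEX = build_index(CRAWL)
POSIX_INDEX = ["/home/alice/notes.txt", "/home/bob/todo.txt"]
```

Querying `secure_locate("*", "bob", AFS_INDEX, afs_visible)` returns alice's `notes.txt` (her home grants `l` to `system:anyuser`), bob's own file and the public README, but not `salary.xls`, because `private/` grants nothing to anyone but alice. The same call with `posix_visible` and a `(uid, gids)` principal reproduces what slocate does on a local disk. The part the example deliberately does not solve is the one Dan flags as hard: the database itself still has to be readable by the lookup tool and by nobody else, which on AFS means an ACL on the database directory that the querying user does not hold.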