Excerpts from mail: 6-Nov-92 Re: AFS home directory perm..
[EMAIL PROTECTED] (1075)
> lcd> 2. Protect the top level directory with system:anyuser l permissions
> lcd> only. Everything is still unreadable, and the user can create
> lcd> a public subdirectory if he/she wants to.
> lcd> However, this means that many files now expected to be readable
> lcd> by root are unreadable. Specifically,
> lcd> .forward - sendmail expects to read this
> lcd> .plan - finger expects to read this
> lcd> calendar
> lcd> .rhosts
> lcd> and I've probably missed a few here.
> lcd> And if you 'rlogin' rather than 'telnet' from one of our trusted
> lcd> machines, you come in without a token and can't even read your
> lcd> .login. [Side question - since rsh machine csh -i carries your
> lcd> token along, has anyone modified an rlogin to do the same?]
> The default setup for a user's home volume in umich.edu is to have the
> top level with system:anyuser l (mainly to prevent world-readable
> files for those who are unfamiliar with acls). All, or nearly all, the
> dotfiles are symlinks into ~/Public, which has system:anyuser rl. This
> setup seems to be working fine.

This does work fine, except for HP/UX, which refuses to use a ~/.rhosts
file that is a symlink. And it's documented, so it's a feature.

Keith Gorlen
National Institutes of Health
Bethesda, MD 20892
Phone: (301) 496-1111
FAX: (301) 402-2867
Internet: [EMAIL PROTECTED]
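
An added example, not part of the original mail: a POSIX shell audit of the layout described in the thread (top level with system:anyuser l, dotfiles symlinked into ~/Public), which also flags a symlinked .rhosts that HP/UX would refuse. The function names, status strings and sample home directory are assumptions constructed for illustration; it relies on readlink being available.

```shell
#!/bin/sh
# Added example: audits the symlink layout only, so it runs without AFS.
# On an AFS cell the ACLs described in the thread would be set with:
#   fs setacl -dir "$HOME" -acl system:anyuser l
#   fs setacl -dir "$HOME/Public" -acl system:anyuser rl

# Files the thread names as read by daemons that hold no token.
DAEMON_FILES=".forward .plan calendar .rhosts"

# audit_home HOME_DIR: prints "<file> <status>" for each file above.
audit_home() {
    home=$1
    for f in $DAEMON_FILES; do
        path="$home/$f"
        if [ -L "$path" ]; then
            case "$(readlink "$path")" in
                Public/*|./Public/*|"$home"/Public/*)
                    if [ "$f" = ".rhosts" ]; then
                        # HP/UX refuses a symlinked ~/.rhosts (per the reply).
                        echo "$f symlink-into-public-hpux-refuses"
                    else
                        echo "$f symlink-into-public"
                    fi ;;
                *) echo "$f symlink-elsewhere" ;;
            esac
        elif [ -e "$path" ]; then
            # Real file at top level: system:anyuser has only 'l' there.
            echo "$f top-level-unreadable-without-token"
        else
            echo "$f absent"
        fi
    done
}

# Builds a constructed sample home directory and prints its path.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Public"
    echo "user@example.org" > "$d/Public/.forward"
    ln -s Public/.forward "$d/.forward"
    echo "trusted.example.org user" > "$d/Public/.rhosts"
    ln -s Public/.rhosts "$d/.rhosts"
    echo "constructed plan text" > "$d/.plan"   # not moved into Public
    echo "$d"
}

sample=$(make_sample_home)
audit_home "$sample"
rm -rf "$sample"
```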