Umich home directories get created by a template that is set from
/afs/umich.edu/user/g/e/generic
(anyone can look at this directory:)
acl's get munged as follows:
    map generic(=29048) UID
    give files owned by anything else to UID
    delete system:anyuser from acl's
    delete admin from acl's
    delete system:administrators from acl's
    map itd.umich:hd.anyuser(=-1376) to system:anyuser
That ensures that anyone can look at any files or permissions in the
template area but not in the actual resulting home directories.
The directory is actually dumped into a file on the home directory
server, then a special program reads the dump & changes the acl's and
ownership in a pipeline that is passed to "vos restore"; this ensures
we can create home directories in about 10-20 seconds "on request";
most often that request comes from the actual user running a friendly
macintosh front-end that uses kerberos to send a request to the home
directory server, although there is also an http interface that
can be used from kerberized mosaic & lynx. Currently, the home directory
handles about 80 requests per day without any human attention - at the
start of term the numbers were closer to about a thousand a day.
Long long ago, directories were permitted differently; system:anyuser rl
at the top level and no symlinks -- so if you look at directories
created before sometime in 1992, that's most often what you'll find.
Also, of course, people are free to change them as they wish,
so older directories are more likely to be individually customized.
-Marcus Watts
UM ITD RS Umich Systems Group
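
Added example, not part of the message above and not the actual UM program: a Python model of the acl and ownership rewrite rules listed in the message, applied to in-memory records rather than to an AFS volume dump, plus a check for template leftovers after the rewrite. The user name jdoe, UID 12345, the record layout and the sample template entries are assumptions constructed for illustration.

```python
# Added example: models the rewrite on in-memory records, not on the real
# AFS volume dump format (the post does not show it).
TEMPLATE_USER, TEMPLATE_UID = "generic", 29048      # from the post
PLACEHOLDER = "itd.umich:hd.anyuser"                # -1376 in the post
DROPPED = {"system:anyuser", "admin", "system:administrators"}
RIGHTS = "rlidwka"                                  # AFS ACL right letters


def rewrite_acl(acl, new_user):
    """Apply the post's ACL rules to a list of (principal, rights) pairs."""
    out = {}
    for principal, rights in acl:
        # Deletions match the template's original names, so a real
        # system:anyuser entry never reaches the new home directory.
        if principal in DROPPED:
            continue
        if principal == TEMPLATE_USER:
            principal = new_user
        elif principal == PLACEHOLDER:
            principal = "system:anyuser"   # only the placeholder grants world access
        merged = set(out.get(principal, "")) | set(rights)
        out[principal] = "".join(r for r in RIGHTS if r in merged)
    return sorted(out.items())


def rewrite_entry(entry, new_user, new_uid):
    """Every file ends up owned by the new user, whoever owned it before."""
    return {"path": entry["path"], "owner": new_uid,
            "acl": rewrite_acl(entry["acl"], new_user)}


def audit(entry, new_uid):
    """Return leftovers that should not exist after the rewrite."""
    problems = []
    if entry["owner"] != new_uid:
        problems.append(f"{entry['path']}: owner {entry['owner']}")
    for principal, _ in entry["acl"]:
        if principal in {TEMPLATE_USER, PLACEHOLDER, "admin", "system:administrators"}:
            problems.append(f"{entry['path']}: acl still names {principal}")
    return problems


# Constructed sample template entries (not the real contents of the template).
TEMPLATE = [
    {"path": ".", "owner": TEMPLATE_UID, "acl": [
        ("generic", "rlidwka"), ("system:anyuser", "rl"),
        ("system:administrators", "rlidwka"), (PLACEHOLDER, "l")]},
    {"path": "Private", "owner": 0, "acl": [
        ("generic", "rlidwka"), ("system:anyuser", "rl"), ("admin", "rlidwka")]},
]
```

Running audit() on a restored directory's records is a quick way to confirm that no template-only principal or owner survived the rewrite.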