On Jun 14,  3:59pm, Brandon S. Allbery KF8NH wrote:
> Subject: Re: AFS home directories and vacillating ACL levels in subdirecto
> On 06/14/00 15:37:57 -0400 Morris Strongson <[EMAIL PROTECTED]> wrote:
> +-----
> | Several of our users have expressed interest in having their home
> | directories point to their AFS areas.  What we are afraid of is the fact
> | that they would be world-readable and that sensitive files would
> | be visible and dangerous.
> +--->8
>
> Our solution is:
>
> ~ is system:authuser rl system:anyuser rl
> ~/Private is system:authuser none system:anyuser none
> security-critical files are symlinked under ~/Private

Actually I think a better solution that I have seen is:

~ is system:authuser none, system:anyuser l
~/public is system:anyuser rl

Then all the .cshrc, .login, .bashrc, etc. (basically any file that needs
to be read w/o a token, i.e. by the login process) is placed in ~/public and a
symlink is created from ~ to the ~/public directory for each of these files.

This has a benefit over the above in that any subdir that a user creates
in their home directory is not readable by system:anyuser.  Otherwise users
have to change the ACL every time they create a subdir if they want it
private (which most users don't know or think about).

At NCSA we have been using home directory space in AFS since moving to AFS
for over 7 years w/o a problem.  And we run AFS on around 6 different
platforms.


-- 
James J. Barlow   <[EMAIL PROTECTED]>
Senior System Engineer
National Center for Supercomputing Applications
605 East Springfield Avenue                        Voice : (217)244-6403
Champaign, IL 61820                                 Cell : (217)840-0601
http://www.ncsa.uiuc.edu/People/jbarlow              Fax : (217)244-1987
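
The layout described in the message above, as an added shell sketch that is not part of the original post. The function names, the `DRY_RUN` switch and the dotfile list are assumptions of this example; `fs setacl` is the standard AFS command, and the default dry-run mode only prints what would be executed.

```shell
#!/bin/sh
# Added example: lock down an AFS home directory and expose only ~/public.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 runs them on an AFS client.
# DOTFILES is an assumed list: use whatever your login process reads without a token.
DOTFILES="${DOTFILES:-.cshrc .login .bashrc}"

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

lock_down_home() {
    home=$1
    if [ -z "$home" ]; then
        echo "usage: lock_down_home <homedir>" >&2
        return 2
    fi
    # ~ : system:authuser gets nothing, system:anyuser may only look up names.
    # Without -clear, other entries (such as the owner's) are left untouched.
    run fs setacl -dir "$home" -acl system:authuser none system:anyuser l || return 1
    # ~/public is the only directory readable without a token.
    run mkdir -p "$home/public" || return 1
    run fs setacl -dir "$home/public" -acl system:anyuser rl || return 1
    for f in $DOTFILES; do
        # Skip files that are absent or were already converted to symlinks.
        if [ -L "$home/$f" ] || [ ! -f "$home/$f" ]; then
            continue
        fi
        run mv "$home/$f" "$home/public/$f" || return 1
        # Relative link, so it resolves the same through any path to the cell.
        run ln -s "public/$f" "$home/$f" || return 1
    done
    return 0
}

# Stand-alone use: ./lockdown.sh /afs/<cell>/user/<name>
if [ $# -gt 0 ]; then
    lock_down_home "$1"
fi
```

Subdirectories created after this inherit the restrictive ACL of `~`, but ones that already exist keep the ACL they had, so check those separately with `fs listacl`.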
