<div dir="ltr">So how can we restrict access to our home directories so that not
everyone on the Internet can list the contents? My recollection is that
"l" is required on ~. Can AFS mounting be restricted to authenticated
users only? That would seem to be a reasonable limitation. <br>
<br>Thanks.<br><br><div class="gmail_quote">On Tue, Sep 9, 2008 at 7:29 AM, Adam Chlipala <span dir="ltr"><<a href="mailto:adamc@hcoop.net">adamc@hcoop.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
We use the Andrew File System as our default mode of storage for member<br>
home directories and other important data. We make it convenient for<br>
members to mount this filesystem locally, letting them access their<br>
files as if they were on local disk.<br>
<br>
You may be used to leaving some world-readable files on normal UNIX<br>
systems, where you must accept that all other users of the system can<br>
read those files, but generally other people can't get to them<br>
directly. With AFS, anyone with Internet access can mount our file<br>
system and take any actions that are authorized for "system:anyuser."<br>
For instance, by default, the permissions set on member home directories<br>
will allow anyone on the Internet to list their contents, but not view<br>
file contents. You may have extended the permissions in some<br>
directories so that anyone can even read those files, but you would have<br>
had to take explicit action.<br>
<br>
A member recently pointed out that the web site of a company<br>
specializing in AFS has exposed our /afs/<a href="http://hcoop.net" target="_blank">hcoop.net</a> tree over the web, so<br>
that Google has now indexed all accessible HCoop member home<br>
directories. To avoid this for particular subdirectories of your home<br>
directory, run:<br>
fs sa ~/subdirectory system:anyuser none<br>
<br>
It is important that you not run this command on your base home<br>
directory, since some utility processes need to be able to list the<br>
contents of your home directory to get to your ~/.public directory,<br>
which contains important contents like (possibly) a mail .forward file<br>
and Domtool configuration.<br>
<br>
_______________________________________________<br>
HCoop-Announce mailing list<br>
<a href="mailto:HCoop-Announce@lists.hcoop.net">HCoop-Announce@lists.hcoop.net</a><br>
<a href="https://lists.hcoop.net/listinfo/hcoop-announce" target="_blank">https://lists.hcoop.net/listinfo/hcoop-announce</a><br>
</blockquote></div><br></div>
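As an added example (not part of the announcement or of HCoop's own tooling): a dry-run audit that reads `fs listacl` output for a home tree and prints the `fs sa DIR system:anyuser none` command for every subdirectory that still grants system:anyuser any rights, while leaving the base home directory and ~/.public alone because utility processes need "l" there. The sample listing, user name and paths are constructed; the assumed `fs listacl` format is an "Access list for DIR is" header followed by "NAME RIGHTS" lines, so feed it real output with `fs listacl ~ ~/* | afs_anyuser_audit "$(cd ~ && pwd)"` and review the commands before running them.

```shell
#!/bin/sh
# Constructed sample of `fs listacl` output for one member's home tree
# (assumed format: "Access list for DIR is", "Normal rights:", "  NAME RIGHTS").
SAMPLE_ACLS='Access list for /afs/hcoop.net/user/j/jdoe is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  jdoe rlidwka
Access list for /afs/hcoop.net/user/j/jdoe/private is
Normal rights:
  system:anyuser l
  jdoe rlidwka
Access list for /afs/hcoop.net/user/j/jdoe/public_html is
Normal rights:
  system:anyuser rl
  jdoe rlidwka
Access list for /afs/hcoop.net/user/j/jdoe/.public is
Normal rights:
  system:anyuser l
  jdoe rlidwka'

# afs_anyuser_audit HOME  reads `fs listacl` output on stdin and prints, for
# every directory other than HOME and HOME/.public that grants system:anyuser
# anything, the `fs sa` command that would remove those rights.  HOME and
# HOME/.public are exempt (they must keep "l"), but get a warning if they
# grant more than "l".  Nothing is executed: the output is a review list.
afs_anyuser_audit() {
    home="$1"
    awk -v home="$home" '
        /^Access list for / { dir = $4; next }
        $1 == "system:anyuser" {
            exempt = (dir == home || dir == home "/.public")
            if (exempt && $2 != "l")
                printf "# WARNING: %s grants system:anyuser \"%s\"; expected only \"l\"\n", dir, $2
            else if (!exempt)
                printf "fs sa %s system:anyuser none   # currently: %s\n", dir, $2
        }'
}

# Run against the constructed sample: prints two commands (private, public_html).
printf '%s\n' "$SAMPLE_ACLS" | afs_anyuser_audit /afs/hcoop.net/user/j/jdoe
```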