[HCoop-Discuss] [HCoop-Announce] Reminder about AFS permissions

Daniel Margolis dan at hcoop.net
Tue Sep 9 12:40:10 EDT 2008


So how can we restrict access to our home directories so that not everyone
on the Internet can list the contents? My recollection is that "l" is
required on ~. Can AFS mounting be restricted to authenticated users only?
That would seem to be a reasonable limitation.

Thanks.

On Tue, Sep 9, 2008 at 7:29 AM, Adam Chlipala <adamc at hcoop.net> wrote:

> We use the Andrew File System as our default mode of storage for member
> home directories and other important data.  We make it convenient for
> members to mount this filesystem locally, letting them access their
> files as if they were on local disk.
>
> You may be used to leaving some world-readable files on normal UNIX
> systems, where you must accept that all other users of the system can
> read those files, but generally other people can't get to them
> directly.  With AFS, anyone with Internet access can mount our file
> system and take any actions that are authorized for "system:anyuser."
> For instance, by default, the permissions set on member home directories
> will allow anyone on the Internet to list their contents, but not view
> file contents.  You may have extended the permissions in some
> directories so that anyone can even read those files, but you would have
> had to take explicit action.
>
> A member recently pointed out that the web site of a company
> specializing in AFS has exposed our /afs/hcoop.net tree over the web, so
> that Google has now indexed all accessible HCoop member home
> directories.  To avoid this for particular subdirectories of your home
> directory, run:
>    fs sa ~/subdirectory system:anyuser none
>
> It is important that you not run this command on your base home
> directory, since some utility processes need to be able to list the
> contents of your home directory to get to your ~/.public directory,
> which contains important contents like (possibly) a mail .forward file
> and Domtool configuration.
>
> _______________________________________________
> HCoop-Announce mailing list
> HCoop-Announce at lists.hcoop.net
> https://lists.hcoop.net/listinfo/hcoop-announce
>
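
An added example, not part of the original thread or of HCoop's own tooling: a shell audit that lists which immediate subdirectories of a home directory still grant rights to system:anyuser, so the `fs sa` command from the announcement can be applied where it is needed. It assumes the OpenAFS `fs listacl` output layout (a "Normal rights:" header followed by one `principal rights` pair per line); the function names `anyuser_rights` and `audit_home` are hypothetical.

```shell
#!/bin/sh
# Added example: find subdirectories that system:anyuser can still access.

# Read `fs listacl` output on stdin and print the rights granted to
# system:anyuser under "Normal rights:". Prints nothing when there is no
# such entry; entries under "Negative rights:" are ignored.
anyuser_rights() {
    awk '
        /^Normal rights:/   { normal = 1; next }
        /^Negative rights:/ { normal = 0; next }
        normal && $1 == "system:anyuser" { print $2 }
    '
}

# Walk the immediate subdirectories of $1 (default: $HOME) and print one
# line per directory that still has a system:anyuser entry.
# The home directory itself is never checked and ~/.public is skipped,
# because the announcement says utility processes must be able to list the
# home directory to reach ~/.public.
# AFS ACLs are per directory, so deeper levels need their own pass.
audit_home() {
    home=${1:-$HOME}
    for dir in "$home"/* "$home"/.[!.]*; do
        [ -d "$dir" ] || continue
        [ "$dir" = "$home/.public" ] && continue
        rights=$(fs listacl "$dir" 2>/dev/null | anyuser_rights)
        if [ -n "$rights" ]; then
            printf '%s\tsystem:anyuser %s\n' "$dir" "$rights"
        fi
    done
    return 0
}

# Run the audit only when asked to, e.g.:  sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_home "${2:-$HOME}"
fi
```

Each reported directory can then be closed off with `fs sa <directory> system:anyuser none`, as in the announcement.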