[204] in The Cryptographic File System users list


Re: using cfs with /home

daemon@ATHENA.MIT.EDU (Ravikant K.Rao)
Tue Oct 17 00:30:38 2000

From owner-cfs-users@crypto.com Tue Oct 17 04:30:37 2000
Return-Path: <owner-cfs-users@crypto.com>
Delivered-To: cfs-mtg@CHARON.MIT.EDU
Received: (qmail 4793 invoked from network); 17 Oct 2000 04:30:36 -0000
Received: from mx.crypto.com (207.140.168.138)
  by charon.mit.edu with SMTP; 17 Oct 2000 04:30:36 -0000
Received: (from majordomo@localhost)
	by MultiHostMXServer (8.9.3/8.9.x4) id AAA12325
	for cfs-users-list; Tue, 17 Oct 2000 00:27:42 -0400 (EDT)
X-Authentication-Warning: mx.crypto.com: majordomo set sender to owner-cfs-users@crypto.com using -f
Received: from nsa.research.att.com (H-135-207-24-155.research.att.com [135.207.24.155])
	by MultiHostMXServer (8.9.3/8.9.x4) with ESMTP id AAA12204
	for <cfs-users@crypto.com>; Tue, 17 Oct 2000 00:27:41 -0400 (EDT)
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.30.102]) by nsa.research.att.com (8.7.3/8.7.3) with ESMTP id AAA07812 for <cfs-users@nsa.research.att.com>; Tue, 17 Oct 2000 00:27:39 -0400 (EDT)
Received: by mail-blue.research.att.com (Postfix)
	id 2E67A4CE49; Tue, 17 Oct 2000 00:27:41 -0400 (EDT)
Delivered-To: cfs-users@research.att.com
Received: from symonds.net (adsl-63-194-20-32.dsl.lsan03.pacbell.net [63.194.20.32])
	by mail-blue.research.att.com (Postfix) with ESMTP id 49B344CE46
	for <cfs-users@research.att.com>; Tue, 17 Oct 2000 00:27:40 -0400 (EDT)
Received: from ravi by symonds.net with local (Exim 3.12 #1 (Debian))
	id 13lOLE-0008QU-00; Mon, 16 Oct 2000 21:27:08 -0700
Date: Mon, 16 Oct 2000 21:27:08 -0700
From: "Ravikant K.Rao" <ravi@symonds.net>
To: Robert Stampfli <res@colnet.cmhnet.org>
Cc: cfs-users@research.att.com
Subject: Re: using cfs with /home
Message-ID: <20001016212708.B32299@symonds.net>
References: <200010170153.VAA00668@colnet.cmhnet.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.0.1i
In-Reply-To: <200010170153.VAA00668@colnet.cmhnet.org>; from res@colnet.cmhnet.org on Mon, Oct 16, 2000 at 09:53:25PM -0400
Sender: owner-cfs-users@crypto.com
Precedence: bulk

Hi,

On Mon, Oct 16, 2000 at 09:53:25PM -0400, Robert Stampfli wrote:

> For what it's worth, here is the .profile I am currently using to protect

	Thanks.

> several accounts.  It's not exactly what you want:  Each user has to

	Actually, it *was* in fact what I wanted.

> However, encrypted home directory and subdirectories (each user's acct)
> is truly isolated and secured by cfs.  I've noticed a few anomalies along

	Kinda meets my requirements. Will check it out over the rest of
today.

	Thanks.

	BTW, I had a buncha scripts going, which I couldn't debug because
I am not as good at scripting as I thought I was. Maybe you might find
this useful.

	-ravi

--
# To enable CFS, put these lines in an rc2.d script:
portmap
rpc.mountd -P 894	# mountd should bind to port 894
cfsd 895		# cfsd should bind to port 895
# The exported directory must exist for mountd to hand out a file handle,
# and it should be empty and unreadable.  Beware that /tmp is world-writable,
# so another local user can pre-create a path under it; a root-owned
# directory outside /tmp avoids that.
mkdir -p /tmp/.tmp
chmod 0 /tmp/.tmp
mount -o port=895,intr localhost:/tmp/.tmp /home

--
# Put this entry into /etc/exports:
/tmp/.tmp	localhost
--
This starts the sunrpc mount daemon.
Now, we need to get the following going: if a user logs on, the system
has to check if he's already logged on, to decide whether to decrypt the
user's $HOME directory. The user's /home/user directory doesn't exist (even
if it did, the mount command above would make it nonexistent), so the
user's HOME variable is set to '/', the root directory. Then his login shell
is started, which looks for startup scripts. And that's where the hooks
come in.
For bash, the file /.profile is created like so:

# Attach the user's encrypted directory only if it is not attached yet:
# a second concurrent login must neither re-run cattach nor be logged out.
if test ! -d "/home/$USER"; then
	cattach "/crypt/$USER" "$USER" || exit 0
fi
export HOME="/home/$USER"
cd "$HOME" || exit 0
if test -f "$HOME/.profile"; then
	. "$HOME/.profile"
fi
--
When a user logs on the first time, this script will be executed. The user
has to enter the password for his crypted home directory, and after this,
his correct HOME variable is set and the normal login profile is read and
done. If a user doesn't know his passphrase for his crypted home
directory, he is logged out.
But we need to remove the decrypted home directory after the user logs out.
This script should be clever because a user may be logged on several times
at once, and it should only be removed when the last login shell exits.
Creating a /home/user/.bash_logout:
# Count this user's login shells (argv[0] starts with "-", e.g. "-bash").
# The backquoted pipeline runs in a forked copy of this shell, which also
# shows up as "-bash", so on the last login the count is 2.  The pattern
# assumes ps prints a bare "S" in the STAT column, as it did at the time.
shells=`ps xu | grep -c -- "^$USER .* S .* -[^ ]*sh"`
test "$shells" -lt 3 || exit 0
# Leave the attached directory before detaching so it is not busy.
export HOME=/
cd /
cdetach "$USER"
---


	I do not remember where I got this script - found it lying around
someplace online.
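The weak point of the scripts above is deciding when the last login shell has gone: grepping ps(1) for "-bash" depends on the exact ps output format and on how many copies of the shell happen to be forked at that instant. The following is an added example, not code from the list post or from CFS itself, that keeps an explicit per-user count of concurrent logins under a lock and detaches only when it drops to zero. It assumes, as the post does, that CFS is mounted on /home with the ciphertext in /crypt/$USER; the state directory /var/run/cfs-sessions (root-created, sticky, mode 1777) and the CATTACH/CDETACH variables, which let the cattach and cdetach binaries be swapped for stubs when testing offline, are assumptions of this example and not part of CFS.

```shell
#!/bin/sh
# Added example, not code from the list post or from CFS itself: login and
# logout hooks for a CFS-backed /home that keep a per-user reference count of
# concurrent login shells instead of pattern-matching ps(1) output.
# Assumed (not from the page): CFS is mounted on /home with ciphertext in
# /crypt/$USER as in the post; CFS_STATE_DIR is a root-created sticky
# (mode 1777) tmpfs directory; CATTACH/CDETACH name the cattach/cdetach
# binaries and can be pointed at stubs for offline testing.

CFS_HOME_ROOT="${CFS_HOME_ROOT:-/home}"
CFS_CRYPT_ROOT="${CFS_CRYPT_ROOT:-/crypt}"
CFS_STATE_DIR="${CFS_STATE_DIR:-/var/run/cfs-sessions}"
CATTACH="${CATTACH:-cattach}"
CDETACH="${CDETACH:-cdetach}"

# mkdir(2) is atomic, so a directory serves as a lock: two simultaneous
# logins cannot both read a count of 0 and run cattach twice.
cfs_lock()   { while ! mkdir "$CFS_STATE_DIR/$1.lock" 2>/dev/null; do sleep 1; done; }
cfs_unlock() { rmdir "$CFS_STATE_DIR/$1.lock"; }

# Current count for a user; a missing or corrupt counter file reads as 0.
cfs_count() {
    c=$(cat "$CFS_STATE_DIR/$1" 2>/dev/null) || c=0
    case $c in ''|*[!0-9]*) c=0 ;; esac
    echo "$c"
}
cfs_set_count() { printf '%s\n' "$2" > "$CFS_STATE_DIR/$1"; }

# Login hook: attach on the first concurrent login, bump the count otherwise.
# Returns 0 when /home/$user is usable, 1 when cattach refused the passphrase
# (the caller, /.profile, should then exit and so log the user out).
cfs_login() {
    user=$1
    [ -d "$CFS_STATE_DIR" ] || { echo "cfs_login: no $CFS_STATE_DIR" >&2; return 1; }
    cfs_lock "$user"
    n=$(cfs_count "$user")
    # Shells killed without running .bash_logout (ssh drop, SIGKILL) leave a
    # stale count; if nothing is attached the true count is 0 whatever the file says.
    [ -d "$CFS_HOME_ROOT/$user" ] || n=0
    if [ "$n" -eq 0 ] && ! "$CATTACH" "$CFS_CRYPT_ROOT/$user" "$user"; then
        cfs_unlock "$user"
        return 1
    fi
    cfs_set_count "$user" $((n + 1))
    cfs_unlock "$user"
}

# Logout hook: decrement, and detach only when the last login shell exits.
# Prints "detached" or "kept" so the decision is observable.
cfs_logout() {
    user=$1
    [ -d "$CFS_STATE_DIR" ] || { echo "cfs_logout: no $CFS_STATE_DIR" >&2; return 1; }
    cfs_lock "$user"
    n=$(( $(cfs_count "$user") - 1 ))
    if [ "$n" -le 0 ]; then
        cfs_set_count "$user" 0
        # Leave the attached directory first so cdetach does not find it busy.
        cd / && "$CDETACH" "$user" || echo "cfs_logout: cdetach $user failed" >&2
        cfs_unlock "$user"
        echo detached
    else
        cfs_set_count "$user" "$n"
        cfs_unlock "$user"
        echo kept
    fi
}
```

Wired in the same way as the post's hooks: /.profile sources this file (a path such as /etc/cfs-hooks.sh is an assumption) and runs `cfs_login "$USER" || exit 0` before setting HOME, and ~/.bash_logout runs `cfs_logout "$USER" >/dev/null`. The reconciliation step in cfs_login matters in practice: an ssh session that drops never runs .bash_logout, and without it the counter would stay above zero forever and the home directory would never be detached.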
