[42] in Info-AFS_Redistribution


Re: Setting up AFS -- beware

daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Fri Jan 11 10:56:12 1991

Date: Fri, 11 Jan 1991 10:29:15 -0500 (EST)
From: Kris Olander <kriso@northstar.dartmouth.edu>
To: info-afs@transarc.com, bernerus@cs.chalmers.se
In-Reply-To: <cbXLn0O1408LQFLoFO@cs.chalmers.se>

Excerpts from Info-AFS: 11-Jan-91 Setting up AFS -- beware
bernerus@cs.chalmers.se (1398+0)



> I've just finished setting up AFS on my first server and I also made
> some other cells available.

> One thing I didn't see in the installation instructions was a warning
> for what can happen when typical cron jobs get scheduled.

> One job we schedule here every night is to go through the whole
> filesystem tree looking for core files etc.
> When /afs was installed, these jobs weren't changed, which resulted in
> that our cron job also went through all /afs cells. Fortunately, only
> transarc.com was known to afsd at the time (hope you didn't lose
> anything folks).

> Another job, which runs weekly, builds the find database in the same spirit.
> Gee what a database I'd have half a year later or so when the job would
> eventually be done if I'd set up all the afs cells available in
> CellServDB!!

Shouldn't make any difference.  Generally these cron jobs are run by
root, which usually isn't authenticated for access (especially
delete/write) in the /afs tree.  Also, even if root did get
authenticated to traverse and delete files within your cell, it
wouldn't have in any other cell.  Please!!!, if anyone can prove this
to be an incorrect statement, let me know!

Root is definitely restricted in AFS.  This is a security feature that
has saved me from myself a few times.  However, there are a few UNIX
niceties (like building a find database) which are pretty much broken
in an AFS environment.  You have to give system:anyuser read privileges
on all directories that you want listed in the find database -- not a
recommended thing to do for security-conscious folks.

Has anyone thought of a reasonable method for getting a find database
built for their cell?

One of the other areas where root access is necessary is in mail
delivery (if your cell uses standard sendmail).  With AFS file space
used as a spooling ground for mail, some games have to be played to
allow sendmail to function properly.



-Kris Olander
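
The following is an added example, not part of the original message or of either poster's cron jobs: a nightly sweep for core files that prunes /afs before find can descend into it, so the job never walks remote cells. The function name `sweep_cores` and the extra `/net` path are assumptions for illustration; it only lists matches and deletes nothing.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original thread).
# Lists regular files named "core" under ROOT while refusing to descend
# into any of the SKIP paths, e.g. the /afs mount point.
#
# usage: sweep_cores ROOT [SKIP ...]
sweep_cores() {
    sc_root=$1
    shift
    sc_n=$#
    # Append "-path SKIP -prune -o" for each skip path. The word list of
    # the for loop is expanded once, so it iterates the original arguments
    # even though "set --" grows the positional parameters.
    for sc_p in "$@"; do
        set -- "$@" -path "$sc_p" -prune -o
    done
    # Drop the original SKIP arguments, leaving only the find expression.
    shift "$sc_n"
    # -prune stops find at the SKIP directory itself, so nothing below it
    # is ever stat()ed or fetched from a remote file server.
    find "$sc_root" "$@" -type f -name core -print
}

# When run as a script with arguments, act as the cron job body, e.g.:
#   0 3 * * *  /usr/local/sbin/sweep_cores.sh / /afs /net
# (the script path and /net are assumed; /afs is the mount point
# discussed in the thread).
if [ "$#" -gt 0 ]; then
    sweep_cores "$@"
fi
```

The SKIP arguments are matched by find's `-path` as patterns against the full path as find prints it, so pass them in the same form as ROOT (absolute if ROOT is absolute).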


