.\" $Id: attach.conf.5,v 1.5 2006-08-08 21:50:13 ghudson Exp $
.\"
.\" Copyright 1997 by the Massachusetts Institute of Technology.
.\"
.\" Permission to use, copy, modify, and distribute this
.\" software and its documentation for any purpose and without
.\" fee is hereby granted, provided that the above copyright
.\" notice appear in all copies and that both that copyright
.\" notice and this permission notice appear in supporting
.\" documentation, and that the name of M.I.T. not be used in
.\" advertising or publicity pertaining to distribution of the
.\" software without specific, written prior permission.
.\" M.I.T. makes no representations about the suitability of
.\" this software for any purpose. It is provided "as is"
.\" without express or implied warranty.
.\"
.TH ATTACH.CONF 5
.SH NAME
attach.conf \- attach configuration file
.SH DESCRIPTION
The behavior of
.BR attach (1)\fP,
.BR detach (1)\fP,
and other programs using liblocker is controlled by attach.conf. These
programs read /etc/athena/attach.conf when they start up, so the
system administrator can customize their behavior without needing to
recompile the programs.

The format of attach.conf is line oriented, with one configuration
option per line. Blank lines and lines which begin with a pound sign
(#) are ignored as comments. The configuration keyword is the first
whitespace-delimited string on the line, with its arguments following
it, also delimited by whitespace.

There are several different types of keywords, which determine what
type of argument or arguments they require.
.IP boolean
Keywords of type boolean are typically options which can be
enabled or disabled, as specified by their arguments. Legal arguments
are
.I on
or
.IR off .
.IP string
Keywords of type string are typically filenames. Any argument
is legal; the configuration option is assigned the first
argument following the keyword.
.IP user-list
Keywords of type user-list take one or more arguments, separated by
spaces. Each argument may either be a username or a uid.
.IP regexp-argument
Keywords of type regexp-argument take the first argument as a regular
expression. The remainder of the line is kept as a string which
applies if the regular expression matches the filesystem being
attached or detached.
.IP regexp-list
Keywords of type regexp-list take one or more space-separated
arguments, which are regular expressions. All of the regexp-list
keywords come in positive/negative pairs (e.g.
.I mountpoint
and
.I nomountpoint\fP).
When testing one of the conditions (such as whether or not the given
mountpoint is allowed), each regexp is tested in series, in the order
they appear in the config file. If a regexp on a line with the
positive keyword matches first, the string is accepted. If it matches
first on a line with the negative keyword, it is rejected. The default
value for each keyword is noted below.
.PP
The following keywords are supported in attach.conf:
.IP "ownercheck (type boolean) (default: off)"
If this option is on, then only the user which attached a filesystem
may detach it.
.I Trusted users
(as specified by the
.B trusted
keyword) may use the -override (-O) flag to forcibly detach a
filesystem attached by another user.
.IP "keep-mount (type boolean) (default: off)"
If this option is on, then when a user attaches a filesystem
which is already mounted but not in attachtab a flag is set so that
when that filesystem is detached, its entry is removed from attachtab
without unmounting it. This is useful to prevent users from being
able to forcibly unmount partitions by attaching them and then
detaching them.
.IP "nfs-root-hack (type boolean) (default: on)"
This option affects the construction of the default mount point for
explicit NFS attaches. The default mount point is constructed by
appending the value of
.I nfs-mount-dir
followed by the hostname of the NFS server, followed by the remotely
mounted directory. If
.I nfs-root-hack
is on, then if the remotely mounted directory is the root (/), it is
replaced by ``/root'' for the purposes of constructing the default
mount point.
.IP "use-krb4 (type boolean) (default: off)"
The default mode of AFS cell authentication uses a Kerberos V5 ticket
natively via the ``rxkad 2b'' mechanism of newer AFS implementations. If
.I use-krb4
is on, then a V4 ticket obtained from krb524d will be used instead.
.IP "nfs-mount-dir (type string) (default: /)"
This option affects the construction of the default mount point for
explicit NFS attaches. See the description for
.I nfs-root-hack
above.
.IP "attachtab (type string) (default: /var/run/attachtab)"
This option specifies the location of the
.I attachtab(5)
directory. It is generally located in /var/athena.
.IP "local-dir"
This option specifies the location of the validated local lockers
directory. It is generally located in /var/athena.
.IP "trusted (type user-list) (default: root)"
This option allows the system administrator to specify a list of
trusted users who are allowed to use certain restricted options found
in
.I attach(1)
and
.IR detach(1) .
This includes the ability to detach a filesystem owned by another user
(if ownercheck is enabled) and the ability to force a filesystem to be
mounted without the nosuid mount option.
.IP "nosetuid or nosuid (type regexp-list)"
Filesystems which match the regular expressions listed as arguments are
mounted with the nosuid flag. This instructs the operating system to
disregard set-uid flags found on files in the mounted filesystem.
(See mount(8) for more information.) This is the default.
.IP "setuid or suid (type regexp-list)"
Filesystems which match the regular expressions listed as arguments are
mounted without the nosuid flag.
.IP "allow (type regexp-list)"
Filesystems which match the regular expressions listed as arguments may
be mounted with attach. This is the default.
.IP "noallow (type regexp-list)"
Filesystems which match the regular expressions listed as arguments may
not be mounted with attach. This prohibition can be bypassed with the
-override (-O) flag, if the user is one of the ``trusted users.''
.IP "mountpoint (type regexp-list)"
Mountpoints which match one of the regular expressions listed as
arguments are allowed. This is the default.
.IP "nomountpoint (type regexp-list)"
Mountpoints which match one of the regular expressions listed as
arguments are not allowed. This prohibition can be bypassed with the
-override (-O) flag, if the user is one of the ``trusted users.''
.IP "filesystem (type string-argument)"
This keyword allows the system administrator to give a filesystem
definition for a filesystem. Definitions in attach.conf take
precedence over Hesiod(3) definitions.
.IP "defoptions (type regexp-argument)"
Filesystems which match the regular expressions listed as arguments are
mounted with the specified argument as default mount options. This is
particularly useful in forcing the default NFS packet size to
something which can be handled by local gateways. This can be done by
including the following line in attach.conf:
.IP
defoptions {nfs}:.* rsize=1024,wsize=1024
.IP "options (type regexp-argument)"
Filesystems which match the regular expressions listed are mounted
with the specified argument as mount options which cannot be
overridden by the user.
.IP "allowoptions (type regexp-argument)"
The argument is a comma-delimited list of mount options which the user
may specify (using the -o flag to attach) when mounting filesystems
which match the regular expression. Any user-specified options which
do not appear in this list will be ignored.
.PP
.SH "FILESYSTEM DEFINITIONS"
Filesystem definitions are used by attach to determine how a named
filesystem should be attached. These definitions can be found either
in attach.conf or by performing a Hesiod(3) lookup. In general, the
definition consists of a filesystem type (NFS, AFS, etc.)
followed by information specific to that filesystem type. Here are
some typical filesystem definitions, as would be found in
attach.conf (in Hesiod, the first two fields would be absent and the
definition would be keyed to a filesystem name):

.nf
filesystem zip UFS /dev/sd1a w /zip
filesystem priam:slush NFS /slush priam w /priam/slush
filesystem user.d AFS /afs/athena/user/d w /mit/user.d
filesystem games ERR Sorry, the games filesystem is not available
.fi
.SH "EXTENSIONS TO REGULAR EXPRESSIONS"
Regular expressions in an attach.conf file can be prefixed by a
.IR type-delimiter ,
an optional string delimited by curly braces and followed by a colon. If
this string is present, it consists of a list of filesystem types
separated by commas. The regular expression is matched against the
filesystem only if the filesystem type matches one of the filesystem
types listed in the
.IR type-delimiter .
The
.I type-delimiter
may be prefixed by a caret (^), which reverses the
.I type-delimiter
check. That is, the regular expression is considered only if the
filesystem type is
.I not
one listed in the
.IR type-delimiter .
The
.I type-delimiter
may be further optionally prefixed with either a plus (+) or minus (-) sign.
If present, the plus sign indicates that the regular expression should
be considered only if the filesystem was explicitly defined on the
command line. Likewise, the minus sign indicates that the regular
expression should be considered only if the filesystem was not
explicitly defined. (The plus or minus must come before the caret if
both are present.)
.SH EXAMPLES
.IP
.nf
nomountpoint ^/mit/[^/]*/.
mountpoint ^/mit/
nomountpoint ^/mit
.fi
.PP
This will allow lockers to be attached in /mit, but not on /mit
itself, or subdirectories of /mit. The first line prohibits
mountpoints that have `/mit/', some text, and then a `/' with at least
one character following it. That prohibits mounting in subdirectories
of /mit. The second line allows anything underneath /mit that the
first line didn't prohibit. The final line prohibits attaching a
locker to /mit itself.
.IP
.nf
options {nfs}:.* nodev
noallow {-}:r$ {^afs} games
.fi
.PP
The first line specifies that all NFS lockers must be mounted with the
`nodev' mount option. The second line states that untrusted users will
not be allowed to attach Hesiod or attach.conf-defined lockers whose
names end with the letter `r', or any non-AFS lockers, or the games
locker.
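The following is an added example, not part of this man page or of the Athena liblocker code, showing how the rules above fit together: the line-oriented keyword syntax, the first-match-wins evaluation of the positive/negative regexp-list pairs with their documented defaults, the type-delimiter extensions, and the regexp-argument keywords whose remainder-of-line is kept verbatim. It is written as a stand-alone Python evaluator fed by a constructed configuration made of the two EXAMPLES above plus one filesystem definition. Two assumptions: the +/- sign and the caret are parsed inside the braces, as in `{-}:r$` and `{^afs}` in the EXAMPLES, and a type-delimiter without a colon is taken to carry an empty (match-anything) regular expression; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample attach.conf: the man page's two EXAMPLES plus one filesystem line.
SAMPLE_CONF = """\
# constructed sample attach.conf (blank lines and # comments are ignored)
nomountpoint ^/mit/[^/]*/.
mountpoint ^/mit/
nomountpoint ^/mit

options {nfs}:.* nodev
noallow {-}:r$ {^afs} games
filesystem priam:slush NFS /slush priam w /priam/slush
"""

# regexp-list keywords: (condition name, is the positive keyword), and the documented defaults
PAIRS = {
    "mountpoint": ("mountpoint", True), "nomountpoint": ("mountpoint", False),
    "allow": ("allow", True), "noallow": ("allow", False),
    "setuid": ("suid", True), "suid": ("suid", True),
    "nosetuid": ("suid", False), "nosuid": ("suid", False),
}
DEFAULTS = {"mountpoint": True, "allow": True, "suid": False}
REGEXP_ARGUMENT = {"defoptions", "options", "allowoptions"}

# {[+|-][^]type,type}:regexp  (assumption: sign and caret inside the braces, colon optional)
TYPE_DELIM = re.compile(r"^\{([+-]?)(\^?)([^}]*)\}:?(.*)$")


@dataclass
class Filesystem:
    name: str        # locker name as given to attach
    fstype: str      # NFS, AFS, UFS, ...
    explicit: bool   # True if the definition was given on the command line


@dataclass
class Rule:
    positive: bool
    regex: re.Pattern
    types: frozenset            # empty = any filesystem type
    negate: bool                # caret: consider only if fstype is NOT in types
    explicit: Optional[bool]    # None: don't care; True: '+' prefix; False: '-' prefix
    payload: str = ""           # remainder of the line for regexp-argument keywords

    def applies(self, fs: Filesystem) -> bool:
        """Type-delimiter check: does this rule even apply to the given filesystem?"""
        if self.explicit is not None and self.explicit != fs.explicit:
            return False
        if self.types and (fs.fstype.lower() in self.types) == self.negate:
            return False
        return True


def parse_regexp(token: str, positive: bool, payload: str = "") -> Rule:
    """Split one regexp token into its optional {type-delimiter} and the regular expression."""
    m = TYPE_DELIM.match(token)
    if not m:
        return Rule(positive, re.compile(token), frozenset(), False, None, payload)
    sign, caret, types, pattern = m.groups()
    type_set = frozenset(t.strip().lower() for t in types.split(",") if t.strip())
    explicit = {"+": True, "-": False, "": None}[sign]
    return Rule(positive, re.compile(pattern), type_set, caret == "^", explicit, payload)


class AttachConf:
    def __init__(self, text: str):
        self.rules = {cond: [] for cond in DEFAULTS}          # regexp-list rules, in file order
        self.args = {kw: [] for kw in REGEXP_ARGUMENT}        # regexp-argument rules
        self.filesystems = {}                                 # name -> [type, type-specific fields]
        self.settings = {}                                    # boolean / string / user-list keywords
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            keyword, *args = line.split()
            if keyword in PAIRS:
                cond, positive = PAIRS[keyword]
                self.rules[cond].extend(parse_regexp(a, positive) for a in args)
            elif keyword in REGEXP_ARGUMENT:
                # first argument is the regexp; the rest of the line is kept as a string
                self.args[keyword].append(parse_regexp(args[0], True, " ".join(args[1:])))
            elif keyword == "filesystem":
                self.filesystems[args[0]] = args[1:]
            else:
                self.settings[keyword] = args

    def check(self, cond: str, fs: Filesystem, subject: str) -> bool:
        """First matching regexp decides: accept on a positive keyword, reject on a negative one."""
        for rule in self.rules[cond]:
            if rule.applies(fs) and rule.regex.search(subject):
                return rule.positive
        return DEFAULTS[cond]

    def mountpoint_allowed(self, fs: Filesystem, path: str) -> bool:
        return self.check("mountpoint", fs, path)

    def attach_allowed(self, fs: Filesystem) -> bool:
        return self.check("allow", fs, fs.name)

    def forced_options(self, fs: Filesystem) -> list:
        """Mount options from every matching 'options' line; the user cannot override these."""
        return [r.payload for r in self.args["options"] if r.applies(fs) and r.regex.search(fs.name)]


if __name__ == "__main__":
    conf = AttachConf(SAMPLE_CONF)
    for path in ("/mit/foo", "/mit/foo/bar", "/mit"):
        print(path, conf.mountpoint_allowed(Filesystem("foo", "AFS", False), path))
    print("games:", conf.attach_allowed(Filesystem("games", "AFS", True)))
    print("nfs options:", conf.forced_options(Filesystem("priam:slush", "NFS", False)))
```

Running it on the sample reproduces the behaviour the EXAMPLES describe: `/mit/foo` is an acceptable mountpoint while `/mit` and `/mit/foo/bar` are rejected, the `games` locker and any non-AFS locker are refused by `noallow`, and NFS lockers pick up the forced `nodev` option. Because evaluation stops at the first matching regexp, the order of `mountpoint` and `nomountpoint` lines in the file is part of the policy, which is the point the EXAMPLES make.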
.SH FILES
/etc/athena/attach.conf
.SH SEE ALSO
attach(1), attachtab(5)