source: trunk/athena/lib/locker/man/attach.conf.5 @ 13112

Revision 13112, 9.8 KB checked in by danw, 26 years ago
add some missing .nf/.fi pairs
.\" $Id: attach.conf.5,v 1.2 1999-05-26 19:16:56 danw Exp $
.\"
.\" Copyright 1997 by the Massachusetts Institute of Technology.
.\"
.\" Permission to use, copy, modify, and distribute this
.\" software and its documentation for any purpose and without
.\" fee is hereby granted, provided that the above copyright
.\" notice appear in all copies and that both that copyright
.\" notice and this permission notice appear in supporting
.\" documentation, and that the name of M.I.T. not be used in
.\" advertising or publicity pertaining to distribution of the
.\" software without specific, written prior permission.
.\" M.I.T. makes no representations about the suitability of
.\" this software for any purpose.  It is provided "as is"
.\" without express or implied warranty.
.\"
.TH ATTACH.CONF 5
.SH NAME
attach.conf \- attach configuration file
.SH DESCRIPTION
The behavior of
.BR attach (1)\fP,
.BR detach (1)\fP,
and other programs using liblocker is controlled by attach.conf. These
programs read /etc/athena/attach.conf when they start up, so the
system administrator can customize their behavior without needing to
recompile the programs.

The format of attach.conf is line oriented, with one configuration
option per line.  Blank lines and lines which begin with a pound sign
(#) are ignored as comments.  The configuration keyword is the first
whitespace-delimited string on the line, with its arguments following
it, also delimited by whitespace.

There are several different types of keywords, which determine what
type of argument or arguments they require.
.IP boolean
Keywords of type boolean are typically options which can be
enabled or disabled, as specified by their arguments.  Legal arguments
are
.I on
or
.IR off .
.IP string
Keywords of type string are typically filenames.  Any argument
is legal; the configuration option is assigned the first
argument following the keyword.
.IP user-list
Keywords of type user-list take one or more arguments, separated by
spaces. Each argument may either be a username or a uid.
.IP regexp-argument
Keywords of type regexp-argument take the first argument as a regular
expression.  The remainder of the line is kept as a string which
applies if the regular expression matches the filesystem being
attached or detached.
.IP regexp-list
Keywords of type regexp-list take one or more space-separated
arguments, which are regular expressions. All of the regexp-list
keywords come in positive/negative pairs (e.g.
.I mountpoint
and
.I nomountpoint\fP).
When testing one of the conditions (such as whether or not the given
mountpoint is allowed), each regexp is tested in series, in the order
they appear in the config file. If a regexp on a line with the
positive keyword matches first, the string is accepted. If it matches
first on a line with the negative keyword, it is rejected. The default
value for each keyword is noted below.
.PP
The following keywords are supported in attach.conf:
.IP "ownercheck (type boolean) (default: off)"
If this option is on, then only the user who attached a filesystem
may detach it.
.I Trusted users
(as specified by the
.B trusted
keyword) may use the -override (-O) flag to forcibly detach a
filesystem attached by another user.
.IP "keep-mount (type boolean) (default: off)"
If this option is on, then when a user attaches a filesystem
which is already mounted but not in attachtab a flag is set so that
when that filesystem is detached, its entry is removed from attachtab
without unmounting it.  This is useful to prevent users from being
able to forcibly unmount partitions by attaching them and then
detaching them.
.IP "nfs-root-hack (type boolean) (default: on)"
This option affects the construction of the default mount point for
explicit NFS attaches.  The default mount point is constructed by
appending the value of
.I nfs-mount-dir
followed by the hostname of the NFS server, followed by the remotely
mounted directory.  If
.I nfs-root-hack
is on, then if the remotely mounted directory is the root (/), it is
replaced by ``/root'' for the purposes of constructing the default
mount point.
.IP "nfs-mount-dir (type string) (default: /)"
This option affects the construction of the default mount point for
explicit NFS attaches.  See the description for
.I nfs-root-hack
above.
.IP "attachtab (type string) (default: /var/athena/attachtab)"
This option specifies the location of the
.I attachtab(5)
directory.  It is generally located in /var/athena.
.IP "trusted (type user-list) (default: root)"
This option allows the system administrator to specify a list of
trusted users who are allowed to use certain restricted options found
in
.I attach(1)
and
.IR detach(1) .
This includes the ability to detach a filesystem owned by another user
(if ownercheck is enabled) and the ability to force a filesystem to be
mounted without the nosuid mount option.
.IP "nosetuid or nosuid (type regexp-list)"
Filesystems which match the regular expressions listed as arguments are
mounted with the nosuid flag.  This instructs the operating system to
disregard set-uid flags found on files in the mounted filesystem.
(See mount(8) for more information.) This is the default.
.IP "setuid or suid (type regexp-list)"
Filesystems which match the regular expressions listed as arguments are
mounted without the nosuid flag.
.IP "allow (type regexp-list)"
Filesystems which match the regular expressions listed as arguments may
be mounted with attach. This is the default.
.IP "noallow (type regexp-list)"
Filesystems which match the regular expressions listed as arguments may
not be mounted with attach.  This prohibition can be bypassed with the
-override (-O) flag, if the user is one of the ``trusted users.''
.IP "mountpoint (type regexp-list)"
Mountpoints which match one of the regular expressions listed as
arguments are allowed. This is the default.
.IP "nomountpoint (type regexp-list)"
Mountpoints which match one of the regular expressions listed as
arguments are not allowed.   This prohibition can be bypassed with the
-override (-O) flag, if the user is one of the ``trusted users.''
.IP "filesystem (type string-argument)"
This keyword allows the system administrator to give a filesystem
definition for a filesystem.  Definitions in attach.conf take
precedence over Hesiod(3) definitions.
.IP "defoptions (type regexp-argument)"
Filesystems which match the regular expressions listed as arguments are
mounted with the specified argument as default mount options. This is
particularly useful in forcing the default NFS packet size to
something which can be handled by local gateways. This can be done
by including the following line in attach.conf:
.IP
defoptions {nfs}:.*     rsize=1024,wsize=1024
.IP "options (type regexp-argument)"
Filesystems which match the regular expressions listed are mounted
with the specified argument as mount options which cannot be
overridden by the user.
.IP "allowoptions (type regexp-argument)"
The argument is a comma-delimited list of mount options which the user
may specify (using the -o flag to attach) when mounting filesystems
which match the regular expression. Any user-specified options which
do not appear in this list will be ignored.
.PP
.SH "FILESYSTEM DEFINITIONS"
Filesystem definitions are used by attach to determine how a named
filesystem should be attached.  These definitions can be found either
in attach.conf or by performing Hesiod(3) lookup.  In general, the
definition consists of a filesystem type (NFS, AFS, etc.)
followed by information specific to that filesystem type.  Here are
some typical filesystem definitions, as would be found in
attach.conf (in Hesiod, the first two fields would be absent and the
definition would be keyed to a filesystem name):

.nf
filesystem zip          UFS /dev/sd1a w /zip
filesystem priam:slush  NFS /slush priam w /priam/slush
filesystem user.d       AFS /afs/athena/user/d w /mit/user.d
filesystem games        ERR Sorry, the games filesystem is not available
.fi
.SH "EXTENSIONS TO REGULAR EXPRESSIONS"
Regular expressions in an attach.conf file can be prefixed by a
.IR type-delimiter ,
an optional string delimited by curly braces and followed by a colon.  If
this string is present, it consists of a list of filesystem types
separated by commas.  The regular expression is matched against the
filesystem only if the filesystem type matches one of the filesystem
types listed in the
.IR type-delimiter .
The
.I type-delimiter
may be prefixed by a caret (^), which reverses the
.I type-delimiter
check.  That is, the regular expression is considered only if the
filesystem type is
.I not
one listed in the
.IR type-delimiter .
The
.I type-delimiter
may be further optionally prefixed with either a plus (+) or minus (-) sign.
If present, the plus sign indicates that the regular expression should
be considered only if the filesystem was explicitly defined on the
command line.  Likewise, the minus sign indicates that the regular
expression should be considered only if the filesystem was not
explicitly defined. (The plus or minus must come before the caret if
both are present.)
.SH EXAMPLES
.IP
.nf
nomountpoint            ^/mit/[^/]*/.
mountpoint              ^/mit/
nomountpoint            ^/mit
.fi
.PP
This will allow lockers to be attached in /mit, but not on /mit
itself, or subdirectories of /mit. The first line prohibits
mountpoints that have `/mit/', some text, and then a `/' with at least
one character following it. That prohibits mounting in subdirectories
of /mit. The second line allows anything underneath /mit that the
first line didn't prohibit. The final line prohibits attaching a
locker to /mit itself.
.IP
.nf
options {nfs}:.*        nodev
noallow {-}:r$ {^afs} games
.fi
.PP
The first line specifies that all NFS lockers must be mounted with the
'nodev' mount option. The second line states that untrusted users will
not be allowed to attach Hesiod or attach.conf-defined lockers whose
names end with the letter `r', or any non-AFS lockers, or the games
locker.
.SH FILES
/etc/athena/attach.conf
.SH SEE ALSO
attach(1), attachtab(5)
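
Added example, not part of the man page or of liblocker's code: a Python model of the first-match evaluation described under regexp-list and of the type-delimiter prefix, run on the regexp-list lines from EXAMPLES. The function names, the use of Python's re in place of attach's own regexp routines, the placement of +, - and ^ inside the braces, and match-all for a missing regexp are assumptions.

```python
import re

# Constructed sample: the regexp-list lines from the page's EXAMPLES section.
CONF = r"""
nomountpoint            ^/mit/[^/]*/.
mountpoint              ^/mit/
nomountpoint            ^/mit
noallow {-}:r$ {^afs} games
"""

def parse_term(term):
    # Returns (explicit, negate, types, regexp) for '{[+-][^]type,...}:regexp'.
    # Assumed from the page's EXAMPLES: modifiers sit inside the braces and a
    # missing ':regexp' matches every name. Types compare case-insensitively.
    explicit, negate, types = None, False, set()
    if term.startswith("{"):
        head, _, term = term[1:].partition("}")
        if head[:1] in ("+", "-"):
            explicit, head = head[0] == "+", head[1:]
        if head.startswith("^"):
            negate, head = True, head[1:]
        types = {t.lower() for t in head.split(",") if t}
        term = term[1:] if term.startswith(":") else ""
    return explicit, negate, types, re.compile(term)

def term_matches(term, name, fstype, explicit):
    want_explicit, negate, types, regexp = parse_term(term)
    if want_explicit is not None and want_explicit != explicit:
        return False          # +/- restricts to (non-)explicit definitions
    if types and (fstype.lower() in types) == negate:
        return False          # type list, or its ^ inversion, excludes fstype
    return regexp.search(name) is not None

def decide(conf, positive, negative, name, fstype="", explicit=False):
    """First matching regexp in file order wins; no match means allowed."""
    for line in conf.splitlines():
        fields = line.split()
        if fields and fields[0] in (positive, negative):
            for term in fields[1:]:
                if term_matches(term, name, fstype, explicit):
                    return fields[0] == positive
    return True  # the page gives the positive keyword as the default

def mountpoint_ok(path, conf=CONF):
    return decide(conf, "mountpoint", "nomountpoint", path)

def attach_ok(name, fstype, explicit, conf=CONF):
    return decide(conf, "allow", "noallow", name, fstype, explicit)
```

The -override path for trusted users is not modelled. Because the last nomountpoint pattern is anchored only at the start, it also rejects unrelated paths such as /mitten.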