1 | .\" $Id: attach.conf.5,v 1.2 1999-05-26 19:16:56 danw Exp $ |
---|
2 | .\" |
---|
3 | .\" Copyright 1997 by the Massachusetts Institute of Technology. |
---|
4 | .\" |
---|
5 | .\" Permission to use, copy, modify, and distribute this |
---|
6 | .\" software and its documentation for any purpose and without |
---|
7 | .\" fee is hereby granted, provided that the above copyright |
---|
8 | .\" notice appear in all copies and that both that copyright |
---|
9 | .\" notice and this permission notice appear in supporting |
---|
10 | .\" documentation, and that the name of M.I.T. not be used in |
---|
11 | .\" advertising or publicity pertaining to distribution of the |
---|
12 | .\" software without specific, written prior permission. |
---|
13 | .\" M.I.T. makes no representations about the suitability of |
---|
14 | .\" this software for any purpose. It is provided "as is" |
---|
15 | .\" without express or implied warranty. |
---|
16 | .\" |
---|
17 | .TH ATTACH.CONF 5 |
---|
18 | .SH NAME |
---|
19 | attach.conf \- attach configuration file |
---|
20 | .SH DESCRIPTION |
---|
21 | The behavior of |
---|
22 | .BR attach (1)\fP, |
---|
23 | .BR detach (1)\fP, |
---|
24 | and other programs using liblocker is controlled by attach.conf. These |
---|
25 | programs read /etc/athena/attach.conf when they start up, so the |
---|
26 | system administrator can customize their behavior without needing to |
---|
27 | recompile the programs. |
---|
28 | |
---|
29 | The format of attach.conf is line oriented, with one configuration |
---|
30 | option per line. Blank lines and lines which begin with a pound sign |
---|
31 | (#) are ignored as comments. The configuration keyword is the first |
---|
32 | whitespace-delimited string on the line, with its arguments following |
---|
33 | it, also delimited by whitespace. |
---|
34 | |
---|
35 | There are several different types of keywords, which determine what |
---|
36 | type of argument or arguments they require. |
---|
37 | .IP boolean |
---|
38 | Keywords of type boolean are typically options which can be |
---|
39 | enabled or disabled, as specified by their arguments. Legal arguments |
---|
40 | are |
---|
41 | .I on |
---|
42 | or |
---|
43 | .IR off . |
---|
44 | .IP string |
---|
45 | Keywords of type string are typically filenames. Any argument |
---|
46 | is legal; the configuration option is assigned the first |
---|
47 | argument following the keyword. |
---|
48 | .IP user-list |
---|
49 | Keywords of type user-list take one or more arguments, separated by |
---|
50 | spaces. Each argument may either be a username or a uid. |
---|
51 | .IP regexp-argument |
---|
52 | Keywords of type regexp-argument take the first argument as a regular |
---|
53 | expression. The remainder of the line is kept as a string which |
---|
54 | applies if the regular expression matches the filesystem being |
---|
55 | attached or detached. |
---|
56 | .IP regexp-list |
---|
57 | Keywords of type regexp-list take one or more space-separated |
---|
58 | arguments, which are regular expressions. All of the regexp-list |
---|
59 | keywords come in positive/negative pairs (e.g. |
---|
60 | .I mountpoint |
---|
61 | and |
---|
62 | .I nomountpoint\fP). |
---|
63 | When testing one of the conditions (such as whether or not the given |
---|
64 | mountpoint is allowed), each regexp is tested in series, in the order |
---|
65 | they appear in the config file. If a regexp on a line with the |
---|
66 | positive keyword matches first, the string is accepted. If it matches |
---|
67 | first on a line with the negative keyword, it is rejected. The default |
---|
68 | value for each keyword is noted below. |
---|
69 | .PP |
---|
70 | The following keywords are supported in attach.conf: |
---|
71 | .IP "ownercheck (type boolean) (default: off)" |
---|
72 | If this option is on, then only the user which attached a filesystem |
---|
73 | may detach it. |
---|
74 | .I Trusted users |
---|
75 | (as specified by the |
---|
76 | .B trusted |
---|
77 | keyword) may use the -override (-O) flag to forcibly detach a |
---|
78 | filesystem attached by another user. |
---|
79 | .IP "keep-mount (type boolean) (default: off)" |
---|
80 | If this option is on, then when a user attaches a filesystem |
---|
81 | which is already mounted but not in attachtab a flag is set so that |
---|
82 | when that filesystem is detached, its entry is removed from attachtab |
---|
83 | without unmounting it. This is useful to prevent users from being |
---|
84 | able to forcibly unmount partitions by attaching them and then |
---|
85 | detaching them. |
---|
86 | .IP "nfs-root-hack (type boolean) (default: on)" |
---|
87 | This option affects the construction of the default mount point for |
---|
88 | explicit NFS attaches. The default mount point is constructed by |
---|
89 | appending the value of |
---|
90 | .I nfs-mount-dir |
---|
91 | followed by the hostname of the NFS server, followed by the remotely |
---|
92 | mounted directory. If |
---|
93 | .I nfs-root-hack |
---|
94 | is on, then if the remotely mounted directory is the root (/), it is |
---|
95 | replaced by ``/root'' for the purposes of contructing the default |
---|
96 | mount point. |
---|
97 | .IP "nfs-mount-dir (type string) (default: /)" |
---|
98 | This option affects the construction of the default mount point for |
---|
99 | explicit NFS attaches. See the description for |
---|
100 | .I nfs-root-hack |
---|
101 | above. |
---|
102 | .IP "attachtab (type string) (default: /var/athena/attachtab)" |
---|
103 | This option specifies the location of the |
---|
104 | .I attachtab(5) |
---|
105 | directory. It is generally located in /var/athena. |
---|
106 | .IP "trusted (type user-list) (default: root)" |
---|
107 | This option allows the system administrator to specify a list of |
---|
108 | trusted users who are allowed to use certain restricted options found |
---|
109 | in |
---|
110 | .I attach(1) |
---|
111 | and |
---|
112 | .IR detach(1) . |
---|
113 | This includes the ability to detach a filesystem owned by another user |
---|
114 | (if ownercheck is enabled) and the ability to force a filesystem to be |
---|
115 | mounted without the nosuid mount option. |
---|
116 | .IP "nosetuid or nosuid (type regexp-list)" |
---|
117 | Filesystems which match the regular expresions listed as arguments are |
---|
118 | mounted with the nosuid flag. This instructs the operating system to |
---|
119 | disregard set-uid flags found on files in the mounted filesystem. |
---|
120 | (See mount(8) for more information.) This is the default. |
---|
121 | .IP "setuid or suid (type regexp-list)" |
---|
122 | Filesystems which match the regular expresions listed as arguments are |
---|
123 | mounted without the nosuid flag. |
---|
124 | .IP "allow (type regexp-list)" |
---|
125 | Filesystems which match the regular expresions listed as arguments may |
---|
126 | be mounted with attach. This is the default. |
---|
127 | .IP "noallow (type regexp-list)" |
---|
128 | Filesystems which match the regular expresions listed as arguments may |
---|
129 | not be mounted with attach. This prohibition can be bypassed with the |
---|
130 | -override (-O) flag, if the user is one of the ``trusted users.'' |
---|
131 | .IP "mountpoint (type regexp-list)" |
---|
132 | Mountpoint which match one of the regular expressions listed as |
---|
133 | arguments are allowed. This is the default. |
---|
134 | .IP "nomountpoint (type regexp-list)" |
---|
135 | Mountpoint which match one of the regular expressions listed as |
---|
136 | arguments are not allowed. This prohibition can be bypassed with the |
---|
137 | -override (-O) flag, if the user is one of the ``trusted users.'' |
---|
138 | .IP "filesystem (type string-argument)" |
---|
139 | This keyword allows the system administrator to give a filesystem |
---|
140 | definition for a filesystem. Definitions in attach.conf take |
---|
141 | precedence over Hesiod(3) definitions.. |
---|
142 | .IP "defoptions (type regexp-argument)" |
---|
143 | Filesystems which match the regular expressions listed as arguments are |
---|
144 | mounted with the specified argument as default mount options. This is |
---|
145 | particularly useful in forcing the default NFS packet size to |
---|
146 | something which can be handled by local gateways. This can be done |
---|
147 | including the following line in attach.conf: |
---|
148 | .IP |
---|
149 | defoptions {nfs}:.* rsize=1024,wsize=1024 |
---|
150 | .IP "options (type regexp-argument)" |
---|
151 | Filesystems which match the regular expressions listed are mounted |
---|
152 | with the specified argument as mount options which cannot be |
---|
153 | overridden by the user. |
---|
154 | .IP "allowoptions (type regexp-argument)" |
---|
155 | The argument is a comma-delimited list of mount options which the user |
---|
156 | may specify (using the -o flag to attach) when mounting filesystems |
---|
157 | which match the regular expression. Any user-specified options which |
---|
158 | do not appear in this list will be ignored. |
---|
159 | .PP |
---|
160 | .SH "FILESYSTEM DEFINITIONS" |
---|
161 | Filesystem definitions are used by attach to determine how a named |
---|
162 | filesystem should be attached. These definitions can be found either |
---|
163 | in attach.conf or by performing Hesiod(3) lookup. In general, the |
---|
164 | definition consists of a filesystem type (NFS, AFS, etc.) |
---|
165 | followed by information specific to that fileststem type. Here are |
---|
166 | some typical filesystem definitions, as would be found in |
---|
167 | attach.conf (in Hesiod, the first two fields would be absent and the |
---|
168 | definition would be keyed to a filesystem name): |
---|
169 | |
---|
170 | .nf |
---|
171 | filesystem zip UFS /dev/sd1a w /zip |
---|
172 | filesystem priam:slush NFS /slush priam w /priam/slush |
---|
173 | filesystem user.d AFS /afs/athena/user/d w /mit/user.d |
---|
174 | filesystem games ERR Sorry, the games filesystem is not available |
---|
175 | .fi |
---|
176 | .SH "EXTENSIONS TO REGULAR EXPRESSIONS" |
---|
177 | Regular expressions in an attach.conf file can be prefixed by a |
---|
178 | .IR type-delimiter , |
---|
179 | an optional string delimited by curly braces and followed a colon. If |
---|
180 | this string is present, it consists of a list of filesystem types |
---|
181 | separated by commas. The regular expression is matched against the |
---|
182 | filesystem only if the filesystem type matches one of the filesystem |
---|
183 | types listed in the |
---|
184 | .IR type-delimiter . |
---|
185 | The |
---|
186 | .I type-delimiter |
---|
187 | may be prefixed by a caret (^), which reverses the |
---|
188 | .I type-delimiter |
---|
189 | check. That is, the regular expression is considered only if the |
---|
190 | filesystem type is |
---|
191 | .I not |
---|
192 | one listed in the |
---|
193 | .IR type-delimiter . |
---|
194 | The |
---|
195 | .I type-delimiter |
---|
196 | may be further optionally prefixed with either a plus (+) or minus (-) sign. |
---|
197 | If present, the plus sign indicates that the regular expression should |
---|
198 | be considered only if the filesystem was explicitly defined on the |
---|
199 | command line. Likewise, the minus sign indicates that the regular |
---|
200 | expression should be considered only if the filesystem was not |
---|
201 | explicitly defined. (The plus or minus must come before the caret if |
---|
202 | both are present.) |
---|
203 | .SH EXAMPLES |
---|
204 | .IP |
---|
205 | .nf |
---|
206 | nomountpoint ^/mit/[^/]*/. |
---|
207 | mountpoint ^/mit/ |
---|
208 | nomountpoint ^/mit |
---|
209 | .fi |
---|
210 | .PP |
---|
211 | This will allow lockers to be attached in /mit, but not on /mit |
---|
212 | itself, or subdirectories of /mit. The first line prohibits |
---|
213 | mountpoints that have `/mit/', some text, and then a `/' with at least |
---|
214 | one character following it. That prohibits mounting in subdirectories |
---|
215 | of /mit. The second line allows anything underneath /mit that the |
---|
216 | first line didn't prohibit. The final line prohibits attaching a |
---|
217 | locker to /mit itself. |
---|
218 | .IP |
---|
219 | .nf |
---|
220 | options {nfs}:.* nodev |
---|
221 | noallow {-}:r$ {^afs} games |
---|
222 | .fi |
---|
223 | .PP |
---|
224 | The first line specifies that all NFS lockers must be mounted with the |
---|
225 | 'nodev' mount option. The second line states that untrusted users will |
---|
226 | not be allowed to attach Hesiod or attach.conf-defined lockers whose |
---|
227 | names end with the letter `r', or any non-AFS lockers, or the games |
---|
228 | locker. |
---|
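The following Python model, added here and not part of liblocker, evaluates the regexp-list ordering rule from the DESCRIPTION section and the type-delimiter prefixes from the EXTENSIONS section against the example lines above, so an administrator can check what a policy line actually permits before deploying it. It assumes regexps are unanchored searches, that a type-delimiter with no types (as in {-}:) applies to every type, and that the colon after the braces is optional because the page's own example writes {^afs} without one.

```python
import re

# Constructed attach.conf fragment built from the lines in the EXAMPLES section.
CONF = """
nomountpoint ^/mit/[^/]*/.
mountpoint ^/mit/
nomountpoint ^/mit
noallow {-}:r$ {^afs} games
"""

def parse_conf(text):
    """Yield (keyword, args) per line; blank lines and # comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            kw, *args = line.split()
            yield kw, args

def parse_regexp(tok):
    """Split a {[+|-][^]type,...}: prefix (if any) off a regexp token."""
    # Assumption: the colon is optional, since the page's example writes {^afs}
    # with no colon; an empty regexp then matches any name.
    m = re.match(r'^\{([+-]?)(\^?)([^}]*)\}:?(.*)$', tok)
    if not m:
        return {'sign': '', 'negate': False, 'types': set()}, tok
    sign, caret, types, rx = m.groups()
    types = {t for t in types.lower().split(',') if t}
    return {'sign': sign, 'negate': bool(caret), 'types': types}, rx

def applies(delim, fstype, explicit):
    """Type-delimiter check: may this regexp be considered for the filesystem?"""
    if delim['sign'] == '+' and not explicit:   # only for command-line definitions
        return False
    if delim['sign'] == '-' and explicit:       # only for Hesiod/attach.conf ones
        return False
    if not delim['types']:                      # assumption: no types listed -> any type
        return True
    listed = fstype.lower() in delim['types']
    return listed != delim['negate']            # caret reverses the membership test

def decide(text, pos_kw, neg_kw, value, fstype, explicit=False, default=True):
    """Walk a positive/negative regexp-list pair in file order; first match wins."""
    for kw, args in parse_conf(text):
        if kw not in (pos_kw, neg_kw):
            continue
        for tok in args:
            delim, rx = parse_regexp(tok)
            # Assumption: regexps are unanchored searches, as ^/mit/ and r$ suggest.
            if applies(delim, fstype, explicit) and re.search(rx, value):
                return kw == pos_kw
    return default                              # no line matched: keyword default
```

Calling decide(CONF, 'mountpoint', 'nomountpoint', '/mit/games', 'AFS') returns True, while '/mit' and '/mit/games/bin' return False, matching the page's explanation of the three mountpoint lines.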
.SH FILES
/etc/athena/attach.conf
.SH SEE ALSO
attach(1), attachtab(5)