AFS Home Directory

AFS Home Directory

User home directories in the CSAIL AFS cell are mounted under /afs/, where JRN is the user’s login name and J is the first letter thereof. (This is done to improve access speed and reduce thrashing of the AFS cache when users touch the parent of their home directory.)

Each home directory is located in its own AFS volume, with a standard quota of 20 GB. The volume is named u.JRN, but nobody should need to know that.

Home directories are created with the following ACL:

   JRN all
   system:anyuser l

This allows anyone in the universe to see the names of files in the directory but not read them. This is required to allow public access to other subdirectories. Only the user and system administrators may do anything else in the top level directory. This is essential for security, because many UNIX programs assume file-based access control, whereas AFS’s is directory-based; a strict ACL on home directories ensures that mailboxes, application preferences, crypto keys, Web caches, and other things that applications tend to dump in a user’s home directory are protected. The user is set up as the owner of the home directory; even though ACLs in AFS obviate the need for file ownership, the owner of the root directory of an AFS volume is magic.

There are three directories which are created by default with looser permissions: ~/public, ~/public_html, and ~/.ssh. The ~/.ssh directory must be world-readable to allow certain kinds of remote logins, so it should not be used to store private keys (which should be deposited in ~/.ssh/private instead). The ~/public_html directory is automatically mapped via the CSAIL home-page Web server as (A secure server is also available at the same location.)

Finally, a snapshot of every AFS volume is taken nightly. In addition to being used to take consistent backups of the volume, this snapshot can be used to recover files which have been accidentally deleted over the course of the day. The snapshot volume should be mounted at ~/.snapshot.