The story of landlord and thief


You started your own bank, and in a short time it is a big success.

Now it's not like managing a small business anymore; everything has changed. The most obvious change is that you cannot remember all your clients yourself. Even worse, you do not know whether the people entering your bank are all clients, or whether some are potential bank robbers.

As a wise man, you felt the need and decided to hire a security specialist, someone who will allow only your clients into the bank. In the hiring process you found an interesting personality who claimed a wide variety of skills, from handwriting analysis to body language interpretation. In addition, she is flexible enough to learn any new skill as the need arises.

You instantly got her on board. Surprisingly, her performance exceeds your expectations.

Meanwhile you are facing another minor challenge: arranging a place to talk to clients who come to your bank at short notice. These meetings must be held in private locations.

You suddenly remember your security specialist. Why not give this job to your security specialist as well?

Obviously it will not take long to realize that this is not a good arrangement, and I am not going to delve into the details too much.

Give me a break and the story will continue a little later. So far this is about PAM and one of its modules, pam_mkhomedir. PAM is a security specialist for most Unix daemons. Linux daemons get help from this security specialist to check their clients. For example, the IMAP server checks email users through PAM before allowing them access to their mail.

These days, in more and more configurations, Unix user accounts are moved to LDAP and SQL, to keep them in one place and to reduce administrative overhead. Home directories are not created by default on the local system when user accounts are kept in a centralized database. But some daemons, for example SMTP servers, need home directories locally in order to work with clients. Since accounts are not created locally where these daemons run, but are imported from the LDAP/SQL database which is in some other place, home directories do not already exist. In these situations pam_mkhomedir, one of the components of PAM, creates the home directories, while at the same time PAM is used for checking clients by daemons such as the IMAP server.

In reality creating home directories is not that simple. The way each daemon operates is different. So this model of creating home directories using PAM may not be an ideal solution. The best example is when an SMTP server has to store mail for users in their home directories. The SMTP server does not use PAM when mail is received for local delivery in most configurations.

Even more serious is the necessity to run as root in order for daemons to create home directories using PAM. Even those programs which are designed to be very secure are forced to stay as root until their clients are checked through PAM.

Then what is the solution?

Continuing the story, it is time to find a better solution for your business regarding a meeting place for clients.

But one more issue is that your downtown office space is quite expensive, and allocating this space is an additional overhead; also it is not expandable if your business grows even further.

So it is time to hire one more specialist to deal with this challenge.

The solution is to use virtual doors which are created on demand in any of the walls of your office as your clients appear, and are automatically removed when there is no need for them any more. Each virtual door takes you to a virtual private room where you can have meetings with your clients. Even more interesting is that these virtual private rooms do not exist at your downtown office premises in reality. The real location of these rooms can be anywhere, such as suburban areas, or even under the sea if you cannot find enough space on land! But your clients cannot tell the difference, and believe that they are really at your downtown office.

Now, coming back to reality, this space-age specialist is Autodir for Linux.

Autodir creates home directories for daemons like IMAP and SSH, so that files belonging to clients for these daemons can be kept in a secure place.

In Autodir's default configuration, /home is the wall where the virtual doors are kept, i.e. where virtual user home directories are kept. Whenever a daemon needs a home directory for a client, it enters the client home directory without noticing any difference from normal. Autodir creates these virtual doors as daemons need them.

But as in the story, where are the real home directories kept?

This is up to the administrator. By default they are kept in the /autohome directory.

There is a landlord who lives in a big house, and has a property manager to look after it. The manager is not honest in the way expected.

But what about the landlord?

He knows only the front door to his home, and he is so busy that he does not even care about any other doors. Each day he brings his hard-earned money home. As usual he knocks on the front door and waits for the manager to come and open it. Once he is in, he stores his money in the house, and the next morning leaves his home through the front door.

When he leaves, the front door is locked by the manager after waiting for some time, and it is not opened again until the landlord returns.

But strange events start to happen once he leaves his home.

When the landlord leaves, the manager locks the front door after waiting for some time, and then waits a little longer to see if the landlord returns. After making sure that the landlord is not coming back, the manager calls a thief and lets him in through the back door.

The thief takes all the money that was brought by the landlord on the previous day, and leaves the house again through the back door!

An interesting situation arises if the landlord returns before the thief finishes stealing his money. Here the manager has to handle the situation carefully so that the landlord does not begin to have any doubts. Firstly, the thief is informed of the landlord's arrival, and if the thief refuses to leave, he is kicked out forcibly. Until the thief leaves, the front door is not opened.

Autodir acts as the property manager for the landlord. The landlord is a Linux daemon that puts user data in user home directories. The front door is through /home and the back door is through /autohome. The thief is nothing but a backup program!

As in the story, there are two timings. First, how long to wait before closing the front door when the landlord leaves the house. With Autodir it is how long to wait after a daemon stops using the user's home directory before removing the home directory from /home.

The second timing is how long to wait after the door is closed before the thief is called. Here, with Autodir, it is how long to wait after the home directory is removed before calling the backup program.

The first is specified in seconds with the -t option, and the second is through option -w, again in seconds.

One more thing: the manager should know the exact address of the thief so that he can call him! Here the location of the backup program is given through the -b option with the full path to the backup program.

Here is an example of using the backup feature with Autodir.

# autodir -d /home \
	  -m /usr/lib/autodir/autohome.so \
	  -t 600 \
	  -w 300 \
	  -b '/bin/tar cf /tmp/%N%F.tar %L'
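The backup program named with -b is where the "thief kicked out" case from the story has to be handled: if the user returns before the backup finishes, Autodir stops it, and a half-written archive should not be left behind under the final name. The script below is an added example, not part of Autodir, and makes two assumptions: that the -b string can pass the user name and the real directory under /autohome as arguments (the page's example substitutes %N and %L into the command, so the assumed call is -b '/usr/local/sbin/autohome_backup %N %L'), and that Autodir terminates a lingering backup with TERM, which the page does not state. It writes the archive to a temporary name in a dedicated backup directory and renames it only after tar succeeds.

```shell
#!/bin/sh
# Hypothetical Autodir backup helper (added example, not part of Autodir).
# Assumed invocation:  -b '/usr/local/sbin/autohome_backup %N %L'
# so that $1 is the user name and $2 is the real home directory under /autohome.
# The archive is written to a temporary name and renamed only when tar succeeds,
# so a backup that Autodir cuts short never leaves a truncated archive under the
# final name that a restore job could pick up.

autohome_backup() {
    user=$1
    home=$2
    dest=${3:-/var/backups/autohome}   # optional third argument, used by tests

    # Refuse names that could escape the backup directory when joined into a path.
    case $user in
        ''|*/*|.|..) echo "autohome_backup: refusing user name '$user'" >&2; return 1 ;;
    esac
    [ -d "$home" ] || { echo "autohome_backup: no such directory: $home" >&2; return 1; }
    mkdir -p "$dest" || return 1

    final="$dest/$user.tar"
    tmp="$final.partial.$$"

    # TERM is assumed (not stated on the page) to be what Autodir sends when it
    # gives up on the backup; drop the partial archive and exit non-zero.
    trap 'rm -f "$tmp"; exit 143' TERM INT

    # Archive the real home directory relative to its parent (e.g. /autohome),
    # so the archive contains "alice/..." rather than an absolute path.
    if tar -C "$(dirname "$home")" -cf "$tmp" "$(basename "$home")"; then
        mv -f "$tmp" "$final"
        trap - TERM INT
        return 0
    fi
    rm -f "$tmp"
    trap - TERM INT
    return 1
}

# Run only when invoked as a script with arguments (Autodir's -b call).
if [ $# -ge 2 ]; then
    autohome_backup "$@"
fi
```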
