Akkaya Consulting GmbH  AC-STB     

Intro

Today is the day: I am going to start a project which I've been thinking about for some time, a PAM module which pulls the user's home directory from a Subversion server at session start time and commits it when the session is closed. I recently had to restore my personal laptop from backup (as a security professional I'm sort of obliged to make backups ;). Since I make weekly backups of my personal laptop I recovered almost all of my data (most of my data is also on servers: IMAP, SVN, ...); however, I did lose a couple of (not yet backed up) files.

Concept

The primary goal is to provide users with (nearly) transparent versioning (and thus a backup) of their home directory, but it also closes a feature gap of UNIX: Windows allows user profiles to be stored on a server; they're copied to the working system at login time and copied back at logoff time. In the UNIX world NFS is commonly used to provide environment-wide access to home directories, but this doesn't allow users to access their data on disconnected systems (like laptops). While rsync helps to some degree (and we've actually set up our Linux laptops like that), it's somehow not really all that beautiful. In a company environment I would foresee this module being used in combination with NFS for stationary systems (the workstation type) and without it on mobile systems.

Another feature of this module I see strong potential in is the ability to configure different repository "views" for different systems/environments:
  • you would like to check out only certain directories on your Linux laptop because you really don't have the disk space for everything
  • you might like to use different file sets in different environments (your default system, the development systems, testing, ...)
  • ...
All of these can easily be set up by using svn:external references in your subversion repository like so:
  • home
    • jpabel
      • development
        • files/...
        • tools/...
      • testing
        • files/...
        • tools/...
      • misc
        • mp3s/...
        • downloads/...
      • ...
  • system
    • workstation
      • home
        • jpabel
          • development [svn:external -> https://svnserver/subversion/home/jpabel/development/]
          • testing [svn:external -> https://svnserver/subversion/home/jpabel/testing/]
          • misc [svn:external -> https://svnserver/subversion/home/jpabel/misc/]
    • laptop
      • home
        • jpabel
          • misc [svn:external -> https://svnserver/subversion/home/jpabel/misc]
In this scenario, I would check out https://svnserver/subversion/system/workstation/home/jpabel for my home directory on my workstation - the actual directories with content are then pulled in via the corresponding svn:external references. Naturally, one can set up just about any behaviour with svn:external as far as subversion repository/working copy layout is concerned - go wild.

Technical stuff

There are a few limitations and design aspects to be aware of:
  • the subversion server is configured as part of the PAM configuration; the user is not able to supply a freely chosen subversion server (or path within the server repository)
    • though they may reference other subversion repositories via the aforementioned svn:external approach as part of their home directory
    • the idea is to enforce some standard home directory base structure, which is initialized as part of the user creation procedure
  • PAM applications seem to open the session context earlier than one would imagine (i.e. before ssh/kdm/... change to the user's context via set[gu]id())
    • the system will therefore fork() the process and exec() a helper tool which will do the checking out and also do the same for checking in at the end of the session
  • (for now) the login credentials to the subversion server must match the supplied login credentials
    • a future version might be able to ask the user for other credentials or do some sort of processing on the supplied credentials (on the username, most likely)
  • (for now) the login credentials are stored in the PAM'ified process you're using (login, ssh, kde, ...) in order to use them automatically at logoff time
    • a future version might make this configurable and ask the user for credentials
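
The fork()/exec() step from the list above, sketched as an added example; it is not the project's code (none is published yet), and the names `run_helper_as` and `drop_to_user` are hypothetical. It shows the child dropping to the session user in the safe order before running the helper with a fixed environment.

```c
/* Added example, not the project's code: fork, drop to the session user,
 * exec a helper with a fixed environment, and report its exit status. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* initgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Become pw's user for good. Supplementary groups and gid must change
 * while still root; setuid() goes last; every return value is checked. */
static int drop_to_user(const struct passwd *pw)
{
    if (geteuid() != 0)  /* unprivileged caller: must already be that user */
        return (getuid() == pw->pw_uid && geteuid() == pw->pw_uid) ? 0 : -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* A non-root target must not be able to take root back. */
    return (pw->pw_uid != 0 && setuid(0) == 0) ? -1 : 0;
}

/* Run argv[0] as pw's user and return its exit status. 126 means the
 * privilege drop or chdir failed, 127 that exec failed, -1 that fork or
 * wait failed or the helper died on a signal. */
int run_helper_as(const struct passwd *pw, char *const argv[])
{
    char home[4096];
    snprintf(home, sizeof home, "HOME=%s", pw->pw_dir);
    /* Fixed environment: nothing inherited from login/sshd/kdm. */
    char *const envp[] = { home, "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* child */
        if (drop_to_user(pw) != 0 || chdir(pw->pw_dir) != 0)
            _exit(126);
        execve(argv[0], argv, envp);
        _exit(127);                          /* only reached if exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Inside a real module, the host application's SIGCHLD handler may reap the child first, so the handler is usually reset to the default around the fork and restored afterwards. Credentials for the helper are better passed over a pipe than on its command line, which other local users can read from the process list.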

Source code

As of right now there's none (I'm working on it) - I've just started on this and will publish as soon as I have a working version. The sources will be GPL licensed and it's very likely that this project will be hosted on SF once I've gotten to the point of publishing. If you want to contact me, send me an email - the mailbox is jpabel, the domain is akkaya and the tld is de.