AFS directory and file permissions
- Introduction
- ACLs and UNIX permissions
- Available permissions
- Groups
- Viewing permissions
- Setting permissions
Introduction
In AFS, Access Control Lists (ACLs) grant permissions on a per user
and group basis. Each directory has an ACL that controls the directory
and the files it contains.
There are seven permissions that may be granted, to either groups of users or individuals. Some system-defined groups exist, but you can define your own groups. ACLs always are applied to directories rather than to individual files. Some of the seven permission bits control access to the directory and some control access to the files within that directory.
Files are governed by the ACL on their directory. If you move a file, it gets
the access rights of its new directory. If you change the ACL on a
directory, access to all of its files changes.
Subdirectories inherit the
ACLs of their parent directory.
AFS ACLs and UNIX permissions
AFS ACLs work in conjunction with the standard
Unix "owner" permissions. Only the owner permissions have an effect
on AFS file access; Unix permissions for "group" and "other" do not
affect AFS file access.
These rules apply. A user with appropriate AFS permissions can:
- read a file only if the UNIX "owner read" mode is set.
- write to a file only if the UNIX owner "read" and "write" modes are set.
- execute a file only if the UNIX owner "read" and "execute" modes are set.
Suppose, for example, that an AFS file is to be readable by anyone in the world. Then it must have Unix permissions "owner read" and an AFS ACL "system:anyuser r", which gives read access to anyone in the world.
Suppose that a file is to be readable only by you and your friend. Then the Unix permission must still be set to "owner read", but the AFS ACL should contain "your-username r" and "friend-username r" (see below for descriptions of AFS permissions), with NO access given to system:anyuser.
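The rules above, worked through as an added shell example (not part of the original page): the hypothetical function effective_access takes a user's ACL rights on a file's directory and the file's octal UNIX mode, and prints the operations AFS would allow. It assumes that executing a file needs the ACL Read right, which this page does not state.

```shell
# has_right RIGHTS LETTER: succeeds if LETTER appears in the ACL rights string.
has_right() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# effective_access ACL_RIGHTS MODE (hypothetical helper, added for illustration)
#   ACL_RIGHTS  the user's rights on the file's directory, e.g. "rl"
#   MODE        the file's octal UNIX mode, e.g. 644
# Prints the allowed operations, space separated (empty line if none).
effective_access() {
    rights=$1
    # Keep only the owner triplet; "group" and "other" bits do not affect AFS access.
    owner=$(( (0$2 >> 6) & 7 ))
    out=""
    # read: ACL r plus UNIX owner read
    if has_right "$rights" r && [ $((owner & 4)) -ne 0 ]; then
        out="$out read"
    fi
    # write: ACL w plus UNIX owner read AND write
    if has_right "$rights" w && [ $((owner & 6)) -eq 6 ]; then
        out="$out write"
    fi
    # execute: ACL r (assumption) plus UNIX owner read AND execute
    if has_right "$rights" r && [ $((owner & 5)) -eq 5 ]; then
        out="$out execute"
    fi
    echo "${out# }"
}

# Constructed cases: mode 044 looks world-readable to plain UNIX tools,
# but with the owner read bit clear nobody can read the file in AFS.
echo "rl      + 644 -> $(effective_access rl 644)"
echo "rl      + 044 -> $(effective_access rl 044)"
echo "rlidwka + 200 -> $(effective_access rlidwka 200)"
```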
Available permissions
The following ACL permissions can be granted:
- Lookup (l), which allows a user to list the contents of the AFS directory, examine the ACL associated with the directory and access subdirectories.
- Insert (i), which allows a user to add new files or subdirectories to the directory.
- Delete (d), which allows a user to remove files and subdirectories from the directory.
- Administer (a), which allows a user to change the ACL for the directory. Users always have this right on their home directory, even if they accidentally remove themselves from the ACL.
- Read (r), which allows a user to look at the contents of files in a directory and list files in subdirectories. Files that are to be granted read access to any user, including the owner, need to have the standard UNIX "owner read" permission set. This can be done with the command chmod u+r filename.
- Write (w), which allows a user to modify files in a directory. Files that are to be granted write access to any user, including the owner, need to have the standard UNIX "owner write" permission set. This can be done with the command chmod u+w filename.
- Lock (k), which allows a user to run programs that need to "flock" files in the directory. See the UNIX man page for "flock" for more details.
Access groups
An AFS group is a defined list of users. You can grant the same access to many individuals at once by creating your own group and giving the group access through an ACL. You can define AFS groups with the pts command.
Three system-defined groups exist:
- system:anyuser includes everyone in the world who can gain access to your cell. This is a very broad group, and caution should always be used when granting any access to system:anyuser.
- system:authuser includes everyone who is currently authenticated in your cell.
- system:administrators includes only a few users in the cell who have been designated as AFS system administrators.
- usgrp includes members of the User Services staff and enables them to access your files during a consulting session.
Viewing the permissions of a directory
To display the ACL of a specific directory, type the command:
fs listacl directory-name
or
fs la directory-name
You will get information similar to the following:
Access list for mydir is
Normal rights:
system:anyuser rl
admin rl
lsmith rlidwka
This output indicates that:
- the group system:anyuser has Read and Lookup permissions,
- user admin has Read and Lookup permissions,
- user lsmith has all permissions.
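A listing like this can be checked mechanically for over-broad grants. The following added example (not part of the original page) reads fs listacl output on standard input and reports entries where system:anyuser or system:authuser can modify the directory, or where system:anyuser can read it. The function names audit_acl and sample_acl, the report labels, and the sample listing (the one above plus a system:authuser line) are constructed for illustration.

```shell
# sample_acl: constructed "fs listacl" output, so the example runs without AFS.
sample_acl() {
    cat <<'EOF'
Access list for mydir is
Normal rights:
  system:anyuser rl
  system:authuser rlidwk
  admin rl
  lsmith rlidwka
EOF
}

# audit_acl: read "fs listacl" output on stdin and print one finding per line.
#   MODIFY      a system-wide group holds insert, delete, write or administer
#   WORLD-READ  system:anyuser holds read
# Only the "Normal rights:" section grants access, so entries under a
# "Negative rights:" section are skipped.
audit_acl() {
    awk '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            who = $1; rights = $2
            if (who != "system:anyuser" && who != "system:authuser") next
            if (rights ~ /[idwa]/)
                print "MODIFY " who " " rights
            else if (who == "system:anyuser" && rights ~ /r/)
                print "WORLD-READ " who " " rights
        }
    '
}

sample_acl | audit_acl
```

Against a live cell the same function would be fed from the real command, for example fs listacl directory-name | audit_acl.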
Setting permissions
To set an ACL, use the fs setacl command:
fs setacl directory user rights
where:
- directory is the directory whose protections are to be changed. In particular, directory can be ".", the current directory.
- user normally specifies the name of the user, or group, to be given access.
- rights is a list of AFS permissions or a standard mnemonic. Recall that the permissions are any of the letters "rlidwka". There are several shorthand forms for common combinations of rights:
  - write, all rights except Administer
  - read, Read and Lookup rights
  - all, all seven rights
  - none, no rights, which can be used to remove permissions.
To give user brown read and lookup access to your current directory, for example, you would use the command:
fs setacl . brown rl
User brown will be added to the "normal rights" portion of the ACL. You can remove these rights by specifying permissions of "none" as follows:
fs setacl . brown none
You can use the -clear flag on the setacl command to erase an ACL, but make sure to grant yourself all seven rights at the same time. This ensures that you can access your own directory. The command format is:
fs setacl -clear directory your_user_name all
fs supplies online help for its various commands.