Chapter 7: The AFS File System

7.6 File and Directory Permissions

7.6.1 File Permissions

File permissions work quite differently from those in standard UNIX, which are described in section 6.6.1. In AFS, you can use the chmod command just as you would in a standard UNIX file system, but it behaves differently. Although all the permission bits on a file may be examined or changed in AFS, only the owner bits are actually used, and they apply to all users of the file (as permitted by the users' ACL settings; see below). To turn off write access to a particular file for all users, including the owner, you just need to turn off the owner write bit of the file.

7.6.2 Directory Permissions via Access Control Lists (ACLs)

All other AFS permissions are handled through Access Control Lists (ACLs), which take effect at the directory level only. Every directory has its own ACL that defines who can access the directory and its files. Each entry in an ACL consists of a username or an AFS protection group paired with a set of permissions (e.g., read, write). An AFS protection group is simply a list of usernames grouped to share a set of permissions in one or more ACLs. If a user matches two or more ACL entries (e.g., is a member of two groups listed in the ACL) with different permissions assigned, the user gets the union of the permissions.

The permissions granted in a directory's ACL represent the maximum permissions. If a file in the directory has more restrictive permissions set, the user is limited by the restrictions on the file. If a file has more lenient permissions set, the user is limited by the ACL entry.

ACL rights include:

l
    lookup rights (allows user to issue an ls command on files in the directory, examine the directory's ACL, and access the directory's subdirectories, which are protected by their own ACLs)

i
    insert rights (allows user to create new files or copy files into the directory)

d
    delete rights (allows user to remove files or move them to other directories)

a
    administer rights (allows user to change the ACL for a directory; note that you always have this right for your home directory even if you accidentally remove this ACL entry)

r
    read rights (allows user to look at the directory's contents and to read the data in the files contained in the directory)

w
    write rights (allows user to modify the contents of the files in the directory and to change the UNIX mode bits with the command chmod)

k
    lock rights (allows user to run programs that need to flock files in this directory; see the man pages for flock)

Rights may also be referred to by special names that designate commonly-assigned combinations of rights. These are called combination rights. The defined combination rights are:

write
    all rights but a (i.e. lidrwk)

read
    l and r rights only

all
    all rights (i.e. lidarwk)

none
    no rights; this removes the group's or user's entry from the ACL entirely

Combination rights can be used in commands, as shown in the examples in section 7.6.2.

A couple of notes:

Examining a Directory's ACL

You can examine a directory's ACL rights with the command:

% fs listacl /path/to/directory

This returns a listing of all the users/groups that have any permissions on the directory, and what the permissions are. The directory path can be absolute (starting from root) or relative to the current working directory. For example, if you run the command:

% fs listacl /afs/fnal.gov/files/wwwdocs/cd/webwg/tools

The system returns information in the format:

   Access list for /afs/fnal.gov/files/wwwdocs/cd/webwg/tools is
   Normal rights:
     lauram:www_cd_webwg_tools rlidwk
     nicholls:www_cd rlidwk
     hanson:newsmachine rlidwka
     nicholls:wwwdocs rlidwka
     system:administrators rlidwka
     system:anyuser rl

The group lauram:www_cd_webwg_tools has read, lookup, insert, delete, write, and lock permissions in this directory (all but administer permission), i.e. the group has write rights. Any member of that group has these permissions in this directory.
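The rules from this section (union of matching ACL entries, the ACL as a ceiling, and the file's owner write bit applying to everyone) modelled as an added Python example; this is not code from the Fermilab manual. The sample listing is copied from the output shown above, while the user names and group memberships passed to the functions are constructed.

```python
import re

RIGHTS = "rlidwka"
COMBINATIONS = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

# Constructed sample: the fs listacl output quoted for the webwg/tools directory.
SAMPLE_LISTACL = """\
Access list for /afs/fnal.gov/files/wwwdocs/cd/webwg/tools is
Normal rights:
  lauram:www_cd_webwg_tools rlidwk
  nicholls:www_cd rlidwk
  hanson:newsmachine rlidwka
  nicholls:wwwdocs rlidwka
  system:administrators rlidwka
  system:anyuser rl
"""

def expand(spec):
    """Turn a rights spec (letters or a combination name) into a set of letters."""
    return set(COMBINATIONS.get(spec, spec))

def parse_listacl(text):
    """Return {principal: rights} from the 'Normal rights' section of fs listacl."""
    acl = {}
    for line in text.splitlines():
        if line.startswith("Negative rights:"):  # not covered in this chapter
            break
        m = re.match(r"\s+(\S+)\s+([rlidwka]+)$", line)
        if m:
            acl[m.group(1)] = expand(m.group(2))
    return acl

def effective_rights(acl, user, groups):
    """Union of every entry naming the user, one of the user's groups, or
    system:anyuser (which matches everyone, authenticated or not)."""
    rights = set()
    for principal in {user, "system:anyuser", *groups}:
        rights |= acl.get(principal, set())
    return rights

def can_write_file(dir_rights, file_mode):
    """The directory ACL is the ceiling; within it only the file's owner write
    bit (0o200) is consulted, and it applies to every user (section 7.6.1)."""
    return "w" in dir_rights and bool(file_mode & 0o200)

def anyuser_beyond_read(acl):
    """Rights granted to system:anyuser beyond lookup and read; a non-empty
    result means unauthenticated users can change the directory."""
    return sorted(acl.get("system:anyuser", set()) - {"r", "l"})
```

Running anyuser_beyond_read over the ACLs of a web tree is a quick way to confirm that system:anyuser has been left at rl as recommended below.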

Adding/Changing/Deleting a Directory's ACL

You can modify a directory's ACL for a particular AFS group or for an individual using the fs setacl command. The fs setacl command only changes the ACL for a single directory, not for a directory tree. The command syntax is:

% fs setacl -dir /path/to/directory -acl group permission(s)

where group is either a group or an individual username. When it is a group, it must be entered in the format {group_owner}:{group_name}.

We recommend that you generally define ACL entries for groups rather than individuals; it is much easier to maintain. When you need to add or remove permissions for an individual, it is easier to add or remove the user from one or more groups than to track down every directory in whose ACL the user appears.

The directory path in the command can be absolute (starting from root) or relative to the current working directory. Any pre-existing permissions for the group or individual are invalidated; the specified permissions collectively become the new set of permissions. The permissions apply to all members of the specified group.

For example, to modify the ACL for the current directory (.) to include only read and lookup rights for any user (including unauthenticated users), enter:

% fs setacl -dir . -acl system:anyuser rl

or, using combination rights syntax:

% fs setacl -dir . -acl system:anyuser read

See the combination rights (e.g., read) in section 7.6.2. The group system:anyuser is described in section 7.7.

A note for Web page providers: set the permissions for system:anyuser to rl on directories containing files that you want to make accessible via a Web browser.

To remove all permissions in an ACL for a particular group (or individual), issue the fs setacl command with no permissions, e.g.,

% fs setacl -dir /path/to/directory -acl group ""

or, using combination rights syntax:

% fs setacl -dir /path/to/directory -acl group none

See man fs_listacl and man fs_setacl for further information. (Note the underscores in the man command.)

UNIX at Fermilab - 10 Apr 1998