
Chapter 7: The AFS File System

7.8 Implications of ACLs and Examples

The implementation of security in our Fermilab AFS cell is based on the notion that sharing information is more important than trying to protect it. Therefore, in most cases, the default has been to set ACLs to have the least security that is still reasonable. As currently implemented, all user home directories come with their ACL set so that system:anyuser has rl (read and lookup) permissions. A Mail subdirectory (used by the MH mail readers) is provided with more secure permissions.

The practical implication of this is that anyone on the internet running an AFS client can read your files, unless you change the ACL. Home directories are writable only by their owners (that is, the owner has rldiwka permission), but the world can read them. This is probably fine in many cases, but you should be aware of it and protect your files as you see fit, according to the guidelines presented below.

7.8.1 Protecting your Subdirectories

You can protect any single directory by changing its ACL to turn off permission for system:anyuser as well as for other users or groups that should be denied permissions. For example, if you use the mail reader pine, you may want to protect the message subdirectory mail. To make it completely inaccessible by system:anyuser, you'd issue this command:

% fs setacl $HOME/mail system:anyuser none

On the other hand, if you need to allow others to write into any of your directories, the default permission is too constraining. Say you are in a collaborative effort with user mrchips. You could allow him full permission in your shared directory by issuing the command:

% fs setacl $HOME/shared mrchips all

Recall from section 7.6.2 that if a user is in two or more groups that have different permissions on a directory, the user gets the union of the permissions.

Also, recall from section 7.6.2 that the fs setacl command only changes the permissions of a single directory. If you have a directory hierarchy on which you want to change permissions, you'll have to use a UNIX command that traverses down the tree and changes each directory as it goes. The find command can be used (see section 6.4.1), but it must be used judiciously in the AFS environment! This is not recommended for inexperienced UNIX users (see section 7.11.2). As an extension of the above example, say you had a directory hierarchy under shared to which you wanted to allow mrchips full access. The find command could be used instead of a plain fs setacl, as follows:

% find $HOME/shared -type d -print -exec fs setacl -dir {} -acl mrchips all \;

This would traverse down from the shared directory, changing the ACL of each directory it finds. The -print argument causes find to print the name of every directory it encounters, allowing you to monitor the progress.

Protecting your Home Directory

We strongly recommend that you make your home directory world readable, and simply keep your private files in protected subdirectories. That said, ...

We do not recommend that you set the ACL on your home directory such that system:anyuser has no permissions (i.e., the rights combination none) in order to keep your top level directory private. There are at least a couple of undesirable consequences:

If for some reason you really want to protect your home directory, you can do so to the extent that only l (lookup) permission is granted. However, you must make sure that any files that must be world readable, such as your .forward file, remain accessible. Be aware that it is not always obvious which files must remain world readable in order to preserve the behavior of your environment. You can protect your home directory as follows (proceed with caution!):

  1. Every AFS home directory is created with a subdirectory called public. Move the files that must remain world readable into this directory.
  2. For each file moved into public, create a symbolic link in your home directory to the file in the public directory. Use the same filename.
  3. After all the necessary files are moved and linked, then shut off all permissions except l (lookup) on your home directory.

Note that you must leave the l permission turned on or programs won't be able to find the file in public via the symbolic link.

Here is a sample session, assuming the only file that must remain world readable is .forward (there would actually be many files). It would be run from the user's home directory:

% mv .forward public/.forward
% ln -s public/.forward .forward
% fs setacl . system:anyuser l

UNIX at Fermilab - 10 Apr 1998
