University Computing Systems
AFS Permissions
Contents:
- How to Set AFS Permissions
- AFS system:anyuser Permissions
- Resetting Permissions
Seven rights are predefined by AFS: four control access to a directory and
three control access to all of the files in a directory.
The four directory rights are:
- lookup (l)
  - use ls to list files and directories within the given directory
  - examine the ACL (access control list) of the directory
  - access the directory's subdirectories (which are protected by their own ACLs)
- insert (i)
  - add files to a directory, either by creating new files or copying existing files
  - create new subdirectories
- delete (d)
  - remove files from the directory or move files to another directory (where the user has the right to do so)
  - remove subdirectories from directories where the user has the insert right
- administer (a) -- modify the ACL
The three rights that affect all of the files in a directory are:
- read (r) -- read file content and query file status
- write (w) -- write file content and change the Unix permission modes
- lock (k) -- use full-file advisory locks
Notes
Files
- A single ACL (access control list) on a directory controls access to the directory and to all files in the directory.
- The Unix group and world permission bits are completely ignored.
- The Unix user permission bits are the final modifiers of access to the file for any user who is permitted access by the ACL: the Unix r bit gives anyone with an ACL containing rl the right to read the file.
- The Unix user w bit gives anyone with an ACL containing wl the right to write to a file; without the Unix w bit set, no one may write to a file.
- The Unix user x bit gives anyone with an ACL containing rl the right to execute a file; without the Unix x bit set, no one may execute a file.
Directories
- For directories, all nine Unix permission bits, as well as the owner and group name, are completely ignored; only the four AFS ACL rights (lida) are used.
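The interaction between the directory ACL and the file's Unix owner bits is easy to get backwards, so here is an added example (not part of the NJIT page) that encodes the rules just stated: given the AFS rights string the ACL grants a user and the file's owner bits, it reports what that user can do with the file. The function name and its arguments are my own; the sample calls at the bottom are constructed.

```sh
#!/bin/sh
# Added example (not from the NJIT page): applies the rules above to decide
# what a user can do with a file, given the AFS rights the directory ACL
# grants that user and the file's Unix *owner* permission bits.  Group and
# world bits are ignored, exactly as the page states.  Function and argument
# names are my own.

# effective_access RIGHTS OWNERBITS
#   RIGHTS    - the AFS rights string the ACL grants the user, e.g. "rl"
#   OWNERBITS - the file's Unix owner bits as three characters, e.g. "rw-"
# Prints the operations allowed ("read", "write", "execute"), or "none".
effective_access() {
  acl=$1
  ubits=$2
  ur=${ubits%??}                 # first character: owner r bit
  ux=${ubits#??}                 # last character: owner x bit
  uw=${ubits#?}; uw=${uw%?}      # middle character: owner w bit
  out=""

  # Without the lookup right on the directory the file cannot be reached at
  # all, so none of the file rights matter.
  case "$acl" in
    *l*) ;;
    *)   echo none; return 0 ;;
  esac

  # read:    ACL r  AND Unix owner r
  case "$acl" in *r*) if [ "$ur" = r ]; then out="$out read"; fi ;; esac
  # write:   ACL w  AND Unix owner w  (no one can write without the w bit)
  case "$acl" in *w*) if [ "$uw" = w ]; then out="$out write"; fi ;; esac
  # execute: ACL r  AND Unix owner x  (no one can execute without the x bit)
  case "$acl" in *r*) if [ "$ux" = x ]; then out="$out execute"; fi ;; esac

  if [ -n "$out" ]; then
    echo "${out# }"
  else
    echo none
  fi
}

# Constructed examples: a world-readable web directory (system:anyuser rl)
# holding a file whose owner bits are rw- lets anyone read, but not write
# or run, that file.
effective_access rl rw-          # read
effective_access rlidwka rwx     # read write execute
effective_access rlidwka r--     # read
effective_access rw rwx          # none (no lookup right)
```

The practical consequence is the one the page draws: turning off the owner w or x bit on a file is a hard stop for everyone, while an ACL entry without l is a hard stop for that user regardless of the Unix bits.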
How to Set AFS Permissions
A user can set any AFS permissions:
- anywhere in his/her login directory tree
- anywhere in the directory tree of a directory he/she has created
The syntax for setting AFS permissions is:
fs setacl <directory> <username> <perms>
To set permissions in the working directory:
fs sa . <username> <perms>
sa is shorthand for setacl.
username is any user with an account in the AFS system, plus special users, which include system:anyuser.
The AFS permissions that can be set are:
- read (r) : read file content and query file status
- lookup (l) : list the contents of a directory
- insert (i) : add files or subdirectories to a directory
- delete (d) : delete entries from a directory
- write (w) : write file content and change Unix permission modes
- lock (k) : use full-file advisory locks
- administer (a) : modify the ACL (access control list)
The following are shortcuts:
- all : gives all rights - rlidwka
- write : gives rlidwk rights
- read : gives rl rights
- none : removes all rights
Examples:
fs sa ~/public_html abc89 rlid
gives user abc89 rlid rights in your public_html directory
fs sa . system:anyuser rl
gives the user system:anyuser rl rights in the current directory
fs sa ~ system:anyuser rl
gives the user system:anyuser rl rights in your login directory
fs sa ~/public_html abc1234 none
removes all rights for user "abc1234" in your public_html directory
To see what permissions are in effect in a directory:
fs listacl <path_to_directory>
or
fs la <path_to_directory>
Examples:
List the permissions in the current directory
fs la
List the permissions in your login directory
fs la ~
List the permissions in your public_html directory
fs la ~/public_html
AFS system:anyuser Permissions
The AFS permission in a directory
system:anyuser rl
permits any user who is logged in to an NJIT machine running AFS to look at (read) any file in that directory (provided that user has at least l permission on every directory in the path up to the directory in question).
To see the AFS permissions on a directory:
fs la <dir_name>
To keep everyone from reading the files in a directory, do the following in a directory you want to be private. From anywhere in your login directory tree, including your login directory (~):
mkdir priv.stuff
(priv.stuff can be any name)
fs sa priv.stuff system:anyuser none
When the above is done, no file in priv.stuff can be read by anyone but the owner of priv.stuff -- i.e., you.
[If you have given other users access to directories in your account, make sure that they do not have rights in priv.stuff (fs la priv.stuff will show who has rights there). Remove rights for other users with fs sa priv.stuff <other_user> none.]
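As an added example (not from the NJIT page), the shell audit below parses fs la output so the two checks just described (is system:anyuser able to read this directory, and who else still has rights here) can be done by script rather than by eye. The ACL text is constructed to look like fs listacl output and the user names in it are invented; rights_of, is_world_readable and revoke_plan are my own names. Nothing here runs fs: revoke_plan only prints the fs sa ... none commands for review.

```sh
#!/bin/sh
# Added example (not from the NJIT page): audits the output of "fs la" for a
# directory.  SAMPLE_ACL is constructed to look like real fs listacl output;
# the principal names and the helper names are my own.  Nothing here runs fs
# itself: revoke_plan only prints the "fs sa ... none" commands you would
# review and then run.

SAMPLE_ACL='Access list for priv.stuff is
Normal rights:
  system:administrators rlidwka
  abc89 rlidwka
  system:anyuser rl
  jsmith rlidwk'

# rights_of ACL_TEXT PRINCIPAL  -> prints that principal's rights, or nothing
rights_of() {
  printf '%s\n' "$1" | awk -v who="$2" 'NF == 2 && $1 == who { print $2; exit }'
}

# is_world_readable ACL_TEXT  -> succeeds when system:anyuser has both r and l,
# which is what lets any logged-in AFS user read the files in the directory
is_world_readable() {
  r=$(rights_of "$1" system:anyuser)
  case "$r" in
    *r*l*|*l*r*) return 0 ;;
    *)           return 1 ;;
  esac
}

# revoke_plan ACL_TEXT DIR OWNER -> one "fs sa DIR PRINCIPAL none" line for
# every principal in the Normal rights section other than OWNER.
# system:administrators is the cell's built-in admin group (an assumption;
# the page does not mention it) and is left alone.
revoke_plan() {
  printf '%s\n' "$1" | awk -v dir="$2" -v owner="$3" '
    /^Normal rights:/   { section = "normal";   next }
    /^Negative rights:/ { section = "negative"; next }
    section == "normal" && NF == 2 && $1 != owner && $1 != "system:administrators" {
      printf "fs sa %s %s none\n", dir, $1
    }'
}

# Demonstration on the constructed ACL, as the owner abc89 would run it.
if is_world_readable "$SAMPLE_ACL"; then
  echo "priv.stuff is readable by every AFS user; commands that would fix it:"
  revoke_plan "$SAMPLE_ACL" priv.stuff abc89
fi
```

On a real system the ACL text would come from fs la priv.stuff; keeping the parsing separate from the fs sa calls means the list of principals losing rights is visible before anything changes.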
Resetting Permissions
To reset AFS permissions in an entire directory tree, the following
program can be used:
/usr/ucs/bin/set.afs.perms.recur
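The program above is NJIT-specific and its behaviour is not described on this page. As an added example, and not that program, the shell function below shows what a recursive reset involves: an ACL belongs to a single directory (a new subdirectory copies its parent's ACL when it is created, and later changes to the parent do not propagate down), so resetting a tree means visiting every directory under a root and issuing fs sa for each. It only prints the commands, here on a constructed temporary tree, so the list can be reviewed before being piped to sh; acl_commands_for_tree is my own name.

```sh
#!/bin/sh
# Added example (not from the NJIT page, and not the set.afs.perms.recur
# program, whose behaviour is not described there): prints the fs sa command
# that would give PRINCIPAL the rights PERMS in every directory under ROOT.
# It never runs fs; review the output, then pipe it to sh to apply it.

# acl_commands_for_tree ROOT PRINCIPAL PERMS
acl_commands_for_tree() {
  root=$1; who=$2; perms=$3
  if [ ! -d "$root" ]; then
    echo "not a directory: $root" >&2
    return 1
  fi
  # -type d includes ROOT itself; sort gives a stable, parent-first order.
  # The path is single-quoted so the output is safe to feed to sh even when
  # a directory name contains spaces.
  find "$root" -type d | sort | while read -r d; do
    printf "fs sa '%s' %s %s\n" "$d" "$who" "$perms"
  done
}

# Demonstration on a constructed tree in a temporary directory: four
# directories (the root, public_html, public_html/img and priv.stuff), so
# four commands are printed.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/public_html/img" "$demo_root/priv.stuff"
acl_commands_for_tree "$demo_root" system:anyuser none
rm -rf "$demo_root"
```

Used against a real login directory this would print one line per directory; the usual reason to run it with system:anyuser none is the same as in the priv.stuff example above, applied to a whole subtree at once.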