About

AFS uses access control lists (ACLs) to determine permissions for accessing data. An ACL is a set of Kerberos instances, IP addresses, and/or AFS groups, each with an associated set of AFS permissions. For example, the ACL for the directory /afs/cs.cmu.edu/user/bovik has entries for:

  wwwsrv:http-ftp rl
  system:anyuser rl
  bovik rlidwka

The above ACL gives just "read" and "lookup" rights to the special groups wwwsrv:http-ftp and system:anyuser, and all AFS ACL permissions to the user "bovik".
ACLs allow very flexible control over who may access data in AFS. Some features of ACLs and AFS access permissions are:
- ACLs apply only to directories in AFS, not to files.
- AFS ignores standard Unix permissions (the ones you set with the chmod command), with the exception of the file owner mode bits (see the section below on protecting individual files for details).
- The owner of a directory can always change the ACL on that directory, no matter what the ACL is (so you can fix things if you accidentally remove yourself from the ACL of a directory you own).
- When you create a directory, it automatically inherits the ACL of its parent directory.
- In order to access a subdirectory, one must have "l" (lookup) permissions on all parent directories.
Important note: Because top-level AFS user directories in SCS are created by default with fairly liberal ACLs, you may need to take special precautions to protect confidential information in AFS. For example, the "mbox" file created by some Unix mail programs and Emacs "shell.CKP" files will not be protected by the standard Unix permissions if they are created in AFS. You should make sure that directories that are used to store e-mail and other sensitive files have appropriate ACLs.
There are seven standard AFS permissions, each referred to by one of the letters r, l, i, d, w, k and a. The l, i, d and a permissions apply to directories, and the r, w and k permissions apply to the files in a directory.
- l (lookup): Allows one to list the contents of a directory. It does not allow the reading of files.
- i (insert): Allows one to create new files in a directory or copy new files to a directory.
- d (delete): Allows one to remove files and sub-directories from a directory.
- a (administer): Allows one to change a directory's ACL. The owner of a directory can always change the ACL of a directory that s/he owns, along with the ACLs of any subdirectories in that directory.
- r (read): Allows one to read the contents of files in the directory.
- w (write): Allows one to modify the contents of files in a directory and use chmod on them.
- k (lock): Allows programs to lock files in a directory.
Normal and negative AFS permissions
An ACL entry can be either "normal" or "negative". Normal rights grant the specified access permissions, while negative rights cancel specific permissions for a user or group that would otherwise be granted by the ACL.
How to list and change AFS ACLs
The fs command (which should be in /usr/local/bin on Facilitized Unix hosts) is used to list and change ACLs. When specifying directory rights using fs, the following shortcuts may be used:
- all: Means the same as rlidwka (all rights).
- read: Means the same as rl (read and lookup rights).
- write: Means the same as rlidwk (all rights except the ability to change the ACL).
- none: Removes the entry from the ACL (removing both any positive and negative rights that may exist).
How to list an ACL

The command fs listacl <directory-name> will list the ACL of a directory ("listacl" is usually abbreviated to "la"). For example:

  fs la /afs/cs/user/bovik

will produce the output:

  Access list for /afs/cs/user/bovik is
  Normal rights:
    wwwsrv:http-ftp rl
    system:anyuser rl
    bovik rlidwka

You can use the command fs help listacl to list the complete set of options.
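A small audit helper, added here as an example (it is not part of the SCS help page or the OpenAFS tools): it reads the output of fs listacl, applies the normal/negative semantics described above to compute each principal's effective rights, and flags entries that commonly leak data, namely system:anyuser or system:authuser holding anything beyond rl, or a principal other than the directory owner holding "a". The audit_tree wrapper assumes the fs command is on PATH; the sample listacl text in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the SCS help page): audit `fs listacl` output
# and compute each principal's effective rights.
#
# analyze_acl OWNER  reads `fs listacl <dir>` output on stdin and prints
# one line per principal: "<principal> <effective-rights>[ RISKY]".
# Effective rights are the normal rights minus any negative rights for
# the same principal. An entry is flagged RISKY when system:anyuser or
# system:authuser holds anything beyond rl, or when a principal other
# than OWNER holds "a" (administer). Returns 1 if anything was flagged.
analyze_acl() {
    owner="$1"
    awk -v owner="$owner" '
        /^Access list for/  { next }            # header line, no entry
        /^Normal rights:/   { mode = "n"; next }
        /^Negative rights:/ { mode = "g"; next }
        NF == 2 && mode == "n" { normal[$1] = $2; seen[$1] = 1 }
        NF == 2 && mode == "g" { neg[$1] = $2;    seen[$1] = 1 }
        END {
            risky = 0
            for (p in seen) {
                eff = ""
                n = normal[p]; g = neg[p]
                # keep each normal right unless the same letter is negated
                for (i = 1; i <= length(n); i++) {
                    c = substr(n, i, 1)
                    if (index(g, c) == 0) eff = eff c
                }
                flag = ""
                if ((p == "system:anyuser" || p == "system:authuser") && eff ~ /[idwka]/) flag = " RISKY"
                if (p != owner && index(eff, "a") > 0) flag = " RISKY"
                if (flag != "") risky = 1
                printf "%s %s%s\n", p, (eff == "" ? "-" : eff), flag
            }
            exit risky
        }'
}

# audit_tree OWNER ROOT  runs the check on ROOT and every subdirectory
# (assumes the fs command is on PATH) and names directories worth a look.
audit_tree() {
    owner="$1"; root="$2"
    find "$root" -type d | while read -r d; do
        fs listacl "$d" | analyze_acl "$owner" >/dev/null || echo "check ACL: $d"
    done
}
```

Usage: `fs la /afs/cs/user/bovik | analyze_acl bovik` prints the effective rights and exits non-zero if anything was flagged; `audit_tree bovik /afs/cs/user/bovik` does the same for a whole tree. A user whose normal entry is rlidwka and whose negative entry is a ends up with rlidwk, which is how negative entries are meant to be read.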
How to add a user or group to an ACL

The command fs setacl -dir <directory> -acl <acl entries> will add the given ACL entries to the given directory. For example:

  fs setacl -dir /afs/cs/user/bovik -acl jsmith rl

will give the user "jsmith" read and lookup rights on the directory /afs/cs/user/bovik. As a shortcut, you can abbreviate "setacl" to "sa" and/or leave out the "-dir" and "-acl" as long as you maintain the arguments in the order given in the above example:

  fs sa /afs/cs/user/bovik jsmith rl

is the same command as the previous example, but using abbreviated syntax.
You can also use the "-clear" switch on a fs setacl command to completely clear the previous ACL when setting new entries. Be careful not to remove your own administrative rights when doing so.
How to remove a user or group from an ACL

To remove a user or group from an ACL, assign the user or group the access permission "none". For example:

  fs setacl -dir /afs/cs/user/bovik -acl jsmith none

would remove the user "jsmith" from the access list for /afs/cs/user/bovik.
How to set negative ACL entries

To set a negative ACL entry, use the -negative switch to the appropriate fs command. For example:

  fs setacl -dir /afs/cs/user/bovik -acl jsmith rl -negative

would set negative read and lookup rights for user "jsmith".
How to copy ACLs

To copy the ACL of dir1 to dir2, use the command:

  fs copyacl -fromdir <dir1> -todir <dir2>

This command will copy all ACL entries from dir1 to dir2, overwriting those on dir2 that already exist and keeping the ones that don't conflict with ACL entries on dir1. You can use the "-clear" switch to completely replace the ACL of dir2.
If you want to set an ACL for a directory in AFS and all of its sub-directories, you can use the fsr command. The fsr command uses the same syntax as the fs command for listing and changing AFS ACLs. Unlike fs, fsr operates on the specified folder and all subfolders.
fsr setacl /afs/cs.cmu.edu/user/example/public -acl system:anyuser rl
The above command would add the ACL entry system:anyuser rl to the directory /afs/cs.cmu.edu/user/example/public and all of its subdirectories.
AFS ignores all but the owner Unix mode bits on files. Turning off the "r" bit removes read access to a file for everyone, including the owner. Turning off the "w" bit removes write access to a file for everyone, including the owner. Turning off the "x" bit disallows execution of a file for everyone, including the owner.
fs setacl /afs/cs/user/bovik/private bovik all -clear
Note that this command will remove all access for others to all subdirectories of the given directory. If you want others to access subdirectories, but still prevent reading of files in the top-level directory, you should add "l" access for selected users or groups to the top-level directory's ACL.
A "drop box" directory is a directory that people can copy files into but cannot read, delete, or overwrite files already in. For example, if one were teaching a class, one could use such a directory as an upload area for homework. To create such a directory, create a private directory and then add "il" only rights for the pts group or user that should be able to create files in that directory.
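The private-directory command above and the drop-box procedure, written as shell functions. This is an added example, not code from the SCS help page; it assumes the fs command is on PATH (the AFS_FS variable lets you substitute echo for a dry run), and the group name cs101:students in the usage note is constructed. The owner entry is given in the same setacl call as -clear so that clearing the inherited ACL can never leave the directory without an administrator.

```shell
#!/bin/sh
# Added example (not from the SCS help page): the private-directory and
# drop-box procedures as shell functions. AFS_FS names the AFS fs command;
# set AFS_FS=echo to dry-run and see the exact commands that would be issued.
AFS_FS=${AFS_FS:-fs}

# make_private DIR OWNER  creates DIR if needed and replaces its ACL with a
# single entry giving OWNER all rights. Because -clear wipes every inherited
# entry, the owner entry is set in the same command so nobody is locked out.
make_private() {
    dir="$1"; owner="$2"
    [ -n "$dir" ] && [ -n "$owner" ] || { echo "usage: make_private DIR OWNER" >&2; return 2; }
    mkdir -p "$dir" || return 1
    "$AFS_FS" setacl -dir "$dir" -acl "$owner" all -clear
}

# make_dropbox DIR OWNER SUBMITTERS  builds on make_private: SUBMITTERS (a pts
# user or group) gets only i (insert) and l (lookup), so they can copy files in
# but cannot read, overwrite or delete what is already there.
make_dropbox() {
    dir="$1"; owner="$2"; submitters="$3"
    [ -n "$submitters" ] || { echo "usage: make_dropbox DIR OWNER SUBMITTERS" >&2; return 2; }
    make_private "$dir" "$owner" || return 1
    "$AFS_FS" setacl -dir "$dir" -acl "$submitters" il
}
```

Usage: `make_dropbox /afs/cs/user/bovik/hw1 bovik cs101:students` locks the directory to bovik and then grants the group il. Run `fs la` on the result afterwards: the only entries should be the owner with rlidwka and the submitters with il, and nothing from the parent directory should have survived the -clear.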
Additional information

The following links will open in a new browser window:
- OpenAFS documentation on protecting files & directories
- Comprehensive information on using AFS ACLs