Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University
 

AFS ACLs

About

AFS uses access control lists (ACLs) to determine permissions for accessing data. An ACL is a set of Kerberos instances, IP addresses, and/or AFS groups along with an associated AFS permission. For example, the ACL for the directory /afs/cs.cmu.edu/user/bovik has entries for:
   wwwsrv:http-ftp rl
   system:anyuser rl
   bovik rlidwka
The above ACL gives just "read" and "lookup" rights to the special groups wwwsrv:http-ftp and system:anyuser, and all AFS ACL permissions to the user "bovik".

ACLs allow very flexible control over who may access data in AFS. Some features of ACLs and AFS access permissions are:

  • ACLs apply only to directories in AFS, not to files.
  • AFS ignores standard Unix permissions (the ones you set with the chmod command), with the exception of the file owner mode bits (see the section below on protecting individual files for details).
  • The owner of a directory can always change the ACL on that directory, no matter what the ACL is (so you can fix things if you accidentally remove yourself from the ACL of a directory you own).
  • When you create a directory, it automatically inherits the ACL of its parent directory.
  • In order to access a subdirectory, one must have "l" (lookup) permissions on all parent directories.

Important note: Because top-level AFS user directories in SCS are created by default with fairly liberal ACLs, you may need to take special precautions to protect confidential information in AFS. For example, the "mbox" file created by some Unix mail programs and Emacs "shell.CKP" files will not be protected by the standard Unix permissions if they are created in AFS. You should make sure that directories that are used to store e-mail and other sensitive files have appropriate ACLs.

AFS permissions and their meaning

There are seven standard AFS permissions, each referred to by one of the letters r, l, i, d, w, k and a. The lida permissions apply to directories and the rwk permissions apply to files.

Directory permissions

l (lookup)
Allows one to list the contents of a directory. It does not allow the reading of files.
i (insert)
Allows one to create new files in a directory or copy new files to a directory.
d (delete)
Allows one to remove files and sub-directories from a directory.
a (administer)
Allows one to change a directory's ACL. The owner of a directory can always change the ACL of a directory that s/he owns, along with the ACLs of any subdirectories in that directory.

File permissions

r (read)
Allows one to read the contents of files in the directory.
w (write)
Allows one to modify the contents of files in a directory and use chmod on them.
k (lock)
Allows programs to lock files in a directory.

Normal and negative AFS permissions

An ACL can be either "normal" or "negative". Normal rights grant the specified access permissions, while negative rights allow one to cancel specific permissions for a user or group on an ACL.

How to list and change AFS ACLs

The fs command (which should be in /usr/local/bin on Facilitized Unix hosts) is used to list and change ACLs. When specifying directory rights using fs, the following shortcuts may be used:

all
Means the same as rlidwka (all rights).
read
Means the same as rl (read and lookup rights).
write
Means the same as rlidwk (all rights except the ability to change the ACL).
none
Removes the entry from the ACL (removing both any positive and negative rights that may exist).

How to list an ACL

The command fs listacl <directory-name> will list the ACL of a directory ("listacl" is usually abbreviated to "la"). For example:
   fs la /afs/cs/user/bovik
will produce the output:
   Access list for /afs/cs/user/bovik is
   Normal rights:
     wwwsrv:http-ftp rl
     system:anyuser rl
     bovik rlidwka
You can use the command fs help listacl to list the complete set of options.

How to add a user or group to an ACL

The command fs setacl -dir <directory> -acl <acl entries> will add the given ACLs to the given directory. For example:
   fs setacl -dir /afs/cs/user/bovik -acl jsmith rl 
will give the user "jsmith" read and lookup rights on the directory /afs/cs/user/bovik. As a shortcut, you can abbreviate "setacl" to "sa" and/or leave out the "-dir" and "-acl" as long as you maintain the arguments in the order given in the above example:
   fs sa /afs/cs/user/bovik jsmith rl
is the same command as the previous example, but using abbreviated syntax.

You can also use the "-clear" switch on a fs setacl command to completely clear the previous ACL when setting new entries. Be careful not to remove your own administrative rights when doing so.

How to remove a user or group from an ACL

To remove a user or group from an ACL, assign the user or group the access permission "none". For example:
   fs setacl -dir /afs/cs/user/bovik -acl jsmith none
would remove the user "jsmith" from the access list for /afs/cs/user/bovik.

How to set negative ACL entries

To set a negative ACL entry, use the -negative switch to the appropriate fs command. For example:
   fs setacl -dir /afs/cs/user/bovik -acl jsmith rl -negative
would set negative read and lookup rights for user "jsmith".
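
The following is an added example, not part of the original page. It shows how normal and negative rights combine: a user's effective rights are the union of every matching normal entry (the user's own and those of groups the user belongs to) minus the union of the matching negative entries. It reads `fs listacl` output on stdin; the function name `effective_rights` and the sample ACL are constructed for illustration, and group membership is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original page): compute the rights a user ends
# up with from `fs listacl` output, including Negative rights.

# effective_rights USER [GROUP...]
# Reads the ACL of ONE directory on stdin. Result = union of the Normal
# entries matching USER or a listed group, minus the union of the matching
# Negative entries. Group membership is supplied by the caller.
effective_rights() {
    awk -v ids="$*" '
        BEGIN {
            n = split(ids, a, " ")
            for (i = 1; i <= n; i++) member[a[i]] = 1
        }
        /Normal rights:/   { section = "pos"; next }
        /Negative rights:/ { section = "neg"; next }
        NF == 2 && ($1 in member) {
            for (i = 1; i <= length($2); i++) {
                c = substr($2, i, 1)
                if (section == "pos") grant[c] = 1
                if (section == "neg") deny[c] = 1
            }
        }
        END {
            order = "rlidwka"; out = ""
            for (i = 1; i <= length(order); i++) {
                c = substr(order, i, 1)
                if ((c in grant) && !(c in deny)) out = out c
            }
            print out
        }
    '
}

# Constructed sample: the page's example ACL plus a negative entry for jsmith.
SAMPLE_ACL='Access list for /afs/cs/user/bovik is
Normal rights:
  wwwsrv:http-ftp rl
  system:anyuser rl
  bovik rlidwka
Negative rights:
  jsmith rl'

for ids in "bovik system:anyuser" "jsmith system:anyuser" "system:anyuser"; do
    printf '%-24s -> "%s"\n' "$ids" \
        "$(printf '%s\n' "$SAMPLE_ACL" | effective_rights $ids)"
done
```

The negative entry removes "rl" from jsmith even though system:anyuser grants it, while the system:anyuser entry itself still grants "rl" to everyone else.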

How to copy ACLs

To copy an ACL for dir1 to dir2 use the command:
   fs copyacl -fromdir <dir1> -todir <dir2>
This command will copy all ACL entries from dir1 to dir2, overwriting those on dir2 that already exist and keeping the ones that don't conflict with ACL entries on dir1. You can use the "-clear" switch to completely replace the ACL of dir2.

How to change the ACLs of a directory tree in AFS

If you want to set an ACL for a directory in AFS and all of its sub-directories, you can use one of the following commands:

   find <directoryname> -type d -exec fs sa -acl <acl> -dir '{}' ';'
or
   find <directoryname> -type d -print | xargs fs sa -acl <acl> -dir
For example, the commands:
   find /afs/cs.cmu.edu/user/bovik/public -type d -exec fs sa -acl system:anyuser rl -dir '{}' ';'
and
   find /afs/cs.cmu.edu/user/bovik/public -type d -print | xargs fs sa -acl system:anyuser rl -dir

would both do the same thing -- add the ACL entry system:anyuser rl to the directory /afs/cs.cmu.edu/user/bovik/public and all of its subdirectories. Be careful that the directory you give is not a symlink, since the find program will not follow symlinks by default. The second version of the command may be faster for large directory trees.
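
The following wrapper is an added example, not part of the original page. It applies one ACL entry to a tree as the commands above do, but reports an error when the starting directory is a symlink and keeps directory names containing spaces intact. The function name `set_acl_tree` and the `FS_CMD` variable are hypothetical names introduced for this example.

```shell
#!/bin/sh
# Added example (not from the original page): apply one ACL entry to a
# directory tree, guarding against two pitfalls of the find/xargs forms.

# set_acl_tree DIR PRINCIPAL RIGHTS
# FS_CMD is a hypothetical knob of this example: it defaults to "fs"; set it
# to "echo fs" to preview the commands without changing any ACL.
set_acl_tree() {
    dir=$1; who=$2; rights=$3
    # find does not follow a symlink given as the starting point, so
    # -type d would match nothing and the command would silently do nothing.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink; pass the real directory" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    # "-exec ... {} +" batches directories the way xargs does, but hands each
    # name over as a single argument, so names containing spaces or quotes
    # are not split. Symlinks below DIR are skipped by -type d.
    find "$dir" -type d -exec ${FS_CMD:-fs} setacl -acl "$who" "$rights" -dir {} +
}

# Preview:
#   FS_CMD="echo fs" set_acl_tree /afs/cs.cmu.edu/user/bovik/public system:anyuser rl
```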

How to protect individual files

AFS ignores all but the owner Unix mode bits on files. Turning off the "r" bit removes read access to a file for everyone, including the owner. Turning off the "w" bit removes write access to a file for everyone, including the owner. Turning off the "x" bit disallows execution of a file for everyone, including the owner.

How to make an AFS directory private

To make an AFS directory so that only you can read & administer the contents, you should remove all ACL entries except the one for yourself. A quick way to do this is with the command fs setacl <directory> <your-username> all -clear. For example:
   fs setacl /afs/cs/user/bovik/private bovik all -clear

Note that this command will remove all access for others to all subdirectories of the given directory. If you want others to access subdirectories, but still prevent reading of files in the top-level directory, you should add "l" access for selected users or groups to the top-level directory's ACL.

How to make a "drop box" directory

A "drop box" directory is a directory that people can copy files to, but in which they cannot read, delete, or write to files that are already there. For example, if one were teaching a class one could use such a directory as an upload area for homeworks. To create such a directory, create a private directory and then add only "il" rights for the pts group or user that should have rights to create files in that directory.

Additional information

The following links will open in a new browser window:
OpenAFS documentation on protecting files & directories
Comprehensive information on using AFS ACLs