AFS Permissions - Access Control Lists
AFS uses Access Control Lists (ACLs) to determine permissions for accessing data. An ACL is a set of Kerberos instances, IP addresses, and/or AFS Groups along with an associated AFS permission.
For example, the ACL for the directory /afs/cs.cmu.edu/user/example has entries for:
wwwsrv:http-ftp rl
system:anyuser rl
example rlidwka
The above ACL gives just "read" and "lookup" rights to the special groups wwwsrv:http-ftp and system:anyuser, and all AFS ACL permissions to the user "example".
ACLs allow very flexible control over who may access data in AFS. Some features of ACLs and AFS access permissions are:
- ACLs apply only to directories in AFS, not to files.
- AFS ignores standard Unix permissions (the ones you set with the chmod command), with the exception of the file owner mode bits (see the section below on protecting individual files for details).
- The owner of a directory can always change the ACL on that directory, no matter what the ACL is (so you can fix things if you accidentally remove yourself from the ACL of a directory you own).
- When you create a directory, it automatically inherits the ACL of its parent directory.
- In order to access a subdirectory, one must have "l" (lookup) permissions on all parent directories.
Important note: Because top-level AFS user directories in SCS are created by default with fairly liberal ACLs, you may need to take special precautions to protect confidential information in AFS. For example, the "mbox" file created by some Unix mail programs and Emacs "shell.CKP" files will not be protected by the standard Unix permissions if they are created in AFS. You should make sure that directories that are used to store email and other sensitive files have appropriate ACLs.
AFS permissions and their meaning
There are seven standard AFS permissions, each referred to by one of the letters r, l, i, d, w, k and a. The l, i, d and a permissions apply to directories, and the r, w and k permissions apply to the files within a directory.
Directory permissions
ACL | Permissions |
---|---|
l (lookup) | Allows one to list the contents of a directory. It does not allow the reading of files. |
i (insert) | Allows one to create new files in a directory or copy new files to a directory. |
d (delete) | Allows one to remove files and sub-directories from a directory. |
a (administer) | Allows one to change a directory's ACL. The owner of a directory can always change the ACL on that directory, no matter what the ACL is. |
File permissions
ACL | Permissions |
---|---|
r (read) | Allows one to read the contents of files in the directory. |
w (write) | Allows one to modify the contents of files in a directory and use chmod on them. |
k (lock) | Allows programs to lock files in a directory. |
Normal and negative AFS permissions
An ACL entry can be either "normal" or "negative". Normal entries grant the specified access permissions, while negative entries cancel specific permissions for a user or group that would otherwise be granted by the ACL.
How to list and change AFS ACLs
The fs command (which should be in /usr/local/bin on Facilitized Unix hosts) is used to list and change ACLs.
When specifying directory rights using fs, the following shortcuts may be used:
Shortcut | Permissions |
---|---|
all | rlidwka |
read | rl |
write | rlidwk |
none | removes all entries |
How to list an ACL
The command fs listacl <directory-name> will list the ACL of a directory. You can abbreviate "listacl" to "la" for the same result. For example,
fs la /afs/cs/user/example
will produce the output:
Access list for /afs/cs/user/example is
Normal rights:
wwwsrv:http-ftp rl
system:anyuser rl
example rlidwka
You can use the command fs help listacl to list the complete set of options.
How to add a user or group to an ACL
The command fs setacl -dir <directory> -acl <acl entries> will add the given ACLs to the given directory.
fs setacl -dir /afs/cs/user/example -acl jsmith rl
The example above will give the user "jsmith" read and lookup rights on the directory /afs/cs/user/example.
As a shortcut, you can abbreviate "setacl" to "sa" and/or leave out the "-dir" and "-acl" switches, as long as you keep the arguments in the order given:
fs sa /afs/cs/user/example jsmith rl
You can also use the "-clear" switch on a fs setacl command to completely clear the previous ACL when setting new entries. Be careful not to remove your own administrative ("a") rights when doing so.
How to remove a user or group from an ACL
To remove a user or group from an ACL, assign the user or group the access permission "none".
fs setacl -dir /afs/cs/user/example -acl jsmith none
The example above would remove the user "jsmith" from the access list for /afs/cs/user/example.
How to set negative ACL entries
To set a negative ACL entry, use the -negative switch on the appropriate fs command.
fs setacl -dir /afs/cs/user/example -acl jsmith rl -negative
The example above would set negative read and lookup rights for user "jsmith".
How to copy ACLs
To copy an ACL for dir1 to dir2 use the command:
fs copyacl -fromdir <dir1> -todir <dir2>
This command will copy all ACL entries from dir1 to dir2, overwriting those on dir2 that already exist and keeping the ones that don't conflict with ACL entries on dir1. You can use the "-clear" switch to completely replace the ACL of dir2.
How to change the ACLs of a directory tree in AFS
If you want to set an ACL for a directory in AFS and all of its sub-directories, you can use the fsr command. The fsr command uses the same syntax as the fs command for listing and changing AFS ACLs. Unlike fs, fsr operates on the specified directory and all of its subdirectories.
fsr setacl /afs/cs.cmu.edu/user/example/public -acl system:anyuser rl
The above command would add the ACL entry "system:anyuser rl" to the directory /afs/cs.cmu.edu/user/example/public and all of its subdirectories.
How to protect individual files
AFS ignores all but the owner Unix mode bits on files. Turning off the "r" bit removes read access to a file for everyone, including the owner. Turning off the "w" bit removes write access to a file for everyone, including the owner. Turning off the "x" bit disallows execution of a file for everyone, including the owner.
How to make an AFS directory private
To make an AFS directory so that only you can read and administer its contents, you should remove all ACL entries except the one for you. A quick way to do this is with the command:
fs setacl <directory> your-username all -clear
For example:
fs setacl /afs/cs/user/example/private example all -clear
Note the example command above will remove all access for others to all subdirectories of the given directory. If you want others to access subdirectories, but still prevent reading of files in the top-level directory, you should add "l" access for selected users or groups to the top-level directory's ACL.
How to make a "drop box" directory
A "drop box" directory is a directory that people can copy files to but not read, delete, or write to files that are already in the directory. For example, if one were teaching a class one could use such a directory as an upload area for homework. To create such a directory, create a private directory and then add "il" only rights for the pts group or user that should have rights to create files in that directory.
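As an added example (not code from the original page or from AFS itself), the POSIX shell functions below parse the text that fs listacl prints and apply two checks: they flag the liberal ACL entries the note at the top warns about (campus-wide groups holding more than "rl"), and they verify a directory against the drop-box pattern just described. The ACL text is constructed; audit_tree assumes the AFS fs command is on PATH and is the only part that needs a real AFS client.

```shell
#!/bin/sh
# Added example, not part of the original page: offline checks over the text
# that "fs listacl" prints. The ACL text below is constructed; only audit_tree
# needs a real AFS client ("fs" on PATH).
set -e

SAMPLE_ACL='Access list for /afs/cs/user/example/private is
Normal rights:
  system:anyuser rlidw
  system:authuser rl
  example rlidwka
Negative rights:
  jsmith rl'

# normal_entries: print "<user-or-group> <rights>" for every entry listed
# under "Normal rights:" on stdin; entries under "Negative rights:" are skipped.
normal_entries() {
    awk '/^Normal rights:/   { on = 1; next }
         /^Negative rights:/ { on = 0; next }
         on && NF == 2       { print $1, $2 }'
}

# acl_risky_entries: entries that give the campus-wide groups system:anyuser or
# system:authuser any of the i, d, w or a rights, i.e. more than "read" (rl).
acl_risky_entries() {
    normal_entries | awk '$1 ~ /^system:(anyuser|authuser)$/ && $2 ~ /[idwa]/'
}

# dropbox_violations OWNER: entries that break the drop-box pattern, where the
# owner holds "all" (rlidwka) and every other entry holds only i and/or l.
dropbox_violations() {
    normal_entries | awk -v owner="$1" '
        $1 == owner { if ($2 != "rlidwka") print; next }
                    { if ($2 !~ /^[il]+$/) print }'
}

# audit_tree DIR: run the risky-entry check on DIR and every directory below
# it, prefixing each finding with the directory path (needs the fs command).
audit_tree() {
    find "$1" -type d | while IFS= read -r d; do
        fs listacl "$d" | acl_risky_entries | sed "s|^|$d: |"
    done
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_ACL" | acl_risky_entries
printf '%s\n' "$SAMPLE_ACL" | dropbox_violations example
```

Run audit_tree against a home directory to find subdirectories where system:anyuser or system:authuser still hold insert, delete, write or administer rights.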