AFS - Internet Account Information
This document explains in simple terms how to manage the access permissions of your SFSU AFS (Andrew File System) Internet (E-mail) account.
If you are one of our users who use their AFS Internet account in the following ways:
- Use Eudora, MS Outlook, Outlook Express or any other POP E-mail program for ALL E-mail or forward ALL mail to another account
- Never store sensitive files in your AFS account
- Never export, save, ftp, or otherwise place files in your AFS account
- Use the AFS account for Internet access using PPP
you do not need this document. However, if you use your AFS account for PINE, ELM, mail, web publishing or ftp please read on...
There is a big difference in access permissions between the NFS Unix system and the AFS login servers (apollo & libra) as explained in the AFS documents.
First of all, we would like to reassure you that other AFS users cannot read the E-mail messages stored in your mail and Mail directories. Your account's permissions, however, are set so that system:anyuser can read and copy files and directories placed at the top (home directory) level of your account. In AFS, system:anyuser means anyone who can reach the file servers, including users who have not logged in, not just other SFSU users. The permissions are set this way to allow SFSU web publishing and access to bbs conferences, and so that .forward and .plan files will function.
AFS permissions are set using access control lists (ACLs) rather than the chmod command used on NFS Unix systems (mercury). An AFS ACL applies to an entire directory and every file in it, whereas Unix permissions can be set on individual files. The chmod command can still be used under AFS, but it does NOT give the protection you may expect: AFS honors only the owner bits of a file's mode, and only in combination with the directory's ACL; the group and other bits are ignored, so chmod cannot hide a file from other users. You must instead create a private directory with a restrictive ACL to store your personal files.
Because files stored in your home directory and in any unrestricted subdirectory can be read by other users, you need to place the files and directories you consider private in a private subdirectory. This also means that messages exported from PINE (command e) and attachments saved from PINE are readable by others unless they are exported or saved to a directory whose ACL excludes system:anyuser.
Here is how to create a secure directory called private that other users cannot access:
*Note: The directory name 'private' is not required; it is only an example of a directory name.
Commands to type at an AFS prompt (apollo% or libra%), with the result of each command:

    cd                                      go to the top level of your account (your home directory)
    mkdir private                           creates a directory called private
    fs listacl private                      shows the ACL for the private directory

                                            Example:
                                            Access list for private is
                                            Normal rights:
                                              system:administrators rlidwka
                                              system:anyuser rl
                                              userid rlidwka
                                            (your account name should appear instead of userid)

    fs setacl private system:anyuser none   removes system:anyuser from the ACL, so nobody but you
                                            and the system administrators can access the directory
    fs listacl private                      check that the ACL for private was changed

                                            Example:
                                            Access list for private is
                                            Normal rights:
                                              system:administrators rlidwka
                                              userid rlidwka
                                            (your account name should appear instead of userid)

    ls -al                                  lists the contents of the current directory

The letters in an ACL entry are the rights granted: r (read), l (lookup, i.e. list the directory), i (insert), d (delete), w (write), k (lock) and a (administer the ACL). The "rl" entry for system:anyuser in the first example is what lets everyone read your files; after fs setacl that entry is gone.
Now, whenever you wish to save or export a message to your private directory, include the prefix "private/" before the filename (for example, private/filename).
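The procedure above is typed one command at a time. The following shell script is an added example, not part of the SFSU page: it parses the "fs listacl" output format shown above and reports whether system:anyuser still has read or lookup rights on a directory, so you can check every directory in your account rather than eyeballing each listing. The two sample listings are constructed to match the before and after examples above; the audit_afs_tree function is hypothetical in that it only does anything on a machine where the AFS fs command exists.

```shell
#!/bin/sh
# Added example, not from the SFSU page: audit "fs listacl" output for entries
# that let system:anyuser read or list a directory. Assumes the OpenAFS
# "fs listacl" output format shown in the page (an "Access list for DIR is"
# header, a "Normal rights:" section and an optional "Negative rights:" section).

# Print the rights string granted to PRINCIPAL in the "Normal rights:" section
# of an fs listacl listing read from stdin; print nothing if it has no entry.
acl_rights_for() {
    awk -v p="$1" '
        /^Negative rights:/  { negative = 1; next }
        /^Normal rights:/    { negative = 0; next }
        !negative && $1 == p { print $2; exit }
    '
}

# Succeed (exit 0) when system:anyuser holds read (r) or lookup (l) rights,
# i.e. anyone, authenticated or not, can read or list the directory.
acl_is_world_readable() {
    rights=$(acl_rights_for system:anyuser)
    case "$rights" in
        *r*|*l*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Classify one listing (passed as a string) as "world-readable" or "private".
classify_listing() {
    if printf '%s\n' "$1" | acl_is_world_readable; then
        echo "world-readable"
    else
        echo "private"
    fi
}

# Constructed sample listings: what fs listacl prints for the private
# directory before and after "fs setacl private system:anyuser none".
BEFORE_SETACL='Access list for private is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  userid rlidwka'

AFTER_SETACL='Access list for private is
Normal rights:
  system:administrators rlidwka
  userid rlidwka'

# Real use on apollo or libra (hypothetical; needs the AFS fs command): walk a
# directory tree and flag every directory that still grants rights to anyuser.
audit_afs_tree() {
    find "${1:-.}" -type d | while read -r dir; do
        if fs listacl "$dir" 2>/dev/null | acl_is_world_readable; then
            echo "WARNING: $dir is readable by system:anyuser"
        fi
    done
}

classify_listing "$BEFORE_SETACL"   # world-readable
classify_listing "$AFTER_SETACL"    # private
```

Run it from your home directory on apollo or libra as `sh audit.sh` and then call `audit_afs_tree ~` to list every directory that is still open to system:anyuser; the check treats the lookup right alone as a finding because it lets anyone list the names of your files even if they cannot read them.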
Once you have created a secure directory, you should move any sensitive files and/or directories into the private directory. Here are some examples of how to use the mv (move) command:

    mv filename private       Move the file named "filename" into the subdirectory "private"
    mv directory1 private     Move the directory named "directory1" into the subdirectory "private"

A directory you move keeps its own ACL, so after moving "directory1" also run "fs setacl private/directory1 system:anyuser none"; otherwise its contents become readable again the moment it is moved back out of private.
For more information:
- Please read other AFS documentation available on this site.
- Send E-mail to helpdesk@sfsu.edu
- Call our telephone helpdesk at (415) 338-1420, Monday to Thursday 8 AM to 6 PM and Friday 8 AM to 5 PM.
Last Modified: 17 Feb 2004
doit@sfsu.edu