AFS - Directory & File Protections

AFS files and directories with Access Rights

AFS file protections are very different from traditional UNIX protections. Each user's access to an individual file within a directory is controlled by the owner protection (mode) bits of the file in combination with the directory's access control list.

You can control access to your directories by granting or denying access rights to individual users or groups specified in the directory's access control list (ACL).

If you, as the owner of the files within a directory, have read and write access to all those files, then the access rights you grant to another person in the directory's access control list apply to all the files in that directory. For example, if you have write access to all the files and you grant a certain person write access intending it for one specific file, that person will have write access to all the files in the directory. To grant write access to just one of the files, you must move that file to a separate directory, or else set the protection (mode) bits of all the other files so that you (the owner) do not have write access to them.

This brief guide covers the seven types of access rights and how UNIX protection mode bits interact with these rights. For information on how to use access rights, read the brief guide AFS-Using ACLs.


The Seven Access Rights

ADMINISTER (a)

    allows a user to
  • change the ACL on the specified directory

LOOKUP (l)

    allows a user to
  • get a listing of the directory's entries
  • examine the ACL for the directory
  • access the directory's subdirectories

INSERT (i)

    allows a user to
  • create new files or subdirectories within the specified directory

DELETE (d)

    allows a user to
  • remove files or directories from within the specified directory
    Note: Subdirectories are protected by their own ACLs. They inherit the ACL of their parent directory when they are created, but this can be overridden just as the ACL was set for the parent directory. Read the document Using ACLs for further information.

READ (r)

    allows a user to
  • read the data in files in the directory

WRITE (w)

    allows a user to
  • write data to files that exist in the directory
  • change the UNIX protection bits of files [using chmod].

LOCK (k)

    allows a user to
  • apply an advisory lock on files in the directory with flock

Shorthand forms for common rights combinations

AFS defines four special rights combinations to make setting access rights more intuitive. When defining an ACL, you can specify the individual letters for the rights above or use the following forms:

all

    grant all seven access rights (i.e., wridlka)

none

    remove this user or group's entry from the ACL

write

    all rights but ADMINISTER

read

    READ and LOOKUP


About the UNIX protection (mode) bits

AFS considers only the UNIX owner (protection) mode bits of the complete set of protection bits when deciding on read, write, and execute privileges for a particular file in a directory. (Note that the owner bits are the first three 'rwx' bits occurring to the right of the file type indicated in the ls -l command output.)

For example, even if the directory in which a file resides has the WRITE (w) right allowed, the file itself must have write permission for you to write in it. Consider the following example.


$ fs listacl mydir
Access list for mydir is
Normal rights:
  system:anyuser rl
  ron rlidwk
$ ls -la mydir
total 1
drwxr-xr-x   2 ron  2048 Aug 12 13:03 .
drwxrwxrwx  19 ron  4096 Aug 12 08:57 ..
-rw-r--r--   1 ron    99 Aug 12 13:03 file1
-r--r--r--   1 ron   237 Aug 12 13:03 file2


If your username is ron, you can modify file1, since the ACL on mydir allows ron to write files there. But no one (including you) can modify file2, because the owner write (w) bit is turned off for that file (signified by the dash "-" in the eighth mode bit from the right).

This scheme holds true for the read and execute privileges as well.

Note: If a file is copied out of AFS file space to a directory on the local disk, or into a directory in a Network File System (NFS), all of the UNIX mode bits will apply. See the man page for chmod. Also, AFS does not support write-only files: writable files must also have read permission.
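The following is an added example, not part of the original help sheet: a small Python model of the access decision described above, combining a directory ACL (including the four shorthand forms) with the file's UNIX owner mode bits. The ACL and mode values are constructed to mirror the mydir listing; the user "alice" is a hypothetical non-owner.

```python
# Added example (not from the SFSU/Pitt help sheet): a model of how AFS decides
# read/write access by combining a directory ACL with the file's UNIX *owner*
# mode bits. All ACL entries and modes below are constructed sample data.
import stat

RIGHTS = set("rlidwka")
# The four shorthand forms AFS accepts in place of individual letters.
SHORTHAND = {"all": "rlidwka", "write": "rlidwk", "read": "rl", "none": ""}

def expand_rights(spec):
    """Turn an ACL rights spec ('rl', 'write', 'all', ...) into a set of letters."""
    spec = SHORTHAND.get(spec, spec)
    bad = set(spec) - RIGHTS
    if bad:
        raise ValueError(f"unknown AFS right(s): {''.join(sorted(bad))}")
    return set(spec)

def effective_rights(acl, user, groups=()):
    """Union of the rights granted to the user, to system:anyuser (everyone),
    and to any protection group the user belongs to."""
    granted = set()
    for entry in (user, "system:anyuser", *groups):
        granted |= expand_rights(acl.get(entry, ""))
    return granted

def can_read(acl, mode, user, groups=()):
    # Directory must grant READ *and* the file's owner read bit must be set;
    # AFS ignores the group/other bits of the mode entirely.
    return "r" in effective_rights(acl, user, groups) and bool(mode & stat.S_IRUSR)

def can_write(acl, mode, user, groups=()):
    # Same rule for WRITE: ACL 'w' right plus the owner write bit.
    return "w" in effective_rights(acl, user, groups) and bool(mode & stat.S_IWUSR)

# Constructed to mirror the page's listing: ron has rlidwk, anyuser has rl.
MYDIR_ACL = {"system:anyuser": "rl", "ron": "rlidwk"}
FILE1_MODE = 0o644   # -rw-r--r--
FILE2_MODE = 0o444   # -r--r--r--

if __name__ == "__main__":
    for name, mode in (("file1", FILE1_MODE), ("file2", FILE2_MODE)):
        for who in ("ron", "alice"):   # alice: hypothetical non-owner
            print(f"{who:5} {name}: read={can_read(MYDIR_ACL, mode, who)} "
                  f"write={can_write(MYDIR_ACL, mode, who)}")
```

Running it shows that ron can write file1 but not file2, and that alice can read both but write neither, regardless of the group/other mode bits.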

To learn more about this topic, consult the following references:

Brief Guides:

  • AFS-Using ACLs
  • AFS-Protection Groups

Man pages: pts(1), chmod(1), ls(1), flock(1)

(NOTE: This document was adapted from University of Pittsburgh's help sheets.)

San Francisco State University

Last Modified: 12 Dec 2001
doit@sfsu.edu