|
|
||
|
Using Access Control Lists
This brief guide explains how to set protections for files and directories in the Andrew File System (AFS).
What are ACLs in AFS?
In the Andrew File System (AFS), protections for files and directories are handled differently than in the Unix File System. Protections in AFS are defined by access control lists (ACLs) which are applied to a given directory and not to individual files. Every directory has an ACL which contains one or more access control entries. The entries in an ACL defined for a given directory determine access to all files in that directory. Files will retain protection bits as in Unix; however, their meaning is different than in Unix. Consult the brief guide on "File and Directory Protections in AFS" for further explanation.
What are Access Rights?
There are seven access rights which you can grant to users or groups. These rights, represented by the following letters (rlidwka), are read (r), lookup (l), insert (i), delete (d), write (w), lock (k), and administer (a). Additionally, there are four shorthand forms which can be used to grant common combinations of rights.
write
all rights except administer (i.e. rlidwk)
read
read and lookup rights (rl)
all
all seven rights (rlidwka)
none
no rights, completely removes the entry
Also, read the brief guide on "AFS-Directory and File Protections" for additional explanation of these rights.
Defining users and groups.
As in other systems, the term user indicates an individual username. Additionally, in AFS you may define groups in which you place one or more users. This is convenient when many users are working on the same project and require access to files in the same directory. See the brief guide "AFS-Protection Groups" for further explanation of groups.
How do you set ACLs in AFS?
ACLs can be set using two different syntaxes, depending on whether you wish to set the ACL for your current working directory (CWD) or for a directory you will explicitly name on the command line.
If the directory on which the ACLs are to be set is also the current working directory, use the following syntax:% fs setacl . user/group access_right(s)
Example:
To give user ron read and lookup access to your proj1 subdirectory, you would cd to that subdirectory and type the following:% fs setacl . ron rl
Notice the fs setacl command is followed by a "." indicating that the ACL is to be set for the current directory, proj1. This is followed by the username, and then the read and lookup rights respectively.
If the directory on which the ACL is to be set is another "named" directory, use the following syntax:% fs setacl directory user/group access_right(s)
You may set ACLs on multiple directories and grant access to multiple users and groups on the same command line as in the following example.
Example:
To give users ron and bjbo1 read, lookup, and write access and the group system:anyuser read and lookup access to the subdirectories, proj1 and proj2, use the following syntax:% fs setacl -dir proj1 proj2 -acl ron rlw bjbo1 rlw
system:anyuser rlNote: When setting ACLs for multiple directories the -dir switch must be used, otherwise every directory after the first on the command line will be interpreted as an ACL. Also notice that each user or group's access rights must immediately follow the username or group specification in order to be valid, even if some are granted identical access rights. Hint: In this example, you may wish to create a group containing ron and bjbo1 since they have the same access rights.
How do you see (list) ACLs?
To see who has access to a directory you may list the ACL for that directory. It is also a good practice to list an ACL before changing it. Again, the syntax differs depending on whether you are listing the ACL for your current working directory or another "named" directory.
To list the ACLs for your current directory use the following syntax:% fs listacl
Example:
While in the proj1 subdirectory you may list that directory's ACLs as follows:% fs listacl
Access list for . is
Normal rights:
system:anyuser rl
bjbo1 rlidwkaTo list the ACL for any "named" directory use the following:
% fs listacl directory
Example:
% fs listacl proj1
Access list for proj1 is
Normal rights:
system:anyuser rl
ron rlidwkaMultiple directories may be listed with one command.
% fs listacl -dir private Alessandro
Access list for private is Normal rights: ron rlidwka bjbo1 rlw
Access list for Alessandro is Normal rights: ron rlidwka bjbo1 rlidwkNormal Rights and Negative Rights
In the previous examples, the term Normal rights appeared when listing ACLs. In addition to Normal rights, you may also set Negative rights on directories. To deny a user access to a directory, you may either remove that user from the Normal rights list or add the user to the Negative rights list. This is useful when you wish to restrict a given member of a group's access while not affecting the whole group. An entry in the Negative rights list overrides any rights a user may have been granted in the Normal rights list.
Example:
User ron is a member of group bjbo1:letter_writers and while the group has all access on the sub-directory proj1, ron is not supposed to have idka access. This can be accomplished with the following commands: % fs setacl -dir proj1 -acl bjbo1:letter_writers all and % fs setacl -negative -dir proj1 -acl ron idka To learn more about this topic, consult the following references:
Brief Guides:
- AFS-Directory and File Protections,
- AFS-Protection
Groups
Man pages: fs(1) and pts(1)
(NOTE: This document was adapted from University of Pittsburgh's help sheets.)
HOME
Site Home | What We Do | Help Desk | Account Services | Software | Hardware | Network
Telephone Services | Training | Computer Labs | Web Publishing | Policies | Sitemap | Contact Us
Last Modified: 1 Jul 1996
doit@sfsu.edu