AFS/IFS From a UNIX Workstation:

Access Control Lists

Step-by-step S4111 — November 1992

 

Information on getting an IFS home directory can be found in Institutional File System User Overview, Reference R1070. This Step-by-step assumes you are familiar with basic UNIX file manipulation commands and have AFS software installed on your UNIX workstation.

 

AFS is a UNIX-based file system that allows widely distributed UNIX machines to share a common file space. IFS is an extension to AFS that allows AFS file serving software to run on mainframe computers in addition to UNIX workstations, and allows Macintosh and IBM PC and compatible computers to connect to the worldwide AFS system. IFS login names are uniqnames with Kerberos passwords. AFS system login names may or may not be uniqnames and may or may not make use of Kerberos passwords; contact your AFS system administrator for more information.

 

Access Control Lists (ACLs)

IFS users arrange files in directories and subdirectories to make them more manageable. To share the data in a particular directory, you give the directory a list of users and the rights they have in that directory. This list is called an Access Control List (ACL). An ACL is a list of uniqnames (login names) and/or protection groups (named collections of uniqnames) paired with their access rights. ACLs are the main means of file protection under AFS; they are set per directory, not per file, and are separate from the mode bits associated with each file in the UNIX file system. There are seven basic access rights. Each is abbreviated to a single letter when issuing a command: lookup (l), insert (i), delete (d), admin (a), read (r), write (w) and lock (k):

 

lookup (l) The user or group with lookup rights can list the names of files and subdirectories in the directory but not read their contents. Before a user can read the contents of a file, he or she also needs read access (see below). A user or group must have lookup rights in order to use any other rights. If you assigned read rights to the group system:anyuser but did not assign lookup rights, no one from that group could either see a list of files in that directory or open a file in it to read its contents.

insert (i) The user or group with insert rights can add new files to the directory, copy an existing file to make a new file, or create new subdirectories. This is the right that lets another user put a file into one of your directories.

delete (d) The user or group with delete rights can remove files and subdirectories or move them into other directories (provided the user also has insert rights on the destination directory).

admin (a) The user or group with admin rights can change the ACL of that directory. Users always have this right on their home directories and any directories they create within their home directories.

read (r) The user or group with read (and lookup) rights can open and examine the contents of any of the files in the specified directory. Listing the contents of a subdirectory is governed by that subdirectory's own ACL, which is copied from the parent's ACL when the subdirectory is created (see below).

write (w) The user or group with write (and lookup) rights can make changes to any file in the specified directory.

lock (k) The user or group with lock (and lookup) rights can place read or write locks on any file in the directory. Lock is a rarely used right; it allows users to lock a file while they are updating it so that no other user can alter it until the lock is released.

 

There are four shorthand rights that are useful for assigning common combinations of the above rights:

    write   all rights except admin (rlidwk)
    all     all seven rights (rlidwka)
    read    read and lookup rights (rl)
    none    no rights (the user's or group's entry is removed from the ACL)

 

Default ACLs

Users who received an IFS home directory before July 1992 have a default home directory ACL that gives read and lookup access to system:anyuser (system:anyuser is a protection group consisting of everyone who can reach the cell, including unauthenticated users and guests from other AFS cells). The default ACL for users who received an IFS home directory after July 1992 allows only lookup access to system:anyuser. Additionally, four subdirectories are provided with the following defaults (system:authuser is a group consisting of all users who have authenticated to the cell):

 

    Subdirectory   Rights   Group
    Public         rl       system:anyuser
    Private        none     system:anyuser
    Shared         rl       system:authuser
    Drop Box       liw      system:authuser

 

Because the home directory itself is now lookup only, the dot (.) files that a UNIX workstation reads at login must live somewhere system:anyuser can read them: the workstation typically reads these files before you have obtained AFS tokens, so the read is made as an unauthenticated client. The dot files should therefore reside in the Public directory, with symbolic links to them in the home directory; lookup rights on the home directory are enough for the link to be seen and followed. Do not move a file that contains passwords or other secrets into Public, since everything there is readable by everyone. For example, to do this for the .cshrc file, copy the file to Public and then use the following command while the working directory is your home directory:

 

ln -s Public/.cshrc .cshrc
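The same procedure for any dot file, as an added example that is not part of the original Step-by-step: the function below copies a startup file into Public, replaces the original with a relative symbolic link, does nothing if the file is already a link, and refuses a .netrc (an assumed denylist of one name; a file that holds passwords must not become world-readable). The Public directory layout is the default described above; readlink is assumed to be available on the workstation.

```shell
#!/bin/sh
# Added example: move a startup file into Public and leave a link behind.
# $1 = home directory, $2 = dot-file name (for example .cshrc).
publish_dotfile() {
    home=$1
    name=$2
    src="$home/$name"
    dest="$home/Public/$name"
    if [ -L "$src" ]; then
        echo "$src is already a symbolic link; nothing to do" >&2
        return 0
    fi
    if [ ! -f "$src" ]; then
        echo "$src is not a regular file" >&2
        return 1
    fi
    # Assumed denylist: Public is rl to system:anyuser, so a file holding
    # passwords must never be moved there.  Extend the list as needed.
    case "$name" in
        .netrc)
            echo "$name may contain passwords; leave it out of Public" >&2
            return 1 ;;
    esac
    mkdir -p "$home/Public" || return 1
    cp -p "$src" "$dest" || return 1
    # A relative link target keeps working whatever path the home
    # directory is reached through.
    rm -f "$src" && ln -s "Public/$name" "$src"
}

# Returns 0 when $1/$2 is a link to the copy in Public and that copy exists.
dotfile_published() {
    [ -L "$1/$2" ] && [ "$(readlink "$1/$2")" = "Public/$2" ] && [ -f "$1/Public/$2" ]
}

# Typical use from a workstation that already holds AFS tokens:
#   for f in .cshrc .login .profile .Xdefaults; do publish_dotfile "$HOME" "$f"; done
#   fs listacl "$HOME/Public"    # confirm that system:anyuser still has rl here
```

Run it for each startup file your shell and window system read, then confirm with fs listacl that Public still grants rl to system:anyuser and that the home directory grants only l.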

 

Sample ACLs: Users to Whom These Rights Might Be Assigned

rlidwka All seven rights are assigned by default to the directory owner.

rlw You assign read, write, and lookup rights to users who have your permission to read and make changes to the files in one of your directories. For example, a writer might assign these rights to another writer to facilitate the editing process.

li (w) Insert and lookup rights are assigned to users who have your permission to put files into one of your directories. These two rights are commonly assigned to a directory in which other users can deposit files for you to look at (the Drop Box default above). Because of the way the Macintosh operating system works, Macintosh users will also need write rights in directories where you would like them to be able to place files.

 

A subdirectory receives a copy of its parent directory's ACL at the moment it is created; it does not track the parent afterwards. You must set rights on the subdirectory yourself if they are to differ from the parent's, and if you later change the ACL of the parent directory, the ACLs of existing subdirectories do not change to match. Check each subdirectory with fs listacl rather than assuming it matches its parent. If your home directory grants lookup and read rights to system:anyuser, anyone who can reach AFS anywhere in the world can list the names and examine the contents of the files in it. To protect your files, set the rights on each subdirectory within your home directory explicitly.

 

Useful AFS ACL Commands

fs listacl Lists access privileges for the current or specified directory. la is an acceptable alias for the listacl command.

 

fs setacl Sets access rights for a specified directory. These rights include the access and shorthand rights listed above, and can be assigned to specified users and protection groups. For example:

 

fs setacl labwork ren rlidwka

 

gives the user ren full access to a directory named labwork. Using the shorthand ACL all below gives the same results:

 

fs setacl labwork ren all

 

To remove the rights granted to system:anyuser on the labwork directory (users and groups that have their own entries keep their rights), use:

 

fs setacl labwork system:anyuser none

 

sa is an acceptable alias for the setacl command. Using this, the above command can be shortened to:

 

fs sa labwork system:anyuser none

To set ACLs on multiple directories at once, add the switches -dir and -acl to the command. The command below removes the rights of system:anyuser on the tmp, usr, and bin directories.

 

fs sa -dir tmp usr bin -acl system:anyuser none

 

It’s possible that you may want to grant access to all members of a protection group, except for an individual or two. Up to now the examples have only used normal ACLs, which grant rights. To deny rights you need negative ACLs.

 

fs setacl work class:eecs434 all

fs setacl -negative work generic all

 

The commands above grant all rights in the work directory to members of the group class:eecs434 except the user generic, who is also a member of that protection group. AFS computes a user's rights on a directory as the union of the rights in every normal entry that applies to the user (directly or through group membership) minus the union of the rights in every negative entry that applies; a negative entry therefore overrides rights granted through any group. When using negative ACLs, specify the full list of rights you want to deny the user. To restore access to the user generic, clear the negative entry by issuing:

 

fs setacl -negative work generic none

 

The -clear flag erases both the normal and negative rights part of an ACL. The rights you then specify go onto the newly cleared list. The command below clears the normal and negative ACLs from the work directory and assigns new permissions (rwli) to the class:eecs434 group.

 

fs setacl -clear work class:eecs434 rwli
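An added example (not part of the original Step-by-step) that makes two of the points above concrete: how AFS combines normal and negative entries into a user's effective rights, and how to change and audit a whole directory tree rather than trusting that subdirectories still match their parent. It assumes the two-section format that fs listacl prints (Normal rights: and Negative rights:), a constructed sample ACL for a directory named work, and that the caller supplies the user's group memberships (from pts membership USER), since the script has no cell to ask. The names ren, generic and class:eecs434 are the ones used in the examples above.

```shell
#!/bin/sh
# Added example: compute effective AFS rights from `fs listacl` output and
# audit a directory tree.  The sample below is constructed, not captured
# from a real cell; it follows the format fs listacl prints.
SAMPLE_ACL='Access list for work is
Normal rights:
  system:administrators rlidwka
  class:eecs434 rlidwka
  system:anyuser rl
Negative rights:
  generic rlidwka'

# Print "NAME RIGHTS" for each entry in section $1 ("Normal" or "Negative")
# of fs listacl output read from stdin.
acl_entries() {
    awk -v want="$1" '
        /^Normal rights:/   { sec = "Normal";   next }
        /^Negative rights:/ { sec = "Negative"; next }
        NF == 2 && sec == want { print $1, $2 }
    '
}

# Union of the rights letters, in rlidwka order, of every entry in section $1
# whose name is one of the principals in $2 (the user plus each group the user
# belongs to; obtain the groups with "pts membership USER").  Empty if none.
rights_for() {
    acl_entries "$1" | awk -v princ="$2" '
        BEGIN { n = split(princ, p, " "); for (i = 1; i <= n; i++) member[p[i]] = 1 }
        ($1 in member) { for (j = 1; j <= length($2); j++) have[substr($2, j, 1)] = 1 }
        END {
            out = ""
            for (j = 1; j <= 7; j++) { c = substr("rlidwka", j, 1); if (c in have) out = out c }
            print out
        }
    '
}

# Effective rights = union of matching normal entries minus union of matching
# negative entries, so a negative entry wins over any group grant.
effective_rights() {
    acl=$(cat)
    normal=$(printf '%s\n' "$acl" | rights_for Normal "$1")
    negative=$(printf '%s\n' "$acl" | rights_for Negative "$1")
    eff=$(printf '%s\n' "$normal" | awk -v neg="$negative" '{
        out = ""
        for (j = 1; j <= length($0); j++) {
            c = substr($0, j, 1)
            if (index(neg, c) == 0) out = out c
        }
        print out
    }')
    if [ -n "$eff" ]; then printf '%s\n' "$eff"; else printf 'none\n'; fi
}

# Audit check: report any normal entry that gives system:anyuser more than
# lookup, which is the post-July-1992 default for a home directory.
anyuser_overexposed() {
    acl_entries Normal | awk '$1 == "system:anyuser" && $2 != "l" { print $1, $2 }'
}

# Because a subdirectory keeps the ACL it copied at creation, changing a tree
# means running fs setacl on every directory in it.  $1 = tree, $2 = user or
# group, $3 = rights.  Only meaningful on a workstation with AFS tokens.
set_acl_tree() {
    find "$1" -type d -exec fs setacl {} "$2" "$3" \;
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_ACL" | effective_rights "generic class:eecs434 system:anyuser system:authuser"
# -> none   (class:eecs434 grants rlidwka; the negative entry for generic removes it all)
printf '%s\n' "$SAMPLE_ACL" | effective_rights "ren system:anyuser system:authuser"
# -> rl
printf '%s\n' "$SAMPLE_ACL" | anyuser_overexposed
# -> system:anyuser rl
# Audit a whole home directory on a real workstation:
#   find "$HOME" -type d | while read -r d; do
#       fs listacl "$d" | anyuser_overexposed | sed "s|^|$d: |"
#   done
```

set_acl_tree and the commented audit loop invoke fs, so they only do something on a workstation that holds AFS tokens; the parsing functions run anywhere. Note that the audit flags rl on system:anyuser, which is exactly what the Public directory is meant to have, so read its output with the defaults table above in mind.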

 

fs help Provides a brief help description of the specified command. If no command is specified, brief help will be provided on all fs commands. The command fs help setacl will provide help on the fs setacl command.

 

UNIX Mode Bits in AFS

UNIX file protection is based on the nine mode bits associated with each file. AFS uses only the first three, the owner (user) mode bits, and applies them to everyone who has rights on the directory, not just to the owner; the group and other bits are ignored. An ls -l listing of a directory owned by the user generic is shown below. The first character shows the type of the element listed (- for a file, d for a directory, or l for a link). The next three characters are the owner mode bits. If the r mode bit is present ("r" instead of a hyphen), anyone with read and lookup rights in the ACL for that directory may examine that file's contents. If the r mode bit is absent, no one (including the directory owner) may examine the contents of the file, regardless of what rights exist in the directory ACL. The same holds for the write (w) and execute (x) bits, although there is no ACL right that corresponds directly to the x bit. AFS does not support write-only files.

 

The directory owner may change any of the mode bits using the UNIX chmod command, although only the first three mode bits are utilized by AFS.

 

drwxrwxrwx 2 generic system 2048 Jun 30 12:05 .AppleDouble
-rw------- 1 generic system 10752 Jun 30 12:05 Walrus
-rw------- 1 generic system 64000 Jun 30 11:56 csmf-faq.txt
drwx------ 3 generic system 2048 Jun 30 11:57 new
drwx------ 3 generic system 2048 Jun 30 12:05 sounds1