AFS Permissions
Seven rights are predefined by AFS: four control access to a directory and three to all of the files in a directory.
The four directory rights are:
The three rights that affect all of the files in a directory are:
Notes:
Files:
Directories:
A user can set any AFS permissions:
The syntax to set AFS permissions is:
fs setacl <directory> <username> <perms>
To set permissions in the working directory:
fs sa . <username> <perms>
sa is shorthand for setacl
username is any user with an account in the AFS system, plus special users, which includes system:anyuser.
The AFS permissions that can be set are:
The following are shortcuts:
Examples:
fs sa ~/public_html abc89 rlid
- gives user abc89 rlid rights in your public_html directory.
fs sa . system:anyuser rl
- gives the user system:anyuser rl rights in the current directory.
fs sa ~ system:anyuser rl
- gives the user system:anyuser rl rights in your login directory.
fs sa ~/public_html abc1234 none
- removes all rights for user "abc1234" in your public_html directory.
To see what permissions are in effect in a directory:
fs listacl <path_to_directory>
or
fs la <path_to_directory>
Examples:
List the permissions in the current directory:
fs la
List the permissions in your login directory:
fs la ~
List the permissions in your public_html directory:
fs la ~/public_html
AFS "system:anyuser" Permissions
The AFS permission system:anyuser rl on a directory permits any user who is logged in to an NJIT AFS client machine to look at (read) any file in that directory (provided that user has at least l (lookup) permission on every directory in the path leading to the directory in question).
To see the AFS permissions on a directory: fs la <dir_name>
To keep everyone from reading files in a directory, do this in the directory you want to be private. From anywhere in your login directory tree, including your login directory (~), create the directory (priv.stuff can be any name):
mkdir priv.stuff
fs sa priv.stuff system:anyuser none
When the above is done, no file in priv.stuff can be read by anyone but the owner of priv.stuff -- i.e., you.
Note: If you have given other users access to directories in your account, make sure that they do not have rights in priv.stuff (fs la priv.stuff will show who has rights there). Remove rights for another user with: fs sa priv.stuff <other_user> none
To reset AFS permissions in an entire directory tree, the following program can be used:
/usr/ucs/bin/set.afs.perms.recur
Check AFS Permissions in Home Directories
Users sometimes inadvertently set AFS permissions in directories in their AFS account that allow anyone logged into an NJIT AFS client machine to read (and copy) any file in those directories.
Users can check and set the permissions in any directory in their account using the AFS "fs" command (How to Set AFS Permissions).
Some users may find using a program to check and set AFS permissions to be easier than the "fs" command. The following program is available to do that: /usr/ucs/bin/check.afs.perms.ksh
This program deals only with the user's home directory (not any of its subdirectories), and can do only a small subset of what the "fs" command can do. It can be run from any Unix/Linux AFS client.
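As an added example (not NJIT's check.afs.perms.ksh and not part of the original page), the following POSIX shell functions read the output of fs la for one directory, report any system:anyuser entry that grants more than lookup (l), and print the corresponding fs sa ... none command from the "AFS system:anyuser Permissions" section above. The listing text is a constructed sample of fs la output, so the script runs without an AFS client.

```shell
#!/bin/sh
# Constructed sample of "fs la <dir>" output (not captured from a real cell).
SAMPLE_ACL='Access list for /afs/example.edu/u/abc89/public_html is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  abc89 rlidwka
  xyz12 l'

# anyuser_exposure: read "fs la" output on stdin and print each
# system:anyuser entry (in the Normal rights section) whose rights go
# beyond plain lookup. Exit status 0 = nothing beyond l, 1 = exposure found.
anyuser_exposure() {
  awk '
    /^Negative rights:/ { neg = 1; next }
    /^Normal rights:/   { neg = 0; next }
    neg == 0 && $1 == "system:anyuser" {
      rights = $2
      gsub(/l/, "", rights)          # lookup alone is what we want to allow
      if (rights != "") { print "system:anyuser has " $2; found = 1 }
    }
    END { exit (found ? 1 : 0) }
  '
}

# fix_command: read the same listing on stdin and print the command that
# removes all system:anyuser rights from the listed directory (the page's
# own remediation for a private directory). Prints nothing if not exposed.
fix_command() {
  awk '
    /^Access list for / { dir = $4 }
    /^Negative rights:/ { neg = 1; next }
    neg == 0 && $1 == "system:anyuser" {
      rights = $2
      gsub(/l/, "", rights)
      if (rights != "") print "fs sa " dir " system:anyuser none"
    }
  '
}

# Stand-alone usage: report on the constructed sample.
printf '%s\n' "$SAMPLE_ACL" | anyuser_exposure || printf '%s\n' "$SAMPLE_ACL" | fix_command
```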
AFS calculates file access based on two factors: the ACL (access control list) entries of the given directory, and the Unix owner mode bits.
Users can use the Unix chmod command to set mode bits on their directories and files -- remember, AFS cares only about the owner bits. The user must have write (w) and lookup (l) rights on a directory to change the mode bits of a file in that directory.
How to give web.njit.edu write permission in your public_html directory
In order for directories in a user's home directory tree, or anywhere else under /afs, to be written into using PHP or CGI scripts running on the web servers on web.njit.edu, permission to do so has to be given to the user under which that Web server runs. This user is "http".
For example, to allow http to write into the "public_html/some.dir" directory in a user's home directory, the user should enter the following command:
fs setacl ~/public_html/some.dir http write