AFS Permissions
- AFS Permissions
- How to Set AFS Permissions
- AFS "system:anyuser" Permissions
- Reset Permissions
- Check AFS Permissions in Home Directories
- Unix Mode Access Bits
- How to give web.njit.edu write permission in your public_html directory
Seven rights are predefined by AFS: four control access to a directory and three to all of the files in a directory.
The four directory rights are:
- lookup (l)
  - use ls to list files and directories within the given directory.
  - examine the ACL (access control list) of the directory.
  - access the directory's subdirectories (which are protected by their own ACLs).
- insert (i)
  - add files to a directory, either by creating new files or copying existing files.
  - create new subdirectories.
- delete (d)
  - remove files from the directory or move files to another directory (where the user has the right to do so).
  - remove subdirectories from directories where the user has the insert right.
- administer (a) -- modify the ACL
The three rights that affect all of the files in a directory are:
- read (r) -- read file content and query file status.
- write (w) -- write file content and change the Unix permission modes.
- lock (k) -- use full-file advisory locks.
Notes:
Files:
- A single ACL (access control list) on a directory controls directory access and access to all files in the directory.
- The Unix group and world permission bits are completely ignored.
- The Unix user permission bits are the final modifiers of access to the file for any user who is permitted access by the ACL; the Unix r bit gives anyone with an ACL that contains rl the right to read the file.
- The Unix user w bit gives anyone with an ACL that contains wl the right to write to a file; without the Unix w bit set, no one may write to a file.
- The Unix user x bit gives anyone with an ACL that contains rl the right to execute a file; without the Unix x bit set, no one may execute a file.
Directories:
- For directories, all nine Unix permission bits, as well as the owner and group name, are completely ignored; only the four AFS ACL rights (lida) are used.
How to Set AFS Permissions
A user can set any AFS permissions:
- anywhere in his/her login directory tree
- anywhere in the directory tree of a directory he/she has created
The syntax to set AFS permissions is:
fs setacl <directory> <username> <perms>
To set permissions in the working directory:
fs sa . <username> <perms>
sa is shorthand for setacl
username is any user with an account in the AFS system, or one of the special users such as system:anyuser.
The AFS permissions that can be set are:
- read (r) : read file content and query file status
- lookup (l) : list the contents of a directory
- insert (i) : add files or subdirectories to a directory
- delete (d) : delete entries from a directory
- write (w) : write file content and change Unix permission modes
- lock (k) : use full-file advisory locks
- administer (a) : modify the ACL (access control list)
The following are shortcuts:
- all : gives all rights - rlidwka
- write : gives rlidwk rights
- read : gives rl rights
- none : removes all rights
Examples:
fs sa ~/public_html abc89 rlid
- gives user abc89 rlid rights in your public_html directory.
fs sa . system:anyuser rl
- gives the user system:anyuser rl rights in the current directory.
fs sa ~ system:anyuser rl
- gives the user system:anyuser rl rights in your login directory.
fs sa ~/public_html abc1234 none
- removes all rights for user "abc1234" in your public_html directory.
To see what permissions are in effect in a directory:
fs listacl <path_to_directory>
or
fs la <path_to_directory>
Examples:
List the permissions in the current directory:
fs la
List the permissions in your login directory:
fs la ~
List the permissions in your public_html directory:
fs la ~/public_html
AFS "system:anyuser" Permissions
The AFS permission in a directory, system:anyuser rl, permits any user who is logged in to an NJIT AFS'd machine to look at (read) any file in that directory (provided that user has at least l permission on every directory in the path up to the directory in question).
To see the AFS permissions on a directory: fs la <dir_name>
To keep everyone from reading files in a directory, create a private directory anywhere in your login directory tree, including your login directory (~) itself: mkdir priv.stuff (priv.stuff can be any name)
fs sa priv.stuff system:anyuser none
When the above is done, no file in priv.stuff can be read by anyone but the owner of priv.stuff -- i.e., you.
Note: If you have given other users access to directories in your account, make sure that they do not have rights in priv.stuff (fs la priv.stuff will show who has rights there). Remove rights for other users with fs sa priv.stuff <other_user> none
Reset Permissions
To reset AFS permissions in an entire directory tree, the following program can be used:
/usr/ucs/bin/set.afs.perms.recur
Check AFS Permissions in Home Directories
Users sometimes inadvertently set AFS permissions in directories in their AFS account that allow anyone logged into an NJIT AFS client machine to read (and copy) any file in those directories.
Users can check and set the permissions in any directory in their account using the AFS "fs" command (see How to Set AFS Permissions).
Some users may find using a program to check and set AFS permissions easier than the "fs" command. The following program is available to do that: /usr/ucs/bin/check.afs.perms.ksh
This program deals only with the user's home directory (not any of its subdirectories), and can do only a small subset of what the "fs" command can do. It can be run from any Unix/Linux AFS client.
Unix Mode Access Bits
AFS calculates file access based on two factors: the ACL (access control list) entries of the given directory, and the Unix owner mode bits.
- ACL entries: A user may access a file only according to the ACL that user possesses in that directory, either as the user directly, or as a member of an AFS group. If the owner bits on a file or directory forbid a specific type of access (e.g., write to the file, execute the file), no one may access the file in that way no matter what their ACL access rights are.
- Unix owner mode bits: AFS ignores the group and other mode bits, and looks only at the owner mode bits.
- A user with appropriate AFS rights can read a file only if the Unix owner "r" bit is turned on.
- A user with appropriate AFS rights can write to a file only if the Unix owner "w" bit is turned on.
- A user with appropriate AFS rights can execute a file only if the Unix owner "x" bit is turned on.
Users can use the Unix chmod command to set mode bits on their directories and files -- remember, AFS cares only about the owner bits. The user must have write (w) and lookup (l) rights on a directory to change the mode bits of a file in that directory.
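The access decision described in the last two sections, as an added example that is not part of this page or of AFS itself: it parses constructed `fs listacl` output, flags the system:anyuser exposure the check section warns about, and combines the ACL rights with a file's owner mode bits the way the rules above describe. The cell path in the sample is made up; `http` carries the `write` shortcut from the web.njit.edu section.

```python
import stat

# AFS rights letters in canonical order; `fs setacl` also accepts these shortcuts.
ALL_RIGHTS = "rlidwka"
SHORTCUTS = {"all": "rlidwka", "write": "rlidwk", "read": "rl", "none": ""}

# Constructed sample of `fs listacl` output (made-up cell path; principals from this page).
SAMPLE_LISTACL = """\
Access list for /afs/example.cell/u/abc89/public_html is
Normal rights:
  system:administrators rlidwka
  abc89 rlidwka
  system:anyuser rl
  http rlidwk
"""

def expand_rights(spec):
    """Expand a shortcut (all/write/read/none) or normalise a rights string."""
    if spec in SHORTCUTS:
        return SHORTCUTS[spec]
    if not set(spec) <= set(ALL_RIGHTS):
        raise ValueError(f"unknown AFS right in {spec!r}")
    return "".join(c for c in ALL_RIGHTS if c in spec)

def parse_listacl(text):
    """Parse `fs listacl` output into {principal: rights} (Normal rights only)."""
    acl, in_normal = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("rights:"):           # section header, e.g. "Negative rights:"
            in_normal = line == "Normal rights:"
        elif in_normal and line:
            principal, rights = line.split()
            acl[principal] = expand_rights(rights)
    return acl

def world_readable(acl):
    """The exposure the check section warns about: system:anyuser holds both r and l."""
    return {"r", "l"} <= set(acl.get("system:anyuser", ""))

def effective_access(acl, principal, owner_mode):
    """Operations `principal` may perform on a file in this directory, given the
    file's Unix owner bits; AFS ignores the group and other bits entirely."""
    rights = set(acl.get("system:anyuser", "")) | set(acl.get(principal, ""))
    if "l" not in rights:                      # no lookup: nothing here is reachable
        return set()
    checks = {"read": ("r", stat.S_IRUSR), "execute": ("r", stat.S_IXUSR),
              "write": ("w", stat.S_IWUSR)}
    return {op for op, (right, bit) in checks.items()
            if right in rights and owner_mode & bit}
```

Note that a 0600 file in a directory where system:anyuser has rl is still readable by everyone, because only the owner bits count.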
How to give web.njit.edu write permission in your public_html directory
In order for directories in a user's home directory tree, or anywhere else under /afs, to be written into using PHP or CGI scripts running on the web servers on web.njit.edu, permission to do so has to be given to the user under which that Web server runs. This user is "http".
For example, to allow http to write into the "public_html/some.dir" directory in a user's home directory, the user should enter the following command:
fs setacl ~/public_html/some.dir http write