Share Files via AFS

There are situations where user A wishes to give other users, or one or more groups of other users, access to directories in A's AFS account. This is usually done so that other users can look at, or copy files from, A's account.

To accomplish this, A must explicitly grant the other users the necessary permissions in each directory to which access is being granted. To do this, A must have AFS "administer (a)" rights in those directories, which is the case by default in every directory in A's home directory. More information is available at the IST AFS Permissions Page.

  • All operations noted below must be done on an AFS client machine.
  • Note that these procedures work because AFS is a single name-space to which all AFS clients have access.

Grant permissions to a single user

Check that the target user, say abc123, is a valid AFS user, by running user (/usr/ucs/bin/user):

user abc123

Grant the user the desired permissions in the target directory, using the fs command (/usr/afsws/bin/fs, except for Linux, where it is /usr/bin/fs). If the target directory is in your login directory tree ("~" is shorthand that the shell recognizes as your login, or home, directory), and you wish to grant "rl" permissions, do this:

fs sa ~/<path.to.directory> abc123 rl

If directories already exist below ~/<path.to.directory>, the previous command does not give abc123 access to them. Directories created in ~/<path.to.directory> after the previous command is run will give abc123 rl permissions, since new directories inherit the permissions of their parent directory.

For the permissions in ~/<path.to.directory> to be usable, the user must also have at least "l (lookup)" permission in every directory on the path leading to ~/<path.to.directory>. This means that you will have to issue the command, fs sa ~/<dir> abc123 l, for each directory (including ~) from ~ to the one immediately above the target directory.

At this point, abc123 has rl permissions in ~/<path.to.directory>.
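
The single-user steps above, collected into one script. This is an added example, not part of the original page: the names grant_path and run, the APPLY variable and the /afs/example.edu path are made up for illustration. It prints the fs commands it would issue unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original page). The cell path used below is constructed.
# Prints the fs commands by default; set APPLY=1 to run them on an AFS client.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# grant_path HOME TARGET WHO RIGHTS
# WHO is a user (abc123) or a group (me29:share1).
# The body is a subshell, so its variables stay local and "exit" only ends the function.
grant_path() (
    home=${1%/} target=${2%/} who=$3 rights=$4
    case "$target/" in
        */./*|*/../*|*//*) echo "use a plain absolute path" >&2; exit 1 ;;
    esac
    case "$target" in
        "$home"/*) ;;
        *) echo "target must be a directory below $home" >&2; exit 1 ;;
    esac
    rel=${target#"$home"/}
    dir=$home
    # Lookup (l) on ~ and on every directory above the target.
    # fs sa replaces WHO's existing entry on a directory, so review the
    # printed plan before applying if WHO already has rights there.
    while :; do
        run fs sa "$dir" "$who" l
        case "$rel" in
            */*) dir=$dir/${rel%%/*}; rel=${rel#*/} ;;
            *)   break ;;
        esac
    done
    run fs sa "$target" "$who" "$rights"   # the rights actually being shared
    run fs la "$target"                    # list the resulting ACL for review
)

# Constructed sample: share ~/proj/data with abc123, read and lookup only.
grant_path /afs/example.edu/user/me29 /afs/example.edu/user/me29/proj/data abc123 rl
```

The l right lets abc123 list the names of files and subdirectories in ~ and in each intermediate directory, so check what those directories contain before applying the plan.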

To undo permissions granted in the above steps, the simplest method is to run the program set.afs.perms.recur (/usr/ucs/bin/set.afs.perms.recur). When you run this program, make the appropriate selections to give abc123 the permissions "none" in the desired directories.

Grant permissions to several users

It is usually inconvenient to use the procedure for a single user multiple times when you wish to grant access to a directory or directories to several users. Instead, you can create an AFS group, add the desired users to that group, and give that group permissions in the target directory.

The command to create a group is:

pts creategroup <your.ucid>:<group.name>

<your.ucid> must be your UCID. pts is /usr/afsws/bin/pts, except for Linux, where it is /usr/bin/pts.

Example:

If your UCID is me29, and you want to create a group called "share1":

pts creategroup me29:share1

To add a member to a group:

pts adduser <ucid> <your.ucid>:<group.name>

To add multiple members to a group:

pts adduser -user <ucid1> <ucid2> .. <ucidN> -group <your.ucid>:<group.name>

Once a group is created it can be assigned permissions in a directory in exactly the same manner as is done for a single user. Likewise, those permissions can be removed in the same manner as for a single user.

To remove a user from a group:

pts removeuser <ucid> <your.ucid>:<group.name>

To remove multiple members from a group:

pts removeuser -user <ucid1> <ucid2> .. <ucidN> -group <your.ucid>:<group.name>

Last Updated: June 29, 2017