Server racks with light on

Dept of Computer Science

Technical Staff

How do I control access to my AFS files?

Last updated: July 31st, 2013 04:42 PM

Access to individual directories in your home directory by you and other users is managed under AFS by way of Access Control Lists (ACLs). ACLs are maintained for each directory in your volume and are under your control. Directories in your volume are still created with the UNIX "mkdir" command, but access is controlled via AFS. The ACL for a newly created directory inherits the ACL of the parent directory.

An ACL has two parts: a user or group name and the access control rights. The user/group name and the "rights" are separated by a space. The seven access rights are indicated by letters or, alternatively, one of four "shorthand" words used to represent more frequently used subsets of these rights:

Access Control Rights
                Shorthand Notation
r: read d: delete
                read = rl
l: lookup w: write
                write = rlidwk
i: insert k: lock
                all = rlidwka
a: administer
                none = removes entry

The AFS command used to set and modify ACLs is the "fs" command. Limited help is available on the man page for this command. A synopsis of these commands may be displayed by typing "fs -help", "fs listacl -help", and "fs setacl -help".

EXAMPLES:

  1. List ACL for current working directory:
                    fs listacl
  2. List ACL for the directory dir:
                    fs listacl dir
  3. Give user john all rights to dir:
                    fs setacl dir john all
  4. Revoke all rights to group system:anyuser (The following command should be used when creating a new mail directory.):
                    fs setacl Mail system:anyuser none
  5. Provide user john with write access and user jane with read access to all files in the current working directory:
                    fs setacl . john write jane read (or fs setacl . john rlidwk jane rl)