File protections under AFS

AFS offers considerably more flexibility in directory protections than regular UNIX. Unfortunately, though, protections currently can be set on files only in a limited way. Protections in AFS are enforced with access control lists instead of with bit fields as in regular UNIX. This means that in AFS it is possible, for example, to give one set of users read access to a directory, one set of users write access, and another set no access at all.

There are seven types of access that can be granted:

Read (r): Read access on a directory implies permission to read the contents of all the files in that directory. It has no implications about access to subdirectories.
Lookup (l): With lookup access on a directory, it is possible to look at the directory's access control list and to list the contents of the directory (i.e., what files and directories are in it). It does not imply read access to the files. If you do not have lookup access to a directory, no other form of access can be used.
Insert (i): Insert access on a directory implies permission to create files or subdirectories in the directory. It does not imply the ability to modify the files that are created, however. Insert access without write access is useful mainly for the case when you want to allow someone to create subdirectories in a given directory but not to modify files that are already there.
Delete (d): Delete access on a directory implies the ability to remove files or empty subdirectories from the directory. Like insert, delete access does not imply write access.
Write (w): Write access on a directory grants permission to modify files and subdirectories within a directory. It implies neither insert nor delete access to the directory.
Lock (k): A user with lock access on a directory can put advisory locks on files within the directory. This is typically useful only to applications programmers.
Administer (a): With administer access on a directory, it is possible to change the access control list of the directory. Administer access does not imply any other kind of access, and like all other types, is useless without lookup access. Administer access, contrary to some people's intuition, cannot be "forced" onto subdirectories. It applies only to the directory on which it is set, not to that directory's subdirectories.

In addition, the user portion of a file's UNIX mode bits (described in the File Protections section of this document) applies to all users, not just the owner of the file. That means that if a file's user mode bits show the file to be unreadable, the file will not be readable by anyone regardless of the access control list set on its parent directory. Likewise, if the user mode bits are set to give read, write, and execute access, then access to the file is determined completely by the AFS access control list on the directory. The group and other bits, as well as the UNIX group of the file, are currently ignored in AFS. If you didn't understand that, ignore it.

The owner of a volume has automatic administer access to all directories in the volume. The owner of a directory has automatic administer rights to that directory.

Access can be granted to individual users or to groups. There are two special groups: system:anyuser and system:authuser. system:anyuser means all users whether or not they are known to the cell. system:authuser means any user who is registered with the cell and has been authenticated (i.e., anyone who has told AFS who they are).

Other groups can be one of two types: system groups or user groups. System groups have names that start with system:. They are controlled by the system administrators. User groups start with <user>:, where <user> is the name of the user who created the group. It is possible for any user to create his or her own groups in AFS. Information about how to do this appears below.

An access control list on a directory contains a list of users and groups and the operations they are allowed to perform. To find out what the access control list on a directory is, you can use the command fs listacl <directory>, where <directory> is the name of the directory you are interested in. Note that fs la is short for fs listacl.

For example:
athena% attach sipb
sipb: AFS mounted /afs/sipb.mit.edu/project/sipb on /mit/sipb (read-only)
athena% fs la /mit/sipb
Access list for /mit/sipb is
Normal rights:
  system:gsipbbin rlidwka
  system:anyuser rl

This means that members of the system-controlled group system:gsipbbin have full access to /mit/sipb and all other users have read and lookup access only.

Here is another example:
athena% attach qjb
qjb: AFS mounted /afs/sipb.mit.edu/user/qjb on /mit/qjb (read-write)
athena% fs la /mit/qjb
Access list for /mit/qjb is
Normal rights:
  qjb:plorq rla
  qjb:all rlidwka
  system:anyuser rl

This means that the user-controlled group qjb:all has all access to /mit/qjb, the user-controlled group qjb:plorq has read, lookup, and administer access to /mit/qjb, and everyone else has read and lookup access only.
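The following Python program is an added example (not part of the original document, and not code from AFS or Athena) that ties the rules above together: it parses the "fs la /mit/qjb" output shown in the second example and then works out what a given user can actually do, applying the rules that lookup gates every other right, that system:anyuser matches everyone and system:authuser matches any authenticated user, and that the owner bits of a file's UNIX mode apply to every user. The group memberships, user names, file modes and the embedded "fs la" text are constructed for illustration; in a real cell the membership information would come from the pts command rather than a dictionary.

```python
"""Added example: parse `fs listacl` output and evaluate effective AFS access.

Rules encoded here come from the page above: lookup (l) gates every other
right, system:anyuser matches everyone, system:authuser matches any
authenticated user, and a file's owner mode bits apply to every user.
Group memberships and the sample input below are constructed.
"""
import stat

RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer

# Constructed: the `fs la /mit/qjb` output shown in the page's second example.
SAMPLE_FS_LA = """Access list for /mit/qjb is
Normal rights:
  qjb:plorq rla
  qjb:all rlidwka
  system:anyuser rl
"""


def parse_fs_la(text):
    """Return {principal: set(rights)} from `fs listacl` output.

    Only the "Normal rights:" section is read; any other section (such as
    negative rights, which this page does not describe) is skipped.
    """
    acl = {}
    in_normal = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Normal rights:":
            in_normal = True
            continue
        if stripped.endswith("rights:"):  # start of some other section
            in_normal = False
            continue
        if in_normal and stripped:
            principal, rights = stripped.split()
            unknown = set(rights) - set(RIGHTS)
            if unknown:
                raise ValueError(f"unknown right(s) {sorted(unknown)} for {principal}")
            acl[principal] = set(rights)
    return acl


def directory_rights(acl, user, memberships, authenticated=True):
    """Rights `user` holds on a directory whose ACL is `acl`.

    `memberships` maps a user name to the set of groups that user belongs to
    (constructed here; `pts membership` would supply it in a real cell).
    Rights from every matching entry are combined, and nothing at all is
    granted unless lookup is among them.
    """
    granted = set(acl.get("system:anyuser", set()))
    if authenticated:
        granted |= acl.get("system:authuser", set())
    for group in memberships.get(user, set()):
        granted |= acl.get(group, set())
    granted |= acl.get(user, set())  # an entry naming the user directly
    if "l" not in granted:
        return set()  # without lookup no other form of access can be used
    return granted


def effective_file_rights(dir_rights, file_mode):
    """Combine directory ACL rights with a file's UNIX mode bits.

    Only the owner (user) bits matter, and they apply to every user: a file
    whose owner read bit is clear is unreadable by anyone, however generous
    the directory ACL, and a clear owner write bit likewise blocks writing.
    """
    effective = set(dir_rights)
    if not file_mode & stat.S_IRUSR:
        effective.discard("r")
    if not file_mode & stat.S_IWUSR:
        effective.discard("w")
    return effective


if __name__ == "__main__":
    acl = parse_fs_la(SAMPLE_FS_LA)
    # Constructed memberships: qjb is in qjb:all, alice is in qjb:plorq.
    members = {"qjb": {"qjb:all"}, "alice": {"qjb:plorq"}}
    for user in ("qjb", "alice", "bob"):
        on_dir = directory_rights(acl, user, members)
        on_file = effective_file_rights(on_dir, 0o400)  # owner read-only file
        print(f"{user}: directory={''.join(sorted(on_dir))} "
              f"file(0400)={''.join(sorted(on_file))}")
```

Running it shows qjb with all seven rights on the directory but no write right on the mode-0400 file, alice with r, l and a, and an unlisted user with r and l only; replacing system:anyuser's "rl" with "r" alone would leave everyone outside the two groups with nothing, because lookup is the precondition for every other right.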

Luke Faraone 2012-01-11