AFS offers considerably more flexibility in directory protections than regular UNIX. Unfortunately, though, protections currently can be set on files only in a limited way. Protections in AFS are enforced with access control lists instead of with bit fields as in regular UNIX. This means that in AFS it is possible, for example, to give one set of users read access to a directory, one set of users write access, and another set no access at all.
There are seven types of access that can be granted:
In addition, the user portion of a files UNIX mode bits (described in the File Protections section of this document) apply to all users, not just the owner of a file. That means that if a file's user mode bits show the file to be unreadable, the file will not be readable by anyone regardless of the access control list set on its parent directory. Likewise, if the user mode bits are set to give read, write, and execute access, then access to the file is determined completely by the AFS access control list on the directory. The group and other bits as well as the UNIX group of the file are currently ignored in AFS. If you didn't understand that, ignore it.
The owner of a volume has automatic administer access to all directories in the volume. The owner of a directory has automatic administer rights to that directory.
Access can be granted to individual users or to groups. There are two special groups: system:anyuser and system:authuser. system:anyuser means all users whether or not they are known to the cell. system:authuser means any user who is registered with the cell and has been authenticated (i.e., anyone who has told AFS who they are).
Other groups can be one of two types: system groups or user groups. System groups have names that start with system:. They are controlled by the system administrators. User groups start with user:, where user is the name of the user who created the group. It is possible for any user to create his or her own groups in AFS. Information about how to do this appears below.
An access control list on a directory contains a list of users and groups and the operations they are allowed to perform. To find out what the access control list on a directory is, you can use the command fs listacl <directory> where directory is the name of the directory you are interested in. Note that fs la is short for fs listacl.
athena% attach sipb sipb: AFS mounted /afs/sipb.mit.edu/project/sipb on /mit/sipb (read-only) athena% fs la /mit/sipb Access list for /mit/sipb is Normal rights: system:gsipbbin rlidwka system:anyuser rl
This means that members of the system-controlled group system:gsipbbin have full access to /mit/sipb and all other users have read and lookup access only.
athena% attach qjb qjb: AFS mounted /afs/sipb.mit.edu/user/qjb on /mit/qjb (read-write) athena% fs la /mit/qjb Access list for /mit/qjb is Normal rights: qjb:plorq rla qjb:all rlidwka system:anyuser rl
This means that the user-controlled group qjb:all has all access to /mit/qjb, the user-controlled group qjb:plorq has read, lookup, and administer access to /mit/qjb, and everyone else has read and lookup access only.
Luke Faraone 2012-01-11