Chapter�4.�Protecting Your Directories and Files

Table of Contents

Access Control Lists
Directory Level Access Control
The AFS ACL Permissions
The Four Directory Permissions
The Three File Permissions
The Eight Auxiliary Permissions
Shorthand Notation for Sets of Permissions
About Normal and Negative Permissions
Setting DFS ACLs
Dropbox Permissions
Using the System Groups on ACLs
Enabling Access to Subdirectories
Extending Access to Service Processes
Extending Access to Users from Foreign Cells
Displaying an ACL
To display an ACL
Example: Displaying the ACL on One Directory
Example: Displaying the ACLs on Multiple Directories
Changing an ACL
To Add, Remove, or Edit Normal ACL Permissions
Example: Adding a Single ACL Entry
Example: Setting Several ACL Entries on One Directory
To Add, Remove, or Edit Negative ACL Permissions
Example: Setting an Entry in the Negative Permissions Section
Example: Restoring Access by Removing an Entry from the Negative Permissions Section
Completely Replacing an ACL
To Replace an ACL Completely
Example: Replacing an ACL
Copying ACLs Between Directories
To Copy an ACL Between Directories
Example: Copying an ACL from One Directory to Another
How AFS Uses the UNIX Mode Bits
Example: Disabling Write Access for a File

This chapter explains how to protect AFS files and directories by defining permissions on an access control list.

Access Control Lists

AFS augments and refines the standard UNIX scheme for controlling access to files and directories. Instead of using mode bits to define access permissions for individual files, as UNIX does, AFS stores an access control list (ACL) with each directory. It defines which users and groups can access the directory and the files it contains, and in what manner. An ACL can store up to about 20 entries, each of which pairs a user or group and a set of permissions. AFS defines seven permissions rather than the three that UNIX uses.

Another refinement to the standard UNIX protection scheme is that users can define their own protection groups and then place the groups on ACLs as though they were individual users. A group can include both users and machines. Each user who belongs to a group inherits all of the permissions granted to the group on the ACL. Similarly, all users who are logged into a machine that belongs to a group inherits all of the permissions granted to the group. You can create groups to place on ACLs and also use groups that other users have created. To learn more about group creation, see Using Groups.

In addition, AFS defines two system groups called system:anyuser and system:authuser. By placing them on ACLs, you can grant access to large numbers of users at once. See Using the System Groups on ACLs.

Although AFS uses ACLs to protect files and directories, it also uses the UNIX mode bits to a limited extent. See How AFS Uses the UNIX Mode Bits.

Directory Level Access Control

As noted, AFS associates an ACL with each directory, and it applies to all of the files stored in the directory. Files do not have separate ACLs. Defining access at the directory level has several consequences:

  • The permissions on a directory's ACL apply to all of the files in the directory. When you move a file to a different directory, you effectively change its permissions to those on its new directory's ACL. Changing a directory's ACL changes the protection on all the files in it.

  • When you create a subdirectory, it inherits the current ACL of its parent directory. You can then set the subdirectory's ACL to be different from its parent's. However, do not make the ACL on the parent directory more restrictive than on a subdirectory, because that can prevent users from accessing the subdirectory even when they have the necessary permissions on its ACL. Specifically, a user must have the l (lookup) permission (defined in The AFS ACL Permissions) on the parent directory to reach its subdirectories.

As a general rule, it makes sense to grant fairly liberal access to your home directory. If you need to protect certain files more closely, place them in subdirectories that have more restrictive ACLs.