Allowing Access to Files in AFS
There are two situations in which you will need to grant access to files:
- When other users are working with shared files in your Home directory in AFS.
- When you have administrative control over another AFS directory
The first level of security for your own files and those to which you have been granted administrative access is your Unity password. Be sure to safeguard it and change it regularly. For more on this important topic, see Unity Credentials.
Access control list (ACL)
NC State's AFS software protects files by providing an access control list (ACL) for each directory. It is good practice, especially in your Home directory in AFS, to create a new subdirectory and place in it those files to which you want to grant access. You can then create an ACL for that subdirectory, granting each user a tailored combination of privileges to provide only the access needed. This prevents access to the other files in the main directory.
An ACL can contain a maximum of 20 entries. If you need to make a directory accessible to 20 or fewer users, then you can add them to the directory's ACL as individuals. However, you can also add groups to an ACL. To create and manage groups of users, see the PTS Group page.
Directory access versus file access
Keep in mind that:
- All access privileges offer protection at the directory level only, not at the file level, even though some privileges (listed below) allow direct manipulation of files.
- You can interact with a file only if you can access the directory containing it.
- Whatever directory access privileges you grant to an individual or group will apply to every file in that directory.
There are seven access privileges, which can be divided into two groups — those that apply to the directory itself and those that apply to files within the directory.
- lookup (l) - Allows listing and examining the directory, and accessing subdirectories within it. You must have lookup privileges in order for the other privileges to work properly.
- insert (i) - Allows adding files to the directory (creating new files or copying or moving existing files into it).
- delete (d) - Allows removing or moving files and subdirectories within the directory.
- administer (a) - Allows changing the directory's ACL.
- read (r) - Allows reading (looking at but not changing) the contents of the directory's files.
- write (w) - Allows writing (modifying, including deleting) the contents of any file in the directory.
- lock (k) - Allows running programs that need to lock files in the directory.
Listing Access Privileges
- From a Unix or Linux command line, change to the directory whose ACL you want to list by typing: cd path
where path is the full AFS path to the directory. Example: cd /afs/unity.ncsu.edu/www/ncsu/dept1/OIT_work/
You may need to obtain this path from the information technology personnel in your office or department.
- To see the ACL for that directory, type: fs la .
The dot in this command refers to the current directory. For example, if you were user jddoe and you were in your Home directory in AFS, you would get a message similar to this:
[sparc03]...jddoe>fs la .
Access list for . is
In this example, only jddoe and the Unity system administrators can access this directory, and each has full privileges.
NOTE: Be careful not to change either the system administrator privileges or your own administrative privileges for a directory. Otherwise, you may not be able to access your files.
Setting Access Privileges
- Make sure that you have administrative privileges for every directory whose ACL you'll need to modify. You automatically have them for your Home directory in AFS, and you will need to obtain them for each of the others.
- From a Unix or Linux command line, change to the directory by typing: cd path
where path is the full AFS path to the directory. You may need to obtain this path from the information technology personnel in your office or department. Example: cd /afs/unity.ncsu.edu/www/ncsu/dept1/OIT_work/
- Once you are in the desired directory, type the following command, making the two replacements indicated (the dot in this command refers to the current directory):
fs sa . userid privileges
Replace userid with the Unity ID of the person or the designation of the PTS group whose privileges you wish to change.
Replace privileges with the letter(s) representing the specific privilege(s) you wish to give the user.
NOTE: To access any subdirectory a user must have at least "lookup" access to all the directories that contain it.
To allow the individual user ksmith to "read" and "list" the files in the directory (but not write to them):
fs sa . ksmith rl
To allow the PTS group named econweb:study1 to "read" and "list" the files in the directory as well as modify them ("write"):
fs sa . econweb:study1 rlw
To allow anyone "read" and "lookup" access to the directory:
fs sa . system:anyuser rl
- To verify the changes you have made, use the fs la . command (see above).
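An added example, not part of the original page or of NC State's own documentation: a shell function that reads the output of fs la and flags entries that give more than the page recommends, such as system:anyuser holding anything beyond read and lookup, administer granted to someone other than the directory owner or the system:administrators group, or insert/delete/write granted without lookup. The sample ACL is constructed, and the owner name jddoe is an assumption; on a real system you would pipe fs la . into the function.

```shell
#!/bin/sh
# Added example (not from the original page): audit an AFS directory ACL as
# printed by "fs la" for entries that grant more than intended.
# Constructed sample output; on a real system pipe "fs la ." into audit_acl.
SAMPLE_ACL='Access list for . is
Normal rights:
  system:administrators rlidwka
  jddoe rlidwka
  system:anyuser rlw
  econweb:study1 rl
  bsmith w
Negative rights:
  ksmith rl'

# audit_acl OWNER: reads "fs la" output on stdin, prints one finding per line.
# Exit status 0 when nothing was flagged, 1 otherwise.
audit_acl() {
  awk -v owner="$1" '
    /^Normal rights:/   { section = "normal"; next }
    /^Negative rights:/ { section = "negative"; next }
    section != "normal" || NF != 2 { next }   # skip header and negative entries
    {
      who = $1; rights = $2
      # Anyone-readable is common for web directories, but system:anyuser
      # must not hold insert, delete, write, administer or lock.
      if (who == "system:anyuser" && rights ~ /[idwak]/) {
        print "RISK " who " has " rights " (anyone can change files or the ACL)"
        found = 1
      }
      # administer (a) lets the holder rewrite the ACL, so only the owner and
      # the system:administrators group are expected to have it (assumption).
      if (rights ~ /a/ && who != owner && who != "system:administrators") {
        print "WARN " who " can administer this directory (" rights ")"
        found = 1
      }
      # insert/delete/write without lookup (l) never works; usually a typo.
      if (rights ~ /[idw]/ && rights !~ /l/) {
        print "WARN " who " has " rights " but no lookup, so it is ineffective"
        found = 1
      }
    }
    END { if (found) exit 1; exit 0 }
  '
}

# Run the audit on the constructed sample for the directory owner jddoe.
if printf '%s\n' "$SAMPLE_ACL" | audit_acl jddoe; then
  echo "ACL is clean"
else
  echo "ACL needs review"
fi
```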
Removing Access Privileges
To remove an individual user or group from an ACL:
- From a Unix or Linux command line, change to the directory whose ACL you need to modify by typing: cd path
where path is the full AFS path to the directory. You may need to obtain this path from the information technology personnel in your office or department.
Example: cd /afs/unity.ncsu.edu/www/ncsu/dept1/OIT_work/
- Once you are in the desired directory, type the following command, making the indicated replacement (the dot in this command refers to the current directory):
fs sa . userid none
Replace userid with the Unity ID of the person or the designation of the PTS group whose privileges you wish to change.
Example: To remove all access privileges to the directory for the PTS group named econweb:study1:
fs sa . econweb:study1 none
- To verify the changes you have made, use the fs la . command, as indicated in Listing Access Privileges (above).