 NC State University  College of Engineering

 
AFS Permissions
   
 
         
 


fs Summary

Display the access control list (ACL) of the current directory:
fs la

Set user access to a directory:
fs sa dir userid access

Show directory quota:
fs lq dir

Locate user volume:
fs whereis

Help on fs commands:
fs help

   

You set permissions for directory access in the access control list (ACL), which lists the rights that users and groups have to use the files in that directory, specifically, r Read, l Look, i Insert, d Delete, w Write, k Lock, and a Administer. The owner of a directory (and anyone who has administer rights) can set and manipulate the ACLs for a directory.

Access  Meaning
r       read (and copy) the contents of files in the directory.
l       look to list (ls) directory and look at the ACL. You must have l access to use other access rights, e.g., to read you must have rl.
i       insert files or subdirectories (create new files, move existing ones).
d       delete files or subdirectories from the directory.
w       write or edit the contents of files in the directory.
k       lock. Sets an advisory lock on a file.
a       administer to change access in the ACL. Owner has administer rights.

Aliases have also been set up for common levels of access, i.e., read, write and administer. These can be used in place of the letter abbreviations.

Alias   Access    Meaning
read    rl        read and look
write   rlidwk    all rights but administer
all     rlidwka   full administrative rights
none              remove all rights

Once again, individual files do not have access permissions associated with them. Using a file depends on the permissions that have been set for the directory the file is in. As a result, if a file is moved to a directory where the access permissions are different, the file will inherit those new settings.

Listing ACL Permissions

There are two general types of AFS commands: file server (fs) commands and directory protection (pts) commands (see AFS PTS Groups). To look at the access rights on your home directory (type cd to return to your home directory), type the file server command fs la (file server list acl). By default, this command shows you the access control list for the current (.) directory, e.g.,

eos% fs la
Access list for . is
Normal rights:
system:administrators rlidwka
mcdaniel rlidwka

or
fs la path-to-directory

The output above tells you that the system administrators pts group has full rights to administer your directory, just as you do as the individual owner of the directory (your username would replace mcdaniel): r Read, l Look, i Insert, d Delete, w Write, k Lock, and a Administer. Only you and the system administrators are allowed to change these settings.

Few people have system administrator privileges, and they are carefully screened, full-time employees of the university computing staff. It is necessary for them to have access in order to assist you if you have problems with your account. It is not a good idea to change or remove the administrators' permissions on your directories, although you can.
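
Added example (not part of the original guide): a Python script that parses fs la output like the listing above and reports what each principal outside a trusted set can do, using the rights and alias tables on this page. The sample listing extends the page's output with two constructed entries (joeuser and a hypothetical labpartner), and the function names are this example's own.

```python
import re

# Alias table from this page, reversed: set of rights letters -> alias name.
ALIAS_OF = {frozenset("rl"): "read", frozenset("rlidwk"): "write",
            frozenset("rlidwka"): "all"}

def parse_fs_la(text):
    """Parse `fs la` output into {directory: {principal: frozenset(rights)}}."""
    acls, entries, section = {}, None, None
    for line in map(str.strip, text.splitlines()):
        header = re.match(r"Access list for (.+) is$", line)
        if header:
            entries, section = acls.setdefault(header.group(1), {}), None
        elif line.endswith(":"):
            section = line  # only "Normal rights:" (as shown on this page) is read
        elif line and entries is not None and section == "Normal rights:":
            principal, rights = line.rsplit(None, 1)
            if not set(rights) <= set("rlidwka"):
                raise ValueError(f"unexpected rights {rights!r} for {principal}")
            entries[principal] = frozenset(rights)
    return acls

def audit(acls, trusted):
    """Return (directory, principal, level, note) for each principal not in `trusted`."""
    findings = []
    for directory, entries in acls.items():
        for who, rights in entries.items():
            if who in trusted:
                continue
            level = ALIAS_OF.get(rights, "".join(sorted(rights)))
            note = ("no l: per this page the other rights will not work"
                    if "l" not in rights
                    else "can change this ACL" if "a" in rights
                    else "can create, delete or edit files" if rights & set("idw")
                    else "read-only")
            findings.append((directory, who, level, note))
    return findings

# Constructed sample: the page's listing plus two hypothetical grants.
SAMPLE = """Access list for . is
Normal rights:
  system:administrators rlidwka
  mcdaniel rlidwka
  joeuser rlidwk
  labpartner r
"""

if __name__ == "__main__":
    for row in audit(parse_fs_la(SAMPLE), {"system:administrators", "mcdaniel"}):
        print(*row, sep="\t")
```
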

Setting ACL Permissions

To grant someone access to a directory of yours, you must set access to it with the fs sa command (file server set acl):

fs sa directory userid access

where directory is the name or path to the directory to which access is being granted, userid is the login name of the person to whom you are granting access, and access is the permission being granted to userid.

For example, if jqpublic wants to give joeuser "write" access to his ~/bin directory, he would type the following at the prompt, if his current working directory is ~/bin (~ is the symbol for your home directory).

fs sa . joeuser rlidwk
or
fs sa ~/bin joeuser rlidwk

Or, he could use the alias write for rlidwk:

fs sa . joeuser write
or
fs sa ~/bin joeuser write

Fewer rights can be given than these. If jqpublic wants joeuser to be able to read and copy files but nothing else, he would set rl or "read" permission on the directory (you have to grant l access before any of the other settings will work), e.g.,

fs sa . joeuser rl

Or, he could use the alias read for rl:

fs sa . joeuser read

To take away or remove these rights, jqpublic would use the command

fs sa . joeuser none

IMPORTANT! Remember that when you grant access to a directory, you also grant the same access to all new subdirectories created under it. New subdirectories inherit the ACL of the parent directory. However, already existing subdirectories do not inherit the parent directory's ACL if it is changed. As a result, existing directory ACLs must be changed one by one, or you can use the following command to change all the subdirectory ACLs at once.

find . -type d -exec fs sa {} username access >>& /dev/null \;
e.g.,
find . -type d -exec fs sa {} joeuser read >>& /dev/null \;

Reminder: All parent directories above the subdirectory to which you are granting access must have l (look) access. Nothing can happen without l in the directory above.
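
Added example, not from the original guide, in Python: because the find command above discards fs output and errors (>>& /dev/null), this checks a set of ACLs for the two conditions just described: directories on the path where the user lacks l, and existing subdirectories that still lack the new grant. The ACL snapshot, the paths under /ncsu/jqpublic and the function names are constructed for illustration, and only direct entries for the named principals are checked.

```python
import posixpath

def path_chain(target, top):
    """Return every directory from `top` down to `target`, both included."""
    target, top = posixpath.normpath(target), posixpath.normpath(top)
    if target != top and not target.startswith(top.rstrip("/") + "/"):
        raise ValueError(f"{target} is not under {top}")
    chain = [target]
    while chain[-1] != top:
        chain.append(posixpath.dirname(chain[-1]))
    return chain[::-1]

def missing_look(target, principals, acls, top):
    """Directories on the way to `target` where none of `principals` holds l."""
    return [d for d in path_chain(target, top)
            if not any("l" in acls.get(d, {}).get(p, "") for p in principals)]

def not_yet_updated(root, principal, rights, acls):
    """Existing directories at or under `root` whose entry for `principal`
    differs from `rights`, i.e. those a recursive change still has to touch."""
    prefix = posixpath.normpath(root).rstrip("/") + "/"
    return sorted(d for d, entries in acls.items()
                  if (d + "/").startswith(prefix)
                  and set(entries.get(principal, "")) != set(rights))

# Constructed ACL snapshot (directory -> {principal: rights}); all paths and
# grants are hypothetical. joeuser got "read" on proj after proj/old existed.
ACLS = {
    "/ncsu/jqpublic":          {"jqpublic": "rlidwka"},
    "/ncsu/jqpublic/proj":     {"jqpublic": "rlidwka", "joeuser": "rl"},
    "/ncsu/jqpublic/proj/old": {"jqpublic": "rlidwka"},
    "/ncsu/jqpublic/proj/new": {"jqpublic": "rlidwka", "joeuser": "rl"},
}

if __name__ == "__main__":
    print("no l for joeuser on:",
          missing_look("/ncsu/jqpublic/proj/new", {"joeuser"}, ACLS, "/ncsu/jqpublic"))
    print("still to change:",
          not_yet_updated("/ncsu/jqpublic/proj", "joeuser", "rl", ACLS))
```
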

WARNING! If you accidentally remove your own rights to your home directory (~):

fs sa ~ youruserid none

then restore them with:

attach youruserid
cd /ncsu/youruserid
fs sa . youruserid all

   

 

Information Technology and Engineering Computer Services (ITECS)
College of Engineering, North Carolina State University, Raleigh, NC 27695
Comments to eoshelp@ncsu.edu. URL: http://www.eos.ncsu.edu/


This support page is for students, faculty, and
staff at North Carolina State University.