Note: Information about files on AFS file servers is at
the bottom.
Starting the AFS Permissions Tool
To use the AFS permissions tool, enter afs-script. This
will bring up the Main menu from which you can make
choices.
Overview
Every user on a UNIX system has a unique username and is a member of at
least one group (the primary group for that user). This group information is
held in the password file (/etc/passwd). A user can also be a
member of one or more other groups. The auxiliary group information is held in
the file /etc/group. Only the administrator can create new groups or add/delete
group members (one of the shortcomings of the system).
Every directory and file on the system has an owner and an associated group.
It also has a set of permission flags that specify separate read, write, and
execute permissions for the user (owner),
group, and other (everyone else with an
account on the computer). The ls command shows the permissions
and group associated with files when used with the -l option.
On some systems (e.g., Coos), the -g option is also needed to
see the group information.
An example of the output produced by ls -l is shown
below.
drwx------ 2 richard staff  2048 Jan  2  1997 private
drwxrws--- 2 richard staff  2048 Jan  2  1997 admin
-rw-rw---- 2 richard staff 12040 Aug 20  1996 admin/userinfo
drwxr-xr-x 3 richard user   2048 May 13 09:27 public
Understanding how to read this output is useful
to all UNIX users, but especially those using group access
permissions.
Field 1: A set of ten permission flags.
Field 2: Link count (don't worry about this).
Field 3: Owner of the file.
Field 4: Associated group for the file.
Field 5: Size in bytes.
Field 6-8: Date of last modification (format varies, but there are always three
fields).
Field 9: Name of the file (possibly with path, depending on how
ls was called).
The permission flags are read as follows (left to right):

| Position | Meaning |
|---|---|
| 1 | Directory flag, d if a directory, - if a normal file; something else occasionally may appear here for special devices. |
| 2,3,4 | Read, write, and execute permission for a User (Owner) of the file. |
| 5,6,7 | Read, write, and execute permission for a Group. |
| 8,9,10 | Read, write, and execute permission for Other. |

| Value | Meaning |
|---|---|
| - | In any position, it means that flag is not set. |
| r | File is readable by the Owner, Group, or Other. |
| w | File is writeable. On a directory, write access means you can add or delete files. |
| x | File is executable (only for programs and shell scripts; not useful for data files). Execute permission on a directory means you can list the files in that directory. |
| s | An s in the place where x would normally go is the set-UID or set-groupID flag. |
On an executable program with set-UID or set-groupID, that program runs with
the effective permissions of its owner or group.
For a directory, the set-groupID flag means all files created inside that
directory will inherit the group of the directory. Without this flag, a file
takes on the primary group of the user creating the file. This property is
important to people trying to maintain a directory as group accessible. The
subdirectories also inherit the set-groupID property.
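The field list and flag tables above can be turned into a small decoder. The script below is an added example, not code from the original page: it converts the ten-character permission field into the octal mode that chmod accepts, splits an ls -l line into the fields numbered above, and flags the case the set-groupID paragraph warns about, a group-writable directory that lacks the s bit. The listing it runs over is a constructed sample modelled on the one above; the upper-case S and the sticky bit t handled in the decoder are not mentioned on the page.

```shell
#!/bin/sh
# Added example, not code from the original page: decode the ten-character
# permission field that ls -l prints. The listing at the bottom is a
# constructed sample modelled on the one in the text.

# char_at STRING N -> the Nth character of STRING (1-based)
char_at() {
    printf '%s\n' "$1" | cut -c "$2"
}

# mode_to_octal PERMSTRING -> four-digit octal mode, e.g. drwxrws--- -> 2770
# Positions 2-4 are user, 5-7 group, 8-10 other. In an execute slot, s means
# set-UID (user slot) or set-groupID (group slot) together with execute; an
# upper-case S (not shown on the page) is the set-ID bit without execute, and
# t/T in the other slot is the sticky bit.
mode_to_octal() {
    perm=$1
    special=0
    digits=""
    pos=2
    for class in u g o; do
        bits=0
        case $(char_at "$perm" "$pos") in r) bits=$((bits + 4)) ;; esac
        case $(char_at "$perm" $((pos + 1))) in w) bits=$((bits + 2)) ;; esac
        x=$(char_at "$perm" $((pos + 2)))
        case $x in x|s|t) bits=$((bits + 1)) ;; esac
        case $class$x in
            us|uS) special=$((special + 4)) ;;
            gs|gS) special=$((special + 2)) ;;
            ot|oT) special=$((special + 1)) ;;
        esac
        digits="$digits$bits"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# describe_ls_line "LS-L LINE" -> "NAME owner=OWNER group=GROUP mode=OCTAL"
# Field 1 is the mode, 3 the owner, 4 the group, 9 the name (a name containing
# spaces would be split across further fields; the sample has none).
describe_ls_line() {
    set -- $1
    printf '%s owner=%s group=%s mode=%s\n' "$9" "$3" "$4" "$(mode_to_octal "$1")"
}

# group_dir_missing_setgid PERMSTRING -> succeeds (exit 0) when PERMSTRING is
# a group-writable directory without the set-groupID bit, i.e. files created
# inside it take the creator's primary group rather than the directory's.
group_dir_missing_setgid() {
    [ "$(char_at "$1" 1)" = d ] &&
    [ "$(char_at "$1" 6)" = w ] &&
    [ "$(char_at "$1" 7)" = x ]
}

# Constructed sample listing, modelled on the one in the text above.
sample_listing='drwx------ 2 richard staff 2048 Jan 2 1997 private
drwxrws--- 2 richard staff 2048 Jan 2 1997 admin
drwxrwx--- 2 richard staff 2048 Jan 2 1997 shared
-rw-rw---- 2 richard staff 12040 Aug 20 1996 admin/userinfo
drwxr-xr-x 3 richard user 2048 May 13 09:27 public'

printf '%s\n' "$sample_listing" | while IFS= read -r line; do
    describe_ls_line "$line"
    if group_dir_missing_setgid "$(printf '%s\n' "$line" | cut -c1-10)"; then
        echo "  warning: group-writable directory without set-groupID (chmod g+s)"
    fi
done
```

Feeding the output of a real ls -l into the same loop works as long as file names contain no spaces; the constructed "shared" entry is the one that triggers the warning.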
Default File Permissions (Umask)
Each user has a default set of permissions that apply to all files created
by that user, unless the software explicitly sets something else. This is often
called the umask, after the command used to change it. It is
inherited from the login process or set in the .cshrc or .login file that
configures an individual account, or it can be run manually.
Typically, the default configuration is equivalent to entering
umask 22, which produces permissions of:
-rw-r--r-- for regular files, or
drwxr-xr-x for directories
In other words, the user has full access, everyone else (Group and Other)
has read access to files, and lookup access to directories.
When working with group access files and directories, it is common to use
umask 2, which produces permissions of:
-rw-rw-r-- for regular files, or
drwxrwxr-x for directories
For private work, use umask 77 which produces
permissions:
-rw------- for regular files, or
drwx------ for directories
The logic behind the number given to umask is not intuitive: the digits name
the permission bits to take away from the defaults of 666 for files and 777
for directories, so 22 removes write from Group and Other, 2 removes write
from Other only, and 77 removes everything from Group and Other.
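The following script is an added example, not code from the original page. umask_result applies the rule the system uses (start from 666 for files or 777 for directories and clear every bit set in the umask) to reproduce the three cases above, and observed_modes creates a file and a directory under a given umask in a scratch directory (assumed writable) and reads the result back with ls -ld, so the arithmetic can be checked against what the system actually does.

```shell
#!/bin/sh
# Added example, not code from the original page: what a umask does to new
# files and directories, computed and then observed.

# umask_result UMASK -> "FILEMODE DIRMODE" in octal, e.g. 22 -> "644 755"
umask_result() {
    mask=$((0$1))        # leading 0 makes the shell read 2, 22 or 077 as octal
    printf '%03o %03o\n' $((0666 & ~mask)) $((0777 & ~mask))
}

# octal_to_symbolic 644 -> rw-r--r-- (the nine flag characters, without the
# leading directory flag)
octal_to_symbolic() {
    out=""
    for digit in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        case $digit in 4|5|6|7) out="${out}r" ;; *) out="${out}-" ;; esac
        case $digit in 2|3|6|7) out="${out}w" ;; *) out="${out}-" ;; esac
        case $digit in 1|3|5|7) out="${out}x" ;; *) out="${out}-" ;; esac
    done
    printf '%s\n' "$out"
}

# observed_modes UMASK -> "FILEPERMS DIRPERMS" as ls -ld shows them for a
# file and a directory actually created under that umask (scratch directory
# from mktemp, removed afterwards)
observed_modes() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        touch "$scratch/file"
        mkdir "$scratch/dir"
    )
    f=$(ls -ld "$scratch/file" | cut -c1-10)
    d=$(ls -ld "$scratch/dir" | cut -c1-10)
    rm -rf "$scratch"
    printf '%s %s\n' "$f" "$d"
}

for m in 22 2 77; do
    result=$(umask_result "$m")
    files=${result% *}
    dirs=${result#* }
    printf 'umask %-3s -> files %s (-%s), directories %s (d%s)\n' \
        "$m" "$files" "$(octal_to_symbolic "$files")" "$dirs" "$(octal_to_symbolic "$dirs")"
done
printf 'actually created under umask 22: %s\n' "$(observed_modes 22)"
```

The computed and observed lines agree; if they do not on a given system, something other than the umask (a default ACL on the parent directory, for instance) is shaping new files.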
The command to change the permission flags is chmod. Only
the owner of a file can change its permissions.
The command to change the group of a file is chgrp. Only
the owner of a file can change its group, and can only change it to a group of
which he is a member.
See the online manual pages for details of these commands
on any particular system (e.g., man chmod).
Examples of typical usage are given below:
- chmod g+w myfile: Gives group write permission to
myfile, leaving all other permission flags alone.
- chmod g-rw myfile: Removes group read and write access to
myfile, leaving all other permission flags alone.
- chmod g+rwxs mydir: Gives full group read/write
access to the directory mydir, also setting the
set-groupID flag so that directories created inside it inherit
the group.
- chmod u=rw,go= privatefile: Explicitly gives
the user read/write access, and revokes all group and other access to the
file privatefile.
- chmod -R g+rw .: Gives group read/write access to this
directory, and everything inside it (-R = recursive).
- chgrp -R medi .: Changes the group of this directory, and
everything inside it, to medi (-R = recursive). The person
issuing this command must own all the files or it will fail.
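The script below is an added example, not code from the original page. It applies the chmod forms listed above to freshly created files and directories in a scratch directory (assumed writable, everything created under umask 22 so the starting modes are -rw-r--r-- and drwxr-xr-x) and reads each result back with ls -ld, including the set-groupID inheritance on a subdirectory, which is shown the way Linux behaves. chgrp is left out because it only succeeds for a group the caller belongs to, which the script cannot assume.

```shell
#!/bin/sh
# Added example, not code from the original page: the chmod forms from the
# list above, run against scratch files and read back with ls -ld.

perms_of() { ls -ld "$1" | cut -c1-10; }

# mode_after_chmod KIND ARGS... -> perms of a new file (KIND=file) or directory
# (KIND=dir) named target after running: chmod ARGS... target
mode_after_chmod() {
    kind=$1
    shift
    scratch=$(mktemp -d) || return 1
    (
        umask 22
        cd "$scratch" || exit 1
        if [ "$kind" = dir ]; then mkdir target; else touch target; fi
        chmod "$@" target
        perms_of target
    )
    rm -rf "$scratch"
}

# setgid_inheritance -> "PARENT CHILD": perms of a directory given g+rwxs and
# of a subdirectory created inside it afterwards (the child inherits the s bit)
setgid_inheritance() {
    scratch=$(mktemp -d) || return 1
    (
        umask 22
        cd "$scratch" || exit 1
        mkdir mydir
        chmod g+rwxs mydir
        mkdir mydir/sub
        printf '%s %s\n' "$(perms_of mydir)" "$(perms_of mydir/sub)"
    )
    rm -rf "$scratch"
}

# recursive_chmod -> "DIR FILE": perms of a nested directory and a file inside
# it after chmod -R g+rw on the top directory
recursive_chmod() {
    scratch=$(mktemp -d) || return 1
    (
        umask 22
        cd "$scratch" || exit 1
        mkdir -p tree/inner
        touch tree/inner/data
        chmod -R g+rw tree
        printf '%s %s\n' "$(perms_of tree/inner)" "$(perms_of tree/inner/data)"
    )
    rm -rf "$scratch"
}

printf 'chmod g+w myfile        -> %s\n' "$(mode_after_chmod file g+w)"
printf 'chmod g-rw myfile       -> %s\n' "$(mode_after_chmod file g-rw)"
printf 'chmod u=rw,go= private  -> %s\n' "$(mode_after_chmod file u=rw,go=)"
printf 'chmod g+rwxs mydir, sub -> %s\n' "$(setgid_inheritance)"
printf 'chmod -R g+rw tree      -> %s\n' "$(recursive_chmod)"
```

Note in the g+rwxs line that the subdirectory shows s in the group execute position although it was created with plain mkdir: that is the inheritance the text describes, and it is why the s bit matters for directories shared with a group.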
Warnings
Putting umask 2 into a startup file (.login or .cshrc) will
make these settings apply to everything you do unless manually changed. This
can lead to giving group access to files such as saved e-mail in your home
directory, which is generally not desirable.
Making a file group read/write without checking what its group is can lead
to accidentally giving access to almost everyone on the system. Normally, all
users are members of some default group such as users, as well
as being members of specific project-oriented groups. Don't give group access
to users when you intended some other group.
Remember that to read a file, you need execute access to the directory it is
in and read access to the file itself. To write a file, you
need execute access to the directory and write access to the
file. To create new files or delete files, you need write access to the
directory. You also need execute access to all parent directories back to the
root. Group access will break if a parent directory is made completely
private.
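The rule in the last paragraph (execute on every directory on the path, then read on the file) is easy to get wrong when a group-mate reports "permission denied" on a file whose own flags look fine. The script below is an added example, not code from the original page: path_read_check walks the directories above a file and names the first one that stops a user in the given class (u, g or o), and path_read_demo builds a constructed scratch tree (assumed writable) and shows the check succeeding, then failing once a parent directory loses its execute bit for Other. The demo starts the walk at the scratch directory so its result does not depend on the permissions of the system's temporary area; with the third argument left out the walk goes back to the root as the text says. Path names containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not code from the original page: find which directory on the
# path to a file blocks a user class from reading it.

perms_of() { ls -ld "$1" | cut -c1-10; }

# bit_set PERMSTRING CLASS BIT -> succeeds if BIT (r, w or x) is set for CLASS
# (u, g or o); in the execute slot, s and t count as execute too
bit_set() {
    case $2 in u) base=2 ;; g) base=5 ;; o) base=8 ;; *) return 1 ;; esac
    case $3 in r) off=0 ;; w) off=1 ;; x) off=2 ;; *) return 1 ;; esac
    c=$(printf '%s\n' "$1" | cut -c $((base + off)))
    case $3$c in rr|ww|xx|xs|xt) return 0 ;; esac
    return 1
}

# path_read_check FILE CLASS [START] -> "ok", or "blocked at PATH (missing BIT)"
# Directories from START (default /) down to FILE need x; FILE itself needs r.
path_read_check() {
    start=${3:-/}
    case $1 in /*) abs=$1 ;; *) abs=$(pwd)/$1 ;; esac
    dirs=""
    d=$(dirname "$abs")
    while [ "$d" != "$start" ] && [ "$d" != / ]; do
        dirs="$d $dirs"
        d=$(dirname "$d")
    done
    for d in "$start" $dirs; do
        if ! bit_set "$(perms_of "$d")" "$2" x; then
            printf 'blocked at %s (missing x)\n' "$d"
            return 1
        fi
    done
    if ! bit_set "$(perms_of "$abs")" "$2" r; then
        printf 'blocked at %s (missing r)\n' "$abs"
        return 1
    fi
    echo ok
}

# path_read_demo -> two lines: the check for Other before and after the
# directory "project" loses its execute bit; the scratch prefix is stripped
path_read_demo() {
    scratch=$(mktemp -d) || return 1
    chmod 755 "$scratch"                       # mktemp makes it private (700)
    (
        umask 22                               # project, data 755; report.txt 644
        mkdir -p "$scratch/project/data"
        echo "constructed report" > "$scratch/project/data/report.txt"
    )
    before=$(path_read_check "$scratch/project/data/report.txt" o "$scratch")
    chmod o-x "$scratch/project"               # parent no longer traversable by Other
    after=$(path_read_check "$scratch/project/data/report.txt" o "$scratch")
    rm -rf "$scratch"
    printf '%s\n%s\n' "$before" "$after" | sed "s|$scratch/||"
}

path_read_demo
```

The file's own flags never change in the demo; only the parent directory does, which is exactly the "group access will break" case the text warns about.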
AFS Access Control Lists (ACLs)
Files on the central AFS file servers all have the traditional
UNIX permissions as explained above, but they are also controlled by
Access Control Lists (ACLs) that take precedence. They provide access levels
more flexible than the user/group/other attribute bits, but
they work on the level of complete directories, not files. The command to set
and list ACLs is fs. Fs is a big ugly command
that does lots of things related to AFS filesystems, depending on the arguments
you call it with.
For details, see the man pages for
fs_setacl, fs_listacl,
fs_cleanacl, and fs_copyacl.
For brief help, use the command fs help setacl.
The default is to give the same permissions to a new directory as are on the
parent directory. In practice, this is usually to give complete rights to the
owner of the directory, and lookup rights to any other user (equivalent to
execute attribute on a directory).
To render a directory private, the simplest
command is fs setacl -d DIRNAME -clear -a MYNAME all. Replace
DIRNAME with the appropriate directory name
(or "." for the current directory and
MYNAME with your login name).
Check it with fs listacl DIRNAME.
It should reply with:
Access list for DIRNAME is
Normal rights:
  USERNAME rlidwka
(For a description of the flags rlidwka, use man fs_setacl.)
To explicitly give public read/lookup access, use fs setacl -d
DIRNAME -a system:anyuser read. This can be abbreviated to fs
sa DIRNAME system:anyuser read.
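Because AFS rights apply to whole directories and system:anyuser covers everyone, a quick way to catch directories that were made writable to the world by mistake is to scan fs listacl output. The script below is an added example, not code from the original page or from AFS: audit_acl reads one or more listacl reports in the format shown above and reports any entry for system:anyuser (everyone) or system:authuser (every authenticated user) that grants more than read and lookup. The rights letters are taken as fs_setacl documents them (r read, l lookup, i insert, d delete, w write, k lock, a administer). AFS is not available to the script, so the reports it runs over are constructed samples with a placeholder cell name; in practice the real command is piped in: fs listacl DIRNAME | audit_acl.

```shell
#!/bin/sh
# Added example, not code from the original page: flag AFS directories whose
# ACL lets everyone do more than read and look up.

# audit_acl -> reads one or more listacl reports on stdin, prints a line for
# every finding, and succeeds only when there are none
audit_acl() {
    findings=0
    section=normal
    dir="?"
    while IFS= read -r line; do
        case $line in
            "Access list for "*)
                dir=${line#Access list for }
                dir=${dir% is}
                section=normal
                continue ;;
            *"Normal rights:"*)   section=normal;   continue ;;
            *"Negative rights:"*) section=negative; continue ;;
        esac
        [ "$section" = normal ] || continue   # negative entries take rights away
        set -- $line
        [ $# -ge 2 ] || continue              # blank or malformed line
        case $1 in
            system:anyuser|system:authuser)
                case $2 in
                    *[idwka]*)
                        printf '%s: %s has %s (allows changes, not just reading)\n' "$dir" "$1" "$2"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample reports (example.org is a placeholder cell name).
private_report='Access list for /afs/example.org/user/richard/private is
Normal rights:
  richard rlidwka
  system:administrators rlidwka'

public_report='Access list for /afs/example.org/user/richard/public is
Normal rights:
  richard rlidwka
  system:anyuser rl'

open_report='Access list for /afs/example.org/user/richard/dropbox is
Normal rights:
  richard rlidwka
  system:anyuser rliw'

for report in "$private_report" "$public_report" "$open_report"; do
    printf '%s\n' "$report" | audit_acl || echo "  -> review the ACL on that directory"
done
```

The public directory passes because "read" (rl) is the deliberate setting from the text; the dropbox directory is reported because i and w let anyone add and change files there.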
If fs is not found or the man pages are
not found, your paths are not set up correctly. I recommend you run
/usr/local/bin/mknewdotfiles to fix the problem.