
Protection groups

A protection group is a collection of users or groups who have the same access rights to a directory. You may belong to a group created by another user or you may create your own groups of users for certain directories (see the protection-groups help file for details).

There are two major protection groups in the AFS distributed file system:

  • system:anyuser - anyone using the system.
  • system:authuser - a user with a valid token. (For more information, see the How Authentication Works section below.)

How Authentication Works

Membership in AFS groups is decided on the basis of authentication (except system:anyuser, where anyone using the system has access). When you log in, a cache manager checks your password to verify that you are a valid AFS user. You then receive a set of tokens allowing you access to AFS files and directories (you are accepted into the group system:authuser).

Access Control Lists: Seeing the Protections on a Directory

The fs la command shows you the protections for a directory. At the system prompt, type:

fs la directoryname

This command (or the fs listacl command) shows you an access control list (ACL), a list of users and protection groups who have access rights to a specified directory.

You can see the protections on your home directory by typing the fs la command followed by the tilde (~) as an abbreviation for your home directory pathname:


fs la ~

If you are already in your home directory, you do not need to include the tilde; without a directory pathname, AFS will default to the directory you are currently in. See the section on default protections for examples of access control lists for several different directories.

The fs (file system interface) command does not work by itself. It must be followed by a parameter, like la, to make it perform a specific action. See the fs help file for more command options.

Default Protections

When your Andrew account is created, it comes with several default directories, including your home directory, private, and public. Default protections are set for each of these directories.

The following is a list of the commands you can use to see the default protections on each of your default directories, and what the protections should look like:

Home Directory

% fs la ~
Normal rights:
system:anyuser l
<your user ID> rlidwka

This indicates that any user on the Andrew system can look up (list the names of) the files in your home directory but cannot read their contents. Therefore, be careful about the type of material you keep in your home directory, since the file names themselves are visible. You, as the owner, have all possible rights.

Private

% fs la ~/private
Normal rights:
<your user ID> rlidwka

This indicates that you have exclusive rights to this directory. No other user can see files or subdirectories listed in this directory.

Public

% fs la ~/public
Normal rights:
system:anyuser rl
<your user ID> rlidwka

This gives all Andrew users read and lookup rights to files in your public directory. You have all rights.
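
Checking Listings Against the Defaults (added example)

The following script is an added example, not part of the original help page or of AFS itself. It parses fs la output in the format shown above and reports any system-wide group (system:anyuser or system:authuser) that holds more than lookup. The function names, the sample listings and the user ID "auser" are constructed for illustration; the rights names other than read and lookup, and the "Negative rights:" header, are standard AFS terms that this page does not show.

```python
# Added example: parse `fs la` output and report broad-group access.
RIGHTS = {"r": "read", "l": "lookup", "i": "insert", "d": "delete",
          "w": "write", "k": "lock", "a": "administer"}
BROAD_GROUPS = ("system:anyuser", "system:authuser")

def parse_acl(text):
    """Return {"normal": {name: letters}, "negative": {name: letters}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights:"):
            section = "normal"
        elif line.startswith("Negative rights:"):
            section = "negative"
        elif section and line:
            fields = line.split()
            # An entry is "<user or group> <rights letters>"; skip anything else.
            if len(fields) == 2 and set(fields[1]) <= set(RIGHTS):
                acl[section][fields[0]] = fields[1]
    return acl

def broad_access(acl):
    """List (group, [rights]) where a system-wide group holds more than lookup."""
    found = []
    for group in BROAD_GROUPS:
        letters = acl["normal"].get(group, "")
        beyond = [RIGHTS[c] for c in letters if c != "l"]
        if beyond:
            found.append((group, beyond))
    return found

# Constructed samples modelled on the default listings; "auser" is a made-up user ID.
HOME = "Normal rights:\nsystem:anyuser l\nauser rlidwka\n"
PRIVATE = "Normal rights:\nauser rlidwka\n"
PUBLIC = "Normal rights:\nsystem:anyuser rl\nauser rlidwka\n"
# Constructed listing that has drifted from the defaults.
DRIFTED = "Normal rights:\nsystem:anyuser rl\nsystem:authuser rliw\nauser rlidwka\n"

if __name__ == "__main__":
    for name, text in [("home", HOME), ("private", PRIVATE),
                       ("public", PUBLIC), ("drifted", DRIFTED)]:
        print(name, broad_access(parse_acl(text)) or "lookup only or no broad entry")
```

A read entry for system:anyuser is expected on public; the same result on home or private means the directory no longer matches the defaults listed above.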

Last Updated: 6/27/05