Protection (pts) Groups-Computing Services - Carnegie Mellon University

AFS Directory Access Rights

A protection group is a collection of users or groups who have the same access rights to a directory. You may belong to a group created by another user or you may create your own groups of users for certain directories.

There are two major protection groups in the AFS distributed file system:

  • system:anyuser - anyone using the system.
  • system:authuser - a user with a valid token

For related information, see Protection Groups and Protection Rights.

How Authentication Works

Membership for AFS groups is decided on the basis of authentication (except system:anyuser). When you log in, a cache manager checks your password to verify that you are a valid AFS user. You then receive a set of tokens allowing you access to AFS files and directories (you are accepted into the group system:authuser).

Note: system:anyuser is anyone using any of the cells listed in the /afs directory, e.g., any AFS user anywhere in the world.

Access Control Lists: Viewing Protections on a Directory

The fs la command shows you the protections for a directory. At the system prompt, type:

fs la

This command (or the fs listacl command) shows you an access control list (ACL), a list of users and protection groups who have access rights to a specified directory.

You can see the protections on your home directory by typing the fs la command followed by the tilde (~) as an abbreviation for your home directory pathname:

fs la ~

If you are already in your home directory, you do not need to include the tilde; without a directory pathname, AFS will default to the directory you are currently in. See the section on default protections for examples of access control lists for several different directories.

The fs (file system interface) command does not work by itself. It must be followed by a parameter, like la, to make it perform a specific action. The fshelp command displays a full list of options and fs <command> -help will provide more details about an individual option.

AFS Default Protections

When your Andrew account is created, it comes with several default directories including your home directory, private, public, www. Default protections are set for each of these directories. The following is a list of the commands you can use to see the default protections on each of your default directories and how the protections should appear.

Home Directory

% fs la ~

Normal rights:
system:anyuser l
<your user ID> rlidwka

This indicates that any user on the Andrew system can lookup any file in your home directory but cannot read any files. Therefore, be careful about the type of material you keep in your home directory. You, as the owner, have all possible rights.


% fs la ~/private

Normal rights:
<your user ID> rlidwka

This indicates that you have exclusive rights to this directory. No other user can see files or subdirectories listed in this directory.


% fs la ~/public

Normal rights:
system:anyuser rl
<your user ID> rlidwka

This gives all Andrew users read and lookup rights to files in your public directory. You have all rights.


% fs la ~/www

Normal rights:
system:anyuser rl, service.webman rl
<your user ID> rlidwka

Last Updated: 12/1/11