Protection Rights-Computing Services - Carnegie Mellon University

Protection Rights

File and directory protection provides the ability to determine who can access your files and directories and what operations these users can perform on them. These protection settings are called privileges or "rights" that you can give or take away from users who join a particular group.

To view the Andrew directory protections on a directory, type the following (where directory is the directory you want to view).

fs la

EXAMPLE: fs la .fs la ~ju32fs la /afs/andrew/org/salsa

To change the privileges or rights to directories for a user, type:
fs sa

EXAMPLE: fs sa /afs/andrew/org/salsa ju32

To remove a user or group's access to a directory, type:
fs sa
directoryuserid_OR_ptsgroup none

EXAMPLE: fs sa /afs/andrew/org/salsa ju32:mygroup none
fs sa /afs/andrew/org/salsa jd4 none

To give back rights that have been taken away:
fs sa
directoryname userIDrights

With -negative:
fs sa
directoryname -negative
userID none<

To give or take away rights to a group, substitute "groupname" with "userID"

Who can work with my directories?

You can set rights for individual users or groups of users. The access control list (ACL) for a directory tells you which users or groups have rights for that particular directory.

Types of Rights

There are two different types of rights: positive and negative.

  • Positive rights allow other users or groups special access to a directory.
  • Negative rights prevent access for users who would otherwise have access.

Following is a list of rights you can set for other users or groups. Each of these rights can be positive (allowing the action) or negative (denying the action):

Read (r): read any file in the directory.
Lookup (l): list all files in the directory and obtain status information about the files.
Insert (i): add new files to the directory.
Delete (d): remove files.
Write (w): create or edit files in the directory.
Lock (k): place write locks on any file in the directory. This is used mainly by application programs.
Administer (a): modify the access list and ownership of a directory. The owner of the directory always has Administer rights, even if he or she appears to have no rights to the directory. Therefore, the owner of a directory can always reset the protections.

Commonly Used Aliases of Rights

To keep you from having to remember exactly what codes to use, you can combine a group of user rights into an alias (see the aliases help file):

read (rl): allows users to lookup and read any files in the directory.
write (rlidwk): allows users all the read rights above, as well as the right to add, change, and delete files in the directory.
all (rlidwka): allows users all rights to the directory, including Administer. You should be careful about assigning another user all rights to one of your directories.
none: allows users no rights to the directory (users will not be listed at all on the access control list for the directory). Note that users given no rights may still have access to the directory if they are members of a protection group that has access to the directory; see the section "Removing rights from directories."

Giving Rights to Directories

There may be times when you want to give certain users rights to your subdirectories. To do this, use the fs command with the sa (setting access) parameter. At the system prompt, type:

fs sa

Directoryname is the pathname of the directory to which you are setting rights, userID is the user ID of the person to whom you are giving rights, and rights are the abbreviations or codes for the rights you wish to set.

For example, if you wanted to give someone whose userID is "pat" read and lookup access to a directory of yours called notes (remember that read can be used to indicate both read and lookup "rl" rights), at the system prompt you would type:

fs sa ~/notes pat read  or   fs sa ~/notes pat rl

To verify that the correct rights were added, use the fs la directoryname command explained earlier.

Giving Rights to Users from Other Cells

It is possible to add users from other cells to an access control list, provided they have obtained a cross-realm token for your cell and have had this token registered in the protection database for your cell; see the cklog help file for further information on cross-realm tokens and authentication.

To add a user from another cell, use the fs sa command and supply the cross-realm identity for this person as the userID (to add a protection group you would use the pts command). A cross-realm identity is in the form: <userID>@<cellname> So the fs sa command would appear as:

fs sa
directoryname <userID>@<cellname> rights

For example, to add Harry Bovik from Computer Science (userID of to an access control list of yours in the Andrew cell, you would add his cross-realm identity to your ACL.

Harry's cross-realm identifier would be (note the difference between this and his CS user ID); this is what you would add to your access control list.

fs sa
directoryname rl

The individual you wish to add to your access control list must have obtained the cross-realm token and registered it with the protection database for your cell; you cannot do this for the individual.

Removing Rights from Directories

There are two possible ways to take away rights to a directory. One way is to use none with the fs sa command and the other is to use -negative with the fs sa command.

The main difference between none and -negative is that none merely erases a userID or group name from the access control list, while -negative adds the name to the list with a special kind of permission, negative rights.

If you remove a user from the ACL of one of your directories using none, but he or she is a member of another group that has rights, the user will still have rights to the files in that directory. However, if you use -negative to deny rights, he or she will appear on the ACL as having negative rights. Then, even though the user is still a member of the other group, he or she will be denied access to your directory because of those negative rights.
Using None

To take away all rights to a particular directory (to set none rights) you place `none' at the end of an fs sa command line:

fs sa
directoryname userID none

Where directoryname is the name of the directory you are denying access to and userID is the userID of the person to whom you are denying access.

For example, if you had previously given user pat read rights ("rl" rights) to your notes directory, but decided now that you don't want pat to have any rights, at the system prompt you would type:

fs sa ~/notes pat none

Remember, pat will still have the same access that system:anyuser has, because pat is a member of that group.

Setting negative rights, or using -negative

When you use -negative with the fs sa command, you are setting negative rights or denying a user specific access to a directory. To assign negative rights, at the system prompt type:

fs sa
directoryname -negative
userID rights

Where directoryname is the pathname of the directory you are setting negative rights for, userID is the user ID of the person to whom you are denying rights, and rights are the abbreviations for the rights you are taking away.

To give pat negative read and lookup rights (to take away those rights) to your notes directory, use the word read for "rl"; at the system prompt type:

fs sa ~/notes -negative pat read

If you use the fs la ~/notes command, you will see that a list of negative rights has been added to the rights list for notes:

Normal rights:
system:anyuser rl<userID> rlidwka

Negative rights:
pat rl

Reinstating Rights You Had Removed

There are two ways to give back rights that you have taken away. Which you use depends on how you removed the rights initially.

  • If you used none to take away a user's rights, use the same command described earlier for setting rights:
    fs sa directoryname userID right
  • If you used -negative to take away a user's rights, then you must use -negative combined with none to remove those negative rights:
    fs sa directoryname -negative userID none
In this case, you are telling the system that the user has no negative rights.