File and directory protection provides the ability to determine who can access your files and directories and what operations these users can perform on them. These protection settings are called privileges or "rights" that you can give or take away from users who join a particular group.
To view the Andrew directory protections on a directory, type the following (where directory is the directory you want to view).
EXAMPLE: fs la .
fs la ~ju32
fs la /afs/andrew/org/salsa
To change the privileges or rights to directories for a user, type:
EXAMPLE: fs sa /afs/andrew/org/salsa ju32
To remove a user or group's access to a directory, type:
EXAMPLE: fs sa /afs/andrew/org/salsa ju32:mygroup none
fs sa /afs/andrew/org/salsa jd4 none
To give back rights that have been taken away:
To give or take away rights to a group, use "groupname" in place of "userID".
Who can work with my directories?
You can set rights for individual users or groups of users. The access control list (ACL) for a directory tells you which users or groups have rights for that particular directory.
Types of Rights
There are two different types of rights: positive and negative.
- Positive rights allow other users or groups special access to a directory.
- Negative rights prevent access for users who would otherwise have access.
Following is a list of rights you can set for other users or groups. Each of these rights can be positive (allowing the action) or negative (denying the action):
Read (r): read any file in the directory.
Lookup (l): list all files in the directory and obtain status information about the files.
Insert (i): add new files to the directory.
Delete (d): remove files.
Write (w): create or edit files in the directory.
Lock (k): place write locks on any file in the directory. This is used mainly by application programs.
Administer (a): modify the access list and ownership of a directory. The owner of the directory always has Administer rights, even if he or she appears to have no rights to the directory. Therefore, the owner of a directory can always reset the protections.
Commonly Used Aliases of Rights
To keep you from having to remember exactly what codes to use, you can combine a group of user rights into an alias (see the aliases help file):
read (rl): allows users to lookup and read any files in the directory.
write (rlidwk): allows users all the read rights above, as well as the right to add, change, and delete files in the directory.
all (rlidwka): allows users all rights to the directory, including Administer. You should be careful about assigning another user all rights to one of your directories.
none: allows users no rights to the directory (users will not be listed at all on the access control list for the directory). Note that users given no rights may still have access to the directory if they are members of a protection group that has access to the directory; see the section "Removing rights from directories."
Giving Rights to Directories
There may be times when you want to give certain users rights to your subdirectories. To do this, use the fs command with the sa (setting access) parameter. At the system prompt, type:
Directoryname is the pathname of the directory to which you are setting rights, userID is the user ID of the person to whom you are giving rights, and rights are the abbreviations or codes for the rights you wish to set.
For example, if you wanted to give someone whose userID is "pat" read and lookup access to a directory of yours called notes (remember that read can be used to indicate both read and lookup "rl" rights), at the system prompt you would type:
fs sa ~/notes pat read
or
fs sa ~/notes pat rl
To verify that the correct rights were added, use the fs la directoryname command explained earlier.
Giving Rights to Users from Other Cells
It is possible to add users from other cells to an access control list, provided they have obtained a cross-realm token for your cell and have had this token registered in the protection database for your cell; see the cklog help file for further information on cross-realm tokens and authentication.
To add a user from another cell, use the fs sa command and supply the cross-realm identity for this person as the userID (to add a protection group you would use the pts command). A cross-realm identity is in the form <userID>@<cellname>, so the fs sa command would appear as:
fs sa directoryname <userID>@<cellname> rights
For example, to add Harry Bovik from Computer Science (userID of firstname.lastname@example.org) to an access control list of yours in the Andrew cell, you would add his cross-realm identity to your ACL.
Harry's cross-realm identifier would be email@example.com (note the difference between this and his CS user ID); this is what you would add to your access control list.
fs sa directoryname firstname.lastname@example.org rl
The individual you wish to add to your access control list must have obtained the cross-realm token and registered it with the protection database for your cell; you cannot do this for the individual.
Removing Rights from Directories
There are two possible ways to take away rights to a directory. One way is to use none with the fs sa command and the other is to use -negative with the fs sa command.
The main difference between none and -negative is that none merely erases a userID or group name from the access control list, while -negative adds the name to the list with a special kind of permission, negative rights.
If you remove a user from the ACL of one of your directories using none, but he or she is a member of another group that has rights, the user will still have rights to the files in that directory. However, if you use -negative to deny rights, he or she will appear on the ACL as having negative rights. Then, even though the user is still a member of the other group, he or she will be denied access to your directory because of those negative rights.
To take away all rights to a particular directory (to set none rights) you place `none' at the end of an fs sa command line:
fs sa directoryname userID none
Where directoryname is the name of the directory you are denying access to and userID is the userID of the person to whom you are denying access.
For example, if you had previously given user pat read rights ("rl" rights) to your notes directory, but decided now that you don't want pat to have any rights, at the system prompt you would type:
fs sa ~/notes pat none
Remember, pat will still have the same access that system:anyuser has, because pat is a member of that group.
Setting negative rights, or using -negative
When you use -negative with the fs sa command, you are setting negative rights or denying a user specific access to a directory. To assign negative rights, at the system prompt type:
Where directoryname is the pathname of the directory you are setting negative rights for, userID is the user ID of the person to whom you are denying rights, and rights are the abbreviations for the rights you are taking away.
To give pat negative read and lookup rights (to take away those rights) to your notes directory, use the word read for "rl"; at the system prompt type:
fs sa ~/notes -negative pat read
If you use the fs la ~/notes command, you will see that a list of negative rights has been added to the rights list for notes:
system:anyuser rl
<userID> rlidwka
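The difference between none and -negative described above, as an added example that is not part of the original help file: a Python model of how an access control list resolves to a user's effective rights (normal rights of the user and the user's groups, minus any negative rights). The fs la text is constructed sample output and the function names are hypothetical.

```python
ALIASES = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

# Constructed sample of `fs la` output; pat was given read (rl) rights.
SAMPLE = """Access list for /afs/andrew/org/salsa is
Normal rights:
  system:anyuser rl
  ju32 rlidwka
  pat rl
"""

def parse_fs_la(text):
    """Parse `fs la` output into {'normal': {...}, 'negative': {...}}."""
    acl, section = {"normal": {}, "negative": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif section and line:
            name, rights = line.split()
            acl[section][name] = set(rights)
    return acl

def set_acl(acl, name, rights, negative=False):
    """Model `fs sa dir [-negative] name rights`; none deletes the entry."""
    entries = acl["negative" if negative else "normal"]
    rights = ALIASES.get(rights, rights)
    if rights:
        entries[name] = set(rights)
    else:
        entries.pop(name, None)

def effective_rights(acl, user, groups):
    """Normal rights of the user and their groups, minus negative rights."""
    granted, denied = set(), set()
    for name in (user, *groups):
        granted |= acl["normal"].get(name, set())
        denied |= acl["negative"].get(name, set())
    return "".join(r for r in "rlidwka" if r in granted - denied)

def demo():
    acl, groups = parse_fs_la(SAMPLE), ["system:anyuser"]
    steps = [effective_rights(acl, "pat", groups)]  # rights on the initial ACL
    # In order: fs sa <dir> pat none; fs sa <dir> -negative pat read;
    # fs sa <dir> -negative pat none
    for rights, negative in (("none", False), ("read", True), ("none", True)):
        set_acl(acl, "pat", rights, negative)
        steps.append(effective_rights(acl, "pat", groups))
    return steps

if __name__ == "__main__": print(demo())
```

Running it prints pat's effective rights after each step: none leaves pat with the rl rights inherited from system:anyuser, the negative entry removes them, and -negative with none brings them back.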
Reinstating Rights You Had Removed
There are two ways to give back rights that you have taken away. Which you use depends on how you removed the rights initially.
- If you used none to take away a user's rights, use the same command described earlier for setting rights:
fs sa directoryname userID rights
- If you used -negative to take away a user's rights, then you must use -negative combined with none to remove those negative rights:
fs sa directoryname -negative userID none