Using Access Control Lists (ACLs) With AFS Directories and Folders

Overview

You can control the read/write access of the folders and documents in your Andrew File System (AFS) home directory through the use of Access Control Lists (ACLs). This document explains the pre-set access controls on the folders that are provided for you inside your AFS home directory. For general information about AFS and your home directory, see AFS Overview.

What Are ACLs?

An ACL is a list of uniqnames and/or protection groups with assigned access permissions. (A protection group—or pts group—is similar to an e-mail group, but is used for assigning access rights instead of sending e-mail.) ACLs are set for folders. For example, you might create a folder for a group project in your AFS home directory. You could then set ACLs for that folder to allow only your group members to read what is inside it and write changes to it.

There are seven basic access privileges that can be associated with an ACL and set for a folder. Each is indicated by a one-letter abbreviation.

  1. lookup (l). If you have lookup access to a folder, you can see -- or "list" -- the names of documents and folders inside it, but you cannot open and read them. A user must have lookup access rights in order to be granted other permissions. If, for example, you assigned read rights on a folder to a friend but did not assign lookup rights, your friend would not be able to see the documents in the folder and would therefore not be able to select any to read.

  2. insert (i). If you have insert access to a folder, you can add new documents and folders to it.

  3. delete (d). If you have delete access to a folder, you can delete documents and folders from it.

  4. admin (a). If you have admin access to a folder, you can change the ACLs for that folder. Because a new folder inherits the ACLs of the folder it is created in, you normally have admin rights on all the folders inside your AFS home directory as well. You cannot, however, change the access privileges for your home directory itself.

  5. read (r). If you have read access to a folder, you can open and read any document inside it (assuming, of course, that you have the corresponding application, such as Word or Excel, installed).

  6. write (w). If you have write access to a folder, you can make and save changes to any document inside it. Write access by itself does not let you add or delete documents; those actions require the insert and delete rights.

  7. lock (k). If you have lock access to a folder, you can place locks on the documents inside it, for example while you are updating one, so that no other user can alter the document until you release the lock. This right is rarely used.

There are four combination rights, shorthand names for common sets of the letters above, that can be used when setting an ACL. These are always spelled out fully and cannot be abbreviated.

  • write. All rights except admin (rlidwk).

  • read. Read and lookup rights (rl).

  • all. All seven rights (rlidwka).

  • none. No rights.

Your Pre-Set Folders

Your AFS home directory comes with a few included folders; ACLs have been set for these folders, and you can change these ACLs if you wish. You have all-access rights to your home directory and to the folders inside it. (Note that if your AFS home directory was created in the early 1990s, your ACLs may be slightly different from those listed below.)

  • Public: The ACLs for your Public folder are:

    system:anyuser rl
    <youruniqname> rlidwka

    This means that anyone who can reach AFS, including people who are not logged in (system:anyuser covers unauthenticated access as well as every AFS user in the world), can see that you have a Public folder inside your AFS home directory and can read the documents inside it. No one other than you, however, can make changes to, add, or delete documents.

    Note Your own uniqname will be substituted for <youruniqname>.

    Tip You can publish your own home page on the web by using your Public folder. Create a folder called html inside your Public folder, and put your web page(s) inside. For more detail, see Create Your Own U-M Web Page. Do not change the ACLs on your Public folder if you use it to publish on the Web.

  • Shared: The ACLs for your Shared folder are:

    system:authuser l
    <youruniqname> rlidwka

    This means that any user who has logged in to U-M AFS can see the names of the documents and folders inside your Shared folder, but cannot read them. No one other than you can make changes to, add, or delete documents.

  • Private: The ACLs for your Private folder are:

    system:anyuser l
    <youruniqname> rlidwka

    This means that any AFS user, logged in or not, can see that you have a Private folder inside your AFS home directory. If this folder is opened, they will see the names of the documents and folders inside it, but will not be able to see their contents. No one other than you can make changes to, add, or delete documents.

  • Network Trash Folder: This folder is for Mac system use only. Do not delete it, and do not change its ACLs.

Other Folders

If you use Pine for e-mail or trn for Usenet news, other folders (for example, mail and news) may be created for you when you use those programs. It's best to just leave these folders alone; they are for the use of those programs only.

You can create folders inside your home directory and inside the pre-set folders. When you create a folder, it inherits the ACLs of its parent folder.

Connect to the Login Service to Check and Set ACLs

To check and set ACLs, you must issue Unix commands. You can do this from the Login Service.

  1. Use secure software to connect to the Login Service (login.itd.umich.edu).

    • Windows: Use PuTTY software. For information about obtaining and using PuTTY, see Use PuTTY to Connect to Host Computers [Windows]

    • Mac OS X: Mac OS X comes with an SSH client, which you run from the Terminal application. Open the Applications folder, then the Utilities folder to find Terminal. Open Terminal and enter this command: ssh login.itd.umich.edu

  2. At the login prompt, type your uniqname and press RETURN or ENTER.
  3. At the AFS Password prompt, type your UMICH password and press RETURN or ENTER.

Checking ACLs

First, connect to the Login Service (see directions above).

Checking ACLs for Your Home Directory

  1. At the % prompt, type fs listacl and press RETURN or ENTER. If you don't specify a directory, your AFS home directory will be checked. Here's a sample of how that might look:

    galaga% fs listacl

  2. The ACLs for your home directory will be displayed:

    Access list for . is
    Normal rights:
    system:anyuser l
    <youruniqname> rlidwka

    This means that anyone using AFS has lookup rights to your home directory and that you have read, lookup, insert, delete, write, lock, and admin rights to your own home directory. Because system:anyuser does not have read access, no one other than you can read the files and documents inside your home directory.

    Note "System:anyuser" is a pts group that includes all AFS users. Your own uniqname will be substituted for <youruniqname>.
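As an added example (not part of the original document), the shell script below parses a saved copy of fs listacl output, in the format shown above, and flags the entries a reviewer would want to look at: system:anyuser or system:authuser holding anything beyond lookup, and any entry other than the owner's holding admin. It also expands the four combination names (read, write, all, none) into their letters so that rights can be compared. The listing in SAMPLE_ACL is constructed for the example and the uniqname bjensen is hypothetical; the fs command itself is not needed to run it.

```shell
#!/bin/sh
# Added example: audit a saved "fs listacl" listing for over-broad entries.
# SAMPLE_ACL is a constructed listing modelled on the output in this
# document; it is not taken from a real AFS directory.
SAMPLE_ACL='Access list for Shared is
Normal rights:
  system:authuser l
  system:anyuser rlw
  bjensen rlidwka
Negative rights:
  bjensen w'

# expand_rights NAME -> letters. Implements the four combination names
# from the document; any other argument is assumed to be letters already.
expand_rights() {
  case "$1" in
    read)  echo rl ;;
    write) echo rlidwk ;;
    all)   echo rlidwka ;;
    none)  echo "" ;;
    *)     echo "$1" ;;
  esac
}

# has_right LETTERS LETTER -> exit 0 if LETTERS contains LETTER.
has_right() {
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# audit_acl LISTING OWNER -> one WARN line per risky entry in the
# "Normal rights" section. Negative entries are not positive grants, so
# they are skipped. Risky means: system:anyuser or system:authuser with
# more than lookup, or admin (a) held by anyone other than OWNER.
audit_acl() {
  listing=$1; owner=$2
  printf '%s\n' "$listing" | awk -v owner="$owner" '
    /^Negative rights:/ { section = "neg"; next }
    /^Normal rights:/   { section = "pos"; next }
    /^Access list for/  { next }
    section == "pos" && NF == 2 {
      who = $1; rights = $2
      if ((who == "system:anyuser" || who == "system:authuser") && rights != "l")
        printf "WARN %s has %s (more than lookup)\n", who, rights
      if (index(rights, "a") && who != owner)
        printf "WARN %s has admin (a) and can change this ACL\n", who
    }'
}

# count_findings LISTING OWNER -> number of WARN lines (0 when clean).
count_findings() {
  audit_acl "$1" "$2" | grep -c WARN || true
}

# Stand-alone run against the constructed listing; bjensen is the owner.
audit_acl "$SAMPLE_ACL" bjensen
```

On the Login Service you would feed it real output instead, for example `audit_acl "$(fs listacl Shared)" youruniqname`. The owner argument exists because the owner's own rlidwka entry is expected and should not be reported.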

Checking ACLs for Folders Inside Your Home Directory

To see ACLs for a specific folder inside your home directory, you must specify the folder name when you issue the command to list ACLs.

  1. At the % prompt, type fs listacl <foldername> (where you have substituted the actual folder name for <foldername>) and press RETURN or ENTER. For example, here is a % prompt followed by the command you would enter to see the ACLs on your Shared folder:

    galaga% fs listacl Shared

  2. The ACLs will be displayed:

    Access list for Shared is
    Normal rights:
    system:authuser l
    <youruniqname> rlidwka

    Note Your own uniqname will be substituted for <youruniqname>.

Important Be sure to use exact capitalization when you specify a folder name. If you ask for ACLs for a "shared" folder instead of a "Shared" folder, for example, you may receive a notification saying that the folder doesn't exist.

Checking ACLs on Other AFS Directories

As long as you know the path to an AFS directory or folder, you can find out its ACLs. For example, to see the ACLs for the Software Distribution Directory, type the following at the % prompt on the Login Service:

fs listacl /afs/umich.edu/group/itd/swdist

Tip In many cases, you can abbreviate the pathname by using a tilde (~). For example, you can also check the ACLs on the Software Distribution Directory by typing fs listacl ~swdist at the % prompt. And you can see the ACLs for the home directory of anyone at U-M by typing fs listacl ~<uniqname> (where you have substituted the person's uniqname for <uniqname>) at the % prompt. Omit the angle brackets.

Setting ACLs

First connect to the Login Service (see directions above). Note that you can only set ACLs on folders for which you have admin rights.

Tip New folders inherit ACLs from the folders in which they are created. If you create a folder in the Shared folder inside your AFS home directory, for example, it is automatically set to the same ACLs as your Shared folder. However, if you later change the ACLs of your Shared folder, the ACLs of the folders inside will not automatically change to match.

Tip If you find yourself needing to set ACLs on a folder to more than three or four people, consider using a protection (pts) group. A pts group is a lot like an e-mail group, except that it is a list of uniqnames rather than a list of e-mail addresses. You can use pts groups to give access rights to groups of people. This can be especially helpful if membership of the group changes over time. See Creating and Using Protection (pts) Groups for how to create a pts group. You then use the pts group name instead of individual uniqnames when setting ACLs.

Giving People Access Rights

You issue the fs setacl command at the % prompt to set ACLs. Here's how you indicate which folder, to whom you want to give access, and which rights:

    fs setacl <folder> <uniqname or pts group> <rights>

For example, if you want to give Barbara Jensen (a fictitious person whose uniqname is bjensen) every right except admin (the write combination, rlidwk) on a folder called 'labwork' inside your home directory, you would type the following at the % prompt on the Login Service:

fs setacl labwork bjensen write

After typing the command and pressing RETURN or ENTER, you will be returned to the % prompt. You can check the change by typing fs listacl labwork at the % prompt. If you are setting ACLs for a folder outside your home directory, give the full path instead of just the folder name (for example, /afs/umich.edu/user/b/j/bjensen/ rather than bjensen).

Taking Away Access Rights

To remove access rights, set the ACL entry for that person (or group) to 'none'; this removes the entry from the list. For example, to take away Barbara Jensen's access rights to the labwork folder in your home directory, type the following at the % prompt:

fs setacl labwork bjensen none

Denying Access Rights to Particular People in a Group

You may want to grant access rights to all the members of a pts group except one or two individuals. You do this by first setting ACLs to grant the appropriate rights to the pts group (for example, fs setacl <folder> <pts group name> read), then setting negative ACLs for the one or two individuals. A negative entry is subtracted from whatever the person would otherwise be granted. Note that it only applies when the person is logged in as that uniqname: someone using AFS without logging in is treated as system:anyuser, so a negative entry cannot take away rights you have granted to system:anyuser. This example shows how to set negative ACLs denying Barbara Jensen access to a folder:

fs setacl -negative <folder> bjensen all

If you change your mind and wish to restore access, you can issue the following command to remove the negative rights:

fs setacl -negative <folder> bjensen none

Appendix: Changing ACLs on Many Folders at Once (Advanced)

Note It is possible to set ACLs on all the folders inside a particular folder with just one command. However, we do not recommend this method unless you are very comfortable with Unix.

To change ACLs on all the folders inside a given folder (the folder itself is included, because find lists its starting point as well), issue the following command at the % prompt:

find <folder> -type d -exec fs sa {} <uniqname or pts group> <permissions> \;

Make the following substitutions, and do not type the angle brackets:

<folder> Type the name of the folder (or directory) within which you want to change all the ACLs.
<uniqname or pts group> Type the uniqname or pts group name for which you want to set ACLs.
<permissions> Type the access rights you want to set.
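As an added example (not from the original document), the script below wraps the find one-liner from this appendix so that the fs sa commands can be previewed before they are run. It builds a small constructed folder tree (the names labwork, data, notes and old are hypothetical), counts the directories find would hand to fs sa, and shows that the starting folder itself is included unless -mindepth 1 (a GNU and BSD find option, not POSIX) is given. FS defaults to `echo fs`, so nothing is changed until you set FS=fs on a real AFS path.

```shell
#!/bin/sh
# Added example: preview a recursive "fs sa" before applying it.
# FS defaults to "echo fs", so the commands are printed, not run.
# On the Login Service, run with FS=fs to apply them for real.
FS=${FS:-echo fs}

# build_tree BASE: a constructed sample tree standing in for a folder
# inside an AFS home directory (hypothetical names).
build_tree() {
  mkdir -p "$1/labwork/data" "$1/labwork/notes/old"
}

# count_dirs DIR: how many ACLs the appendix one-liner would change.
# find prints DIR itself first, so the top folder is counted too.
count_dirs() {
  find "$1" -type d | wc -l | tr -d ' '
}

# count_subdirs DIR: the same, but excluding DIR itself.
# -mindepth 1 is a GNU/BSD find option, not part of POSIX find.
count_subdirs() {
  find "$1" -mindepth 1 -type d | wc -l | tr -d ' '
}

# set_acl_tree DIR PRINCIPAL RIGHTS: the appendix command with -exec
# replaced by a loop, so each fs sa call is printed (or run when FS=fs).
set_acl_tree() {
  find "$1" -type d | while IFS= read -r d; do
    $FS sa "$d" "$2" "$3"
  done
}

# Stand-alone demonstration in a scratch directory; bjensen is hypothetical.
scratch=$(mktemp -d)
build_tree "$scratch"
echo "folders the one-liner would touch: $(count_dirs "$scratch/labwork")"
echo "folders excluding the top one:     $(count_subdirs "$scratch/labwork")"
set_acl_tree "$scratch/labwork" bjensen read
rm -rf "$scratch"
```

Run it once with the default to read the list of commands, then again with FS=fs only if every directory printed is one you meant to change; if you want to leave the top folder alone, add -mindepth 1 to the find in set_acl_tree.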
Last Updated: 
Thursday, March 20, 2014