How PERMISSIONS work in AFS

Permissions to access files and directories are set in the form of
access control lists, or acl's.  Unlike NFS, where individual files
may be readable and writable by everyone, a group of people, or only
you, AFS only allows you to set permissions for entire directories at
a time.  However, these permissions may be set for any number of
people or groups, and each one may be completely different.

There are seven types of permissions that can be given to users for a
directory:

      Right    Enables users to:
	r	read the contents of files in the directory
	l	list the names of files in the directory
	i	insert files into the directory
	d	delete files from the directory
	w	write (or modify) files in the directory
	k	lock (or modify the write-mode bit of) files in the directory
	a	administer or change the acl of the directory

The owner of a directory implicitly has administrative (a) access.  Other
than that, none of the rights above implies any other; for example, a user
with "write" permission is not automatically given "insert" permission as well.

Acl's are examined and modified using the "fs" command.  To determine
what permissions a directory has, type the command:

	fs la directory

at your prompt, where "directory" is the name of the directory to be
examined.  (To examine the current directory, the name can be left out.)  In
Joeuser's sample directory, for example, this will return an acl that
might look something like this:

	athena% fs la sample
	Access list for sample is
	Normal rights:
	  system:anyuser rl
	  joeuser rlidwka
	  janeuser rliw

The list pairs each user or group with its permissions on that
directory.  In this example, because Joeuser is the owner of the
directory, he has permission to do anything to the directory.
Janeuser has permission to read, lookup, insert, and
write files.  "system:anyuser" corresponds to anyone, so anybody can
read and lookup files.  (This corresponds to a directory being
"world-readable" under NFS.)

To set permissions, use the "sa" argument with "fs" in the following
format:

	fs sa directory user permissions
or      fs sa directory system:groupname  permissions

"directory" corresponds to the directory for which rights are being
set, "user" or "groupname" is the person or group for whom you are
setting these rights, and "permissions" is the list of rights to be
given.  For example, in order for Joeuser to give Jimuser access to
read, lookup, and delete files in his sample directory, he would type:

	fs sa sample jimuser rld

There are also common aliases for groups of rights, which can be
referred to as follows:

       Alias	       Expands to
	read		rl
	write		rlidwk
	all		rlidwka
	none		nothing (used to remove access)
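
The following Python example is added here and is not part of the
original page or of AFS: it parses "fs la" output like the sample
above, models "fs sa" (aliases included) as replacing a principal's
entry, and flags entries that give anyone more than read/list access or
let a non-owner change the acl.  The function names, the two audit
rules, and the "owner" argument (the listing does not name the owner)
are assumptions made for illustration.

```python
ALIASES = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}
ORDER = "rlidwka"            # order in which "fs la" prints the rights
BEYOND_READ = set("idwka")   # every right other than read and list

def expand(spec):
    """Turn an alias or a string of right letters into a set of rights."""
    letters = ALIASES.get(spec, spec)
    unknown = set(letters) - set(ORDER)
    if unknown:
        raise ValueError("unknown rights: " + "".join(sorted(unknown)))
    return set(letters)

def parse_fs_la(text):
    """Parse "fs la" output; only "Normal rights:" entries count as grants."""
    acl, in_normal = {}, False
    for line in text.splitlines():
        fields = line.split()
        if line.strip().endswith("rights:"):
            in_normal = line.strip() == "Normal rights:"
        elif in_normal and len(fields) == 2:
            acl[fields[0]] = expand(fields[1])
    return acl

def set_acl(acl, principal, spec):
    """Model "fs sa": the principal's entry is replaced; "none" removes it."""
    updated = {p: r for p, r in acl.items() if p != principal}
    if expand(spec):
        updated[principal] = expand(spec)
    return updated

def audit(acl, owner):
    """Return (principal, rights, finding) for entries worth reviewing."""
    findings = []
    for principal, rights in sorted(acl.items()):
        shown = "".join(r for r in ORDER if r in rights)
        if principal == "system:anyuser" and rights & BEYOND_READ:
            findings.append((principal, shown, "anyone has more than read/list access"))
        elif principal != owner and "a" in rights:
            findings.append((principal, shown, "non-owner can change the acl"))
    return findings

# Constructed sample: the "fs la sample" output shown earlier on this page.
SAMPLE = ("Access list for sample is\nNormal rights:\n"
          "  system:anyuser rl\n  joeuser rlidwka\n  janeuser rliw\n")

if __name__ == "__main__":
    acl = set_acl(parse_fs_la(SAMPLE), "system:anyuser", "write")
    for finding in audit(acl, owner="joeuser"):
        print(*finding)
```
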

For more details about fs, you can type "fs help" or "fs help <topic>"
at the athena% prompt.  
