In NFS and UFS, you can set permissions on a file-by-file basis. In
AFS, file permissions are specified for each directory, and apply to
the directory and to all the files that directory contains. They do
not apply to the subdirectories of a directory, since the
subdirectories have their own permissions; however, any newly created
subdirectory will inherit the permissions of its parent directory.
These directory permissions are flexible; they can be applied
individually for each user. You can give Jim, Mary and Bill the
permission to see the list of all files in your home directory,
Valerie the permission to list and read them, and Tom the permission
to list, read and write them. The list of all users that have
permissions, along with their permissions, is called the access control list,
or ACL, of the directory.
There are seven types of access that you can grant:
To change the ACL for a file or directory, you can use the fs command, mentioned in Section 6.2 of this document.
UFS file permissions still exist for files in AFS, but their meaning
is different. The user field of the UFS file permissions
can be used to further restrict the access rights on AFS files and directories.
Withdrawing the user permissions
will deny the right of access to all the users who would normally have
that right, including the owner of the file. For example, if the user
read permission for a file is set (as it normally is), then anyone who
has an AFS read permission on the directory can access the file. However,
if you withdraw the user read permission using the chmod
command, then no one (including you) will be able to read
the file, even if they have AFS read permission on the directory. If
you set all the UFS permissions on a file, then the right of access
to that file will be determined solely from the ACL on the directory.
(Group and other fields of UFS file permissions are
generally not used.)
It is also possible to give users "negative permissions" on a directory, thus specifically denying them the corresponding rights. Negative permissions are stronger than the positive ones. Their use is described in more detail in Section 3.3 of this document.
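The following added example (not part of the original document) models how the directory ACL, negative permissions and the UFS user bits combine into an effective access decision. It parses text in the layout printed by `fs listacl`; the sample ACL, the path and the function names are constructed for illustration, group entries are not expanded, and the write case generalizes the read case described above.

```python
import stat

# Constructed sample in the layout printed by `fs listacl` (names follow the example above).
SAMPLE_LISTACL = """\
Access list for /afs/example.edu/user/me is
Normal rights:
  jim l
  mary l
  bill l
  valerie rl
  tom rlw
Negative rights:
  tom w
"""

def parse_listacl(text):
    """Return (normal, negative): dicts mapping principal -> set of right letters."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Normal rights:":
            current = normal
        elif stripped == "Negative rights:":
            current = negative
        elif current is not None and stripped:
            name, rights = stripped.rsplit(None, 1)
            current.setdefault(name, set()).update(rights)
    return normal, negative

def effective_rights(user, normal, negative):
    """Negative entries are stronger: subtract them from the positive grants."""
    return normal.get(user, set()) - negative.get(user, set())

def can_access(user, op, mode, normal, negative):
    """op is 'read' or 'write'; mode is the file's UFS mode.

    Access needs both the AFS right on the directory and the matching
    UFS *user* bit on the file (group/other bits are ignored).
    """
    acl_right, user_bit = {"read": ("r", stat.S_IRUSR),
                           "write": ("w", stat.S_IWUSR)}[op]
    return acl_right in effective_rights(user, normal, negative) and bool(mode & user_bit)

if __name__ == "__main__":
    normal, negative = parse_listacl(SAMPLE_LISTACL)
    for user in ("jim", "valerie", "tom"):
        print(user, "read:", can_access(user, "read", 0o644, normal, negative),
              "write:", can_access(user, "write", 0o644, normal, negative))
```

Running the check with mode `0o044` instead of `0o644` shows the effect of withdrawing the user read bit with chmod: every read decision becomes false regardless of the ACL.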
Each directory has its own ACL. Whenever you create a new directory,
it "inherits" the ACL of its parent. You always have the administer
rights on the top-level directories in your locker (or any other AFS
volume you own). You cannot take this right away from yourself.