AFS Protection Groups

AFS Concepts

AFS implements the concept of user-administered groups. Any user may create a group; only system administrators may create groups at the "top level" (i.e., without a username: prefix). User-created groups are always owned by the user who created them; system groups may be owned by anyone. The usual practice in CSAIL is for top-level groups to be owned by groups, rather than users; normally, the owner of a group will either be the group itself (meaning that everyone in the group can manage the group membership and permissions) or it will be another group created specifically for the purpose of managing the first. (By convention, the group that manages FOO is called FOO-admin and is itself self-administered.) See the pts command for more information about examining and managing AFS protection groups.

There are a few other special groups that are defined by AFS:

  • system:administrators is the group of system administrators, naturally enough. Even if this group does not appear on the access-control list for a directory, members of this group have plenary authority over all files and directories on the system.
  • system:anyuser is the group of all users, whether or not they are authenticated (i.e., everyone in the universe).
  • system:authuser is the group of all local authenticated users. You might use this group to restrict access to some resource that is not private but must not be made totally public for legal or administrative reasons. (An example might be software for which CSAIL has a site license.)
  • system:authuser@FOREIGN.CELL.NAME is the group of all authenticated users in the cell named FOREIGN.CELL.NAME (folded to lower case). This requires cross-realm Kerberos authentication, which is currently only set up between CSAIL and Athena.

Protection Groups and pts

AFS uses protection groups, which are a bit like Unix groups, only much more powerful and flexible.

Using pts creategroup to create a new group

Use the pts creategroup command to create a new group of users, specifying your username and the name of the group you want to create. The command format is:
pts creategroup your_user_name:groupname
For instance, if I want to create a group of people who will get permissions to see a private folder in my home directory, I would type this command:
lpb@shaggy:~$ pts creategroup lpb:really_cool_people
group lpb:really_cool_people has id -17016
When creating a group, you always put your username before the colon. You can name your group anything you want.

Adding and removing people from groups

Users are added and removed from groups using pts adduser and pts removeuser respectively.
lpb@shaggy:~$ pts adduser -user wollman noahm kcr ftilley -group lpb:really_cool_people
To inspect the group membership, use pts membership:
lpb@shaggy:~$ pts membership lpb:really_cool_people
Members of lpb:really_cool_people (id: -17016) are:
If I don't want people in my group anymore, I can remove them like this:
lpb@shaggy:~$ pts removeuser -user wollman -group lpb:really_cool_people
lpb@shaggy:~$ pts membership lpb:really_cool_people
Members of lpb:really_cool_people (id: -17016) are:

Cached permissions and group membership changes

When the AFS client makes an access-control check, the results of this check are cached on a per-session basis for some time. If the ACL of a file is changed, AFS's built-in cache consistency mechanism will make sure that any cached access-control decisions for that file are discarded. However, if the ACL references a protection group, and the group membership changes, this cache flush does not happen. This means that group membership changes may not take effect immediately, even though they are visible in the pts command and are visible in new login sessions.

  • For Debian Linux, you can clear this old state is to log out and back in again. You can also use the fs flushv command to clear all cached AFS client state for a particular volume.
  • For Windows, destroy your credentials (using leash) and ask for new ones.

Deleting groups

If you're done with a group, use pts delete:
lpb@shaggy:~$ pts delete lpb:really_cool_people
Read the pts manpage for a complete list of what you can do with AFS protection groups.

Using fs setacl to set an ACL on a directory

Once you have a group, you will use it to give people in that group certain permissions on a directory.

lpb@shaggy:~$ fs setacl secret_files lpb:really_cool_people read
lpb@shaggy:~$ fs listacl secret_files
Access list for secret_files is
Normal rights:
  lpb:really_cool_people rl
  lpb:lpb rlidwka
  system:anyuser l
  lpb rlidwka
There is more information about ACL's in the Introduction to AFS

Recommended Course Directory Permissions

Information about how to set up course directories can be found right here.

-- GarrettWollman - 01 Dec 2004 -- LaurenBurka - 31 Jul 2007
Topic revision: 13 Sep 2007, LaurenBurka

MIT Computer Science and Artificial Intelligence Laboratory


  • About CSAIL
  • Research
  • News + Events
  • Resources
  • People

This site is powered by Foswiki MIT: Massachusetts Institute of Technology