AFS Protection Groups
AFS Protection Group Concepts
AFS implements the concept of user-administered groups. Any user may
create a group; only system administrators may create groups at the “top
level” (i.e., without a username: prefix). User-created groups are
always owned by the user who created them; system groups may be owned by
anyone. The usual practice in CSAIL is for top-level groups to be owned
by groups, rather than users; normally, the owner of a group will either
be the group itself (meaning that everyone in the group can manage the
group membership and permissions) or it will be another group created
specifically for the purpose of managing the first. (By convention, the
group that manages
FOO is called
FOO-admin and is itself
self-administered.) See the
pts command for more information about
examining and managing AFS protection groups.
There are a few other special groups that are defined by AFS:
system:administratorsis the group of system administrators, naturally enough. Even if this group does not appear on the access-control list for a directory, members of this group have plenary authority over all files and directories on the system.
system:anyuseris the group of all users, whether or not they are authenticated (i.e., everyone in the universe).
system:authuseris the group of all local authenticated users. You might use this group to restrict access to some resource that is not private but must not be made totally public for legal or administrative reasons. (An example might be software for which CSAIL has a site license.)
system:authuser@FOREIGN.CELL.NAMEis the group of all authenticated users in the cell named
FOREIGN.CELL.NAME(folded to lower case). This requires cross-realm Kerberos authentication, which is currently only set up between CSAIL and Athena.
Protection Groups and
AFS uses protection groups, which are a bit like Unix groups, only much more powerful and flexible.
Using pts creategroup to create a new group
Use the pts creategroup command to create a new group of users, specifying your username and the name of the group you want to create. The command format is:
pts creategroup your_user_name:groupname
For instance, if I want to create a group of people who will get permissions to see a private folder in my home directory, I would type this command:
youruser@login:~$ pts creategroup youruser:your_afs_group group youruser:your_afs_group has id -17016
When creating a group, you always put your username before the colon. You can name your group anything you want.
Adding and removing people from groups
Users are added and removed from groups using pts adduser and pts removeuser respectively.
youruser@login:~$ pts adduser -user user1 user2 user3 user4 -group youruser:your_afs_group
To inspect the group membership, use pts membership:
youruser@login:~$ pts membership youruser:your_afs_group Members of youruser:your_afs_group (id: -17016) are: user1 user4 user2 user3
If I don’t want people in my group anymore, I can remove them like this:
youruser@login:~$ pts removeuser -user user1 -group youruser:your_afs_group youruser@login:~$ pts membership youruser:your_afs_group Members of youruser:your_afs_group (id: -17016) are: user4 user2 user3
Cached permissions and group membership changes
When the AFS client makes an access-control check, the results of this
check are cached on a per-session basis for some time. If the ACL of a
file is changed, AFS’s built-in cache consistency mechanism will make
sure that any cached access-control decisions for that file are
discarded. However, if the ACL references a protection group, and the
group membership changes, this cache flush does not happen. This means
that group membership changes may not take effect immediately, even
though they are visible in the
pts command and are visible in new
- For CSAILUbuntu, you can clear this old state is to log out and back
in again. You can also use the
fs flushvcommand to clear all cached AFS client state for a particular volume.
- For Windows, destroy your credentials (using
leash) and ask for new ones.
If you’re done with a group, use pts delete:
youruser@login:~$ pts delete youruser:your_afs_group
Read the pts manpage for a complete list of what you can do with AFS protection groups.
Using fs setacl to set an ACL on a directory
Once you have a group, you will use it to give people in that group certain permissions on a directory.
youruser@login:~$ fs setacl secret_files youruser:your_afs_group read youruser@login:~$ fs listacl secret_files Access list for secret_files is Normal rights: youruser:your_afs_group rl youruser:youruser rlidwka system:anyuser l youruser rlidwka
Recommended Course Directory Permissions
Information about how to set up course directories can be found [right here].