Note: To learn more about AFS, refer to the Unix User's Guide provided by CCST.

AFS Security

AFS augments the standard Unix file protection mechanism with a more precise mechanism for controlling access to files: the access control list (ACL). An ACL is simply a list of users with certain access rights defined on a directory.
AFS Access Rights

Seven standard access rights are available to ACLs:

| Right | Abbr. | Description |
|---|---|---|
| LOOKUP | l | Allows listing the names of the files and subdirectories in the directory. |
| INSERT | i | Allows adding new files and subdirectories in the directory. |
| DELETE | d | Allows deleting files and subdirectories from the directory. |
| ADMINISTER | a | Allows changing the ACL for the directory. Users always have this right on their home directories, even if they accidentally remove themselves from the ACL. |
| READ | r | Allows looking at the contents of files in the directory. |
| WRITE | w | Allows modifying the contents of files in the directory, and changing their Unix protection mode with the chmod command. |
| LOCK | k | Allows the files under the directory to be locked. |

Each access right has the single-character abbreviation shown above. An ACL with access rights "lidrw" on a directory means that all users in the ACL can look up, add and delete files, and read and write files in the directory.

There are also shorthand forms for common combinations of rights:

| Rights | Short form | Description |
|---|---|---|
| rlidwk | write | all rights except ADMINISTER |
| rl | read | READ and LOOKUP rights |
| rlidwka | all | all seven rights |
| | none | no rights |

AFS Commands

AFS commands are used to list AFS information, protect directories, and create and manage ACL groups. There are two basic commands:

fs - list AFS information, set directory ACLs
pts - manipulate ACL groups

The following subsections describe the syntax and use of some common command options. The options may be abbreviated to the underlined characters.

Getting On-line Help

The fs and pts on-line help can be displayed with the command followed by the parameter help:

% fs help
% pts help

Listing Directory's ACL

Format:
% fs listacl [directory ...]

Note: If no directory is specified, the current directory is assumed.

Example:
% fs la
Access list for . is
Normal rights:
system:administrators rlidwka
system:anyuser rl
terry rlidwka
mary rlw

The example shows that the current directory grants all seven rights to the AFS system:administrators group, read and lookup rights to the system:anyuser group, all seven rights to user terry, and read, lookup and write rights to user mary.

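The listing format above can be checked mechanically. The following is an added example, not part of the original guide: it parses `fs listacl` output and flags entries under an assumed review policy (system:anyuser holds at most LOOKUP; only the owner and system:administrators hold ADMINISTER). The function names, the policy and the sample text are constructed for illustration.

```python
import re
# Right letters and shorthand forms, as listed in the tables above.
RIGHTS = set("lidarwk")
SHORT = {frozenset("rlidwk"): "write", frozenset("rl"): "read",
         frozenset("rlidwka"): "all"}

def parse_listacl(text):
    """Parse `fs listacl` output into {directory: {name: set of right letters}}."""
    acls, entries, in_normal = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"Access list for (.+) is", line)
        if header:
            entries, in_normal = acls.setdefault(header.group(1), {}), False
        elif line.endswith(":"):
            in_normal = line == "Normal rights:"  # ignore any other section
        elif entries is not None and in_normal:
            fields = line.split()
            if len(fields) == 2 and set(fields[1]) <= RIGHTS:
                entries[fields[0]] = set(fields[1])
    return acls

def audit(acls, owner):
    """Return (directory, name, rights, reason) for entries worth reviewing."""
    # Assumed review policy (not from the page): system:anyuser holds at most
    # LOOKUP; only `owner` and system:administrators hold ADMINISTER.
    findings = []
    for directory, entries in acls.items():
        for name, rights in entries.items():
            shown = SHORT.get(frozenset(rights), "".join(sorted(rights)))
            if name == "system:anyuser" and rights - {"l"}:
                findings.append((directory, name, shown, "open to every user"))
            elif "a" in rights and name not in (owner, "system:administrators"):
                findings.append((directory, name, shown, "can change the ACL"))
    return findings

# Constructed sample in the format of the listing example above.
SAMPLE = """\
Access list for . is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  terry rlidwka
  mary rlw
Access list for memo is
Normal rights:
  peter rlidwka
"""
if __name__ == "__main__":
    print(*audit(parse_listacl(SAMPLE), owner="terry"), sep="\n")
```

A flagged system:anyuser entry can be cleared with the `fs setacl directory system:anyuser none` form described on this page.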
Checking User Quota

Each Unix user is given a limit (quota) on the disk space they can occupy in the AFS file system. To display quota information:

% fs listquota [directory ...]

Note: If no directory is specified, the quota for the current directory is displayed.

Example:
% fs lq
Volume Name        Quota   Used  %Used  Partition
staff.cc.terry    100000  16517    17%        21%

The numbers Quota and Used are in kilobytes. Therefore, the example shows that user terry has a storage quota of 100,000 kilobytes, i.e. 100 megabytes, and has used up 16,517 kilobytes, which is around 17% of the quota.

Setting Directory ACL

Format:
% fs setacl directory username rights

Note: username can be any valid AFS user, system group, or user-defined group name.

Examples:
% fs sa . terry rl
% fs sa doc mary write
% fs sa memo system:anyuser none

The first command authorizes user terry to read and look up files in the current directory. The second command gives mary write (rlidwk) access to the doc directory. The last command removes all access rights to the memo directory from system:anyuser.

Create Group

Apart from the system-defined groups, users can create their own ACL groups with creategroup. To remove a user-defined ACL group, use the delete option.

Format:
% pts creategroup [groupname]
% pts delete [groupname]

Examples:
% pts cg terry:faculty          # create a new ACL group
group terry:faculty has id -218
% pts del terry:faculty         # delete the group

Add Users

After an ACL group is created, the group owner can add members to or remove members from the group with the adduser and removeuser options.

Format:
% pts adduser username groupname
% pts removeuser username groupname

Examples:
% pts ad mary terry:faculty     # add mary to the new group
% pts ad peter terry:faculty    # add peter to the group

List users in a group

The membership option lists all members of an ACL group.

Format:
% pts membership groupname

Note: This command cannot list members of system:anyuser.

Example:
% pts m terry:faculty           # list members of the group
Member of terry:faculty (id: -218) are:
mary
peter