
AFS Access Control Lists on Wam

Under AFS, the traditional UNIX group and other permissions mean absolutely nothing.

AFS uses a directory level Access Control List (ACL) and the traditional UNIX owner permissions to control access for all users. The ACL is applied at the directory level so it affects all the subdirectories and files within that directory. AFS does not have ACLs at the file level. If you want other users to have access to something, you have to give them access to an entire directory.

The UNIX owner permissions apply to everyone and are mainly useful for giving execute permission to files you can execute. Turning off all the UNIX owner permissions denies everyone, including the owner, access to the file.

Here's how a permission check works:

AFS first checks the directory ACLs (both the access list and the negative rights list) of every directory you have to go through to get to the directory you want to access. If that check passes, it then checks the UNIX owner access bits on the file. If that passes too, you have permission.

ACLs have seven access flags: four for the directory itself, and three for files.

The directory flags are:

lookup          to look at the directory listing
insert          to add files in that directory
delete          to delete files in that directory
administer      to administer that directory, i.e. total control of the 
                directory's ACL

The file access flags are:

read            to read all files in the directory (to control
                individual files, use the owner permissions at the
                Unix level, i.e. chmod 0 file, but that denies
                everyone; or make a special subdirectory to hold 
                the files others are allowed to read)
write           to write to all files
flock           to give exclusive file locking ability ("flock" is a C 
                programming call that deals with file sharing. This
                generally only works locally, not between hosts.)

So to read a file a user must have read and lookup permission for any directories necessary to get to the file, and read and lookup permission for the directory containing the file. For individual files, the UNIX owner permissions apply to everyone, so the UNIX owner read permission must be set on the file as well.

A new directory inherits the ACL of its parent. If a directory is open for others to read, any new subdirectories created in that directory will be open for others to read unless the user specifically removes the ACL permissions for that new directory.
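The two-stage check and the inheritance rule described above, as an added example that is not part of the original page: a small Python model in which each directory carries a positive and a negative rights list, a new subdirectory copies its parent's ACL, and an access must clear the ACL stage on every directory traversed before the file's UNIX owner bits are consulted. The paths, user names and ACL entries are constructed; the model assumes lookup is required on each directory along the way and the operation's own flag on the directory holding the file (the single-letter flag names are the ones AFS itself uses).

```python
"""Model of the two-stage AFS check above: directory ACLs first, then the
file's UNIX owner bits. Constructed example, not AFS's own code."""
from stat import S_IRUSR, S_IWUSR

# AFS flag letters: l=lookup i=insert d=delete a=administer r=read w=write k=flock
ALL_FLAGS = set("lidarwk")

class Directory:
    """An AFS directory ACL: a positive rights list and a negative rights list."""
    def __init__(self, positive=None, negative=None):
        self.positive = {p: set(f) for p, f in (positive or {}).items()}
        self.negative = {p: set(f) for p, f in (negative or {}).items()}

    def child(self):
        """A newly created subdirectory starts with a copy of its parent's ACL."""
        return Directory(self.positive, self.negative)

def effective_rights(d, user, groups=()):
    """Rights granted to the user, their groups and system:anyuser, minus
    anything on the negative rights list for those same principals."""
    principals = {user, "system:anyuser", *groups}
    granted = set().union(*(d.positive.get(p, set()) for p in principals))
    denied = set().union(*(d.negative.get(p, set()) for p in principals))
    return granted - denied

def check_access(acls, path, op, user, groups=(), file_mode=0o644):
    """True if user may do op ('r' or 'w') on the file at path. Assumes lookup
    on every directory traversed plus op on the directory holding the file."""
    dir_part = path.rpartition("/")[0]
    prefix, rights = "", set()
    for name in dir_part.strip("/").split("/"):
        prefix += "/" + name
        if prefix not in acls:
            return False                         # unknown directory: deny
        rights = effective_rights(acls[prefix], user, groups)
        if "l" not in rights:
            return False                         # cannot traverse this directory
    if op not in rights:
        return False                             # stage 1 (ACL) failed
    bit = S_IRUSR if op == "r" else S_IWUSR      # stage 2: owner bits bind everyone
    return bool(file_mode & bit)

# Constructed tree: /home/alice lets everyone look up; public/ also grants read.
ROOT = Directory({"system:anyuser": "l"})
HOME = Directory({"alice": ALL_FLAGS, "system:anyuser": "l"})
PUBLIC = HOME.child()                            # inherits alice's full rights
PUBLIC.positive["system:anyuser"] = set("rl")    # then opens it to all readers
PUBLIC.negative["mallory"] = set("r")            # negative list overrides anyuser
ACLS = {"/home": ROOT, "/home/alice": HOME, "/home/alice/public": PUBLIC,
        "/home/alice/private": HOME.child()}     # private keeps inherited ACL
```

Note that `chmod 0` on a file (file_mode=0) makes the second stage fail even for alice, whose ACL rights are complete, which is the "denies everyone, including the owner" behaviour described above.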
