Access Control Lists
Mosaic uses a distributed file system called AFS. This file system differs somewhat from most UNIX systems that use NFS or another distributed file system. The most important difference for the user is the directory/file protection mechanism.
ACCESS CONTROL LISTS
Access control lists (ACLs) are a method of specifying who has permission to access files and directories. Where UNIX normally uses the file "mode bits", AFS uses ACLs to control access more precisely.
- AFS uses seven access rights instead of the three that UNIX offers.
- AFS defines three standard groups, and allows users to create additional groups.
AFS looks only at the UNIX "owner" mode bits for file protection. The "group" and "other" mode bits therefore have no effect on the protection of a file.
All accounts on the Mosaic system have default ACL permissions. These defaults allow only the owner of a directory to access the files in that directory.
There are seven access rights on AFS directories. The rights apply to the directory and to all files in it, including sub-directories. The seven rights may be divided into "Directory" rights and "File" rights. Directory rights are:
(l) Lookup - the right to "see" files & sub-directories
(i) Insert - the right to add new files & sub-directories
(d) Delete - the right to remove files & sub-directories
(a) Administer - the right to change ACLs for the directory
File rights are:
(r) Read - the right to read data in files
(w) Write - the right to modify data in files
(k) Lock - the right to issue file locking commands
Access rights are specified in a string of letters. For example the rights to read and lookup are specified as "rl". All rights would look like "rlidwka". There are also special words that combine specific rights:
all - all seven rights (rlidwka)
none - no rights
read - the right to read and lookup (rl)
write - all rights except administer (rlidwk)
There are several consequences of defining access at the directory level:
- Files inherit the access rights associated with their parent directory.
- Sub-directories inherit the access rights of their parent directory when they are created.
AFS also allows you to deny access by setting "negative" rights. Negative rights explicitly deny a user or group permission to perform the specified actions, whereas normal rights grant a user or group permission to perform the specified actions.
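As an added example (not from the Mosaic help page), the POSIX shell functions below expand the combination words and validate a letter string, then work out which rights a user or group is left with when it has both a normal and a negative entry on a directory. AFS evaluates negative rights by removing them from the normal rights, and that is the rule the second function implements. The function names and the sample values in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Mosaic help page. Function names and the
# values used in the comments are constructed for illustration.

# Expand one of the AFS combination words (all, none, read, write) to its
# letter string, or pass through a letter string after checking that it
# contains only the seven rights r l i d w k a. Prints the letters; prints
# nothing and returns 1 for an invalid specification.
afs_expand_rights() {
    case "$1" in
        all)   echo "rlidwka" ;;
        none)  echo "" ;;
        read)  echo "rl" ;;
        write) echo "rlidwk" ;;
        "")    return 1 ;;
        *[!rlidwka]*) return 1 ;;   # any other character is not an AFS right
        *)     echo "$1" ;;
    esac
}

# Compute the rights a user or group actually has when it appears in both
# the normal and the negative list of a directory's ACL: every right in the
# negative entry is removed from the normal entry. Output is in the
# canonical order rlidwka regardless of the order given.
#   afs_effective_rights all write   -> a
#   afs_effective_rights rlidwka d   -> rliwka
afs_effective_rights() {
    normal=$(afs_expand_rights "$1") || return 1
    negative=$(afs_expand_rights "$2") || return 1
    result=""
    for letter in r l i d w k a; do
        case "$normal" in
            *"$letter"*)
                case "$negative" in
                    *"$letter"*) ;;                  # explicitly denied, drop it
                    *) result="$result$letter" ;;
                esac
                ;;
        esac
    done
    echo "$result"
}
```

Run it as `afs_effective_rights all write` to see that a normal entry of all rights combined with a negative entry of write leaves only the administer right, which is exactly the situation the second Note in the Windows section warns about: a Negative Entry removes rights from whatever the Normal Entry granted.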
AFS GROUPS
The system defined groups are:
system:anyuser - everyone who can gain access to Mosaic, including through the Internet
system:authuser - everyone who is "authenticated" on Mosaic
system:administrators - a few Mosaic administrators.
The term "authenticated on Mosaic" means anyone with a valid Mosaic account. The group system:anyuser should be considered the public at large. The group system:authuser should be considered the students, faculty, and staff of UNCC.
SETTING PERMISSIONS
- Setting permissions on a Windows Based System.
- Setting permissions on a Unix/Linux Based System.
SETTING PERMISSIONS ON A WINDOWS BASED SYSTEM
- Start --> My Computer --> Find the AFS Unix Drive(U:)
- Right click on the AFS Unix Drive(U:) --> Select AFS --> Select Access Control Lists
- Through the "Set AFS ACL" window you can add/remove or change user permissions. Take caution when changing permissions of the AFS Unix Drive(U:) or other parent directories: setting the wrong permissions can leave your account inaccessible or allow malicious users to access your account.
- In order to change permissions, select the user from the users available (red) --> select the permissions you wish the user to have (blue) --> click OK
- In order to remove a user, select the user from the users available (red) --> click Remove
- In order to add new users, select Add --> enter the user name --> select the permissions you wish the user to have --> select Normal Entry --> click OK
Note: Do not select the Negative Entry when adding new users, unless you want to make your account inaccessible to that specific user.
Note: To access your home directory under Unix, type 'cd' in the Terminal window, and for Linux, type 'cd ..' in the Terminal window.
SETTING PERMISSIONS ON A UNIX/LINUX BASED SYSTEM
The ACL commands belong to the larger group of AFS commands. Each ACL command has the form:
fs <ACLcommand> <options ...>
The ACL commands are:
- cleanacl - clean up access control list
- help - get help on commands
- listacl - list access control list
- setacl - set access control list
To list the ACL, at the command shell prompt, type:
fs listacl
Example:
In the example above, the group system:administrators has all ACL rights to this directory (this is normal). The group system:anyuser has the right to lookup files in this directory, but cannot read files. The user jfwu has the same ACL rights as system:administrators.
To change the directory's ACL you would use the fs setacl command. The simplified syntax for this command is:
fs setacl <directory> <user or group> <ACL>
To give the user dsglenn the right to read and lookup files in the current directory you would issue the command:
fs setacl . dsglenn read
Example:
The current directory may be abbreviated by a single period (.). The user must be the login name of a Mosaic account. The ACL is a list of all the rights you wish to grant to the user, or one of the combination rights (all, none, read, write). In the example above, user dsglenn is given permission to read and lookup files.
To take user dsglenn's rights away:
fs setacl . dsglenn none
To give the group system:anyuser the right to write files in the sub-directory junkdir you would issue the command:
fs setacl junkdir system:anyuser rlidwk
To take system:anyuser's rights away, issue the command:
fs setacl junkdir system:anyuser none
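The listacl example output is not reproduced on this page, and the junkdir command above is exactly the kind of change that quietly opens a directory to the public at large. As an added example (not from the Mosaic help page), the shell function below reads an fs listacl listing and reports every normal entry that gives system:anyuser or system:authuser the insert, delete, write or administer right. The two listings are constructed to match the entries the text describes, in the layout fs listacl prints (a header line, a "Normal rights:" section and an optional "Negative rights:" section, one principal and its rights per line); that layout and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Mosaic help page. The sample listings below
# are constructed to match the entries the page describes, in the layout
# fs listacl prints (assumed here: a header line, then "Normal rights:" and
# optionally "Negative rights:" sections, one "principal rights" pair per line).

# Audit one fs listacl listing read from standard input. Prints one WARN line
# for every normal entry that gives a public group (system:anyuser or
# system:authuser) any of the insert, delete, write or administer rights.
# Negative entries are not subtracted: a public grant that is only held back
# by a negative entry is still worth a look, so it is reported as well.
afs_audit_acl() {
    dir="?"
    section=""
    while IFS= read -r line; do
        case "$line" in
            "Access list for "*)
                dir=${line#Access list for }    # "junkdir is" -> "junkdir"
                dir=${dir% is}
                continue ;;
            "Normal rights:")   section=normal;   continue ;;
            "Negative rights:") section=negative; continue ;;
        esac
        [ "$section" = normal ] || continue
        set -- $line                    # split "  principal rights" into $1 $2
        [ $# -ge 2 ] || continue
        principal=$1
        rights=$2
        case "$principal" in
            system:anyuser|system:authuser)
                case "$rights" in
                    *[idwa]*) echo "WARN: $principal has '$rights' on $dir" ;;
                esac ;;
        esac
    done
    return 0
}

# Constructed listing for a home directory with the entries the page's
# listacl example describes: the public can only lookup, nothing to report.
SAMPLE_HOME='Access list for . is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  jfwu rlidwka'

# Constructed listing for junkdir after "fs setacl junkdir system:anyuser rlidwk":
# the public now has insert, delete and write rights, which the audit reports.
SAMPLE_JUNKDIR='Access list for junkdir is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
  jfwu rlidwka
Negative rights:
  system:authuser d'

# On a real system pipe the command in instead of a constructed sample:
#   fs listacl junkdir | afs_audit_acl
printf '%s\n' "$SAMPLE_JUNKDIR" | afs_audit_acl
```

Running the script prints a single line for the junkdir listing, "WARN: system:anyuser has 'rlidwk' on junkdir", and nothing for the home directory listing. Because rights are inherited by new sub-directories, running this over every directory under your home (for example with find -type d) is the practical way to confirm that a temporary grant like the one above was really removed with "none".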
ACL GROUPS (UNIX/LINUX ONLY)
In addition to the three standard ACL system groups, each user may create their own groups. There are three typical ways to use groups:
- Private - a group created and administered by one user
- Shared - a group created and administered by one user who has informed the members of the group, so that the members may also use the group in ACLs
- Group - a group created and administered by a group of users
The commands related to ACL groups belong to the pts command. The pts commands are:
- adduser - add a user to a group
- apropos - search by help text
- chown - change ownership of a group
- creategroup - create a new group
- createuser - create a new user
- delete - delete a user or group from database
- examine - examine an entry
- help - get help on commands
- listmax - list max id
- listowned - list groups owned by an entry, or with a zero id get orphaned groups
- membership - list membership of a user or group
- removeuser - remove a user from a group
- rename - rename user or group
- setfields - set fields for an entry
- setmax - set max id
If the teacher of a class, bob, wanted to create a group for the class engr2300, he would issue the command:
pts creategroup bob:engr2300
Note that he used his userid "bob" and then a ":" before the name he assigned to the group.
To add several members to the group at once bob uses:
pts adduser -user jcsmith blbrown tim hjk -group bob:engr2300
If he only wanted to add one user at a time he would issue a command of the form:
pts adduser jcsmith bob:engr2300
bob may then use the group in the fs setacl command:
fs setacl classdir bob:engr2300 rli
This would give read, lookup, and insert rights to everyone in the group on the directory classdir (a sub-directory of the current directory).