Files/Quotas/Permissions on GLUE

Glue uses a file system called the Andrew File System (AFS), which is similar to NFS in some ways. AFS adds security in the form of access control lists (ACLs). This means that although the normal Linux/Unix file permissions are available, they have a different effect than you would expect. AFS also supports quotas. Wikipedia has a short but helpful description of AFS: http://en.wikipedia.org/wiki/Andrew_File_System.

Quotas:

fs examine ~ - examine the home directory of the user issuing the command

fs examine 

Permissions:

AFS uses a directory-level Access Control List (ACL) together with the traditional UNIX owner permissions to control access for all users. Because the ACL is applied at the directory level, it affects every file and subdirectory within that directory. AFS does not have ACLs at the file level: if you want other users to have access to something, you have to give them access to an entire directory. Even so, ACLs can be far more granular than the Unix user/group/other permissions, since you can specify many ACL entries for a single directory, down to individual users.

The UNIX owner permissions apply to everyone and are mainly useful for giving execute permission to files you can execute. Turning off all the UNIX owner permissions denies everyone, including the owner, access to the file.

Here's how a permission check works:

AFS checks the directory ACLs (both the access list and the negative rights list) of every directory you have to pass through to reach the directory you want to access (passing through a directory requires only the "l" permission). If that permission check passes, it then checks the UNIX owner access bits on the file (the group and other access bits are ignored). If that passes, you have permission.

ACLs have seven access flags: four for the directory itself, and three for files.

The directory flags are:

lookup (l) - to look at the directory listing
insert (i) - to add files in that directory
delete (d) - to delete files in that directory
administer (a) - to administer that directory, i.e. total control of the directory's ACL

The file access flags are:

read (r) - to read all files in the directory (use the owner permissions for control over individual files at the Unix level, i.e. chmod 0 file, but that denies everyone; or make a special subdirectory to hold the files others are allowed to read)
write (w) - to write to all files
flock (k) - to give exclusive file locking ability ("flock" is a C programming call that deals with file sharing. This generally only works locally, not between hosts.)

So to read a file, a user must have read and lookup permission for any directories necessary to get to the file, and read and lookup permission for the directory containing the file. For individual files, the UNIX owner permissions apply to everyone, so the UNIX owner read permission must be set on the file as well.

A new directory inherits the ACL of its parent. If a directory is open for others to read, any new subdirectory created in it will also be open for others to read unless the user specifically removes those ACL permissions from the new directory.
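The permission check and the ACL inheritance rule above, worked through as an added Python model (this is an illustration written for this page, not AFS or GLUE code; the user names, directory layout and file modes are constructed):

```python
from copy import deepcopy
from dataclasses import dataclass, field
OWNER_BIT = {"r": 0o400, "w": 0o200}   # UNIX owner bits; group/other bits are ignored by AFS

@dataclass
class Dir:
    """One AFS directory: access list, negative rights list, files and subdirectories."""
    acl: dict = field(default_factory=dict)      # user -> set of rights, e.g. {"johndoe": set("rlidwka")}
    neg: dict = field(default_factory=dict)      # negative rights list: user -> set of denied rights
    files: dict = field(default_factory=dict)    # filename -> UNIX mode bits, e.g. 0o644
    subdirs: dict = field(default_factory=dict)  # name -> Dir

def rights(d, user):
    """Effective rights on d: the access list entry minus anything in the negative rights list."""
    return set(d.acl.get(user, ())) - set(d.neg.get(user, ()))

def mkdir(parent, name):
    """A new subdirectory starts with a copy of its parent's ACL (inheritance at creation time)."""
    parent.subdirs[name] = Dir(acl=deepcopy(parent.acl), neg=deepcopy(parent.neg))
    return parent.subdirs[name]

def check(root, path, user, op):
    """May `user` do `op` ('r' or 'w') on the file at `path` (dir names ..., filename) under root?"""
    *dirs, fname = path
    d = root
    for name in dirs:                                  # step 1: directories passed through need only "l"
        if "l" not in rights(d, user):
            return False
        d = d.subdirs[name]
    if not {"l", op} <= rights(d, user):               # step 2: containing directory needs "l" and r/w
        return False
    return bool(d.files[fname] & OWNER_BIT[op])        # step 3: UNIX owner bit, applied to everyone

def demo():
    """Constructed layout: ~johndoe with a 'shared' subdirectory opened to user 'alice' with rl."""
    home = Dir(acl={"johndoe": set("rlidwka")})
    shared = mkdir(home, "shared")                     # inherits johndoe's rlidwka from the parent
    shared.acl["alice"] = set("rl")                    # fs setacl -dir ~johndoe/shared -acl alice rl
    shared.files["notes.txt"] = 0o644
    shared.files["private.txt"] = 0o000                # chmod 0: denies everyone, owner included
    results = {"alice_no_lookup_on_home": check(home, ["shared", "notes.txt"], "alice", "r")}
    home.acl["alice"] = set("l")                       # fs setacl -dir ~johndoe -acl alice l
    results["alice_reads_notes"] = check(home, ["shared", "notes.txt"], "alice", "r")
    results["alice_writes_notes"] = check(home, ["shared", "notes.txt"], "alice", "w")
    results["owner_reads_chmod0"] = check(home, ["shared", "private.txt"], "johndoe", "r")
    shared.neg["alice"] = set("r")                     # a negative right overrides the granted "r"
    results["alice_after_negative"] = check(home, ["shared", "notes.txt"], "alice", "r")
    return results
```

Note that alice's read of notes.txt fails until she also has "l" on the home directory she must pass through, and that chmod 0 locks out even the owner despite a full rlidwka ACL.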


Check an ACL in AFS:

"fs listacl <directory>" or "fs la <directory>"


Examples:

fs listacl . - list the ACLs for the current directory

fs listacl ~johndoe - list the ACLs for the home directory of John Doe


Set an ACL in AFS:

"fs setacl -dir <directory> -acl <acl you want>" or "fs sa -dir <directory> -acl <acl you want>"


Examples:

fs setacl -dir . -acl johndoe rl - give read and lookup access for the current directory to John Doe

fs setacl -dir ~johndoe -acl johndoe rlidwka - give John Doe all access to his own home directory

fs setacl -dir ~johndoe -acl johndoe rlidwk - give John Doe all access except administrative access to his own home directory


Recursively set an ACL in AFS so that all subdirectories are affected:

"recursive_setacl -dir <directory> -acl <acl you want>"


Examples:

recursive_setacl -dir . -acl johndoe rl - give read and lookup access for the current directory and all directories below the current directory to John Doe

recursive_setacl -dir ~johndoe -acl johndoe rlidwka - give John Doe all access to his own home directory and all directories below it

recursive_setacl -dir ~johndoe -acl johndoe rlidwk - give John Doe all access except administrative access to his own home directory and all directories below it