Glue uses a file system called the Andrew File System (AFS), which is similar to NFS in some ways. AFS has additional security in the form of access control lists. This means that although the normal Linux/Unix file permissions are available, they have a different impact than you would expect. AFS also supports quotas. Wikipedia has a short but helpful description of AFS: http://en.wikipedia.org/wiki/Andrew_File_System.
fs examine ~ - examine the home directory of the user issuing the command
AFS uses a directory-level Access Control List (ACL) and the traditional UNIX owner permissions to control access for all users. The ACL is applied at the directory level, so it affects all the subdirectories and files within that directory. AFS does not have ACLs at the file level. If you want other users to have access to something, you have to give them access to an entire directory. ACLs can be far more granular than the user, group, and other Unix permissions, because you can specify many ACL entries for a single directory, down to individual users.
The UNIX owner permissions apply to everyone and are mainly useful for giving execute permission to files you can execute. Turning off all the UNIX owner permissions denies everyone, including the owner, access to the file.
Here's how a permission check works:
AFS then checks the ACLs (both the access list and the negative rights list) of the directories you have to go through to get to the directory you want to access (requires "l" permission only). If that permission check passes, it then checks the UNIX owner access bits (group and other access bits are ignored) on the file. If that passes, you have permission.
ACLs have seven access flags: four for the directory itself, and three for files.
The directory flags are:
The file access flags are:
So to read a file, a user must have read and lookup permission for any directories necessary to get to the file, and read and lookup permission for the directory containing the file. For individual files, the UNIX owner permissions apply to everyone, so the UNIX owner read permission must be set for the file as well.
A new directory inherits the ACL of its parent. If a directory is open for others to read, any new subdirectories created in that directory will be open for others to read unless the user specifically removes the ACL permissions for that new directory.
Check an ACL in AFS:
"fs listacl <directory>" or "fs la <directory>"
fs listacl . - list the ACLs for the current directory
fs listacl ~johndoe - list the ACLs for the home directory of John Doe
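The permission check described above, applied to "fs listacl" output, as an added example that is not part of the original page. The sample output, the cell path, the "staff" group and the users are constructed, and passing a user's group memberships as a set of names is an assumption of this sketch; directories passed through need only "l", as the check description says.

```python
import stat

# Constructed sample of `fs listacl` output (not captured from a real cell).
SAMPLE = """\
Access list for /afs/example.edu/users/j/johndoe/proj is
Normal rights:
  system:administrators rlidwka
  staff rl
  johndoe rlidwka
Negative rights:
  janedoe rl
"""

def parse_listacl(text):
    """Return (normal, negative) dicts mapping principal -> set of flags."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights"):
            current = normal
        elif line.startswith("Negative rights"):
            current = negative
        elif current is not None and line:
            name, _, flags = line.rpartition(" ")
            current[name.strip()] = set(flags)
    return normal, negative

def effective_rights(acl, principals):
    """Flags granted to any of the principals, minus their negative rights."""
    normal, negative = acl
    granted = set().union(*(normal.get(p, set()) for p in principals))
    denied = set().union(*(negative.get(p, set()) for p in principals))
    return granted - denied

def can_read(path_acls, dir_acl, file_mode, principals):
    """path_acls: ACLs of directories passed through; dir_acl: directory holding the file."""
    # Every directory on the way needs lookup ("l") only.
    if any("l" not in effective_rights(a, principals) for a in path_acls):
        return False
    # The directory containing the file needs read and lookup.
    if not {"r", "l"} <= effective_rights(dir_acl, principals):
        return False
    # Only the UNIX owner bits are consulted; group/other bits are ignored.
    return bool(file_mode & stat.S_IRUSR)
```

A user listed under negative rights loses those flags even when a group grants them, and clearing the owner read bit blocks everyone, including the owner.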
Set an ACL in AFS:
"fs setacl -dir <directory> -acl <acl you want>" or "fs sa -dir <directory> -acl <acl you want>"
fs setacl -dir . -acl johndoe rl - give read and lookup access for the current directory to John Doe
fs setacl -dir ~johndoe -acl johndoe rlidwka - give all access to John Doe to the home directory for John Doe
fs setacl -dir ~johndoe -acl johndoe rlidwk - give all access except administrative access to John Doe to John Doe's home directory
Recursively set an ACL in AFS so all subdirectories are affected:
"recursive_setacl -dir <directory> -acl <acl you want>"
recursive_setacl -dir . -acl johndoe rl - give read and lookup access for the current directory and all directories below the current directory to John Doe
recursive_setacl -dir ~johndoe -acl johndoe rlidwka - give all access to John Doe to the home directory for John Doe and all directories below John Doe's home directory
recursive_setacl -dir ~johndoe -acl johndoe rlidwk - give all access except administrative access to John Doe to John Doe's home directory and all directories below John Doe's home directory