AFS Groups
With the pts (protection server) command, you can create your own AFS groups and add them to AFS access control lists. AFS groups make it much easier to manage ACLs for large directory trees, and allow the addition of large numbers of users to an ACL with a single command. A typical use of AFS groups would be to create a new AFS directory that will be the root of a larger tree, and add the appropriate group to its ACL. Since a new AFS directory inherits its parent's ACL, sub-directories created in that tree will also have that group on their ACL. Adding or revoking a user's group membership will thus change access for that user throughout the entire directory tree.
In addition to user-created groups, the following system and special groups exist and have the listed membership:
system:anyuser
Anyone, anywhere.
system:authuser
Anyone authenticated to the ir.stanford.edu AFS cell (people with valid AFS accounts).
system:administrators
Authorized AFS administrators (Facilities staff).
The above special groups may be added to ACLs in the same way as user-created AFS groups. There are a few more system:groups, but none that should concern you. There also are some special groups with a dot in their name, such as: username.cgi or username.cron
Note: typing pts help will list the various pts commands. Most pts commands can be used with or without named arguments. For example,
pts creategroup usrid:groupname
and
pts creategroup -name usrid:groupname
will do the same thing. Throughout the remaining examples, "usrid" is used as the username of the owner. At Stanford, the "usrid" is typically the user's "sunetid".
AFS group names have the form username:<identifier>, and are created with the pts creategroup command. The username specified will be the owner of the group, and must be a valid AFS user name (you will usually want to use your own AFS username). For example, the command:
pts creategroup usrid:groupname
would create a group called usrid:groupname.
To add a user to a group (you own), use the pts adduser command:
pts adduser jsmith usrid:groupname
To remove a user from a group (you own), use the pts removeuser command:
pts removeuser jsmith usrid:groupname
To see a list of the groups (you own), use the pts listowned command:
pts listowned -name usrid
To see a list of the members of a group, use the pts membership command:
pts membership usrid:groupname
You can use the pts examine command to find out information about a group (you can also use this command on an AFS username). For example, the command:
pts examine usrid:groupname
would produce something similar to the following output:
Name: usrid:groupname, id: -3745, owner: usrid, creator: usrid,
membership: 2, flags: S-M--, group quota: 0.
The above fields have the following meanings:
Name
The name of the group.
id
A unique identification number for the group.
owner
The owner of the group.
creator
The person who originally created the group.
membership
How many members belong to the group.
flags
Group privacy flags that determine who can list group properties or make certain changes to the group. See below for details.
group quota
How many more groups a user is allowed to create.
The five group privacy flags appear in the following order:
Each one of the flags, SOMAR, has three possible values:
The default values of S-M-- gives anyone the ability to examine a group and see who belongs to a group, and only gives the owner of the group the other rights. You can use the pts setfields command to change these default values for your groups. Type pts help setfields for details about the syntax of this command.
These off-site links will open in a new browser window.
OpenAFS documentation on groups
You can view the access restrictions for any directory with the following listacl command:
fs la -p dirname
which would list all group:access permissions for the given dirname. You can use a period for dirname meaning "the current directory". You can also use a fully-qualified path-name.
You can apply your groups to your directories to allow specific access by members of that group to your directories with setacl. For example:
fs sa -d dir1 -a usrid:groupname rlwk
or
fs sa -d dir1 -a usrid rlidwka
The first example gives all the members of that group read/locate/write/lock access to your "dir1" directory.
The second example shows how you can change your own access permissions to your "dir1" directory.
If you have another group with different members, you can do something like:
fs sa -d dir1 -a usrid:friends rl
to give them just read/locate access. The general syntax is:
fs sa -d <directory>+ -a <access list entries>+
The first portion of an access list entry is the user or group name.
The second portion of each access list entry specifies the access codes, which have these meanings:
a (administer)
Change the entries on the ACL.
d (delete)
Remove files and subdirectories from the directory or move them
to other directories.
i (insert)
Add files or subdirectories to the directory by copying, moving
or creating.
k (lock)
Allow "flock" read or write locks on the files in the directory.
Such locks are only effective if done from a single host machine.
l (lookup)
List the files and subdirectories in the directory, stat the
directory itself, and issue the "fs la -p" command to examine
the directory's ACL.
r (read)
Read the contents of files in the directory; issue the "ls -l"
command to stat the elements in the directory.
w (write)
Modify the contents of files in the directory, and issue the
UNIX chmod command to change their mode bits.
You can remove an access list entry by using the word "none" as the access code following the user or group name.
For example: fs sa -d dir1 -a system:anyuser none
You may need "fs sa -d . -a system:anyuser l" to allow others to access subdirectories.
You can determine the disk-location of any directory-path with this command:
fs whereis [dirpath]
which would list where the given dirpath is physically stored.
You can determine how much space you have for any directory-path with this command:
fs listquota [dirpath]
In both commands above, the [dirpath] portion is optional. If you don't give it, your current directory is the path.
What follows is a summary of the pts commands:
pts adduser
pts adduser -user <user name>+ -group <group name>+
pts ad -u <user name>+ -g <group name>+
pts creategroup
pts creategroup -name <group name>+
pts cg -na <group name>+ [-o <owner of the group>]
pts delete
pts delete -nameorid <user or group name>+
pts d -na <user or group name>+
pts examine
pts examine -nameorid <user or group name>+
pts e -na <user or group name>+
pts listowned
pts listowned -nameorid <user or group name>+
pts listo -na <user or group name>+
pts membership
pts membership -nameorid <user or group name>+
pts m -na <user or group name>+
pts groups -na <user or group name>+
pts g -na <user or group name>+
pts removeuser
pts removeuser -user <user name>+ -group <group name>+
pts rem -u <user name>+ -g <group name>+
pts setfields
pts setfields -nameorid <user or group name>+
[-access <set privacy flags>]
[-groupquota <set limit on group creation>]
pts setf -na <user or group name>+
[-a <set privacy flags>]
[-groupquota <set limit on group creation>]
Example: pts setf -na guertin:spires -a SOM--
"<list>+" represents a single entity or multiple-entity space-delimited list.
======================================================================================