Text-only Table of Contents (frame/ no frame)
(9) Access control Previous Top Next

Access control (permissions)

Access control is handled at the directory level. All files in a particular directory share the same permissions. Each directory has a set (up to 20) of user permission pairs, which together are referred to as the Access Control List or ACL.
The User in this sense is actually a The Permission in this sense is a combination of the following: The common combinations are "l" for lookup-only, "rl" for read permission and "rlidwk" for read and write permission.

Three special groups exist and are commonly found in ACLs.

Access control is more flexible than traditional Unix permissions, which only allow for a single group; traditional Unix imposes access control at the file level though. In practice the directory level controls are not a big problem. Symlinks to subdirectories can be used if specific files need to have different permissions. The Owner's mode bits are also used to control access to a specific file. Group and Other bits are not used.

Newly created directories inherit the ACL of the parent. The user's umask (file mode creation mask) is still used for file creation, but only the 'user' bits are relevant.

Default user accounts in the Northstar cell have two directories named public and private. public allows any user to read, while private is inaccessible to all but the owner. Note that the home directories has public lookup access, to permit the public directory to be reached. Root-owned processes on a traditional Unix filesystem can read any file regardless of permissions. This is not true with AFS homes.

A consequence of the directory-based ACLs is that hard links are only permitted for files in the same directory. Hard links across directories would give rise to ambiguities in access control.

Previous Top Next


access-control.src  last modified Mar 30, 2009 Introduction Table of Contents
(frame/no frame)
Printable
(single file)
© Dartmouth College