Access control (permissions)
Access control is handled at the directory level. All files in a
particular directory share the same permissions. Each directory carries a list
of up to 20 user/permission pairs, together referred to as the Access
Control List or ACL.
The user in an ACL entry is either
- a single username, or
- an AFS group name. A group may contain users or computer IP addresses; rights
  granted through an IP address apply to every process on that host, with or
  without a token, and rest on the source address alone.
The permission in an ACL entry is a combination of the following:
- r Read access to the files in this directory
- w Write access to the files in this directory
- i Insert access - can create files in this directory
- d Delete access - can delete files in this directory
- l Lookup access - can list the filenames in this directory and traverse it;
  the other rights are of little use without it, since a file cannot be found
  by name without lookup
- k locK access - can place advisory locks on files in this directory
- a Administer - can change the ACL on this directory
The common combinations are "l" for lookup-only, "rl" for read permission and
"rlidwk" for read and write permission; "rlidwka" additionally lets the holder
change the ACL. fs setacl also accepts the shorthands read, write, all and none
for rl, rlidwk, rlidwka and no rights respectively.
Three special groups exist and are commonly found in ACLs.
- system:anyuser All users, including ones with no token. Because no
  authentication is needed, a directory that can be reached through the AFS
  namespace and grants rights to system:anyuser is effectively accessible worldwide.
- system:authuser Any user with a token for the cell.
- system:administrators A short list of system administrators who have effective
  "root" access to the AFS cell; members implicitly hold the a right on every
  directory, and so can grant themselves any other right.
AFS access control is more flexible than traditional Unix permissions, which
allow only a single group per file, but Unix applies its controls per file
while AFS applies them per directory. In practice the directory granularity is
rarely a problem: a file that needs different permissions from its neighbours
can be moved into a subdirectory with its own ACL and a symlink left in its
place. A file's owner mode bits still matter, as a further restriction applied
to everyone who passes the ACL check: a file whose owner read or write bit is
off cannot be read or written by anyone, whatever the ACL grants. The group and
other mode bits are ignored.
Newly created directories inherit the ACL of the parent. The user's umask
(file mode creation mask) still applies when files are created, but since only
the owner bits are consulted, only the 'user' bits of the mask are relevant.
Default user accounts in the Northstar cell have two directories named public
and private. public allows any user to read, while private is inaccessible
to all but the owner.
Note that the home directory itself grants system:anyuser lookup access (l) so
that the public directory can be reached; as a consequence anyone can list the
names of the files in the home directory, though not read them.
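The two checks a practitioner most often wants here are an audit of existing ACLs for the special groups described above (system:anyuser holding more than read, system:authuser or an ordinary group holding a) and the interaction between ACL rights and a file's owner mode bits. The following is an added example, not code from the original page or from the AFS distribution. It parses the text that `fs listacl` prints (the sample output below is constructed to match that format and mirrors the home/public/private layout described above, with an extra badly configured scratch directory); the policy thresholds in `audit_acls` and the path /afs/northstar/... are this example's own assumptions.

```python
import re

# The seven AFS rights in the order `fs` prints them.
AFS_RIGHTS = "rlidwka"

# Constructed sample of `fs listacl` output: the documented home layout
# (home with lookup for everyone, public readable, private closed) plus a
# scratch directory with too-generous entries.  Not output from a real cell.
SAMPLE_LISTACL = """\
Access list for /afs/northstar/user/alice is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  system:anyuser l
Access list for /afs/northstar/user/alice/public is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  system:anyuser rl
Access list for /afs/northstar/user/alice/private is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
Access list for /afs/northstar/user/alice/scratch is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  alice:friends rlidwka
  system:anyuser rlidwk
  system:authuser rlidwka
"""

DIR_RE = re.compile(r"^Access list for (.+) is\s*$")
ENTRY_RE = re.compile(r"^\s+(\S+)\s+([" + AFS_RIGHTS + r"]+)\s*$")


def parse_listacl(text):
    """Parse `fs listacl` output into {directory: {name: rights}}.
    Only the "Normal rights:" section of each directory is collected; any
    other section header stops collection until the next directory."""
    acls, current, collecting = {}, None, False
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current, collecting = m.group(1), False
            acls[current] = {}
            continue
        if line.strip().endswith("rights:"):
            collecting = line.strip() == "Normal rights:"
            continue
        m = ENTRY_RE.match(line)
        if m and collecting and current is not None:
            acls[current][m.group(1)] = m.group(2)
    return acls


def excess_rights(rights, allowed):
    """Letters in `rights` that are not in `allowed`."""
    return "".join(c for c in rights if c not in allowed)


def audit_acls(acls, max_anyuser="rl", max_authuser="rlidwk"):
    """Flag entries that exceed this example's policy (an assumption, not an
    AFS rule): system:anyuser at most read-only, since anyone on the Internet
    gets those rights; system:authuser never 'a'; no group other than
    system:administrators holds 'a', as every present and future member could
    then rewrite the ACL.  Returns (directory, name, rights, reason) tuples."""
    findings = []
    for directory, entries in acls.items():
        for name, rights in entries.items():
            if name == "system:anyuser":
                extra = excess_rights(rights, max_anyuser)
                if extra:
                    findings.append((directory, name, rights,
                                     f"unauthenticated users hold {extra}"))
            elif name == "system:authuser":
                extra = excess_rights(rights, max_authuser)
                if extra:
                    findings.append((directory, name, rights,
                                     f"all cell users hold {extra}"))
            elif ":" in name and name != "system:administrators" and "a" in rights:
                findings.append((directory, name, rights,
                                 "group can administer the ACL"))
    return findings


def effective_access(acl_rights, owner_mode):
    """Combine directory ACL rights with a file's numeric mode (e.g. 0o644).
    AFS consults only the owner bits: readable needs ACL r AND owner read
    bit, writable needs ACL w AND owner write bit; group/other are ignored."""
    return {
        "read": "r" in acl_rights and bool(owner_mode & 0o400),
        "write": "w" in acl_rights and bool(owner_mode & 0o200),
    }


if __name__ == "__main__":
    for directory, name, rights, reason in audit_acls(parse_listacl(SAMPLE_LISTACL)):
        print(f"{directory}: {name} {rights}  ({reason})")
    # Holding rlidwk does not make a mode 0444 file writable.
    print(effective_access("rlidwk", 0o444))
```

Against a live cell the same functions would be fed the output of `fs listacl` on each directory of interest, for example by piping it into `parse_listacl` via sys.stdin. Only the scratch directory in the sample produces findings; the home directory's system:anyuser l entry is within policy because lookup reveals only names.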
Root-owned processes on a traditional Unix filesystem can read any
file regardless of permissions. This is not true with AFS homes: the file
server checks the token presented by the client, not the local uid, so root on
a workstation without a token is treated like any other member of system:anyuser.
A consequence of the directory-based ACLs is that hard links are only permitted
between files in the same directory. A hard link across directories would leave
it ambiguous which directory's ACL governs the file.