Protecting Files and Directories on Andrew

This document, which provides an overview of file and directory protection on Andrew, includes the following sections:

  How Protections Work
  What Are the Protections?
  Protection Groups
  How to Find Out Directory Protections
  Default Protections
  Setting to Give Rights
  Setting to Take Away Rights
  Giving Back Rights You Have Taken Away
  File Protection Using chmod
  Quick Reference

The default protections on Andrew may be different from those on other systems you have used. By default, all Andrew users have access to your home directory, and can display, copy, or print files stored there. If you have private files, store them in your private directory. In general, do not store highly confidential material online, as no system is completely secure.

How File and Directory Protections Work

File and directory protections are privileges you can give to or take away from other users. Protections are often called "rights". When you tell Andrew which users you would like to be able to perform certain actions on your directories, you are setting rights.

Do My Directories Automatically Come with Protections?

When your account was created, several default (automatically present) directories were placed in it. Each of these directories also comes with default protections. You can add to these default protections, but you should not take away any of them, or you may prevent some basic system functions (like Mail or printing) from working for you.

Any subdirectories you create automatically take on the same protections as their parent directories. So if you change the protections on a directory and then add a subdirectory, the subdirectory will inherit the changed protections of its parent.

Who Can Work With My Directories?

You can set rights for individual users or groups of users. The access control list (ACL) for a directory tells you which users or groups have rights for that particular directory.
See the "How to Find Out Directory Protections" section of this document for more information.

Are There Different Kinds of Rights?

There are two different kinds of rights, positive and negative. Positive rights allow other users or groups special access to a directory. There are a number of different positive rights, each of which allows a user to perform different actions on a directory. See the "What Are the Protections?" section of this document for more information. Negative rights deny other users or groups access to a directory. With negative rights you can prevent users from performing the actions that positive rights would allow.

What Are the Protections?

The following is a list of the different rights that you can set for other users or groups. Each of these rights can either be positive (allowing the action) or negative (denying the action):

  Read (r): read any file in the directory
  Lookup (l): obtain status information about the files in the directory
  Insert (i): add new files or subdirectories to the directory
  Delete (d): remove files or subdirectories
  Write (w): write, or edit, any existing file in the directory
  Lock (k): place read locks on any file in the directory. This is used mainly by application programs.
  Administer (a): modify the access list and ownership of a directory. The owner of the directory always has Administer rights, even if he or she is locked out of the directory. Therefore, the owner of a directory can always reset the protections.

There are also commonly used groups of rights which you can assign, to save yourself some time in typing out lists of individual protections:

  read (rl): allows users to lookup and read any files in the directory.
  write (rlidwk): allows users all the 'read' rights above, as well as the right to change and delete files in the directory.
  all (rlidwka): allows users all rights to the directory, including Administer.
  You should be very careful about assigning another user "all" rights to one of your directories.
  none (): allows users no rights to the directory.

Protection Groups

A group is a collection of users, either individuals or other groups. There are two major groups in the Andrew system:

  system:anyuser
  system:authuser

where system:anyuser is just that--anyone using the system, and system:authuser is a user with a valid token (see "How Authentication Works" for more information). Membership for these groups is decided on the basis of authentication. You may also belong to a group created by another user, or create a group of users yourself to assign protections with. See the afs-groups help document for details.

How Authentication Works

When a person logs in and supplies a password, the password gets passed to the Kerberos servers for verification; if it is verified, the user receives a set of tokens and is considered "authenticated". If a user stays logged in for more than 25 hours, the Andrew system no longer recognizes that person, and the user has become "unauthenticated". That means that the user is logged in, but is not recognized as belonging to his or her user ID; that person is an anonymous user. To become re-authenticated, the user must use the 'klog' command at the system prompt.

How to Find Out the Protections on a Directory

The fs (for 'Andrew File System interface') program allows you to see the protections for a directory. To find out how a specific directory is protected, at the system prompt type

  fs la directoryname

where directoryname is the pathname of the directory whose rights you want to see. You will see a listing of the rights for that directory.

Example. You can see the protections on your home directory by using the "fs la" command followed by the tilde (~) as an abbreviation for your home directory pathname:
  fs la ~

Default Protections

When your account is created, it comes with several default directories including your home directory, private, Mailbox, .Outgoing, and PrintDir. Each of these directories comes with its own default protections. The Mailbox, .Outgoing, and PrintDir directories are special purpose directories used by the Andrew File System when you read or send mail or print a document. Do not remove or change the permissions on these directories; deleting or removing the service IDs (e.g., postman, spooler, or the appropriate system:anyuser) can result in a disruption in your printing or mail services.

The following is a list of the commands you can use to see the default protections on each of your default directories, and what the protections should look like:

Home Directory:

  % fs la ~
  Normal rights:
    system:anyuser rl
    rlidwka

This says that any user on the Andrew system can read or lookup any file in your home directory. Therefore, you should be very careful about the type of material that you keep in your home directory. You, as owner, have all possible rights.

private:

  % fs la ~/private
  Normal rights:
    rlidwka

This indicates that only you have rights to this directory. No other user, authenticated or unauthenticated, can see files or subdirectories listed in this directory. You have all possible rights.

Mailbox:

  % fs la ~/Mailbox
  Normal rights:
    system:anyuser lik
    rlidwka

This shows that any user can lookup, insert, and lock your mailbox. Andrew-authenticated users, including postman, are able to insert files in your mailbox. Please note that other users do not have read permission on this directory, which prevents them from reading any files in your mailbox. You have all rights except write, which means that you cannot edit or change the contents of a piece of mail which was sent to you.
.Outgoing:

  % fs la ~/.Outgoing
  Normal rights:
    postman rlidk
    rlidka

This shows that you have all rights to this directory and that postman is able to read, lookup, insert, delete and lock the directory, allowing postman to pick up your outgoing mail. No other user is able to access this directory, preventing them from reading your delayed mail.

PrintDir:

  % fs la ~/PrintDir
  Normal rights:
    spooler rld
    rlidwka

The rights for PrintDir allow the print spooler to lookup which file you asked to be printed, read that file, print or "spool" it, and delete it when the job is done. You have all possible rights.

Note: In older Andrew accounts, the line "778 l" often appears after the line "spooler rlidw". "778" is the notation for your local workstation account, also known as the 'root'. If you have this line in your PrintDir default rights, it doesn't mean anything and will not affect your account in any way. You can remove it if you like using the fs cleanacl command.

Giving Rights to Directories

There may be times when you want to give certain users rights on subdirectories that you have created. To do this, you use the "fs" command with the "sa" switch (a switch is an attachment you can put onto a command to make it do a specific action--in this case "sa", which stands for setting access). At the system prompt type

  fs sa directoryname userid rights

where directoryname is the pathname of the directory to which you are setting rights, userid is the user ID of the person to whom you are giving rights, and rights are the notations for the rights you wish to set.

NOTE: It is also possible to add users from other cells to an access control list, provided they have obtained a cross-realm token for your cell, and have had this token registered in the protection database for your cell. (See the online help on cklog for further information on cross-realm tokens and authentication.)
You would add this user using the fs sa command, supplying the cross-realm identity for this person as the userid. For example, if you wish to add your friend Harry Bovik from CS (with the user ID of bovik@cs.cmu.edu) to an access control list of yours in the Andrew cell, you would add his cross-realm identity to your list. A cross-realm identity is in the form: @; Harry's cross-realm identifier would be bovik@andrew.cmu.edu (note the difference between this and his CS user ID) and this is what you would add to your access control list. It is important to realize that the individual you wish to add to your access control list must have obtained the cross-realm token and registered it with the protection database for your cell--you cannot do this for the individual.

For example, if you wanted to give someone whose user ID is "pat" read and lookup access to a directory of yours called 'notes' (remember that 'read' can be used to indicate read and lookup "rl" rights), at the system prompt you would type

  fs sa ~/notes pat read

To make sure that the correct rights were added, you can use the fs la directoryname command explained earlier.

Taking Away Rights from Directories

There are two possible ways to deny, or take away, rights to a directory. One way is to use 'none' with the "fs sa" command and the other is to use '-negative' with the "fs sa" command.

What's the Difference Between Using 'none' or '-negative'?

The main difference between 'none' and '-negative' is that 'none' merely erases a user ID or group name from the rights list, while '-negative' adds the name to the list with a special kind of permissions, negative rights. For example, if you deny a user all access to your "notes" directory using 'none', but system:anyuser still has read and lookup rights, the user will still be able to read and lookup files in the directory because they are a member of the group system:anyuser.
However, if you use '-negative' to deny rights, the user will appear as having negative rights. Then even though the user is still a member of system:anyuser, they will be denied access to your "notes" directory because of those negative rights.

Using 'none'. To take away all rights to a particular directory (to set 'none' rights) you place the 'none' notation at the end of an "fs sa" command line:

  fs sa directoryname userid none

where directoryname is the name of the directory you are denying access to and userid is the user ID of the person to whom you are denying access.

Example. If you had previously given user pat 'read' rights ("rli" rights) to your "notes" directory, but decided now that you don't want pat to have any rights, at the system prompt you would type

  fs sa ~/notes pat none

Remember, pat will still have the same access that system:anyuser has, because pat is a member of that group.

Using '-negative' or Setting Negative Rights. When you use '-negative' with the "fs sa" command, you are setting negative rights or denying a user specific access to a directory. To assign negative rights, at the system prompt type

  fs sa directoryname -negative userid rights

where directoryname is the pathname of the directory you are setting negative rights for, userid is the user ID of the person to whom you are denying rights, and rights are the abbreviations for the permissions you are taking away.

Example. To give pat negative read and lookup rights (using 'read' for "rl"), or take away those permissions, to your "notes" directory, at the system prompt type

  fs sa ~/notes -negative pat read

If you use the fs la ~/notes command, you will see that a list of negative rights has been added to the rights list for "notes":

  Normal rights:
    system:anyuser rl
    rlidwka
  Negative rights:
    pat rli

Giving Back Rights You Have Taken Away

There are two ways to give back rights that you have taken away, and which one you use depends on how you removed the rights initially.
If you used 'none' to take away a user's rights, then to re-set, or give back, those rights, you use the same command described earlier for setting rights:

  fs sa directoryname userid rights

If you used '-negative' to take away a user's rights, then you must use '-negative' combined with 'none' to remove those negative rights:

  fs sa directoryname -negative userid none

This gives the user who has userid for their user ID no negative rights.

File Protection Using "chmod"

On Andrew, most protections are set on directories using the "fs sa" command. However, it is possible to set access to an individual file using the "chmod" command. "Chmod" allows you to control whether a file can be read or written at all. If you "turn off" writing for a file, you will prevent anyone, including yourself, from writing to that file; the same goes for reading a file. If you "turn on" writing for a file, you allow anyone with write access to the directory the file is in write access to the file; the same goes for read access.

To turn off write access for a file, at the system prompt type

  chmod -w filename

To turn off read access for a file, at the system prompt type

  chmod -r filename

To turn on write access, at the system prompt type

  chmod +w filename

To turn on read access, at the system prompt type

  chmod +r filename

where filename is the name of the file you want to change the access on.

Important Note

If you wish to restrict access to your top level or home directory, you must still give postman and spooler rl rights in order to have mail and printing service. A better way to protect your confidential files is to create your own private directory to which only you have access. Should you modify your home directory or service directory protections in such a way as to prevent correct functioning of these services, system administrators may have to reset the protections.
For example, the Andrew postmaster may notice that the mail system has tried to deliver you mail but has not been able to, either because you have incorrectly changed the protection on your Mailbox directory or on your home directory. In the case of mistaken changes to service directories, system administrators will set these back to their default settings (as listed above). In the case of a mistaken change to your home directory, system administrators will assume that you were meaning to make it more private and will only give spooler and postman l (lookup) rights.

Further questions about directory permissions should be sent to advisor@andrew.

Quick Reference

1. How to Find Out the Protections on a Directory:
     fs la directoryname

2. Giving Rights to Directories:
     fs sa directoryname userid rights

3. Taking Away Rights from Directories:
     With 'none':       fs sa directoryname userid none
     With '-negative':  fs sa directoryname -negative userid rights

4. Giving Back Rights You Have Taken Away:
     Re-setting:        fs sa directoryname userid rights
     With '-negative':  fs sa directoryname -negative userid none

Related Tools

Select (highlight) one of the italicized names and choose "Show Help on Selected Word" from the menu to see the Help document for:

  afs (Andrew File System)
  afs-groups
  chmod
  cklog
  directories (Managing Files and Directories Overview)
  forwarding (Mail Forwarding on Andrew)
  fs
  wpi
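The following is an added illustration, not part of this help document and not the fs program itself: a small Python model of how an Andrew directory's access control list is evaluated, used to show why 'none' and '-negative' behave differently for a user who is also a member of system:anyuser. The user IDs "me" and "pat" and the group memberships are constructed for the example; on Andrew the protection server decides membership.

```python
# Added illustration, not the fs program: a model of Andrew (AFS) directory ACL evaluation.
RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer
SHORTHAND = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

class DirectoryAcl:
    def __init__(self, owner):
        self.owner = owner
        self.normal = {owner: set(RIGHTS)}  # userid/group -> positive rights
        self.negative = {}                  # userid/group -> negative rights

    def fs_sa(self, userid, rights, negative=False):
        """Mirror 'fs sa dir userid rights' or 'fs sa dir -negative userid rights'."""
        bits = set(SHORTHAND.get(rights, rights))
        if bits - set(RIGHTS):
            raise ValueError(f"unknown rights: {rights}")
        table = self.negative if negative else self.normal
        if bits:
            table[userid] = bits
        else:
            table.pop(userid, None)  # 'none' erases the entry; it denies nothing

    def fs_la(self):
        """Listing in the shape 'fs la' prints: normal entries, then negative ones."""
        def block(title, table):
            rows = [f"  {n} {''.join(c for c in RIGHTS if c in b)}" for n, b in table.items()]
            return [title] + rows if rows else []
        return "\n".join(block("Normal rights:", self.normal) + block("Negative rights:", self.negative))

    def effective(self, user, groups=("system:anyuser",)):
        """Rights from the user's own and group entries, minus any matching negative entry."""
        names = {user, *groups}
        allowed = set().union(*(b for n, b in self.normal.items() if n in names))
        denied = set().union(*(b for n, b in self.negative.items() if n in names))
        rights = allowed - denied
        if user == self.owner:
            rights.add("a")  # the owner can always administer, even when locked out
        return "".join(c for c in RIGHTS if c in rights)

def none_versus_negative():
    acl = DirectoryAcl(owner="me")             # constructed 'notes' directory
    acl.fs_sa("system:anyuser", "rl")          # inherited home-directory default
    acl.fs_sa("pat", "read")                   # fs sa ~/notes pat read
    given = acl.effective("pat")
    acl.fs_sa("pat", "none")                   # fs sa ~/notes pat none
    after_none = acl.effective("pat")          # still rl, via system:anyuser
    acl.fs_sa("pat", "read", negative=True)    # fs sa ~/notes -negative pat read
    after_negative = acl.effective("pat")      # nothing at all
    acl.fs_sa("pat", "none", negative=True)    # fs sa ~/notes -negative pat none
    return given, after_none, after_negative, acl.effective("pat")
```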