Next: Using the chmod Command Up: Sharing Files on RCS Previous: Accessing Files Permitted to

Changing File Permissions: Working With ACLs

Adding a User to an ACL

To add a user to an ACL, first use the UNIX cd command to move to the parent directory of the directory to which you wish to change the file permissions, and then issue a command having the format:
$\begin{alltt} {\bf fs setacl}{\it directory userid access-rights} \end{alltt}$
where

directory: refers to the name of the directory in which you want to add someone to the ACL
userid: refers to the Rensselaer userID of the person you want to add to the ACL
access-rights: may consist of any combination of the seven access privileges (rlidwka)

If you wish, you can also use the abbreviation sa in place of setacl; think of it as standing for ``set access."

Rights issued with the setacl command will replace any pre-existing rights for a person or group.

Examples

To give user ramabz read access to your math directory, you would use the command:
$\begin{alltt}\bf fs sa math ramabz rl \end{alltt}$
To give user healyj write access (rldiwk) to the same directory:
$\begin{alltt}\bf fs sa math healyj write \end{alltt}$
To give user tartom list access to the same directory:
$\begin{alltt}\bf fs sa math tartom l \end{alltt}$
To perform the three previous commands all at once:
$\begin{alltt}\bf fs sa math ramabz read healyj write tartom l \end{alltt}$
Let's suppose that your own userid is doej2. Now, if you were to look at the ACL for your math directory after setting the permissions above, it would appear as follows:
$\begin{alltt} {\bf fs la math} {\tt Access list for math is Normal rights: doej2 rlidwka tartom l healyj rlidwk ramabz rl } \end{alltt}$

Adding All Users to an ACL

If you wish, you may permit a directory to any user with AFS access by using a group called system:anyuser in the fs sa command, instead of a specific userid. This group contains anyone using AFS. A group called system:authuser also exists; this group contains only the people who have used valid userIDs and passwords to log into RCS. (Please refer to the section Working With Groups for more information about groups.)

For example, to give everyone read access (rl) to the directory named math, make sure you are in math's parent directory, and then type:

$\begin{alltt} {\bf fs sa math system:anyuser read} \end{alltt}$

If you look at the ACL for your public directory, you will notice that system:anyuser has rl permission, meaning that anyone logged into AFS can read the files in that directory.

Removing an ACL Entry

To remove a user from an ACL, use the following command format:
$\begin{alltt} {\bf fs sa}{\it directory userid}{\bf none} \end{alltt}$
For example, to remove all of user healyj's permissions within the math directory:
$\begin{alltt}\bf fs sa math healyj none \end{alltt}$
If you then checked the ACL list, it would appear as follows:
$\begin{alltt} {\bf fs la math} {\tt Access list for math is Normal rights: doej2 rlidwka tartom l ramabz rl } \end{alltt}$

Denying a User Access

If a user would by default receive certain permissions based on his or her group membership (for example, system:authuser), and you don't want to allow that person to have such permission, you can use the -negative option before the userid. This indicates that the user is specifically not to have the permissions listed, no matter what else is set, and places them on the negative ACL list. As an example, suppose we had the following:

$\begin{alltt} {\bf fs la /home/60/firstz/public} {\tt Access list for /home/60... ...rmal rights: system:backup l system:authuser rl firstz rlidwka } \end{alltt}$

However, let's suppose that you don't want user whitez to have permission to list or read any of the files in the directory (which he or she would have received by default as a member of the group system:authuser). In this case, you could type:

$\begin{alltt}\bf fs sa /home/60/firstz/public -negative whitez rl \end{alltt}$

Your directory would then have an access list of:

$\begin{alltt} {\bf fs la /home/60/firstz/public} {\tt Access list for /home/60... ... system:authuser rl firstz rlidwka Negative rights: whitez rl } \end{alltt}$

width pt depth .75 pt

Note: Negative ACLs are complex, in that setting one for a user does not necessarily prevent them from ever accessing that directory. For example, a directory that also has permissions set for the group system:anyuser can still allow the user some access to the directory; that person can use the unlog program and still have access as a member of system:anyuser. As a result, you should probably restrict use of negative ACLs to those directories that have permissions for system:authuser or another group that has limited membership that you control. (See the section Working With Groups for more information about groups.)

width pt depth .75 pt

Next: Using the chmod Command Up: Sharing Files on RCS Previous: Accessing Files Permitted to

Send comments to consult@rpi.edu.