AFS (Andrew File System)

Want to know why AFS is important to you? Because it can save you from losing all your files, it can prevent people from maliciously changing your data, and it can stop people from committing computer crimes with your account!

How? Good question. In short, AFS allows you to share your files with only the people you want to have access to them, not everyone. It makes it so that you do not have to give your login and password to someone so that they can access your files (a very bad idea that can lead to felonious abuse of your account!). How does it do all of this? It gives you the ability to limit who has access to your files and what kind of access they are allowed. You can give one person the ability to look at a file and another the ability to change it. The control is yours.

AFS is a network file system. What does that mean to you? It means that when you log into your account, it is on the same virtual disk as everyone else that uses AFS...in the world. What is the reason for this? Well, it makes sharing files much easier. You can login to your machine at UNC and then change over to the directory of someone at the University of Michigan (for whose account you have been granted access). Additionally, it gives you much greater control over who can access your files and how they can access them.

This document will serve as a reference and a quick guide to performing specific tasks with AFS. We have described the most common tasks in a step-by-step manner so that you can refer back to it when you need to set up directory access. We also have a command reference section so that you can browse the commands that are available to you.

Before we get to the how-to section of this document, a couple of very simple principles should be known. First, you should be aware that with AFS you have control over user and group access. This means that you can give access to a single user or to a group of users. The implications of this are very easy to see. You can use groups to bunch users together and give them the same access rights to a directory. Obviously, this can save you a good deal of time, because if you create a directory and a group, you need only add the user to the group to give them whatever access privileges the group has. Secondly, this access is controlled by creating a directory and creating an ACL in that directory. You can give this access to a single user or to a group of users if needed. For example, if you are involved in a work group, then create a directory for that group. Then place all your files for that group into one logical location. So that you don't have to worry about mixing files, you may want to create one directory per group. In fact, you might give the directory the same name as the group (e.g., if you are working on RNA research with several other people, create a group called "RNA" for these users). Then create a directory for them called "RNA." This system allows for tracking where files should go.

First, let's talk about "rights." Rights are privileges in AFS. They determine what kinds of things a user or group can do within a directory. These rights are stored in the ACL (Access Control List) file. Each directory you make automatically has an ACL file created with it. With this file, you can setup access rights for other users and groups that you create. The rights you can assign are:

  • read (r) - this right allows a user to read a file's contents.
  • write (w) - this right allows a user to change the contents of a file. Use with caution; be sure you want users with this right to be able to change your files.
  • lookup (l) - this right allows a viewer to see what is in a directory and see what rights are in the ACL file.
  • insert (i) - this right gives the user the right to add files to your directory.
  • delete (d) - this right allows a user to delete your files from a directory. Use with caution; be sure that you want users with this right to be able to delete your files.
  • lock (k) - this right allows users to lock files with UNIX programs.
  • administer (a) - this right allows users to change rights in a directory. Be VERY careful: this can allow people to change YOUR rights in your own directory. This means they could make it so that you can't even read or change your own files! There is generally no reason to give this out unless you are working with someone else to administer a shared directory for a large group of people.

When assigning rights, you use the single letter in parenthesis above. So for read rights, you use "r." There are also combinations of these rights grouped together in order to make assigning rights easier. These are:

  • all - this gives the user or group every right in a directory. This is a bad idea since it includes administer. We recommend not using this right.
  • none - this takes all rights away. It is a quick and easy way to remove a user from an ACL file.
  • Read - gives r and l privileges. This is useful if you want people to see, but not delete or change, files.
  • Write - this gives read, write, insert and delete rights to people. Use with caution, since it makes it possible for people to change and delete your files.

When assigning these rights, you use the entire word.

Give careful consideration to what rights you want people to have. Here are some possible scenarios, please choose the one that works best for you:

  1. You want people to be able to read and copy your files. You don't care who sees the files. However, you don't want people to be able to change your files or delete them.
    SOLUTION: give all users the right to lookup and read the directory.
  2. You want only a certain person or a certain group of people to be able to read your files.
    SOLUTION: create a directory and give lookup and read access to either the users you want or create a group if there are many users.
  3. You want a colleague to be able to change a file that you have placed in a directory.
    SOLUTION: Give that user or group lookup, read, and write permissions to your directory.
  4. You want a colleague to be able to change files and delete files if they want to do so.
    SOLUTION: Give the user or group lookup, read, write and delete rights to your directory.
  5. You want to create a directory that anyone can add, delete, or change files in.
    SOLUTION: Give all users all rights.

We will now discuss the steps for setting up groups and directories in order to create the working environment you need. In short, the process involves three steps:

  1. Create a directory
  2. Create a group (if more than one person is going to access the directory, otherwise just add a single user). This process uses the "pts" command.
  3. Modify the directory ACL file to allow the group (or user) to access the directory. This process uses the "fs" command.

How-To

  1. Create a directory
  2. Create a group
  3. Add a user to a group
  4. Delete a user from a group
  5. List who is in a group
  6. Delete a group
  7. Share a directory with a group
  8. Share a directory with a single user
  9. Share a directory with multiple users
  10. View the access rights in a directory
  11. Delete all other users' access to a shared directory
  12. Learn more about the pts command
  13. Learn more about the fs command
  14. Access remote AFS directories
  15. Determine the path to your shared directory

DIRECTORIES

Create a directory

In order to create a directory, you must telnet into nun. At the prompt, create the directory by issuing the following command (if, for example, you wanted to create a directory called rna):

% mkdir rna

You may substitute whatever name you wish for "rna" above. Note that you cannot have spaces in the name. It is a good idea to avoid any non-alphanumeric characters as well. Generally, using a simple and intuitive name works best.

If you wish to learn more about simple UNIX commands, please visit the ITS website at:

http://its.unc.edu/.


GROUPS

Create a group

In order to create a group, you must give it a name. The name must include your username, a colon and then the group name. For example, to create a group for the RNA directory, you could use the name "myuserid:rna." Of course, myuserid would be replaced with your user id/login for the machine you are on. (If you don't know your userid, then simply type "whoami" at the command prompt. This command will print out your userid.) Once you decide on the name of the group, you can use the "pts" command with the flag "creategroup" to create the group. For example:

% pts creategroup myuserid:rna

If, for some reason, you leave part of the command out, you will get an error message. Getting an error message isn't a problem; just try again. Once you have typed the above command, you have created a group. You can now go on to add users to the group and define access rights for the group. Note that you cannot use spaces and some special characters in the name. As a general rule, just use alphanumeric characters.

Add a user to a group

In order to add another user to your group, you use the "pts" command with the "adduser" flag. You type the following at the prompt:

% pts adduser userid myuserid:rna

Of course, you substitute "userid" with the actual userid for the user you are adding to the group.

Delete a user from a group

In order to delete a user, issue the following command:

% pts removeuser userid myuserid:rna

You must substitute "userid" with the userid of the person you wish to delete from your group.

List who is in a group

To see all the members of a group, issue the following command:

% pts membership myuserid:rna

It will list who the members of the group are.

Delete a group

If you wish to delete a group entirely, the following command will delete it and all the members of the group:

% pts delete myuserid:rna

Share a directory with a group

In order to share a directory with a group, you use the "fs" command with the "setacl" flag. This command allows you to indicate the directory you wish to change, the group name and the rights you wish the group to have in the directory. You can issue the command as follows.

To give the group read and lookup rights:

% fs setacl rna myuserid:rna rl
OR (using the shortened aliases)
% fs setacl rna myuserid:rna read

To give the group read, lookup, and write rights:

% fs setacl rna myuserid:rna rlw

To give the group read, lookup, write and delete rights:

% fs setacl rna myuserid:rna rldw
OR (using the shortened aliases)
% fs setacl rna myuserid:rna write

Share a directory with a single user

In order to share a directory with a single user, you use the "fs" command with the "setacl" flag. You then follow that with the directory to be shared, the userid of the user and the rights to be given. For example:

To give the user read and lookup rights:

% fs setacl rna userid rl
OR (using the shortened aliases)
% fs setacl rna userid read

To give the user read, lookup, and write rights:

% fs setacl rna userid rlw

To give the user read, lookup, write and delete rights:

% fs setacl rna userid rldw
OR (using the shortened aliases)
% fs setacl rna userid write

Share a directory with multiple users

Setting access for multiple users is the same as setting it for a single user. You just execute the command once for each user. Alternatively, you may consider setting up a group once the number of users begins to grow.

View the access rights in a directory

In order to see what the rights are for a directory, simply execute the following command:

% fs listacl

The default output will look like this:

Access list for . is
Normal rights:
    system:administrators rlidwka
    system:anyuser l
    yourid rlidwka

This is the normal listing for a directory that has no other users or groups added to it. Every directory's ACL includes a line for the system administrators. At UNC, by default any user (the system:anyuser entry) may do a lookup in every directory. Finally, the last line is your own entry; it includes all access rights because it is your directory. After your listing will appear any other userids that have access and what their rights are for that directory. You may refer to the definition of the access rights above if you are unsure what the letters represent.
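As an added check that is not part of the original guide, the following POSIX shell function reads "fs listacl" output and warns about the two things the rights list above singles out: an entry other than you or system:administrators holding administer (a), and system:anyuser holding anything beyond lookup (l). The sample output, and the names myuserid, myuserid:rna and colleague, are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the "Normal rights" section of `fs listacl` output.
# Constructed sample output (not captured from a real AFS cell); the
# names myuserid, myuserid:rna and colleague are placeholders.
SAMPLE_ACL='Access list for . is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  myuserid rlidwka
  myuserid:rna rlidwk
  colleague rlidwka'

# Usage: audit_acl OWNER   (reads fs listacl output on stdin)
# Prints one WARN line for each entry that:
#   - grants administer (a) to anyone other than OWNER and
#     system:administrators, since they could then rewrite the ACL; or
#   - grants system:anyuser anything beyond lookup (l), since that entry
#     means every AFS user in the world.
audit_acl() {
    owner="$1"
    section=normal
    while read -r name rights; do
        case "$name" in
            "" | Access) continue ;;              # blank or "Access list for ..."
            Normal) section=normal; continue ;;
            Negative) section=negative; continue ;;
        esac
        # Negative rights are denials, not grants, so they are not flagged.
        [ "$section" = normal ] || continue
        case "$name" in
            "$owner" | system:administrators) continue ;;
        esac
        case "$rights" in
            *a*) echo "WARN: $name holds administer (a) on this directory" ;;
        esac
        if [ "$name" = system:anyuser ] && [ "$rights" != l ]; then
            echo "WARN: system:anyuser has '$rights'; every AFS user gets it"
        fi
    done
}

# Run against the constructed sample: expect warnings for system:anyuser
# and colleague, and none for the owner or the myuserid:rna group.
printf '%s\n' "$SAMPLE_ACL" | audit_acl myuserid
```

On a real system you would run "fs listacl rna | audit_acl yourid" from the directory's parent, substituting your own login for yourid.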

Delete all other users' access to a shared directory

If you have a directory that is shared and you want to delete all access from it except your own, then issue the following command:

% fs setacl . yourid all -clear

Substitute "yourid" with your login id. This command will give you all permissions for the directory and revoke all other groups and users rights for the directory.

Learn more about the pts command

In order to learn more about the pts command and what kinds of flags it can use, type the following command:

% pts help

In fact, most AFS commands will take the "help" argument. This is a good way to learn more about AFS commands.

Learn more about the fs command

In order to learn more about the fs command and what kinds of flags it can use, type the following command:

% fs help

In fact, most AFS commands will take the "help" argument. This is a good way to learn more about AFS commands.

Access remote AFS directories

Since AFS is a network file system, you can, in theory, reach any other AFS site in the world. You just have to know the path to the site you want to access. In order to determine this, we recommend that you talk to your colleagues and see what the path is to their shared directory. Once you know the path, you may simply use the UNIX "cd" command to get there. For example:

% cd /afs/umich.edu/userid/path/directoryname

Determine the path to your shared directory

In order to find out what the path is to one of your shared directories, simply go to that directory after telnetting into the site. Then type the "pwd" command. It will give you the full path to the directory you are in.