ITS Documentation

Using Access Control Lists With Institutional File System Directories and Folders

S4111 • October 2011

You can control whether other people can see the folders and documents in your Institutional File System (IFS) home directory, whether they can make changes to them, and related matters through the use of Access Control Lists (ACLs). This document tells you how to do that. It also tells you about the pre-set access controls on the folders that are provided for you inside your IFS home directory. For general information about IFS and your home directory, see IFS Overview (R1070).

What Are ACLs?

An ACL is a list of uniqnames and/or protection groups to which access rights have been assigned. (A protection group—or pts group—is similar to an e-mail group except that it is used for assigning access rights instead of sending e-mail.) ACLs are set for folders. For example, you might create a folder in your IFS home directory that you want to use for a group project. You could then set ACLs for that folder to allow only your group members to see what is inside it and make changes.

There are seven basic access privileges that can be associated with an ACL and set for a folder. Each is indicated by a one-letter abbreviation.

  • lookup (l). If you have lookup access to a folder, you can see -- or "list" -- the names of documents and folders inside it, but you cannot open and read them. A user must have lookup access rights in order to use any other rights. If, for example, you assigned read rights on a folder to a friend but did not assign lookup rights, your friend would not be able to see the documents in the folder and would therefore not be able to select any to open and read.

  • insert (i). If you have insert access to a folder, you can add new documents and folders to it.

  • delete (d). If you have delete access to a folder, you can delete documents and folders from it.

  • admin (a). If you have admin access to a folder, you can change the ACLs for it and the folders inside it. You have admin rights for all folders inside your IFS home directory, but you cannot change the access privileges for your home directory itself.

  • read (r). If you have read access to a folder, you can open and read any document inside that folder (assuming, of course, that you have the right application, such as Word or Excel, to open it).

  • write (w). If you have write access to a folder, you can make and save changes to any document inside it.

  • lock (k). If you have lock access to a folder, you can place read or write limitations on it. This ACL is rarely used. It allows you to lock a folder while you are updating a document inside it so that no other user can alter the document until you release the lock.

There are four combination rights that can be associated with an ACL. These are always spelled out and cannot be abbreviated.

  • write. All rights except admin (rlidwk).

  • read. Read and lookup rights (rl).

  • all. All seven rights (rlidwka).

  • none. No rights.

Your Pre-Set Folders

Your IFS home directory comes with some folders already inside it. ACLs have been set for these folders. You can change these ACLs if you wish. You have all-access rights to your home directory and all the folders inside it. (Note that if your IFS home directory was created in the early 1990s, your ACLs may be slightly different from those listed below.)

  • Public. The ACLs for your Public folder are:

    system:anyuser rl
    <youruniqname> rlidwka

    This means that any IFS user in the world can see that you have a Public folder inside your IFS home directory and can read the documents inside it. No one other than you, however, can make changes to, add, or delete documents.

    Note: Your own uniqname will be substituted for <youruniqname>.

    HINT: You can publish your own home page on the web by using your Public folder. Create a folder called html inside your Public folder, and put your web page(s) inside. For more detail, see Create Your Own UM Web Page. Do not change the ACLs on your Public folder if you use it to publish on the Web.

  • Shared. The ACLs for your Shared folder are:

    system:authuser l
    <youruniqname> rlidwka

    This means that any U-M IFS user can see that you have a Shared folder inside your IFS home directory. No one other than you, however, can make changes to, add, or delete documents.

  • Private. The ACLs for your Private folder are:

    system:anyuser l
    <youruniqname> rlidwka

    This means that any IFS user can see that you have a Private folder inside your IFS home directory. If they open that folder and look inside, they will see the names of folders, but will not be able to see the contents. No one other than you can make changes to, add, or delete documents.

  • Network Trash Folder. This folder is for Mac system use only. Do not delete it, and do not change its ACLs.

Other Folders

If you use Pine for e-mail or trn for Usenet news, other folders (for example, mail and news) may be created for you when you use those programs. It's best to just leave these folders alone; they are for the use of those programs only.

You can create folders inside your home directory and inside the pre-set folders. When you create a folder, it inherits the ACLs of the folder inside which it is created (that is, it inherits the ACLs of its parent folder).

Connect to the Login Service to Check and Set ACLs

To check and set ACLs, you must issue Unix commands. You can do this from the Login Service.

  1. Use secure software to connect to the Login Service (login.itd.umich.edu).

    • Windows. Use PuTTY software. For information about obtaining and using PuTTY, see Use PuTTY to Connect to Host Computers [Windows] (s4386).

    • Mac OS X. Mac OS X comes with SSH software called Terminal. Open the Applications folder, then the Utilities folder to find it. Open Terminal and enter this command: ssh login.itd.umich.edu

      Note: The Blue Disc installs an icon in your dock that you can click to connect to the Login Service.

  2. At the login prompt, type your uniqname and press RETURN or ENTER.
  3. At the AFS Password prompt, type your UMICH password and press RETURN or ENTER.

Checking ACLs

First connect to the Login Service (see directions above).

Checking ACLs for Your Home Directory

  1. At the % prompt, type fs listacl and press RETURN or ENTER. If you don't specify a directory, your IFS home directory will be checked. Here's a sample of how that might look:

    galaga% fs listacl

  2. The ACLs for your home directory will be displayed:

    Access list for . is
    Normal rights:
    system:anyuser l
    <youruniqname> rlidwka

    This means that anyone using IFS has lookup rights to your home directory and that you have read, lookup, insert, delete, write, lock, and admin rights to your own home directory. Because system:anyuser does not have read access, no one can read files and documents inside your home directory.

    Note: "System:anyuser" is a pts group that includes all IFS users. Your own uniqname will be substituted for <youruniqname>.

Checking ACLs for Folders Inside Your Home Directory

To see ACLs for a specific folder inside your home directory, you must specify the folder name when you issue the command to list ACLs.

  1. At the % prompt, type fs listacl <foldername> (where you have substituted the actual folder name for <foldername>) and press RETURN or ENTER. For example, here is a % prompt followed by the command you would enter to see the ACLs on your Shared folder:

    galaga% fs listacl Shared

  2. The ACLs will be displayed:

    Access list for Shared is
    Normal rights:
    system:anyuser rl
    <youruniqname> rlidwka

    Note: Your own uniqname will be substituted for <youruniqname>.

IMPORTANT! Be sure to get the capitalization exact when you specify a folder name. If you ask for ACLs for a "shared" folder instead of a "Shared" folder, for example, you may get a message saying that the folder doesn't exist.

Checking ACLs on Other IFS Directories

As long as you know the path to an IFS directory or folder, you can find out its ACLs. For example, to see the ACLs for the Software Distribution Directory, type the following at the % prompt on the Login Service:

fs listacl /afs/umich.edu/group/itd/swdist

HINT: In many cases, you can abbreviate the pathname by using a tilde (~). For example, you can also check the ACLs on the Software Distribution Directory by typing fs listacl ~swdist at the % prompt. And you can see the ACLs for the home directory of anyone at U-M by typing fs listacl ~<uniqname> (where you have substituted the person's uniqname for <uniqname>) at the % prompt. Omit the angle brackets.

Setting ACLs

First connect to the Login Service (see directions above). Note that you can only set ACLs on folders for which you have admin rights.

HINT: New folders inherit ACLs from the folders in which they are created. If you create a folder in the Shared folder inside your IFS home directory, for example, it automatically gets the same ACLs as your Shared folder. However, if you later change the ACLs of your Shared folder, the ACLs of the folders inside will not automatically change to match.

TIP: If you find yourself needing to set ACLs on a folder for more than three or four people, consider using a protection (pts) group. A pts group is a lot like an e-mail group, except that it is a list of uniqnames rather than a list of e-mail addresses. You can use pts groups to give access rights to groups of people. This can be especially helpful if the membership of the group to which you want to grant access changes over time. See Creating and Administering Protection (pts) Groups (S4033) for how to create a pts group. You then use the pts group name instead of individual uniqnames when setting ACLs.

Giving People Access Rights

You issue the fs setacl command at the % prompt to set ACLs. The command names, in order, the folder, the uniqname or pts group to which you want to give access, and the rights (substitute your own values and do not type the angle brackets):

fs setacl <folder> <uniqname or pts group> <rights>

For example, if you want to give Barbara Jensen (a fictitious person whose uniqname is bjensen) full access to the files in a folder called labwork inside your home directory (the write combination, that is, every right except admin), you would type the following at the % prompt on the Login Service:

fs setacl labwork bjensen write

After typing the command and pressing RETURN or ENTER, you will be returned to the % prompt. You can check the change by typing fs listacl labwork at the % prompt. If you are setting ACLs for a folder outside your home directory, list the full path instead of just the folder name (for example, list /afs/umich.edu/user/b/j/bjensen/ instead of bjensen).

Taking Away Access Rights

To remove access rights, set the ACLs for that person (or group) to none. For example, to take away Barbara Jensen's access rights to the labwork folder in your home directory, type the following at the % prompt:

fs setacl labwork bjensen none

Denying Access Rights to Particular People in a Group

You may want to grant access rights to all the members of a pts group except one or two individuals. You do this by first setting ACLs to grant the appropriate rights to the pts group (for example, fs setacl <folder> <pts group name> read), then setting negative ACLs for the one or two individuals. This example shows how to set negative ACLs denying Barbara Jensen access to a folder:

fs setacl -negative <folder> bjensen all

If you change your mind and want to restore access, you would issue the following command to remove the negative rights:

fs setacl -negative <folder> bjensen none
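To make the rights model concrete (the seven letters and the combination names from "What Are ACLs?", lookup being required before any other right is usable, and the negative list described just above), here is an added Python example; it is not from this ITS document or from the AFS fs tools. It parses fs listacl output of the form shown earlier in this document, works out the rights a given user ends up with, and flags any everyone-group entry that grants more than read and lookup. The sample listacl text, the uniqnames jdoe, bjensen and asmith and the group jdoe:labgroup are constructed, and the model assumes the user is logged in, so that system:authuser matches.

```python
import re

BASIC = "rlidwka"   # the seven one-letter rights, in the order fs prints them
COMBO = {"write": "rlidwk", "read": "rl", "all": "rlidwka", "none": ""}

def expand(rights):
    """Combination name (write/read/all/none) or letter string -> canonical letters."""
    letters = COMBO.get(rights, rights)
    if set(letters) - set(BASIC):
        raise ValueError("unknown right in %r" % rights)
    return "".join(c for c in BASIC if c in letters)

def parse_listacl(text):
    """Parse `fs listacl` output into (folder, normal, negative); each dict is entry -> letters."""
    folder, section, normal, negative = None, None, {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            folder = m.group(1)
        elif line == "Normal rights:":
            section = normal
        elif line == "Negative rights:":   # fs prints this block only when negative entries exist
            section = negative
        elif section is not None and line:
            entry, letters = line.split()
            section[entry] = expand(letters)
    return folder, normal, negative

def effective_rights(normal, negative, user, groups=()):
    """Union of matching normal entries minus union of matching negative entries."""
    ids = {user, "system:anyuser", "system:authuser", *groups}  # assumes a logged-in user
    granted = {c for entry, r in normal.items() if entry in ids for c in r}
    denied = {c for entry, r in negative.items() if entry in ids for c in r}
    eff = granted - denied
    if "l" not in eff:      # without lookup, no other right can be exercised
        eff = set()
    return "".join(c for c in BASIC if c in eff)

def world_modifiable(normal):
    """True when an everyone-group entry grants anything beyond read/lookup (a sharing mistake)."""
    return any(e.startswith("system:") and set(r) - set("rl") for e, r in normal.items())

# Constructed sample output: a pts group has read, one member of it is explicitly denied everything.
SAMPLE = """Access list for labwork is
Normal rights:
system:anyuser l
jdoe:labgroup rl
jdoe rlidwka
Negative rights:
bjensen rlidwka
"""
```

Run effective_rights against the parsed SAMPLE for bjensen with the group in her membership list and the result is empty: the negative entry wins over the read right she inherits from the group, which is exactly the "grant to the group, deny to one member" pattern above.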

Appendix: Changing ACLs on Many Folders at Once (Advanced)

It is possible to set ACLs on all the folders inside a particular folder with just one command. However, we recommend you not try this unless you are comfortable using Unix and confident in your ability to enter everything correctly.

To change ACLs on all the folders inside a given folder, issue the following command at the % prompt:

find <folder> -type d -exec fs sa {} <uniqname or pts group> <permissions> \;

Make the following substitutions, and do not type the angle brackets:

<folder> Type the name of the folder (or directory) within which you want to change all the ACLs.
<uniqname or pts group> Type the uniqname or pts group name for which you want to set ACLs.
<permissions> Type the access rights you want to set.

Additional Resources

Visit ITS's Information System to obtain ITS computer documentation and other resources. A list of relevant documents follows:

The ITS Service Center provides a variety of computing help resources.

For further help with this or any other topic, call 734-764-HELP [4357] or submit an online service request.