Setting Permissions with Macintosh

Overview

Permissions determine who's allowed to see, change, or move your AFS files. The permissions you set don't work on the files themselves: they work on the folders that hold the files. On this page we show you how to add, remove, and edit permissions using Macintosh OS X computers.

The following example shows how to set permissions on a folder located inside your personal WWW folder.

Note: You can also set folder permissions from the UNIX command line. First, make sure you are logged into Kerberos. Then, log into one of the shared UNIX workstations. See Setting Permissions with UNIX for more information.

Get to your destination

Follow the instructions below, replacing the "rocketscience" example with the name of the directory where you want to set permissions.

  1. On your Mac, open Terminal. (AuriStorFS for Mac must be installed to proceed.)
  2. Be sure you have an AFS token by issuing these two commands:

     kinit <yoursunetid>@stanford.edu

     (and enter your password when prompted)

     aklog

  3. Go to the directory where you'd like to set permissions.
     a.) In this example, you'd type:

         cd /afs/ir/dept/rocketscience/WWW/

     b.) You can always tell if you're in the right directory because the command prompt will be augmented with your present location. In other words, a command prompt that used to look something like this:

         cardinal4:>

     shows your location in AFS like this:

         cardinal4: /afs/ir/dept/rocketscience/WWW/>

Commonly used ACLs

This page tells you which ACLs to assign based on what you want to do. Don't forget to read the Tips and Tricks section of the Intermediate AFS Info page; it gives you real shortcuts for saving time when setting ACLs.

We'll presume that you're inside the folder or directory you want to set ACLs in, know that you possess the administrative privileges to do so and, for the sake of example, want to give ACLs to someone with the SUNet ID of "jsmith".

Look but don't touch (known as "Read" permissions) - Type:

fs sa . <sunetid> read

In our example, you'd have typed "fs sa . jsmith read" (don't forget the "space dot space" between "sa" and the SUNet ID). This lets people list your files, and open your files so they can read them, but prevents them from changing anything. It's the same as "fs sa . <sunetid> rl". Double check your work by typing "fs la": you should see "<sunetid> rl".

Almost total power (known as "Write" permissions) - Type:

fs sa . <sunetid> write

This is the most popular ACL. It lets someone work in your folder, change files, delete them, add new files, etcetera, but prevents them from letting other people into your folder(s). In our example, you'd have typed "fs sa . jsmith write" (don't forget the "space dot space" between "sa" and the SUNet ID). It's the same as "fs sa . <sunetid> rlidwk". Double check your work by typing "fs la": you should see "<sunetid> rlidwk".

Total power (known as "All" permissions) - Type:

fs sa . <sunetid> all

Be stingy when granting administrative permissions! The wrong person can wreak havoc in your and other directories. In our example you'd have typed "fs sa . jsmith all" (don't forget the "space dot space" between "sa" and the SUNet ID). It's the same as "fs sa . <sunetid> rlidwka". Double check your work by typing "fs la": you should see "<sunetid> rlidwka".

To kick someone out of a directory (this permission is called "None") - Type:

fs sa . <sunetid> none

In our example you'd have typed "fs sa . jsmith none" (don't forget the "space dot space" between "sa" and the SUNet ID). This removes all of a person's permissions for a directory, even if they had admin perms (rlidwka). Double check your work by typing "fs la": you should not see the SUNet ID of the person whose permissions you removed anywhere in the ACL list.

If you're an instructor and are having many students submit tests, papers, homework, etc. into a single directory, you'll want to prevent the files they submit from being altered once they're added to the directory, and also prevent students from accidentally reading or deleting other students' work. Type:

fs sa . system:anyuser lik

Don't forget the "space dot space" between "sa" and the word "system:anyuser", nor the colon in the word "system:anyuser". Double check your work by typing "fs la": you should see "system:anyuser lik".
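Every entry above ends with "double check your work by typing fs la". As an added example (not part of the original page), the shell function below reads "fs la" output on standard input, labels each entry with this page's shorthand (read, write, all), and marks entries that hold the administer right or that give system:anyuser more than the drop-box setting "lik". The function names, the "dropbox" label, the flag names, and the sample ACL (including the user names adoe and bwong) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: review "fs la" output using the shorthand names from this page.
# On a real AFS directory you would run:  fs la . | audit_acl

audit_acl() {
    awk '
    # Section headers printed by fs la; remember whether we are in negative rights.
    /^Access list for/  { next }
    /^Normal rights:/   { neg = 0; next }
    /^Negative rights:/ { neg = 1; next }
    NF == 2 {
        who = $1; rights = $2
        # Map the rights string to the shorthand used on this page.
        if      (rights == "rl")      name = "read"
        else if (rights == "rlidwk")  name = "write"
        else if (rights == "rlidwka") name = "all"
        else if (rights == "lik")     name = "dropbox"   # label is hypothetical
        else                          name = "custom"
        flag = "ok"
        if (neg)
            flag = "negative"            # entry denies rights, it does not grant them
        else if (index(rights, "a"))
            flag = "REVIEW-admin"        # holder can change the ACL itself
        else if (who == "system:anyuser" && rights ~ /[rwd]/)
            flag = "REVIEW-beyond-lik"   # anyone can read, change or delete files
        printf "%s %s %s %s\n", who, rights, name, flag
    }'
}

# Constructed sample of "fs la" output for the rocketscience WWW folder.
sample_acl() {
    cat <<EOF
Access list for . is
Normal rights:
  jsmith rlidwka
  adoe rlidwk
  bwong rl
  system:anyuser lik
EOF
}

sample_acl | audit_acl
```

Any line marked REVIEW-admin names someone who can let other people into the folder, so confirm each one is intended.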
