r5 - 17 Mar 2008 - 15:46:49 - DavidParter

Protecting Your Files

File protection at the CSL is done with AFS access control lists, or ACLs. There are two aspects of protecting files: who has access to the files, and who can change the access rights to the files. Some things to remember about AFS ACLs:

  • Access controls apply to all files in a directory
  • Only the Unix "user" access bits apply to the file
  • Administrator (a) access allows a user to modify the ACL
  • Administrator access on a parent directory allows a user to modify the ACL of the directory
  • The ACL is copied from the parent directory when a directory is created
  • It is futile to deny rights that are granted to system:anyuser on the same ACL; all the user needs to do is issue the unlog command to receive the denied rights. Likewise for the network-address based groups listed below.

Here's a list of system-wide AFS groups you can use in your ACLs:

CAUTION: The following groups should rarely, if ever, be granted write access, and read access should only be given if anyone is allowed to read your files.

  • system:anyuser is any user of AFS, anywhere on the Internet
  • system:authuser is any user authenticated (with a token) in our AFS cell (cs.wisc.edu)
  • net:cs is any computer on the Computer Sciences Department networks
  • net:inst is any computer on the Computer Sciences Department instructional networks
  • net:stat is any computer on the Statistics Department network
  • net:wisc is any computer on the University of Wisconsin - Madison campus networks
  • host:www is the web server
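
To check a directory against the points above, the following added example (not part of the original page or any CSL tool) parses the output of the standard AFS command fs listacl and reports two problems: a group from the list above holding write-type rights, and a negative entry that denies rights the same ACL grants to a group whose membership does not depend on a token. The sample ACL, its path and the user names are constructed, and treating the i, d, w and a rights as "write" is an assumption.

```python
# Groups listed on this page. Membership in all but system:authuser
# does not depend on holding a token.
BROAD = {"system:anyuser", "system:authuser", "net:cs", "net:inst",
         "net:stat", "net:wisc", "host:www"}
NO_TOKEN = BROAD - {"system:authuser"}
WRITE = set("idwa")  # assumption: insert, delete, write, administer

# Constructed sample of `fs listacl <dir>` output (not from a real directory).
SAMPLE = """\
Access list for /afs/cs.wisc.edu/u/e/x/example is
Normal rights:
  system:anyuser rl
  net:cs rliw
  example rlidwka
Negative rights:
  otheruser rl
"""

def parse_listacl(text):
    """Return (normal, negative) dicts mapping principal -> set of rights."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Normal rights"):
            current = normal
        elif s.startswith("Negative rights"):
            current = negative
        elif current is not None and s:
            name, rights = s.split()
            current[name] = set(rights)
    return normal, negative

def audit(text):
    """Return a list of findings as tuples; an empty list means no issues."""
    normal, negative = parse_listacl(text)
    findings = []
    # Broad groups should rarely, if ever, hold write-type rights.
    for group in sorted(BROAD.intersection(normal)):
        risky = normal[group] & WRITE
        if risky:
            findings.append(("broad-write", group, "".join(sorted(risky))))
    # A denial is futile if a token-independent group grants the same rights:
    # the denied user gets them back after running unlog.
    for who, denied in sorted(negative.items()):
        for group in sorted(NO_TOKEN.intersection(normal)):
            regained = denied & normal[group]
            if regained:
                findings.append(("futile-deny", who, group, "".join(sorted(regained))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
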