[sf-lug] Linux rapper at Stanford

Asheesh Laroia asheesh at asheesh.org
Tue Feb 2 17:57:11 PST 2010

On Tue, 2 Feb 2010, Alex Kleider wrote:

> man fs makes no mention of sa or s or a
> man 'fs sa' --> no man entry for ..
> Can you suggest any other reference?

Here's a decent one: http://help.ncsu.edu/solutions/all/819.php

"fs sa" is short for "file system set access control list". Users of AFS 
can configure the permissions on the directories they own.

AFS is a network filesystem -- one of the strangest ones in wide use. 
Aggressive client-side caching makes it seem fast, even if your connection 
to the server is slow. It's pretty secure, using Kerberos to authenticate 

(It uses the old, insecure Kerberos v4 internally, but it can be configured 
to work through a v4->v5 mapper for Kerberos so that it gains much of the 
security of Kerberos v5.)

Systems with AFS have a /afs directory by which you can access any 
AFS-ified system on the Internet. So, something I used to do for a few 

$ cd /afs/laroia.net/

would show me domain's data. But if I wanted to read publicly-shared data 
from Carnegie Mellon, I might do:

$ cd /afs/andrew.cmu.edu/

The /afs/ directory is tied to a kernel-level hook that makes the above 
magic possible. And if I want to authenticate using a Carnegie-Mellon ID, 
I might do:

$ kinit paulproteus@andrew.cmu.edu

and then I would be able to "cd" into my personal directory. "kinit" will 
let me authenticate to multiple different Kerberos realms.

Also, in AFS, permissions inherit -- so if you set your home directory's 
permissions one way, every new file and subdirectory in there gets the 
same permissions unless you set it otherwise. This makes sharing access a 
*breeze* -- just "fs sa" the permissions on a directory so you and a 
friend can read and write, and everything underneath there is that way.

Having tasted this sweet joy of AFS permissions back in 2001, I still 
can't bring myself to struggle with umask and UNIX groups.

> Google left me with an impression regarding the evil that can be done 
> but no details.

This is a frame-worthy quote.

-- Asheesh.

P.S. Running an AFS server on a cable modem, and the AFS client on an 
Xbox running Linux, is an interesting experience.

P.P.S. If you decide you want to try this, openafs.org has more info, and 
the Debian/Ubuntu packages are rather helpful.

The inherent vice of capitalism is the unequal sharing of blessings;
the inherent virtue of socialism is the equal sharing of misery.
 		-- Churchill
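
An added example, not part of the original message: since a new subdirectory starts with its parent's ACL, a broad grant is best caught at the directory where it was set. This sketch parses `fs listacl` output (the long form of `fs la`) and flags modify rights held by the cell-wide groups; the sample output, paths and user names are constructed, and negative rights are only subtracted for the same entry name.

```python
import re

# Constructed sample in the layout `fs listacl` prints; paths and names are
# placeholders, not taken from the message above.
SAMPLE = """\
Access list for /afs/example.org/user/alice is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  alice rlidwka
Access list for /afs/example.org/user/alice/shared is
Normal rights:
  system:anyuser rlidwk
  alice rlidwka
  bob rlidwk
Negative rights:
  mallory rlidwka
"""

BROAD = {"system:anyuser", "system:authuser"}  # everyone / every cell user
MODIFY = set("idwa")  # insert, delete, write, administer

def parse_listacl(text):
    """Return {path: {"normal": {who: rights}, "negative": {who: rights}}}."""
    acls, path, section = {}, None, None
    for line in text.splitlines():
        header = re.match(r"Access list for (.+) is$", line)
        if header:
            path, section = header.group(1), None
            acls[path] = {"normal": {}, "negative": {}}
        elif line.startswith("Normal rights:"):
            section = "normal"
        elif line.startswith("Negative rights:"):
            section = "negative"
        elif path and section and len(line.split()) == 2:
            who, rights = line.split()
            acls[path][section][who] = rights
    return acls

def risky_grants(acls):
    """List (path, group, rights) where a broad group can modify a directory."""
    findings = []
    for path, acl in acls.items():
        for who in BROAD.intersection(acl["normal"]):
            denied = set(acl["negative"].get(who, ""))
            extra = (set(acl["normal"][who]) - denied) & MODIFY
            if extra:
                findings.append((path, who, "".join(sorted(extra))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in risky_grants(parse_listacl(SAMPLE)):
        print(*finding)
```
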
