[sf-lug] Linux rapper at Stanford
asheesh at asheesh.org
Tue Feb 2 17:57:11 PST 2010
On Tue, 2 Feb 2010, Alex Kleider wrote:
> man fs makes no mention of sa or s or a
> man 'fs sa' --> no man entry for ..
> Can you suggest any other reference?
Here's a decent one: http://help.ncsu.edu/solutions/all/819.php
"fs sa" is short for "file system set access control list". Users of AFS
can configure the permissions on the directories they own.
AFS is a network filesystem -- one of the strangest one in wide use.
Aggressive client-side caching makes it seem fast, even if your connection
to the server is slow. It's pretty secure, using Kerberos to authenticate
(It uses the old, insecure Kerberosv4 internally, but it can be configured
to work through a v4->v5 mapper for Kerberos so that it gains much of the
security of Kerberos v5.)
Systems with AFS have a /afs directory by which you can access any
AFS-ified system on the Internet. So, something I used to do for a few
$ cd /afs/laroia.net/
would show me domain's data. But if I wanted to read publicly-shared data
from Carnegie Mellon, I might do:
$ cd /afs/andrew.cmu.edu/
The /afs/ directory is tied to a kernel-level hook that makes the above
magic possible. And if I want to authenticate using a Carnegie-Mellon ID,
I might do:
$ kinit paulproteus at andrew.cmu.edu
and then I would be able to "cd" into my personal directory. "kinit" will
let me authenticate to multiple different Kerberos realms.
Also, in AFS, permissions inherit -- so if you set your home directory's
permissions one way, every new file and subdirectory in there gets the
same permissions unless you set it otherwise. This makes sharing access a
*breeze* -- just "fs sa" the permissions on a directory so you and a
friend can read and write, and everything underneath there is that way.
Having tasted this sweet joy of AFS permissions back in 2001, I still
can't bring myself to struggle with umask and UNIX groups.
> Google left me with an impression regarding the evil that can be done
> but no details.
This is a frame-worthy quote.
P.S. Running an AFS server on a cable modem, and the AFS client on an
Xbox running Linux, is an interesting experience.
P.P.S. If you decide you want to try this, openafs.org has more info, and
the Debian/Ubuntu packages are rather helpful.
The inherent vice of capitalism is the unequal sharing of blessings;
the inherent virtue of socialism is the equal sharing of misery.
More information about the sf-lug