File Protections on AFS

2010/04/07 by ITSRM

These subsidiary rules to Operational Circular N°5 are for users of the AFS file system.

At CERN, owners of any kind of data (e.g. files, documents, Web pages), including users of file services, must protect their data from anonymous read and/or write access (see below for a definition of "anonymous").

AFS Data Protection Policy

In order to protect AFS data, the following access controls (ACLs) must be applied to all user folders hosted on AFS. Here, "HOME" is the path to the home folder of a particular user or his workspace.

  1. For all anonymous users, the default ACLs of the folder "~HOME/private" and all its sub-folders must be "none" rights, and nothing more permissive;
  2. For all anonymous users, the default ACLs of "~HOME/public" and all its sub-folders must not be more permissive than either combined "read"/"lookup" (i.e. "rl") rights or combined "lookup"/"insert"/"write" (i.e. "liw") rights;
  3. For the group "webserver:afs", the default ACLs of "~HOME/www" and all its sub-folders must not be more permissive than combined "read" / "lookup" / "insert" / "delete" / "write" / "lock" (i.e. "rlidwk") rights;
  4. For all anonymous users, the default ACLs of ~HOME and all its sub-folders not covered before must not be more permissive than "lookup" (i.e. "l") rights;
  5. For all anonymous users, the default ACLs of any folder must not allow for simultaneous "write" and "read" rights.

It follows from these rules that all information supposed to be widely public must be stored in the "~HOME/public" folder. All Web sites must be stored in the "~HOME/www" folder.

These rules are automatically enforced on a regular basis by the AFS service for all "user" and "workspace" folders, unless the actual settings are more restrictive than the aforementioned defaults. For "project", "group" or "scratch"-spaces, only rule #5 is enforced. If adaptations have to be made, the corresponding users will be notified afterwards by the AFS service.

However, the data owner (i.e. the user) is still ultimately responsible for the proper ACLs of his folders and files. The AFS service is supposed to assist with this, but holds no responsibility.

Definition of "anonymous"

Access to a file or folder is defined to be "anonymous" when the group of people permitted such access can be potentially very large. For AFS, permissions for one or more of the following access control groups are considered to be "anonymous users":

system:anyuser (i.e. all AFS users)
system:authuser (i.e. all CERN users)
cern:nodes (i.e. all CERN hosts using AFS)
webserver:afs (i.e. all AFS Web servers)
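
The five rules and the definition of "anonymous" above can be checked mechanically. The following Python code is an added example, not CERN's correct_acls or afs_admin code: it parses "fs listacl" output and reports which rule each anonymous entry breaks. The sample ACL and path are constructed, and two readings are assumptions: rule 3 is treated as the only exception to rule 5, and anonymous groups other than "webserver:afs" under "~HOME/www" fall under rule 4.

```python
from pathlib import PurePosixPath

# Groups the page defines as "anonymous users".
ANON = {"system:anyuser", "system:authuser", "cern:nodes", "webserver:afs"}

# Constructed sample of `fs listacl` output (not taken from a real system).
SAMPLE = """Access list for /afs/example.org/user/j/jdoe/private is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  jdoe rlidwka
"""

def parse_listacl(text):
    """Return {principal: rights} from the 'Normal rights:' section only."""
    acl, normal = {}, False
    for line in text.splitlines():
        fields = line.split()
        if fields[-1:] == ["rights:"]:
            normal = fields[0] == "Normal"   # skip the 'Negative rights:' section
        elif normal and len(fields) == 2:
            acl[fields[0]] = fields[1]
    return acl

def area_of(home, path):
    """Classify a folder by its first component below HOME."""
    parts = PurePosixPath(path).relative_to(home).parts
    return parts[0] if parts and parts[0] in ("private", "public", "www") else "other"

def violations(acl, area, rule5_only=False):
    """Return sorted (principal, rule number) pairs that break rules 1-5.
    rule5_only=True models "project", "group" and "scratch" space."""
    found = set()
    for who, rights in acl.items():
        if who not in ANON:
            continue
        have = set(rights)
        web = area == "www" and who == "webserver:afs"
        # Assumption: rule 3 is the one exception to rule 5 (webserver:afs in www).
        if {"r", "w"} <= have and not web:
            found.add((who, 5))
        if rule5_only:
            continue
        # Assumption: other anonymous groups under www are judged by rule 4.
        rule, limits = {"private": (1, [""]), "public": (2, ["rl", "liw"])}.get(
            area, (3, ["rlidwk"]) if web else (4, ["l"]))
        if not any(have <= set(limit) for limit in limits):
            found.add((who, rule))
    return sorted(found)
```

For the constructed sample, violations(parse_listacl(SAMPLE), "private") reports "system:anyuser" against rule 1.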

Interactive Correction of AFS ACLs

The following script will interactively correct AFS ACLs on home directories to be in line with the aforementioned rules. It will update ACLs which are considered to be too permissive:

$ /afs/

(Try correct_acls -c for a check-only dry run. correct_acls -h gives some help.)

For other directories such as "project", "group" or "scratch"-space, the "afs_admin" command can be used both to list violations of CERN's policy, and to correct them:

$ afs_admin check_acl /path/to/your/project_or_dir
$ afs_admin clean_acl -r /path/to/your/project_or_dir

As a precaution, "afs_admin" will not cross AFS mount points, i.e. descend into other AFS volumes. See "afs_admin help" for more details on these commands.

ACLs for SSH public key authentication stored on AFS

If you are using SSH public key authentication, you need to make sure that your authorized_keys file is made public. The easiest way is to put this file into your ~/public folder and create a symbolic link to it from your ~/.ssh folder:

$ mv ~/.ssh/authorized_keys ~/public
$ ln -s ~/public/authorized_keys ~/.ssh/authorized_keys

These two steps are considered to be sufficient. If necessary, you might need to repeat the same steps for your public SSH keys (e.g.,

ACLs for AFS-hosted Web sites

AFS-hosted Web sites must be stored in the ~/www folder (note the use of small letters). In order to do so, three basic steps are needed:

  1. The ~/www folder needs to be created and the contents need to be copied inside;
  2. The appropriate access rights need to be set: $ fs sa ~/www webserver:afs rl. Depending on the Web site, one might need to put up to rlidwk but be careful!
  3. The AFS Web service needs to be informed about the new location: choose your site and click on 'AFS Path: [CHANGE]'. Put here the full path.

If everything is fine, you might consider deleting the old stuff. If you think that this Web site is not needed anymore at all, please delete it.

Further details on the different options of Web site creation & management at CERN can be found here.

More Information

A detailed description of AFS ACLs can be found here.