Using the System Groups on ACLs

AFS defines two system groups that grant access to a large number of users at once when placed on an ACL. However, you cannot control the membership of these groups, so consider carefully what kind of permissions you wish to give them. (You do control the membership of the groups you own; see Using Groups.)

system:anyuser

Includes anyone who can access the cell's file tree, including users who have tokens in the local cell, users who have logged in on a local AFS client machine but have not obtained tokens (such as the local superuser root), and users who have connected to a local machine from outside the cell. Creating an ACL entry for this group is the only way to extend access to AFS users from foreign cells, unless your system administrator creates local authentication accounts for them.

system:authuser

Includes all users who have a valid AFS token obtained from the local cell's AFS authentication service.

The third system group, system:administrators, includes a small group of administrators who have extensive permissions in the cell. You do not generally need to put this group on your ACLs, because its members always have the a (administer) permission on every ACL, even if the group does not appear on it.

Enabling Access to Subdirectories

A user must have the l permission on a directory to access its subdirectories in any way. Even if users have extensive permissions on a subdirectory, they cannot access it if the parent directory's ACL does not grant the l permission.

You can grant the l permission in one of three ways: grant it to a system group (system:anyuser or system:authuser), grant it to individual users, or grant it to one or more groups of users defined by you or other users (see Using Groups). Granting the l permission to the system:anyuser group is the easiest option and is generally secure, because the permission only enables users to list the contents of the directory, not to read the files in it. If you want to enable only locally authenticated users to list a directory's contents, substitute the system:authuser group for the system:anyuser group. Your system administrator may already have created an entry on your home directory's ACL that grants the r and l permissions to the system:anyuser group.
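As an added example, not part of the OpenAFS documentation or code, the following Python models the rules described in this and the preceding sections: who falls into system:anyuser and system:authuser, the implicit a permission of system:administrators, and the requirement that every parent directory grant l before a subdirectory can be reached at all. The cell name, user names, groups, paths and ACLs are all constructed for illustration.

```python
from dataclasses import dataclass
# Constructed sample data and assumed names for illustration; this is not OpenAFS code.
SYSTEM_ANYUSER = "system:anyuser"
SYSTEM_AUTHUSER = "system:authuser"
SYSTEM_ADMINISTRATORS = "system:administrators"
@dataclass(frozen=True)
class Principal:
    name: str                        # user name ("root" for an untokened local superuser)
    has_local_token: bool = False    # holds a valid token from the local cell's auth service
    groups: frozenset = frozenset()  # user-owned groups; system:administrators if an admin
def effective_groups(p):
    """system:anyuser covers everyone who can reach the cell; system:authuser only token holders."""
    groups = {SYSTEM_ANYUSER} | set(p.groups)
    if p.has_local_token:
        groups.add(SYSTEM_AUTHUSER)
    return groups
def rights_on(acl, p):
    """Union of the rights an ACL grants p directly and through each of p's groups."""
    rights = set(acl.get(p.name, ""))
    for g in effective_groups(p):
        rights |= set(acl.get(g, ""))
    if SYSTEM_ADMINISTRATORS in p.groups:
        rights.add("a")  # administrators hold 'a' on every ACL even when not listed
    return rights
def ancestors(path):
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
def can_access(tree, p, path, right):
    """p may use `right` on path only if every ancestor directory also grants p the 'l' right."""
    if any("l" not in rights_on(tree[d], p) for d in ancestors(path)):
        return False
    return right in rights_on(tree[path], p)

# Constructed cell tree: directory path -> ACL (principal -> permission letters).
HOME = "/afs/example.org/pat"
CELL_TREE = {
    "/afs": {SYSTEM_ANYUSER: "l"},
    "/afs/example.org": {SYSTEM_ANYUSER: "l"},
    HOME: {"pat": "rlidwka", SYSTEM_ANYUSER: "rl"},                  # typical admin-created entry
    HOME + "/private": {"pat": "rlidwka", "pat:friends": "rl"},      # only pat's own group
    HOME + "/mail": {"pat": "rlidwka", SYSTEM_ANYUSER: "li"},        # delivery needs 'i', not 'r'
    HOME + "/locked": {"pat": "rlidwka"},                            # nobody else has 'l' here...
    HOME + "/locked/pub": {"pat": "rlidwka", SYSTEM_ANYUSER: "rl"},  # ...so this 'rl' is unreachable
}
PAT = Principal("pat", True)
FOREIGN = Principal("visitor@other.cell")                    # no local token: system:anyuser only
ROOT = Principal("root")                                     # local login without tokens
FRIEND = Principal("lee", True, frozenset({"pat:friends"}))
ADMIN = Principal("ops", True, frozenset({SYSTEM_ADMINISTRATORS}))
```

The locked/pub entry shows why auditing an ACL in isolation is misleading: the rl grant to system:anyuser there is dead until the parent directory grants l.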

Extending Access to Service Processes

It is sometimes necessary to grant more extensive permissions to the system:anyuser group so that processes that provide printing and mail delivery service can work correctly. For example, printing processes sometimes need the r permission in addition to the l permission. A mail delivery process may need the i permission to place new messages in your mail directory. Your system administrator has probably already created the necessary ACL entries. If you notice an ACL entry whose purpose is unclear, check with your system administrator before removing it.

Extending Access to Users from Foreign Cells

The only way to grant access to users from foreign cells who do not have an account in your cell is to put the system:anyuser group on an ACL. Remember, however, that such an entry extends access to everyone who can reach your cell, not just the AFS users from foreign cells that you have in mind.