Although AFS protects data primarily with ACLs rather than mode bits, it does not ignore the mode bits entirely. An explanation of how mode bits work in the UNIX file system is outside the scope of this document, and the following discussion assumes you understand them; if necessary, see your UNIX documentation. Also, the following discussion does not cover the setuid, setgid or sticky bits. If you need to understand how those bits work on AFS files, see the OpenAFS Administration Guide or ask your system administrator.
AFS uses the UNIX mode bits in the following way:
It uses the initial bit to distinguish files and directories. This is the bit that appears first in the output from the ls -l command and shows the hyphen (-) for a file or d for a directory.
It does not use any of the mode bits on a directory. The AFS ACL alone controls directory access.
For a file, the owner (first) set of bits interacts with the ACL entries that apply to the file in the following way. AFS does not use the group or world (second and third sets) of mode bits at all.
If the first r mode bit is not set, no one (including the owner) can read the file, no matter what permissions they have on the ACL. If the bit is set, users also need the r and l permissions on the ACL of the file's directory to read the file.
If the first w mode bit is not set, no one (including the owner) can modify the file. If the w bit is set, users also need the w and l permissions on the ACL of the file's directory to modify the file.
There is no ACL permission directly corresponding to the x mode bit, but to execute a file stored in AFS, the user must also have the r and l permissions on the ACL of the file's directory.
When you issue the UNIX chmod command on an AFS file or directory, AFS changes the bits appropriately. To change a file's mode bits, you must have the AFS w permission on the ACL of the file's directory. To change a directory's mode bits, you must have the d, i, and l permissions on its ACL.
Suppose terry is chairing a committee that is writing a proposal. As each section is approved, she turns off write access to that file to prevent further changes. For example, the following chmod command turns off the w mode bits on the file proposal.chap2. This makes it impossible for anyone to change the file, no matter what permissions are granted on the directory ACL.
   % chmod -w proposal.chap2
   % ls -l
   -rw-r--r-- 1 terry 573 Nov 10 09:57 conclusion
   -r--r--r-- 1 terry 573 Nov 15 10:34 intro
   -r--r--r-- 1 terry 573 Dec 1 15:07 proposal.chap2
   -rw-r--r-- 1 terry 573 Nov 10 09:57 proposal.chap3
   -rw-r--r-- 1 terry 573 Nov 10 09:57 proposal.chap4
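The rules above can be written as a small decision function. This is an added example, not OpenAFS code: the names effective_access and frozen_files are hypothetical, the ACL rights string is supplied by the caller rather than read from AFS, and treating the owner x bit as the one that gates execution is an assumption of this sketch.

```python
ACL_LETTERS = set("rlidwka")  # the AFS ACL permission letters

# Listing from the example above, used as sample input.
LISTING = """\
-rw-r--r-- 1 terry 573 Nov 10 09:57 conclusion
-r--r--r-- 1 terry 573 Nov 15 10:34 intro
-r--r--r-- 1 terry 573 Dec 1 15:07 proposal.chap2
-rw-r--r-- 1 terry 573 Nov 10 09:57 proposal.chap3
-rw-r--r-- 1 terry 573 Nov 10 09:57 proposal.chap4
"""

def effective_access(ls_mode, acl_rights):
    """Combine owner mode bits with the user's rights on the directory ACL.

    ls_mode:    first column of `ls -l`, e.g. '-rw-r--r--'
    acl_rights: the user's rights on the ACL of the file's directory, e.g. 'rlidwk'
    """
    rights = set(acl_rights)
    if len(ls_mode) < 10 or ls_mode[0] not in "-d" or not rights <= ACL_LETTERS:
        raise ValueError("unsupported mode string or ACL rights")
    if ls_mode[0] == "d":
        # Directory: mode bits are ignored, so only the chmod rule is modelled.
        return {"read": None, "write": None, "execute": None,
                "chmod": {"d", "i", "l"} <= rights}
    can_fetch = {"r", "l"} <= rights
    return {
        # Only the owner (first) set of bits is consulted; group/world are unused.
        "read": ls_mode[1] == "r" and can_fetch,
        "write": ls_mode[2] == "w" and {"w", "l"} <= rights,
        "execute": ls_mode[3] == "x" and can_fetch,  # owner x bit: assumption
        "chmod": "w" in rights,
    }

def frozen_files(listing, acl_rights):
    """Names of files the ACL would let the user modify but the owner w bit blocks."""
    frozen = []
    for line in listing.strip().splitlines():
        fields = line.split()
        mode, name = fields[0], fields[-1]
        acl_allows_write = {"w", "l"} <= set(acl_rights)
        if mode[0] == "-" and acl_allows_write and not effective_access(mode, acl_rights)["write"]:
            frozen.append(name)
    return frozen

if __name__ == "__main__":
    print(frozen_files(LISTING, "rlidwka"))
```

Note that a user with w on the directory ACL still passes the chmod check for a frozen file, so the w bit guards against accidental edits rather than against a user who holds that permission.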