The Tech - Online EditionMIT's oldest and largest
newspaper & the first
newspaper published
on the web
Boston Weather: 43.0°F | A Few Clouds

Ask SIPB

Ever wondered how secure your files on Athena are, or exactly what Kerberos and AFS actually are? Or perhaps you would like to be more practical, and want to know how to easily share files with other users? In our final introductory orientation column, we discuss two related, but more advanced topics: Kerberos, and AFS.

Question: What is Kerberos?

Answer: Kerberos is a network authentication system developed at MIT. It allows users to prove their identities to servers, and in the process, also verifies the identities of these servers to the user, ensuring that they are not passing information to the wrong computer.

The Kerberos protocol allows this to happen even while passing information over insecure pathways. Your password is never actually sent across the network, for example. Furthermore, even if your packets are intercepted, those packets still cannot be used to impersonate you.

Question: What is AFS?

Answer: AFS, the Andrew File System, was developed at Carnegie Mellon University. Unlike other file systems, AFS is a distributed file system, storing data on many different file servers. Each server contains many volumes, which are units of space. Each volume has its own default Access Control List and quota. This provides AFS with many advantages over other file systems, in that it is more flexible and allows transparent moving of volumes between servers for load balancing, and replication of read-only data to allow users to continue to access it if a server fails or a portion of the network becomes unreachable.

At MIT, Kerberos is used to authenticate users to AFS, ensuring the security of your data. This, in conjunction with AFS’s flexible permissions, provides great power to users. Almost all Athena lockers are located in AFS, including your home directory. This allows you to easily maintain the permissions on files and directories, enabling and disabling access to various users of your choice.

Question: How can I use my Public and www directories?

Answer: By default, your Athena account has two directories, the Public and www directories, pre-configured to share files with other people.

The www directory is primarily intended to be used as a webpage. Anything you put in that directory is publicly accessible, and can be accessed with the URLs http://web.mit.edu/username/www/ and http://www.mit.edu/~username/.

The Public directory is primarily intended to be used to share files through Athena. Anything you put in that directory is also publicly accessible. To get to someone’s Public directory:

athena%cd ~username/Public

If for some reason your Public or www directories are missing or misconfigured, you can restore them by doing the following:

athena% cd

athena% mkdir Public

athena% mkdir www

athena% fs setacl -dir Public -acl system:anyuser rl

athena% fs setacl -dir www -acl system:anyuser rl

Question: How can I look at and set ACLs in AFS?

Answer: An ACL allows you to grant or deny users various read, write, and administrator permissions to various directories, such as your home directory. To look at the ACL for an AFS directory:

athena% fs listacl directoryname

If you simply wish to find out the ACL for the current directory, you may omit directoryname.

When looking at an ACL, you will find up to seven letters after each entry. These are:

r: read (allows users to read files)

l: list (allows users to list files)

i: insert (allows users to add new files)

d: delete (allows users to delete files)

w: write (allows users to write to files)

k: lock (allows users to lock files)

a: administer (allows users to administer the ACL of the directory

Looking at a sample ACL:

Access list for . is

system:anyuser l

system:samplegroup rl

sampleuser rlidwka

This indicates that system:anyuser, a special group that basically includes the entire Internet, can see a list of the files in your home directory, but not read them. This is required because in order to access a subdirectory, one needs to be able to see the list of the contents of its parent directory. This also indicates that system:samplegroup, the people on the Athena list samplegroup, have full read permissions, and the user sampleuser has full permissions, including setting the permissions of other users or groups.

Setting an ACL is similar to listing one. For example:

athena% fs setacl directoryname system:samplegroup rlidwka

This gives all seven permissions to the samplegroup group for directoryname, though does not refer to subdirectories of that directory.

For convenience, you can use read in place of rl, write in place of rlidwk, and all in place of rlidwka when setting ACLs, if you wish. You may also abbreviate listacl as la, and setacl as sa.

Question: How can I allow a group of people access to part of my home directory?

Answer: To allow a group of people access to part of your homedirectory, useful, for example, in group projects, or to share files with other users, you can do the following:

For a small number of people, you can individually grant them access by typing:

athena% fs setacl dirname username permissions

for each person you want to grant access to the directory.

For a larger number of people, you can use an Athena managed list, also known as a moira list to control access. To do this, first check and see if the list is an AFS group. To do this, type at the athena prompt:

athena% blanche listname -i

The output should have a line like the following:

asksipb is a maillist and is a group with GID 45072

If it doesn’t have a line indicating that it is a group, you can make it a group, by typing:

athena% blanche listname -G

After it is made into a group, you can grant it access to a particular directory in the manner mentioned before, replacing system:samplegroup with system:listname.

One thing to note is that if the mailing list is a mailman list, then it cannot be made an AFS group. The proper solution would be to ask for a new moira list by going to http://web.mit.edu/accounts and going the “Request a new list” webform.

To ask us a question, send e-mail to sipb@mit.edu. We’ll try to answer you quickly, and we might address your question in our next column. Copies of each column and pointers to additional information will be posted on our website: http://www.mit.edu/~asksipb/.