Techy Information
Anandha Gopalan
September 13, 2006
Outline
AFS overview
Departmental software
Departmental machines
The ticket system
Help !!!
AFS overview
What is AFS ?
• Andrew File System
• 1984 - Developed at CMU as part of
Project Andrew
• 1989 - Transarc Corporation founded to
commercialize AFS
• 1998 - Transarc acquired by IBM
• 2000 - IBM releases OpenAFS under the
IBM Public License (IPL)
Why AFS ?
Security: authentication via Kerberos 4
Fine grained control over file permissions
• Can give individual users access to files and
directories
Accessible via both UNIX and Windows
More information about clients:
• http://www.openafs.org/
AFS permissions
Access Control Lists (ACLs) grant permissions on
a per user and group basis. Each directory has an
ACL that controls the directory and the files in it
There are seven permissions that may be
granted, to either groups of users or individuals
• System-defined groups exist, but you can define your
own groups
• ACLs are always applied to directories rather than to
individual files
Files are governed by the ACL on their directory
• If you change the ACL on a directory, access to all of its
files changes
• Subdirectories inherit the ACLs of their parent directory
AFS permissions
AFS ACLs work in conjunction with the
standard Unix "owner" permissions. Only
the owner permissions have an effect on
AFS file access
• Unix permissions for "group" and "other" do
not affect AFS file access.
• A user with appropriate AFS permissions can:
read a file only if the UNIX "owner read" mode is set.
write to a file only if the UNIX owner "read" and
"write" modes are set.
execute a file only if the UNIX owner "read" and
"execute" modes are set.
AFS permissions
Lookup: l, allows a user to list the contents of the AFS
directory, examine the ACL associated with the directory
and access subdirectories.
Insert: i, allows a user to add new files or subdirectories to
the directory.
Delete: d, allows a user to remove files and subdirectories
from the directory.
Administer: a, allows a user to change the ACL for the
directory. Users always have this right on their home
directory, even if they accidentally remove themselves from
the ACL.
Read: r, allows a user to look at the contents of files in a
directory and list files in subdirectories.
Write: w, allows a user to modify files in a directory.
Lock: k, allows a user to run programs that need to
"flock" files in the directory.
AFS permissions
System-groups in AFS
• system:anyuser
Any user in the world who can gain access to your
cell. This is a very broad group, and caution should
always be used when granting any access to this
group
• system:authuser
Everyone who is currently authenticated in your cell
• system:administrators
A few users in the cell who have been designated as
AFS system administrators
AFS pitfalls
I have -rw------- on my file, but it
can still be read by others
• Check the directory permissions
• AFS works at the directory level; the UNIX "group" and
"other" permissions are ignored
• For a file to be executable, it still needs
to have the correct UNIX permissions !!!
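The pitfall above, worked through in code. This is an added example, not part of the original slides; it assumes read and execute need the "r" right and write needs the "w" right on the directory ACL, and the names effective_access, exposure and PITFALL_ACL are hypothetical.

```python
import stat

def effective_access(acl_rights, mode):
    """Access one principal gets to a file stored in AFS.

    acl_rights: rights the principal holds on the file's directory, e.g. "rl"
    mode:       the file's UNIX mode; only the owner bits are consulted,
                the "group" and "other" bits play no part
    """
    owner_r = bool(mode & stat.S_IRUSR)
    owner_w = bool(mode & stat.S_IWUSR)
    owner_x = bool(mode & stat.S_IXUSR)
    access = set()
    # Assumption: the AFS right behind each operation (r for read and
    # execute, w for write); the owner-bit conditions are the slide's.
    if "r" in acl_rights and owner_r:
        access.add("read")
    if "w" in acl_rights and owner_r and owner_w:
        access.add("write")
    if "r" in acl_rights and owner_r and owner_x:
        access.add("execute")
    return access

def exposure(dir_acl, mode):
    """Map every principal on a directory ACL to its access to one file."""
    return {who: effective_access(rights, mode) for who, rights in dir_acl.items()}

# Constructed ACL: a directory that is readable and listable by everyone.
PITFALL_ACL = {"system:anyuser": "rl", "nemo": "rlidwka"}

if __name__ == "__main__":
    # -rw------- (0600): the empty "other" bits do not stop system:anyuser.
    for who, access in exposure(PITFALL_ACL, 0o600).items():
        print(who, sorted(access))
    # ----r--r-- (0044): owner read is off, so nobody can read the file.
    print(exposure(PITFALL_ACL, 0o044))
```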
AFS pitfalls
How do I check if I have safe
permissions ?
• /usr/local/bin/checkafsperms directory
This checks the permission on a directory
• /usr/local/bin/checkafshier directory
This checks the permission on a directory
hierarchy
• These commands only work on Linux
• These commands report if any directory
has permissions: i,d,w,k,a
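A sketch of this kind of check, parsing the output of fs listacl for one directory. This is an added example, not the department's checkafsperms; it assumes the rights are worth reporting when granted to system:anyuser or system:authuser, and the sample output, cell path and function names are constructed.

```python
RISKY_RIGHTS = "idwka"   # the rights the slide says the checkers report
# Assumption: only grants to these broad system groups are flagged.
BROAD_GROUPS = {"system:anyuser", "system:authuser"}

# Constructed sample of `fs listacl` output for one directory.
SAMPLE_LISTACL = """\
Access list for /afs/example.edu/usr/nemo/public is
Normal rights:
  system:anyuser rlidwk
  system:authuser rl
  nemo rlidwka
Negative rights:
  mallory rl
"""

def parse_listacl(text):
    """Return (directory, normal_rights, negative_rights) from fs listacl output."""
    directory, section = None, None
    acl = {"Normal": {}, "Negative": {}}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Access list for ") and s.endswith(" is"):
            directory = s[len("Access list for "):-len(" is")]
        elif s in ("Normal rights:", "Negative rights:"):
            section = s.split()[0]
        elif s and section:
            principal, rights = s.rsplit(None, 1)
            acl[section][principal] = rights
    return directory, acl["Normal"], acl["Negative"]

def risky_grants(text):
    """List (directory, principal, rights) for risky rights held by broad groups."""
    directory, normal, _negative = parse_listacl(text)
    findings = []
    for principal, rights in normal.items():
        bad = "".join(r for r in RISKY_RIGHTS if r in rights)
        if principal in BROAD_GROUPS and bad:
            findings.append((directory, principal, bad))
    return findings

if __name__ == "__main__":
    for directory, principal, rights in risky_grants(SAMPLE_LISTACL):
        print(f"{directory}: {principal} holds {rights}")
```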
AFS pitfalls
2 GB file size limitation
• Though you don’t really need this
Tokens expire after 24 hours
• A klog will get you new tokens
• tokens will show available tokens
• Use reauth to run programs > 24 hours
Cannot set recursive permissions
Workaround available
To give all permissions to user nemo recursively
$ find . -type d -exec fs sa {} nemo all \;
AFS directory setup
public
• Directory that can be read and listed by all
• Contains a directory html under which users
can create their web pages etc...
private
• Accessible only by the user
Backup
• Link in the home directory which contains the
backup that is a day old
• For older backups, ask tech
Special AFS user agents
mailserver
• Any process using the mail server has
this username
• Can be used for spam filtering using
SpamAssassin
webserver
• Any process using the http protocol
• Can be used for providing correct access
to user web pages, cgi programs etc…
Department software
Information about new software installed
on Linux/Solaris can be found at:
http://www.cs.pitt.edu/~tech/software
/usr/local/contrib contains software that is
used by a small number of people; it's
either something new or experimental
• You can contribute by installing s/w in this
directory (ask tech about it)
/usr/local contains software that is needed
and used by the majority of people in the
department
Departmental machines
The Linux machines
• Can be accessed as: linux.cs.pitt.edu or
elements.cs.pitt.edu
Some machines are: arsenic, antimony,
oxygen, hydrogen, nitrogen, selenium
Solaris 9 machines
• Can be accessed as: blitz.cs.pitt.edu
and javalab.cs.pitt.edu, (need to use
your pitt account for javalab.cs.pitt.edu)
The ticket system
Any email sent to tech@cs.pitt.edu is
logged into the ticket system
• Issues a ticket number that is used to
keep track of this ticket
• Rather than sending an email, visit:
http://ticket.cs.pitt.edu and log in with
your AFS username and password
Helps in keeping track of your tickets
Be clear when you ask for something
• If necessary, mention your machine name, OS,
room number. Trust me, it helps
HELP !!!
In case you are wondering:
• How on this blue-green planet do I do
this ?????
Some answers are provided at:
http://www.cs.pitt.edu/~tech
Has a link to an FAQ with a lot of answers
Has a link to the tech newsletter
Has a link to the upgrades and software
installation by the software TA
?????