Ask SIPB - August 28, 2003

Ever wondered how secure your files on Athena are, or exactly what Kerberos and AFS actually are? Or perhaps you would like to be more practical, and want to know how to easily share files with other users? In our final introductory orientation column, we discuss two related, but more advanced topics: Kerberos, and AFS.

What is Kerberos?

Kerberos is a network authentication system developed at MIT. It allows users to prove their identities to servers running various network services, and in the process, also verifies the identities of these servers to the user, ensuring that they are not passing information to the wrong computer.

The Kerberos protocol enables this to happen even while passing information over insecure pathways. Your password is never actually sent across the network, for example. Furthermore, even if your packets are intercepted, those packets still cannot be used to impersonate you.

What is AFS?

AFS, the Andrew File System, was developed at Carnegie Mellon University. Unlike most other file systems, AFS is a distributed file system, storing data on many different file servers. Each server contains many volumes, which are units of space, each with its own default ACL (Access Control List) and quota. This gives AFS several advantages over other file systems: it is more flexible, it allows volumes to be moved transparently between servers for load balancing, and it allows read-only data to be replicated so that users can continue to access it if a server fails or a portion of the network becomes unreachable.

At MIT, Kerberos is used to authenticate users to AFS, ensuring the security of your data. This, in conjunction with AFS's flexible permissions, provides great power to users. Almost all Athena lockers are located in AFS, including your home directory. This allows you to easily maintain the permissions on files and directories, enabling and disabling access to various users of your choice.

How can I use my Public and www directories?

By default, your Athena account has two directories, the Public and www directories, pre-configured to share files with other people.

The www directory is primarily intended to be used as a web page. Anything you put in that directory is publicly accessible, and can be accessed with the URLs:

http://web.mit.edu/username/www/ and
http://www.mit.edu/~username/

The Public directory is primarily intended to be used to share files through Athena. Anything you put in that directory is also publicly accessible. To get to someone's Public directory, type:

athena% cd ~username/Public

Public directories can also be accessed at the URL: http://web.mit.edu/username/Public/

If for some reason your Public or www directories are missing or misconfigured, you can restore them with the following:

athena% cd
athena% mkdir Public
athena% mkdir www
athena% fs setacl -dir Public -acl system:anyuser rl
athena% fs setacl -dir www -acl system:anyuser rl

How can I look at and set ACLs in AFS?

An ACL (Access Control List) allows you to grant or deny users various read, write, and administrator permissions on various directories, such as your home directory. To look at the ACL for an AFS directory, type:

athena% fs listacl directoryname

If you simply wish to find out the ACL for the current directory, you may omit directoryname.

When looking at an ACL, you will find up to 7 letters after each entry. These are:

r  read (allows users to read files)
l  list (allows users to list files)
i  insert (allows users to add new files)
d  delete (allows users to delete files)
w  write (allows users to write to files)
k  lock (allows users to lock files)
a  administer (allows users to administer the ACL of the directory)

Looking at a sample ACL:

Access list for . is
  system:anyuser l
  system:samplegroup rl
  sampleuser rlidwka
This indicates that system:anyuser, a special group that basically includes the entire Internet, can list, but not read, the files in your home directory. This is required because in order to access a subdirectory, one needs to be able to list the contents of its parent directory. It also indicates that system:samplegroup, the people on the Athena list samplegroup, have full read permissions, and that the user sampleuser has full permissions, including setting the permissions of other users or groups.

Setting an ACL is similar to listing one. For example:

athena% fs setacl directoryname system:samplegroup rlidwka

This gives full permissions to the samplegroup group for directoryname, though it does not apply to subdirectories of that directory.

For convenience, you can use read in place of rl, write in place of rlidwk, and all in place of rlidwka when setting ACLs, if you wish. You may also abbreviate listacl as la, and setacl as sa.
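As an added example that is not part of the column: a small POSIX shell script that reads the output of fs listacl (here a constructed sample, since the script does not call fs itself), expands the read/write/all shortcuts into their letters, and flags any catch-all group (system:anyuser or system:authuser) that has been granted more than rl. The function names and the sample ACL are my own, not SIPB's.

```shell
#!/bin/sh
# Added example: audit `fs listacl` output for over-permissive catch-all entries.

# Expand the convenience aliases that fs setacl accepts into the seven letters.
expand_perms() {
  case "$1" in
    read)  echo rl ;;
    write) echo rlidwk ;;
    all)   echo rlidwka ;;
    *)     echo "$1" ;;
  esac
}

# Read fs listacl output on stdin and print one line per entry that grants a
# catch-all group anything beyond r (read) and l (list). The "Access list for"
# header and the "Normal rights:" / "Negative rights:" section headers are skipped.
flag_open_entries() {
  while read -r who perms; do
    case "$who" in
      Access|Normal|Negative|"") continue ;;
      system:anyuser|system:authuser)
        # Strip r and l; whatever is left is insert/delete/write/lock/admin.
        extra=$(printf '%s' "$perms" | tr -d 'rl')
        [ -n "$extra" ] && echo "$who $perms (extra: $extra)"
        ;;
    esac
  done
  return 0
}

# Constructed sample in the format fs listacl prints; system:anyuser has been
# given write access, which is the kind of mistake this check is meant to catch.
SAMPLE_ACL='Access list for . is
Normal rights:
  system:anyuser rlidwk
  system:authuser l
  system:samplegroup rl
  sampleuser rlidwka'

# Number of flagged entries in the sample (1: the system:anyuser line).
count_open_entries() {
  printf '%s\n' "$SAMPLE_ACL" | flag_open_entries | wc -l | tr -d ' '
}
```

On Athena you would replace the sample with `fs listacl ~/somedir | flag_open_entries`; an entry that shows up here is one that the whole Internet (system:anyuser) or every Kerberos-authenticated user (system:authuser) can modify.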

How can I allow a group of people access to part of my home directory?

To allow a group of people access to part of your home directory (useful, for example, in group projects, or to share files with other users), you can do the following:

For a small number of people, you can grant them access individually, by typing

athena% fs setacl dirname username permissions

for each person you want to grant access to the directory.

For a larger number of people, you can use an Athena-managed list, also known as a moira list, to control access. To do this, first check whether the list is an AFS group by typing at the athena prompt:

athena% blanche listname -i

The output should have a line like the following:

asksipb is a maillist and is a group with GID 45072

If it doesn't have a line indicating that it is a group, you can make it a group by typing the following command:

athena% blanche listname -G

After it is made into a group, you can grant it access to a particular directory in the way described in the previous question, replacing system:samplegroup with system:listname.

One thing to note is that if the mailing list is a mailman list, it cannot be made an AFS group. The proper solution is to ask for a new moira list by going to http://web.mit.edu/accounts and using the "Request a new list" webform.


To ask us a question, send email to sipb@mit.edu. We'll try to answer you quickly, and we can address your question in our next column. You can also stop by our office in W20-557 or call us at x3-7788 if you need help. Copies of each column and pointers to additional information are posted on our website: http://www.mit.edu/~asksipb/