Creating and Using Protection (pts) Groups for AFS

Overview

A protection group (pts group) is a collection of uniqnames, or of other pts groups, that is used to control access to directories (folders) in AFS. Access in AFS is granted per directory: each directory carries a list of entries, and each entry gives a user or a pts group a set of rights, for example read access, write access, both, or neither.

That list of pts groups (and individuals) together with the rights of each entry is called an Access Control List, or ACL. Properly used, pts groups will save you a great deal of work if you are using a shared AFS space or wish to share files with others, because you change who has access by changing group membership rather than by editing the ACL of every directory.

For example, suppose you are part of a student organization and have a web site stored in AFS. You want anyone in the organization to be able to view the files, but only your webmasters to be able to change them. To do this, you create two pts groups: the first consists of everyone in the organization, the second of only the webmasters. The ACL on each web directory then names the two groups rather than individuals, so you add and remove people from the appropriate pts group as they come and go. When a new webmaster joins the team, add them to the webmaster group; that immediately gives them full access, and you do not have to visit every directory and grant rights one by one. When a webmaster leaves, remove them from the webmaster group and they drop back to the rights of an ordinary member. This is also the reliable way to revoke access: an ACL entry that names an individual would have to be found and removed from every directory separately.

The rest of this document explains how to set up and use pts groups and ACLs.

We spell the acronym "pts" in lower-case because the commands to manage pts groups are in lower-case.

pts Group Names

The format for the name of any pts group is <creator's uniqname>:<name of group>. For example, if your uniqname is "bjensen" and you created a pts group to give a friend access to files in one of your AFS folders, you might name it bjensen:friends.

Connect to the ITS Login Service to Enter pts Commands

To create and work with pts groups, you need to enter pts commands. You can do this from the ITS Login Service (login.itd.umich.edu) over SSH, which encrypts the session, including the password you type. We recommend the following programs, available to U-M community members at no cost:

Windows: PuTTY is available at no cost from the U-M Blue Disc Web site. Refer to Use PuTTY to Connect to Host Computers [Windows].

  1. On your desktop, open the U-M Internet Access Kit folder.

  2. Double-click ITS Login (terminal).

  3. In the User Name box, type your uniqname.

  4. In the Password box, type your UMICH Kerberos password.

  5. At the Linux prompt (%), type a pts command, then press ENTER or RETURN.

  6. When you are finished with your ITS Login Service session, at the Linux (%) prompt, type logout and press ENTER or RETURN.

Mac OS X: Terminal, an application located in the Utilities folder inside the Applications folder.
Tip: From the U-M Blue Disc Web site, you can obtain a pre-configured shortcut that will appear in the Dock. Download the U-M SSH Connections item. If you use the Login shortcut, proceed to step 2 in the following steps.

  1. In Terminal, type ssh login.itd.umich.edu and press ENTER or RETURN.

  2. At the Password prompt, type your UMICH Kerberos password and press ENTER or RETURN.

  3. At the Linux prompt (%), type a pts command, then press ENTER or RETURN.

  4. When you are finished with your ITS Login Service session, at the Linux (%) prompt, type logout and press ENTER or RETURN.

pts Commands

Notes

In the examples below, <uniqname> is an actual uniqname and <ptsgroup> is the name of a group. When entering a command, do not type the < and > brackets; provide the requested information in their place. For example, if your uniqname is "bjensen", you would replace <youruniqname> with bjensen.

To make changes to or delete a pts group, you must be its owner (or a member of the pts group that owns it; see "Groups can own groups" below).

Use lower-case characters. Commands entered in upper-case do not work. The only exception is the name of a pts group if it was created with an upper-case character; type it the way it was created.

After typing a command, always complete it by pressing ENTER or RETURN.

Task: List information about a pts group (for example, owner, creator, and so on)
Command: pts examine <pts group name or uniqname>
Abbreviation: pts e
Example:

$ pts examine bjensen:docs
pts: User or group doesn't exist so couldn't look up id for bjensen:docs
$

In this example, there is no pts group named "bjensen:docs".

Task: Display the list of pts commands available
Command: pts help

Task: Create a pts group of which you are the owner
Command: pts creategroup <youruniqname>:<name of pts group>
Abbreviation: pts cg
Example: if your uniqname is "bjensen" and you want to create a pts group called bjensen:docs, you would type pts cg bjensen:docs.

$ pts creategroup bjensen:docs
group bjensen:docs has id -172382
$ pts examine bjensen:docs
Name: bjensen:docs, id: -172382, owner: bjensen, creator: bjensen,
  membership: 0, flags: SOM--, group quota: 0.
$

In this example, we create the group "bjensen:docs" and then use the "pts examine" command to look at it. We are particularly interested in these components:
  * Who owns it
  * Who created it
  * How many people or other groups are in the group

In this case, bjensen is both owner and creator, and there is currently no one in the group. (Group ids in AFS are negative; user ids are positive.)

Task: List all pts groups of which a given uniqname is a member, or list all members of a given pts group
Command: pts membership <uniqname or name of pts group>
Abbreviation: pts m
Example:

$ pts membership test100:members
Members of test100:members (id: -21826) are:
  gpcctest
  pjessel

Task: Add an individual or a pts group to a pts group
Command: pts adduser <uniqname or name of pts group you want to add> <name of pts group>
Abbreviation: pts ad
Note: There is a default limit to the number of pts groups that can be added to another pts group. For assistance with adding pts groups to another pts group, send an e-mail to [email protected].
Example:

$ pts adduser bjensen bjensen:docs
$ pts adduser bjones bjensen:docs
$ pts examine bjensen:docs
Name: bjensen:docs, id: -172382, owner: bjensen, creator: bjensen,
  membership: 2, flags: SOM--, group quota: 0.
$

In this example, we now see that there are two members in the group. Note that the first command adds the creator, bjensen, explicitly: creating a group does not make you a member of it.

Task: Remove an individual or a pts group from a pts group
Command: pts removeuser <uniqname or name of pts group you want to remove> <name of pts group>
Abbreviation: pts rem
Example:

$ pts removeuser pjessel test100:members
$ pts membership test100:members
Members of test100:members (id: -21826) are:
  gpcctest

Task: Change the owner of a pts group
Command: pts chown <name of pts group> <new owner's uniqname or name of owner pts group>
This command is entered in full; no shorter form is listed here.

Task: List all pts groups owned by a given uniqname or pts group
Command: pts listowned <uniqname or name of pts group>
Abbreviation: pts listo
Example:

$ pts listowned test100
Groups owned by test100 (id: -21825) are:
  test100:members

Task: Delete a pts group
Command: pts delete <name of pts group>
Abbreviation: pts del
Example:

$ pts delete test100:members

After this, pts listowned test100 no longer lists test100:members, and pts examine test100:members reports that the group does not exist. Deleting a group also removes it from every ACL that named it, so the access it granted ends immediately.
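Putting the commands above together for the student-organization web site from the overview, here is an added example script; it is not from the original page and is not U-M tooling. It assumes pts is on PATH, and it also uses fs setacl, the standard AFS command for changing a directory's ACL, which this page does not otherwise cover. The group names, uniqnames and directory path are made up. The script creates the two groups if they do not already exist, makes each group's membership match a list (so a departed webmaster is removed and a new one added in the same run), and grants the organization read and the webmasters write on every directory under the web tree.

```shell
#!/bin/sh
# Added example (not from the original page): set up the two-group web site
# ACL from the overview. Assumes pts and fs are on PATH; override PTS or FS
# to point at a wrapper. Group names, uniqnames and the directory are made up.
PTS=${PTS:-pts}
FS=${FS:-fs}

# ensure_group GROUP: create GROUP unless "pts examine" already finds it
# (pts examine exits non-zero for an entry that does not exist).
ensure_group() {
    if "$PTS" examine "$1" >/dev/null 2>&1; then
        echo "group $1 already exists"
    else
        "$PTS" creategroup "$1"
    fi
}

# members_of GROUP: print the group's members one per line. "pts membership"
# prints a header line and then each member indented by two spaces.
members_of() {
    "$PTS" membership "$1" | sed -n 's/^  *//p'
}

# sync_members GROUP MEMBER...: make GROUP's membership exactly MEMBER...,
# adding missing entries and removing entries that are no longer listed.
# Creating a group does not add its creator, so list yourself if you want in.
sync_members() {
    group=$1; shift
    current=$(members_of "$group" | tr '\n' ' ')
    wanted="$* "
    for m in "$@"; do
        case " $current" in
            *" $m "*) ;;                          # already a member
            *) "$PTS" adduser "$m" "$group" ;;
        esac
    done
    for m in $current; do
        case " $wanted" in
            *" $m "*) ;;                          # still wanted
            *) "$PTS" removeuser "$m" "$group" ;;
        esac
    done
}

# set_tree_acl DIR ENTRY RIGHTS [ENTRY RIGHTS ...]: apply the ACL entries to
# DIR and every directory below it. An AFS ACL belongs to one directory and
# "fs setacl" does not recurse, so each subdirectory is set explicitly.
# "read" is shorthand for the rl rights and "write" for rlidwk; neither
# includes a (administer), so neither group can rewrite the ACL itself.
set_tree_acl() {
    dir=$1; shift
    find "$dir" -type d | while IFS= read -r d; do
        "$FS" setacl -dir "$d" -acl "$@"
    done
}

# setup_web_site DIR ORG_GROUP WEB_GROUP "ORG MEMBERS" "WEB MEMBERS"
setup_web_site() {
    dir=$1; org=$2; web=$3; org_members=$4; web_members=$5
    ensure_group "$org"
    ensure_group "$web"
    sync_members "$org" $org_members
    sync_members "$web" $web_members
    set_tree_acl "$dir" "$org" read "$web" write
}

# Usage: sh setup_web_site.sh DIR ORG_GROUP WEB_GROUP "ORG MEMBERS" "WEB MEMBERS"
# e.g. sh setup_web_site.sh /afs/umich.edu/group/orgname/Public/html \
#        bjensen:orgmembers bjensen:webmasters "bjensen alice bob" "bjensen bob"
# Edit the lists as people join and leave, then re-run; only the difference
# is applied.
if [ $# -eq 5 ]; then
    setup_web_site "$@"
fi
```

Keep the membership lists in a file under version control (or at least somewhere two people can see them) and re-run the script from that file; the AFS protection database then always matches a record you can audit.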
 

 

Other pts commands

The pts help command also lists the following. Most are not needed for ordinary group management, and some of them (createuser, setmax) can only be run by AFS administrators:

  apropos       search by help text
  chown         change ownership of a group
  createuser    create a new user
  interactive   enter interactive mode
  listentries   list users/groups in the protection database
  listmax       list max id
  quit          exit program (interactive mode)
  rename        rename user or group
  setfields     set fields for an entry
  setmax        set max id
  sleep         pause for a bit
  source        read commands from file

Tips for Using pts Groups

Remember to add yourself

You are not automatically a member of any group you create. If you wish to be included in a pts group you create, you must add yourself with the adduser command. Owning a group lets you change its membership, but it does not by itself give you the access the group has on any ACL.

Groups can own groups

It is often helpful to share ownership of a pts group, especially one that is large or that changes frequently, so that more than one person can make changes when needed. You do this by making a pts group, rather than an individual, the owner of the group: every member of the owning group can then add and remove members and can delete the group.

For example, you might create a pts group of the three or four people designated to administer a web site and name it bjensen:webadmin. Then use the pts chown command to change ownership of that group from your uniqname to the group itself (pts chown bjensen:webadmin bjensen:webadmin). You (or anyone else in that group) could then create a larger group, owned by bjensen:webadmin, called bjensen:webmembers, containing the individuals who have update access to the web site's files. The members of bjensen:webadmin then share administration of bjensen:webmembers, making changes as needed. Keep the owning group small: anyone in it can change who has access through every group it owns.

Group Quotas

Each pts entry carries a group quota, the number of additional groups it may own. Every group created with that entry as owner uses one unit, so if a pts group has been used repeatedly to create other pts groups the quota may reach zero. When this occurs, no additional groups can be created. At that point, send an e-mail to [email protected] to have an appropriate amount added to the quota so that additional groups can be created.

The quota is kept small so that the PTS id space is not exhausted by accident. To check it, run

  pts examine <pts group or uniqname>

The group quota is the last field in the output; as the examine output earlier on this page shows, a newly created group starts with a quota of 0. The command that changes it is

  pts setfields <entry> -groupquota <number>

but changing a quota requires AFS administrator privileges, so in practice you request the change rather than make it yourself. If the quota is zero, the next attempt to create a new pts group fails with this error:

  pts: may not create more groups ; unable to create group <group> with id <id> owned by '<owner>'

If this error appears, send an e-mail to [email protected] for assistance.
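An added example, not from the original page, that turns the check described above into a small script: it parses the "pts examine" output format shown earlier (owner, membership count, flags, group quota), reports a quota that has already reached zero before you hit the "may not create more groups" error, and decodes the five-character flags field. The flag meanings (S examine, O listowned, M membership, A adduser, R removeuser; a hyphen for owner only, an uppercase letter for anyone, a lowercase letter for group members) come from the standard pts setfields documentation, not from this page. It assumes pts is on PATH; the entry names in the comments are made up.

```shell
#!/bin/sh
# Added example (not from the original page): summarise "pts examine" output
# and warn before a group quota runs out. Assumes pts is on PATH (override
# PTS to point at a wrapper); entry names in comments are made up.
PTS=${PTS:-pts}

# examine_line ENTRY: the "pts examine" output joined onto one line, or empty
# if the entry does not exist (pts prints its error on stderr and exits 1).
examine_line() {
    "$PTS" examine "$1" 2>/dev/null | tr '\n' ' '
}

# field_of LINE FIELD: value of FIELD ("owner", "membership", "flags",
# "group quota", ...) from a joined examine line. A value ends at the next
# comma; the final field ends with a period, which is stripped.
field_of() {
    printf '%s\n' "$1" | sed -n "s/.*$2: \([^,]*\).*/\1/p" | sed 's/\.[[:space:]]*$//'
}

# describe_flags FLAGS: decode the five access flags, one line per position.
# Position: S examine, O listowned, M membership, A adduser, R removeuser.
# '-' = owner (and administrators) only, uppercase = anyone,
# lowercase = members of the group.
describe_flags() {
    i=1
    for what in "examine (S)" "listowned (O)" "membership (M)" "adduser (A)" "removeuser (R)"; do
        c=$(printf '%s' "$1" | cut -c"$i")
        case $c in
            -)       who="owner only" ;;
            [SOMAR]) who="anyone" ;;
            [somar]) who="group members" ;;
            *)       who="unknown" ;;
        esac
        printf '%s: %s\n' "$what" "$who"
        i=$((i + 1))
    done
}

# check_group ENTRY: print a one-line summary. Returns 1 if the entry does
# not exist, 2 if its group quota is 0 (the next creategroup owned by it
# will fail with "pts: may not create more groups"), 0 otherwise.
check_group() {
    line=$(examine_line "$1")
    case $line in
        *"Name: "*) ;;
        *) echo "$1: no such user or group" >&2; return 1 ;;
    esac
    quota=$(field_of "$line" "group quota")
    printf '%s: owner=%s members=%s flags=%s quota=%s\n' "$1" \
        "$(field_of "$line" owner)" "$(field_of "$line" membership)" \
        "$(field_of "$line" flags)" "$quota"
    if [ "${quota:-0}" -eq 0 ]; then
        echo "$1: group quota is 0; it cannot own any more groups" >&2
        return 2
    fi
}

# Usage: sh check_pts_group.sh ENTRY...   (e.g. bjensen bjensen:docs)
for entry in "$@"; do
    check_group "$entry" || [ $? -eq 2 ] || continue
    describe_flags "$(field_of "$(examine_line "$entry")" flags)"
done
```

Run it against the groups you own before a batch of creategroup commands, and against any group whose owner field is itself a group: the flags line tells you whether outsiders can list its membership, and the quota line tells you whether the owning group can still create anything.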

Get a Group AFS Directory

You can use pts groups with an AFS home directory and with other directories/folders in AFS. You can also arrange to have a group AFS directory, either as a shared workspace or as a means of publishing on the web. To obtain a group AFS directory, you will need to fill out a form; the directory will be created and a directory name assigned to your group. The form can be downloaded from the web; see AFS Group or Course Home Directory Application.

For details about using your AFS home directory or a group directory to publish materials online, see the Create Your Own U-M Web Page instructions.

Last Updated: 
Thursday, March 20, 2014 - 00:00