Administration Reference

pts

Purpose

Introduction to the pts command suite

Description

The commands in the pts command suite are the administrative interface to the Protection Server, which runs on each database server machine in a cell and maintains the Protection Database. The database stores the information that AFS uses to augment and refine the standard UNIX scheme for controlling access to files and directories.

Instead of relying only on the mode bits that define access rights for individual files, AFS associates an access control list (ACL) with each directory. The ACL lists users and groups and specifies which of seven possible access permissions they have for the directory and the files it contains. (It is still possible to set a directory or file's mode bits, but AFS interprets them in its own way; see the chapter on protection in the IBM AFS Administration Guide for details.)

AFS enables users to define groups in the Protection Database and place them on ACLs to extend a set of rights to multiple users simultaneously. Groups simplify administration by making it possible to add someone to many ACLs by adding them to a group that already exists on those ACLs. Machines can also be members of a group, so that users logged into the machine automatically inherit the permissions granted to the group.

There are several categories of commands in the pts command suite:

Commands to create and remove Protection Database entries: pts creategroup, pts createuser, and pts delete
Commands to administer and display group membership: pts adduser,
pts listowned, pts membership, and pts removeuser
Commands to administer and display properties of user and group entries other than membership: pts chown, pts examine, pts listentries, pts rename, and pts setfields
Commands to set and examine the counters used when assigning IDs to users and groups: pts listmax and pts setmax
Commands to obtain help: pts apropos and pts help

Options

The following arguments and flags are available on many commands in the pts suite. The reference page for each command also lists them, but they are described here in greater detail.

-cell <cell name>

Names the cell in which to run the command. It is acceptable to abbreviate the cell name to the shortest form that distinguishes it from the other entries in the /usr/vice/etc/CellServDB file on the local machine. If the -cell argument is omitted, the command interpreter determines the name of the local cell by reading the following in order:

The value of the AFSCELL environment variable
The local /usr/vice/etc/ThisCell file

-force

Enables the command to continue executing as far as possible when errors or other problems occur, rather than halting execution immediately. Without it, the command halts as soon as the first error is encountered. In either case, the pts command interpreter reports errors at the command shell. This flag is especially useful if the issuer provides many values for a command line argument; if one of them is invalid, the command interpreter continues on to process the remaining arguments.

-help

Prints a command's online help message on the standard output stream. Do not combine this flag with any of the command's other options; when it is provided, the command interpreter ignores all other options, and only prints the help message.

-noauth

Establishes an unauthenticated connection to the Protection Server, in which the server treats the issuer as the unprivileged user anonymous. It is useful only when authorization checking is disabled on the server machine (during the installation of a file server machine or when the bos setauth command has been used during other unusual circumstances). In normal circumstances, the Protection Server allows only privileged users to issue commands that change the Protection Database, and refuses to perform such an action even if the -noauth flag is provided.

Privilege Required

Members of the system:administrators group can issue all pts commands on any entry in the Protection Database.

Users who do not belong to the system:administrators group can list information about their own entry and any group entries they own. The privacy flags set with the pts setfields command control access to entries owned by other users.

Related Information