mirror of
https://git.openafs.org/openafs.git
synced 2025-01-19 15:30:14 +00:00
742 lines
36 KiB
HTML
742 lines
36 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 4//EN">
|
|
<HTML><HEAD>
|
|
<TITLE>User Guide</TITLE>
|
|
<!-- Begin Header Records ========================================== -->
|
|
<!-- /tmp/idwt3629/auusg000.scr converted by idb2h R4.2 (359) ID -->
|
|
<!-- Workbench Version (AIX) on 2 Oct 2000 at 14:38:44 -->
|
|
<META HTTP-EQUIV="updated" CONTENT="Mon, 02 Oct 2000 14:38:42">
|
|
<META HTTP-EQUIV="review" CONTENT="Tue, 02 Oct 2001 14:38:42">
|
|
<META HTTP-EQUIV="expires" CONTENT="Wed, 02 Oct 2002 14:38:42">
|
|
</HEAD><BODY>
|
|
<!-- (C) IBM Corporation 2000. All Rights Reserved -->
|
|
<BODY bgcolor="ffffff">
|
|
<!-- End Header Records ============================================ -->
|
|
<A NAME="Top_Of_Page"></A>
|
|
<H1>User Guide</H1>
|
|
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auusg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auusg007.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Bot_Of_Page"><IMG SRC="../bot.gif" BORDER="0" ALT="[Bottom of Topic]"></A> <A HREF="auusg009.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auusg013.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
|
|
<HR><H1><A NAME="HDRWQ60" HREF="auusg002.htm#ToC_112">Using Groups</A></H1>
|
|
<P>This chapter explains how to create groups and discusses
|
|
different ways to use them.
|
|
<HR><H2><A NAME="HDRWQ61" HREF="auusg002.htm#ToC_113">About Groups</A></H2>
|
|
<P>An AFS <I>group</I> is a list of specific users that you
|
|
can place on access control lists (ACLs). Groups make it much easier to
|
|
maintain ACLs. Instead of creating an ACL entry for every user
|
|
individually, you create one entry for a group to which the users
|
|
belong. Similarly, you can grant a user access to many directories at
|
|
once by adding the user to a group that appears on the relevant ACLs.
|
|
<P>AFS client machines can also belong to a group. Anyone logged into
|
|
the machine inherits the permissions granted to the group on an ACL, even if
|
|
they are not authenticated with AFS. In general, groups of machines are
|
|
useful only to system administrators, for specialized purposes like complying
|
|
with licensing agreements your cell has with software vendors. Talk
|
|
with your system administrator before putting a client machine in a group or
|
|
using a machine group on an ACL.
|
|
<A NAME="IDX1025"></A>
|
|
<A NAME="IDX1026"></A>
|
|
<P>To learn about AFS file protection and how to add groups to ACLs, see <A HREF="auusg007.htm#HDRWQ44">Protecting Your Directories and Files</A>.
|
|
<P><H3><A NAME="HDRWQ62" HREF="auusg002.htm#ToC_114">Suggestions for Using Groups Effectively</A></H3>
|
|
<P>There are three typical ways to use groups, each suited to a
|
|
particular purpose: private use, shared use, and group use. The
|
|
following are only suggestions. You are free to use groups in any way
|
|
you choose.
|
|
<UL>
|
|
<P><LI><I>Private use</I>: you create a group and place it on the ACL
|
|
of directories you own, without necessarily informing the group's members
|
|
that they belong to it. Members notice only that they can or cannot
|
|
access the directory in a certain way. You retain sole administrative
|
|
control over the group, since you are the owner.
|
|
<A NAME="IDX1027"></A>
|
|
<A NAME="IDX1028"></A>
|
|
<P>The existence of the group and the identity of its members is not
|
|
necessarily secret. Other users can see the group's name on an ACL
|
|
when they use the <B>fs listacl</B> command, and can use the <B>pts
|
|
membership</B> command to display + the groups to which they themselves
|
|
belong. You can, however, limit who can display the members of the
|
|
group, as described in <A HREF="#HDRWQ74">Protecting Group-Related Information</A>.
|
|
<P><LI><I>Shared use</I>: you inform the group's members that they
|
|
belong to the group, but you are the group's sole owner and
|
|
administrator. For example, the manager of a work group can create a
|
|
group of all the members in the work group, and encourage them to use it on
|
|
the ACLs of directories that house information they want to share with other
|
|
members of the group.
|
|
<A NAME="IDX1029"></A>
|
|
<A NAME="IDX1030"></A>
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you place a group owned by someone else on your ACLs, the group's
|
|
owner can change the group's membership without informing you.
|
|
Someone new can gain or lose access in a way you did not intend and without
|
|
your knowledge.
|
|
</TD></TR></TABLE>
|
|
<P><LI><I>Group use</I>: you create a group and then use the <B>pts
|
|
chown</B> command to assign ownership to a group--either another group
|
|
or the group itself (the latter type is a <I>self-owned</I> group).
|
|
You inform the members of the owning group that they all can administer the
|
|
owned group. For instructions for the <B>pts chown</B> command, see
|
|
<A HREF="#HDRWQ73">To Change a Group's Owner</A>.
|
|
<A NAME="IDX1031"></A>
|
|
<A NAME="IDX1032"></A>
|
|
<A NAME="IDX1033"></A>
|
|
<A NAME="IDX1034"></A>
|
|
<A NAME="IDX1035"></A>
|
|
<P>The main advantage of designating a group as an owner is that several
|
|
people share responsibility for administering the group. A single
|
|
person does not have to perform all administrative tasks, and if the
|
|
group's original owner leaves the cell, there are still other people who
|
|
can administer it.
|
|
<P>However, everyone in the owner group can make changes that affect others
|
|
negatively: adding or removing people from the group inappropriately or
|
|
changing the group's ownership to themselves exclusively. These
|
|
problems can be particularly sensitive in a self-owned group. Using an
|
|
owner group works best if all the members know and trust each other; it
|
|
is probably wise to keep the number of people in an owner group small.
|
|
</UL>
|
|
<P><H3><A NAME="HDRWQ63" HREF="auusg002.htm#ToC_115">Group Names</A></H3>
|
|
<A NAME="IDX1036"></A>
|
|
<P>The groups you create must have names with two parts, in the following
|
|
format:
|
|
<P><VAR> owner_name</VAR><B>:</B><VAR>group_name</VAR>
|
|
<P>The <VAR>owner_name</VAR> prefix indicates which user or group owns the group
|
|
(naming rules appear in <A HREF="#HDRWQ69">To Create a Group</A>). The <VAR>group_name</VAR> part indicates the
|
|
group's purpose or its members' common interest. Group names
|
|
must always be typed in full, so a short <VAR>group_name</VAR> is most
|
|
practical. However, names like <B>terry:1</B> and
|
|
<B>terry:2</B> that do not indicate the group's purpose are
|
|
less useful than names like <B>terry:project</B>.
|
|
<P>Groups that do not have the <VAR>owner_name</VAR> prefix possibly appear on
|
|
some ACLs; they are created by system administrators only. All of
|
|
the groups you create must have an <VAR>owner_name</VAR> prefix.
|
|
<P><H3><A NAME="Header_116" HREF="auusg002.htm#ToC_116">Group-creation Quota</A></H3>
|
|
<A NAME="IDX1037"></A>
|
|
<A NAME="IDX1038"></A>
|
|
<P>By default, you can create 20 groups, but your system administrators can
|
|
change your <I>group-creation quota</I> if appropriate. When you
|
|
create a group, your group quota decrements by one. When a group that
|
|
you created is deleted, your quota increments by one, even if you are no
|
|
longer the owner. You cannot increase your quota by transferring
|
|
ownership of a group to someone else, because you are always recorded as the
|
|
creator.
|
|
<P>If you exhaust your group-creation quota and need to create more groups,
|
|
ask your system administrator. For instructions for displaying your
|
|
group-creation quota, see <A HREF="#HDRWQ67">To Display A Group Entry</A>.
|
|
<HR><H2><A NAME="HDRWQ64" HREF="auusg002.htm#ToC_117">Displaying Group Information</A></H2>
|
|
<A NAME="IDX1039"></A>
|
|
<A NAME="IDX1040"></A>
|
|
<A NAME="IDX1041"></A>
|
|
<P>You can use the following commands to display information about groups and
|
|
the users who belong to them:
|
|
<UL>
|
|
<P><LI>To display the members of a group, or the groups to which a user belongs,
|
|
use the <B>pts membership</B> command.
|
|
<P><LI>To display the groups that a user or group owns, use the <B>pts
|
|
listowned</B> command.
|
|
<P><LI>To display general information about a user or group, including its name,
|
|
AFS ID, creator, and owner, use the <B>pts examine</B> command.
|
|
</UL>
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">The <B>system:anyuser</B> and <B>system:authuser</B>
|
|
system groups do not appear in a user's list of group memberships, and
|
|
the <B>pts membership</B> command does not display their members.
|
|
For more information on the system groups, see <A HREF="auusg007.htm#HDRWQ50">Using the System Groups on ACLs</A>.
|
|
</TD></TR></TABLE>
|
|
<P><H3><A NAME="HDRWQ65" HREF="auusg002.htm#ToC_118">To Display Group Membership</A></H3>
|
|
<A NAME="IDX1042"></A>
|
|
<A NAME="IDX1043"></A>
|
|
<P>Issue the <B>pts membership</B> command to display the members of a
|
|
group, or the groups to which a user belongs.
|
|
<PRE> % <B>pts membership</B> <<VAR>user or group name or id</VAR>><SUP>+</SUP>
|
|
</PRE>
|
|
<P>where <VAR>user or group name or id</VAR> specifies the name or AFS UID of
|
|
each user for which to display group membership, or the name or AFS GID of
|
|
each group for which to display the members. If identifying a group by
|
|
its AFS GID, precede the GID with a hyphen (<B>-</B>) to indicate that it
|
|
is a negative number.
|
|
<P><H3><A NAME="Header_119" HREF="auusg002.htm#ToC_119">Example: Displaying the Members of a Group</A></H3>
|
|
<A NAME="IDX1044"></A>
|
|
<P>The following example displays the members of the group
|
|
<B>terry:team</B>.
|
|
<PRE> % <B>pts membership terry:team</B>
|
|
Members of terry:team (id: -286) are:
|
|
terry
|
|
smith
|
|
pat
|
|
johnson
|
|
</PRE>
|
|
<P><H3><A NAME="Header_120" HREF="auusg002.htm#ToC_120">Example: Displaying the Groups to Which a User Belongs</A></H3>
|
|
<P>The following example displays the groups to which users
|
|
<B>terry</B> and <B>pat</B> belong.
|
|
<PRE> % <B>pts membership terry pat</B>
|
|
Groups terry (id: 1022) is a member of:
|
|
smith:friends
|
|
pat:accounting
|
|
terry:team
|
|
Groups pat (id: 1845) is a member of:
|
|
pat:accounting
|
|
sam:managers
|
|
terry:team
|
|
</PRE>
|
|
<P><H3><A NAME="HDRWQ66" HREF="auusg002.htm#ToC_121">To Display the Groups a User or Group Owns</A></H3>
|
|
<A NAME="IDX1045"></A>
|
|
<A NAME="IDX1046"></A>
|
|
<A NAME="IDX1047"></A>
|
|
<A NAME="IDX1048"></A>
|
|
<A NAME="IDX1049"></A>
|
|
<P>Issue the <B>pts listowned</B> command to display the groups that a
|
|
user or group owns.
|
|
<PRE> % <B>pts listowned</B> <<VAR>user or group name or id</VAR>><SUP>+</SUP>
|
|
</PRE>
|
|
<P>where <VAR>user or group name or id</VAR> specifies the name or AFS UID of
|
|
each user, or the name or AFS GID of each group, for which to display group
|
|
ownership. If identifying a group by its AFS GID, precede the GID with
|
|
a hyphen (<B>-</B>) to indicate that it is a negative number.
|
|
<P><H3><A NAME="Header_122" HREF="auusg002.htm#ToC_122">Example: Displaying the Groups a Group Owns</A></H3>
|
|
<A NAME="IDX1050"></A>
|
|
<P>The following example displays the groups that the group
|
|
<B>terry:team</B> owns.
|
|
<PRE> % <B>pts listowned -286</B>
|
|
Groups owned by terry:team (id: -286) are:
|
|
terry:project
|
|
terry:planners
|
|
</PRE>
|
|
<P><H3><A NAME="Header_123" HREF="auusg002.htm#ToC_123">Example: Displaying the Groups a User Owns</A></H3>
|
|
<A NAME="IDX1051"></A>
|
|
<P>The following example displays the groups that user <B>pat</B>
|
|
owns.
|
|
<PRE> % <B>pts listowned pat</B>
|
|
Groups owned by pat (id: 1845) are:
|
|
pat:accounting
|
|
pat:plans
|
|
|
|
</PRE>
|
|
<P><H3><A NAME="HDRWQ67" HREF="auusg002.htm#ToC_124">To Display A Group Entry</A></H3>
|
|
<A NAME="IDX1052"></A>
|
|
<A NAME="IDX1053"></A>
|
|
<A NAME="IDX1054"></A>
|
|
<A NAME="IDX1055"></A>
|
|
<A NAME="IDX1056"></A>
|
|
<A NAME="IDX1057"></A>
|
|
<A NAME="IDX1058"></A>
|
|
<A NAME="IDX1059"></A>
|
|
<A NAME="IDX1060"></A>
|
|
<P>Issue the <B>pts examine</B> command to display general information
|
|
about a user or group, including its name, AFS ID, creator, and owner.
|
|
<PRE> % <B>pts examine</B> <<VAR>user or group name or id</VAR>><SUP>+</SUP>
|
|
</PRE>
|
|
<P>where <VAR>user or group name or id</VAR> specifies the name or AFS UID of
|
|
each user, or the name or AFS GID of each group, for which to display
|
|
group-related information. If identifying a group by its AFS GID,
|
|
precede the GID with a hyphen (<B>-</B>) to indicate that it is a negative
|
|
number.
|
|
<P>The output includes information in the following fields:
|
|
<DL>
|
|
<P><DT><B><TT>Name</TT>
|
|
</B><DD>For users, this is the character string typed when logging in. For
|
|
machines, the name is the IP address; a zero in address field acts as a
|
|
wildcard, matching any value. For most groups, this is a name of the
|
|
form <VAR>owner_name</VAR><B>:</B><VAR>group_name</VAR>. Some
|
|
groups created by your system administrator do not have the
|
|
<VAR>owner_name</VAR> prefix. See <A HREF="#HDRWQ63">Group Names</A>.
|
|
<P><DT><B><TT>id</TT>
|
|
</B><DD>This is a unique identification number that the AFS server processes use
|
|
internally. It is similar in function to a UNIX UID, but operates in
|
|
AFS rather than the UNIX file system. Users and machines have positive
|
|
integer AFS user IDs (UIDs), and groups have negative integer AFS group IDs
|
|
(GIDs).
|
|
<A NAME="IDX1061"></A>
|
|
<A NAME="IDX1062"></A>
|
|
<A NAME="IDX1063"></A>
|
|
<P><DT><B><TT>owner</TT>
|
|
</B><DD>This is the user or group that owns the entry and so can administer
|
|
it.
|
|
<P><DT><B><TT>creator</TT>
|
|
</B><DD>The name of the user who issued the <B>pts createuser</B> and <B>pts
|
|
creategroup</B> command to create the entry. This field is useful
|
|
mainly as an audit trail and cannot be changed.
|
|
<P><DT><B><TT>membership</TT>
|
|
</B><DD>For users and machines, this indicates how many groups the user or machine
|
|
belongs to. For groups, it indicates how many members belong to the
|
|
group. This number cannot be set explicitly.
|
|
<P><DT><B><TT>flags</TT>
|
|
</B><DD>This field indicates who is allowed to list certain information about the
|
|
entry or change it in certain ways. See <A HREF="#HDRWQ74">Protecting Group-Related Information</A>.
|
|
<P><DT><B><TT>group quota</TT>
|
|
</B><DD>This field indicates how many more groups a user is allowed to
|
|
create. It is set to 20 when a user entry is created. The
|
|
creation quota for machines or groups is meaningless because it not possible
|
|
to authenticate as a machine or group.
|
|
</DL>
|
|
<P><H3><A NAME="Header_125" HREF="auusg002.htm#ToC_125">Example: Listing Information about a Group</A></H3>
|
|
<A NAME="IDX1064"></A>
|
|
<P>The following example displays information about the group
|
|
<B>pat:accounting</B>, which includes members of the department that
|
|
<B>pat</B> manages. Notice that the group is self-owned, which
|
|
means that all of its members can administer it.
|
|
<PRE> % <B>pts examine pat:accounting</B>
|
|
Name: pat:accounting, id: -673, owner: pat:accounting, creator: pat,
|
|
membership: 15, flags: S-M--, group quota: 0
|
|
</PRE>
|
|
<P>
|
|
<P><H3><A NAME="Header_126" HREF="auusg002.htm#ToC_126">Example: Listing Group Information about a User</A></H3>
|
|
<A NAME="IDX1065"></A>
|
|
<P>The following example displays group-related information about user
|
|
<B>pat</B>. The two most interesting fields are
|
|
<TT>membership</TT>, which shows that <B>pat</B> belongs to 12 groups,
|
|
and <TT>group quota</TT>, which shows that <B>pat</B> can create another
|
|
17 groups.
|
|
<PRE> % <B>pts examine pat</B>
|
|
Name: pat, id: 1045, owner: system:administrators, creator: admin,
|
|
membership: 12, flags: S-M--, group quota: 17
|
|
</PRE>
|
|
<HR><H2><A NAME="HDRWQ68" HREF="auusg002.htm#ToC_127">Creating Groups and Adding Members</A></H2>
|
|
<A NAME="IDX1066"></A>
|
|
<A NAME="IDX1067"></A>
|
|
<A NAME="IDX1068"></A>
|
|
<A NAME="IDX1069"></A>
|
|
<A NAME="IDX1070"></A>
|
|
<P>Use the <B>pts creategroup</B> command to create a group and the
|
|
<B>pts adduser</B> command to add members to it. Users and machines
|
|
can belong to groups, but other groups cannot.
|
|
<P>When you create a group, you normally become its owner
|
|
automatically. This means you alone can administer it: add and
|
|
remove members, change the group's name, transfer ownership of the group,
|
|
or delete the group entirely. If you wish, you can designate another
|
|
owner when you create the group, by including the <B>-owner</B> argument
|
|
to the <B>pts creategroup</B> command. If you assign ownership to
|
|
another group, the owning group must already exist and have at least one
|
|
member. You can also change a group's ownership after creating it
|
|
by using the <B>pts chown</B> command as described in <A HREF="#HDRWQ72">Changing a Group's Owner or Name</A>.
|
|
<P><H3><A NAME="HDRWQ69" HREF="auusg002.htm#ToC_128">To Create a Group</A></H3>
|
|
<A NAME="IDX1071"></A>
|
|
<A NAME="IDX1072"></A>
|
|
<P>Issue the <B>pts creategroup</B> command to create a group. Your
|
|
group-creation quota decrements by one for each group.
|
|
<PRE> % <B>pts creategroup -name</B> <<VAR>group name</VAR>>+ [<B>-owner</B> <<VAR>owner of the group</VAR>>]
|
|
</PRE>
|
|
<P>where
|
|
<DL>
|
|
<P><DT><B>cg
|
|
</B><DD>Is an alias for <B>creategroup</B> (and <B>createg</B> is the
|
|
shortest acceptable abbreviation).
|
|
<P><DT><B>-name
|
|
</B><DD>Names each group to create. The name must have the following
|
|
format:
|
|
<P><VAR>owner_name</VAR><B>:</B><VAR>group_name</VAR>
|
|
<P>The <VAR>owner_name</VAR> prefix must accurately indicate the group's
|
|
owner. By default, you are recorded as the owner, and the
|
|
<VAR>owner_name</VAR> must be your AFS username. You can include the
|
|
<B>-owner</B> argument to designate another AFS user or group as the
|
|
owner, as long as you provide the required value in the <VAR>owner_name</VAR>
|
|
field:
|
|
<A NAME="IDX1073"></A>
|
|
<A NAME="IDX1074"></A>
|
|
<UL>
|
|
<P><LI>If the owner is a user, it must be the AFS username.
|
|
<P><LI>If the owner is another regular group, it must match the owning
|
|
group's <VAR>owner_name</VAR> field. For example, if the owner is
|
|
the group <B>terry:associates</B>, the owner field must be
|
|
<B>terry</B>.
|
|
<P><LI>If the owner is a group without an <VAR>owner_name</VAR> prefix, it must be
|
|
the owning group's name.
|
|
</UL>
|
|
<P>The name can include up to 63 characters including the colon. Use
|
|
numbers and lowercase letters, but no spaces or punctuation characters other
|
|
than the colon.
|
|
<P><DT><B>-owner
|
|
</B><DD>Is optional and assigns ownership to a user other than yourself, or to a
|
|
group. If you specify a group, it must already exist and have at least
|
|
one member. (This means that to make a group self-owned, you must issue
|
|
the <B>pts chown</B> command after using this command to create the group,
|
|
and the <B>pts adduser</B> command to add a member. See <A HREF="#HDRWQ72">Changing a Group's Owner or Name</A>.)
|
|
<P>Do not name a machine as the owner. Because no one can authenticate
|
|
as a machine, there is no way to administer a group owned by a machine.
|
|
</DL>
|
|
<P><H3><A NAME="Header_129" HREF="auusg002.htm#ToC_129">Example: Creating a Group</A></H3>
|
|
<P><B></B>
|
|
<A NAME="IDX1075"></A>
|
|
<P>In the following example user <B>terry</B> creates a group to include
|
|
all the other users in his work team, and then examines the new group
|
|
entry.
|
|
<PRE> % <B>pts creategroup terry:team</B>
|
|
group terry:team has id -286
|
|
% <B>pts examine terry:team</B>
|
|
Name: terry:team, id: -286, owner: terry, creator: terry,
|
|
membership: 0, flags: S----, group quota: 0.
|
|
</PRE>
|
|
<P><H3><A NAME="HDRWQ70" HREF="auusg002.htm#ToC_130">To Add Members to a Group</A></H3>
|
|
<A NAME="IDX1076"></A>
|
|
<A NAME="IDX1077"></A>
|
|
<A NAME="IDX1078"></A>
|
|
<A NAME="IDX1079"></A>
|
|
<P>Issue the <B>pts adduser</B> command to add one or more users to one or
|
|
more groups. You can always add members to a group you own (either
|
|
directly or because you belong to the owning group). If you belong to a
|
|
group, you can add members if its fourth privacy flag is the lowercase letter
|
|
<B>a</B>; see <A HREF="#HDRWQ74">Protecting Group-Related Information</A>.
|
|
<PRE> % <B>pts adduser -user</B> <<VAR>user name</VAR>><SUP>+</SUP> <B>-group</B> <<VAR>group name</VAR>><SUP>+</SUP>
|
|
</PRE>
|
|
<P>You must add yourself to groups that you own, if that is
|
|
appropriate. You do not belong automatically just because you own the
|
|
group.
|
|
<TABLE><TR><TD ALIGN="LEFT" VALIGN="TOP"><B>Note:</B></TD><TD ALIGN="LEFT" VALIGN="TOP">If you already have a token when you are added to a group, you must issue the
|
|
<B>klog</B> command to reauthenticate before you can exercise the
|
|
permissions granted to the group on ACLs.
|
|
</TD></TR></TABLE>
|
|
<P>where
|
|
<DL>
|
|
<P><DT><B>-user
|
|
</B><DD>Specifies the username of each user to add to the groups named by the
|
|
<B>-group</B> argument. Groups cannot belong to other
|
|
groups.
|
|
<P><DT><B>-group
|
|
</B><DD>Names each group to which to add users.
|
|
</DL>
|
|
<P><H3><A NAME="Header_131" HREF="auusg002.htm#ToC_131">Example: Adding Members to a Group</A></H3>
|
|
<A NAME="IDX1080"></A>
|
|
<P>In this example, user <B>terry</B> adds himself, <B>pat</B>,
|
|
<B>indira</B>, and <B>smith</B> to the group he just created,
|
|
<B>terry:team</B>, and then verifies the new list of members.
|
|
<PRE> % <B>pts adduser -user terry pat indira smith -group terry:team</B>
|
|
% <B>pts members terry:team</B>
|
|
Members of terry:team (id: -286) are:
|
|
terry
|
|
pat
|
|
indira
|
|
smith
|
|
</PRE>
|
|
<HR><H2><A NAME="HDRWQ71" HREF="auusg002.htm#ToC_132">Removing Users from a Group and Deleting a Group</A></H2>
|
|
<A NAME="IDX1081"></A>
|
|
<A NAME="IDX1082"></A>
|
|
<A NAME="IDX1083"></A>
|
|
<A NAME="IDX1084"></A>
|
|
<A NAME="IDX1085"></A>
|
|
<A NAME="IDX1086"></A>
|
|
<A NAME="IDX1087"></A>
|
|
<A NAME="IDX1088"></A>
|
|
<P>You can use the following commands to remove groups and their
|
|
members:
|
|
<UL>
|
|
<P><LI>To remove a user from a group, use the <B>pts removeuser</B> command
|
|
<P><LI>To delete a group entirely, use the <B>pts delete</B> command
|
|
<P><LI>To remove deleted groups from ACLs, use the <B>fs cleanacl</B> command
|
|
</UL>
|
|
<P>When a group that you created is deleted, your group-creation quota
|
|
increments by one, even if you no longer own the group.
|
|
<P>When a group or user is deleted, its AFS ID appears on ACLs in place of its
|
|
AFS name. You can use the <B>fs cleanacl</B> command to remove
|
|
these obsolete entries from ACLs on which you have the <B>a</B>
|
|
(<B>administer</B>) permission.
|
|
<P><H3><A NAME="Header_133" HREF="auusg002.htm#ToC_133">To Remove Members from a Group</A></H3>
|
|
<A NAME="IDX1089"></A>
|
|
<A NAME="IDX1090"></A>
|
|
<P>Issue the <B>pts removeuser</B> command to remove one or more members
|
|
from one or more groups. You can always remove members from a group
|
|
that you own (either directly or because you belong to the owning
|
|
group). If you belong to a group, you can remove members if its fifth
|
|
privacy flag is the lowercase letter <B>r</B>; see <A HREF="#HDRWQ74">Protecting Group-Related Information</A>. (To display a group's owner, use the <B>pts
|
|
examine</B> command as described in <A HREF="#HDRWQ67">To Display A Group Entry</A>.)
|
|
<PRE> % <B>pts removeuser -user</B> <<VAR>user name</VAR>><SUP>+</SUP> <B>-group</B> <<VAR>group name</VAR>><SUP>+</SUP>
|
|
</PRE>
|
|
<P>where
|
|
<DL>
|
|
<P><DT><B>-user
|
|
</B><DD>Specifies the username of each user to remove from the groups named by the
|
|
<B>-group</B> argument.
|
|
<P><DT><B>-group
|
|
</B><DD>Names each group from which to remove users.
|
|
</DL>
|
|
<P><H3><A NAME="Header_134" HREF="auusg002.htm#ToC_134">Example: Removing Group Members</A></H3>
|
|
<A NAME="IDX1091"></A>
|
|
<P>The following example removes user <B>pat</B> from both the
|
|
<B>terry:team</B> and <B>terry:friends</B> groups.
|
|
<PRE> % <B>pts removeuser pat -group terry:team terry:friends</B>
|
|
</PRE>
|
|
<P><H3><A NAME="Header_135" HREF="auusg002.htm#ToC_135">To Delete a Group</A></H3>
|
|
<A NAME="IDX1092"></A>
|
|
<A NAME="IDX1093"></A>
|
|
<P>Issue the <B>pts delete</B> command to delete a group. You can
|
|
always delete a group that you own (either directly or because you belong to
|
|
the owning group). To display a group's owner, use the <B>pts
|
|
examine</B> command as described in <A HREF="#HDRWQ67">To Display A Group Entry</A>.
|
|
<PRE> % <B>pts delete</B> <<VAR>user or group name or id</VAR>><SUP>+</SUP>
|
|
</PRE>
|
|
<P>where <VAR>user or group name or id</VAR> specifies the name or AFS UID of
|
|
each user, or the name or AFS GID of each group, to delete. If
|
|
identifying a group by its AFS GID, precede the GID with a hyphen
|
|
(<B>-</B>) to indicate that it is a negative number.
|
|
<P><H3><A NAME="Header_136" HREF="auusg002.htm#ToC_136">Example: Deleting a Group</A></H3>
|
|
<P><B></B>
|
|
<A NAME="IDX1094"></A>
|
|
<P>In the following example, the group <B>terry:team</B> is
|
|
deleted.
|
|
<PRE> % <B>pts delete terry:team</B>
|
|
</PRE>
|
|
<P><H3><A NAME="Header_137" HREF="auusg002.htm#ToC_137">To Remove Obsolete ACL Entries</A></H3>
|
|
<A NAME="IDX1095"></A>
|
|
<A NAME="IDX1096"></A>
|
|
<P>Issue the <B>fs cleanacl</B> command to remove obsolete entries from
|
|
ACLs after the corresponding user or group has been deleted.
|
|
<PRE> % <B>fs cleanacl</B> [<<VAR>dir/file path</VAR>><SUP>+</SUP>]
|
|
</PRE>
|
|
<P>where <VAR>dir/file path</VAR> name each directory for which to clean the
|
|
ACL. If you omit this argument, the current working directory's
|
|
ACL is cleaned.
|
|
<P><B></B>
|
|
<A NAME="IDX1097"></A>
|
|
<P><H3><A NAME="Header_138" HREF="auusg002.htm#ToC_138">Example: Removing an Obsolete ACL Entry</A></H3>
|
|
<P>After the group <B>terry:team</B> is deleted, its AFS GID
|
|
(-286) appears on ACLs instead of its name. In this example, user
|
|
<B>terry</B> cleans it from the ACL on the plans directory in his home
|
|
directory.
|
|
<PRE> % <B>fs listacl plans</B>
|
|
Access list for plans is
|
|
Normal rights:
|
|
terry rlidwka
|
|
-268 rlidwk
|
|
sam rliw
|
|
% <B>fs cleanacl plans</B>
|
|
% <B>fs listacl plans</B>
|
|
Access list for plans is
|
|
Normal rights:
|
|
terry rlidwka
|
|
sam rliw
|
|
</PRE>
|
|
<HR><H2><A NAME="HDRWQ72" HREF="auusg002.htm#ToC_139">Changing a Group's Owner or Name</A></H2>
|
|
<A NAME="IDX1098"></A>
|
|
<A NAME="IDX1099"></A>
|
|
<A NAME="IDX1100"></A>
|
|
<A NAME="IDX1101"></A>
|
|
<P>To change a group's owner, use the <B>pts chown</B>
|
|
command. To change its name, use the <B>pts rename</B>
|
|
command.
|
|
<P>You can change the owner or name of a group that you own (either directly
|
|
or because you belong to the owning group). You can assign group
|
|
ownership to another user, another group, or the group itself. If you
|
|
are not already a member of the group and need to be, use the <B>pts
|
|
adduser</B> command before transferring ownership, following the
|
|
instructions in <A HREF="#HDRWQ70">To Add Members to a Group</A>.
|
|
<P>The <B>pts chown</B> command automatically changes a group's
|
|
<VAR>owner_name</VAR> prefix to indicate the new owner. If the new owner
|
|
is a group, only its <VAR>owner_name</VAR> prefix is used, not its entire
|
|
name. However, the change in <VAR>owner_name</VAR> prefix command does
|
|
not propagate to any groups owned by the group whose owner is changing.
|
|
If you want their <VAR>owner_name</VAR> prefixes to indicate the correct owner,
|
|
you must use the <B>pts rename</B> command.
|
|
<P>Otherwise, you normally use the <B>pts rename</B> command to change
|
|
only the <VAR>group_name</VAR> part of a group name (the part that follows the
|
|
colon). You can change the <VAR>owner_name</VAR> prefix only to reflect
|
|
the actual owner.
|
|
<P><H3><A NAME="HDRWQ73" HREF="auusg002.htm#ToC_140">To Change a Group's Owner</A></H3>
|
|
<A NAME="IDX1102"></A>
|
|
<A NAME="IDX1103"></A>
|
|
<P>Issue the <B>pts chown</B> command to change a group's
|
|
name.
|
|
<PRE> % <B>pts chown</B> <<VAR>group name</VAR>> <<VAR>new owner</VAR>>
|
|
</PRE>
|
|
<P>where
|
|
<DL>
|
|
<P><DT><B><VAR>group name</VAR>
|
|
</B><DD>Specifies the current name of the group to which to assign a new
|
|
owner.
|
|
<P><DT><B><VAR>new owner</VAR>
|
|
</B><DD>Names the user or group that is to own the group.
|
|
</DL>
|
|
<P><H3><A NAME="Header_141" HREF="auusg002.htm#ToC_141">Example: Changing a Group's Owner to Another User</A></H3>
|
|
<A NAME="IDX1104"></A>
|
|
<P>In the following example, user <B>pat</B> transfers ownership of the
|
|
group <B>pat:staff</B> to user <B>terry</B>. Its name
|
|
changes automatically to <B>terry:staff</B>, as confirmed by the
|
|
<B>pts examine</B> command.
|
|
<PRE> % <B>pts chown pat:staff terry</B>
|
|
% <B>pts examine terry:staff</B>
|
|
Name: terry:staff, id: -534, owner: terry, creator: pat,
|
|
membership: 15, flags: SOm--, group quota: 0.
|
|
</PRE>
|
|
<P><H3><A NAME="Header_142" HREF="auusg002.htm#ToC_142">Example: Changing a Group's Owner to Itself</A></H3>
|
|
<A NAME="IDX1105"></A>
|
|
<P>In the following example, user <B>terry</B> makes the
|
|
<B>terry:team</B> group a self-owned group. Its name does not
|
|
change because its <VAR>owner_name</VAR> prefix is already
|
|
<B>terry</B>.
|
|
<PRE> % <B>pts chown terry:team terry:team</B>
|
|
% <B>pts examine terry:team</B>
|
|
Name: terry:team, id: -286, owner: terry:team, creator: terry,
|
|
membership: 6, flags: SOm--, group quota: 0.
|
|
</PRE>
|
|
<P><H3><A NAME="Header_143" HREF="auusg002.htm#ToC_143">Example: Changing a Group's Owner to a Group</A></H3>
|
|
<P>In this example, user <B>sam</B> transfers ownership of the group
|
|
<B>sam:project</B> to the group <B>smith:cpa</B>.
|
|
Its name changes automatically to <B>smith:project</B>, because
|
|
<B>smith</B> is the <VAR>owner_name</VAR> prefix of the group that now owns
|
|
it. The <B>pts examine</B> command displays the group's status
|
|
before and after the change.
|
|
<PRE> % <B>pts examine sam:project</B>
|
|
Name: sam:project, id: -522, owner: sam, creator: sam,
|
|
membership: 33, flags: SOm--, group quota: 0.
|
|
% <B>pts chown sam:project smith:cpa</B>
|
|
% <B>pts examine smith:project</B>
|
|
Name: smith:project, id: -522, owner: smith:cpa, creator: sam,
|
|
membership: 33, flags: SOm--, group quota: 0.
|
|
</PRE>
|
|
<P><H3><A NAME="Header_144" HREF="auusg002.htm#ToC_144">To Change a Group's Name</A></H3>
|
|
<A NAME="IDX1106"></A>
|
|
<A NAME="IDX1107"></A>
|
|
<P>Issue the <B>pts rename</B> command to change a group's
|
|
name.
|
|
<PRE> % <B>pts rename</B> <<VAR>old name</VAR>> <<VAR>new name</VAR>>
|
|
</PRE>
|
|
<P>where
|
|
<DL>
|
|
<P><DT><B><VAR>old name</VAR>
|
|
</B><DD>Specifies the group's current name.
|
|
<P><DT><B><VAR>new name</VAR>
|
|
</B><DD>Specifies the complete new name to assign to the group. The
|
|
<VAR>owner_name</VAR> prefix must correctly indicate the group's
|
|
owner.
|
|
</DL>
|
|
<P><H3><A NAME="Header_145" HREF="auusg002.htm#ToC_145">Example: Changing a Group's <VAR>group_name</VAR> Suffix</A></H3>
|
|
<A NAME="IDX1108"></A>
|
|
<P>The following example changes the name of the
|
|
<B>smith:project</B> group to
|
|
<B>smith:fiscal-closing</B>. The group's
|
|
<VAR>owner_name</VAR> prefix remains <B>smith</B> because its owner is not
|
|
changing.
|
|
<PRE> % <B>pts examine smith:project</B>
|
|
Name: smith:project, id: -522, owner: smith:cpa, creator: sam,
|
|
membership: 33, flags: SOm--, group quota: 0.
|
|
% <B>pts rename smith:project smith:fiscal-closing</B>
|
|
% <B>pts examine smith:fiscal-closing</B>
|
|
Name: smith:fiscal-closing, id: -522, owner: smith:cpa, creator: sam,
|
|
membership: 33, flags: SOm--, group quota: 0.
|
|
</PRE>
|
|
<P><H3><A NAME="Header_146" HREF="auusg002.htm#ToC_146">Example: Changing a Group's <VAR>owner_name</VAR> Prefix</A></H3>
|
|
<P>In a previous example, user <B>pat</B> transferred ownership of the
|
|
group <B>pat:staff</B> to user <B>terry</B>. Its name
|
|
changed automatically to <B>terry:staff</B>. However, a group
|
|
that <B>terry:staff</B> owns is still called
|
|
<B>pat:plans</B>, because the change to a group's
|
|
<VAR>owner_name</VAR> that results from the <B>pts chown</B> command does
|
|
not propagate to any groups it owns. In this example, a member of
|
|
<B>terry:staff</B> uses the <B>pts rename</B> command to change
|
|
the name to <B>terry:plans</B> to reflect its actual
|
|
ownership.
|
|
<PRE> % <B>pts examine pat:plans</B>
|
|
Name: pat:plans, id: -535, owner: terry:staff, creator: pat,
|
|
membership: 8, flags: SOm--, group quota: 0.
|
|
% <B>pts rename pat:plans terry:plans</B>
|
|
% <B>pts examine terry:plans</B>
|
|
Name: terry:plans, id: -535, owner: terry:staff, creator: pat,
|
|
membership: 8, flags: SOm--, group quota: 0.
|
|
</PRE>
|
|
<HR><H2><A NAME="HDRWQ74" HREF="auusg002.htm#ToC_147">Protecting Group-Related Information</A></H2>
|
|
<A NAME="IDX1109"></A>
|
|
<A NAME="IDX1110"></A>
|
|
<A NAME="IDX1111"></A>
|
|
<A NAME="IDX1112"></A>
|
|
<A NAME="IDX1113"></A>
|
|
<A NAME="IDX1114"></A>
|
|
<A NAME="IDX1115"></A>
|
|
<A NAME="IDX1116"></A>
|
|
<P>A group's <I>privacy flags</I> control who can administer it in
|
|
various ways. The privacy flags appear in the <TT>flags</TT> field of
|
|
the output from the <B>pts examine</B> command command; see <A HREF="#HDRWQ67">To Display A Group Entry</A>. To set the privacy flags for a group you own, use
|
|
the <B>pts setfields</B> command as instructed in <A HREF="#HDRWQ75">To Set a Group's Privacy Flags</A>.
|
|
<P><H3><A NAME="HDRPRIVACY-FLAGS" HREF="auusg002.htm#ToC_148">Interpreting the Privacy Flags</A></H3>
|
|
<P>The five privacy flags always appear, and always
|
|
must be set, in the following order:
|
|
<DL>
|
|
<P><DT><B>s
|
|
</B><DD>Controls who can issue the <B>pts examine</B> command to display the
|
|
entry.
|
|
<P><DT><B>o
|
|
</B><DD>Controls who can issue the <B>pts listowned</B> command to list the
|
|
groups that a user or group owns.
|
|
<P><DT><B>m
|
|
</B><DD>Controls who can issue the <B>pts membership</B> command to list the
|
|
groups a user or machine belongs to, or which users or machines belong to a
|
|
group.
|
|
<P><DT><B>a
|
|
</B><DD>Controls who can issue the <B>pts adduser</B> command to add a user or
|
|
machine to a group.
|
|
<P><DT><B>r
|
|
</B><DD>Controls who can issue the <B>pts removeuser</B> command to remove a
|
|
user or machine from a group.
|
|
</DL>
|
|
<P>Each flag can take three possible types of values to enable a different set
|
|
of users to issue the corresponding command:
|
|
<UL>
|
|
<P><LI>A hyphen (<B>-</B>) means that the group's owner can issue the
|
|
command, along with the administrators who belong to the
|
|
<B>system:administrators</B> group.
|
|
<P><LI>The lowercase version of the letter means that members of the group can
|
|
issue the command, along with the users indicated by the hyphen.
|
|
<P><LI>The uppercase version of the letter means that anyone can issue the
|
|
command.
|
|
</UL>
|
|
<P>For example, the flags <TT>SOmar</TT> on a group entry indicate that
|
|
anyone can examine the group's entry and list the groups that it owns,
|
|
and that only the group's members can list, add, or remove its
|
|
members.
|
|
<P>The default privacy flags for groups are <TT>S-M--</TT>, meaning that
|
|
anyone can display the entry and list the members of the group, but only the
|
|
group's owner and members of the <B>system:administrators</B>
|
|
group can perform other functions.
|
|
<P><H3><A NAME="HDRWQ75" HREF="auusg002.htm#ToC_149">To Set a Group's Privacy Flags</A></H3>
|
|
<A NAME="IDX1117"></A>
|
|
<A NAME="IDX1118"></A>
|
|
<P>Issue the <B>pts setfields</B> command to set the privacy flags on one
|
|
or more groups.
|
|
<PRE> % <B>pts setfields -nameorid</B> <<VAR>user or group name or id</VAR>><SUP>+</SUP>
|
|
<B>-access</B> <<VAR>set privacy flags</VAR>>
|
|
</PRE>
|
|
<P>where
|
|
<DL>
|
|
<P><DT><B>-nameorid
|
|
</B><DD>Specifies the name or AFS GID of each group for which to set the privacy
|
|
flags. If identifying a group by its AFS GID, precede the GID with a
|
|
hyphen (<B>-</B>) to indicate that it is a negative number.
|
|
<P><DT><B>-access
|
|
</B><DD>Specifies the privacy flags to set for each group. Observe the
|
|
following rules:
|
|
<UL>
|
|
<P><LI>Provide a value for all five flags in the order <B>somar</B>.
|
|
<P><LI>Set the first flag to lowercase <B>s</B> or uppercase <B>S</B>
|
|
only.
|
|
<P><LI>Set the second flag to the hyphen (<B>-</B>) or uppercase <B>O</B>
|
|
only. For groups, AFS interprets the hyphen as equivalent to lowercase
|
|
<B>o</B> (that is, members of a group can always list the groups that it
|
|
owns).
|
|
<P><LI>Set the third flag to the hyphen (<B>-</B>), lowercase <B>m</B>,
|
|
or uppercase <B>M</B>.
|
|
<P><LI>Set the fourth flag to the hyphen (<B>-</B>), lowercase <B>a</B>,
|
|
or uppercase <B>A</B>. The uppercase <B>A</B> is not a secure
|
|
choice, because it permits anyone to add members to the group.
|
|
<P><LI>Set the fifth flag to the hyphen (<B>-</B>) or lowercase <B>r</B>
|
|
only.
|
|
</UL>
|
|
</DL>
|
|
<P><H3><A NAME="Header_150" HREF="auusg002.htm#ToC_150">Example: Setting a Group's Privacy Flags</A></H3>
|
|
<A NAME="IDX1119"></A>
|
|
<P>The following example sets the privacy flags on the
|
|
<B>terry:team</B> group to set the indicated pattern of
|
|
administrative privilege.
|
|
<PRE> % <B>pts setfields terry:team -access SOm--</B>
|
|
|
|
</PRE>
|
|
<UL>
|
|
<P><LI>Everyone can issue the <B>pts examine</B> command to display general
|
|
information about it (uppercase <B>S</B>).
|
|
<P><LI>Everyone can issue the <B>pts listowned</B> command to display the
|
|
groups it owns (uppercase <B>O</B>).
|
|
<P><LI>The members of the group can issue the <B>pts membership</B> command
|
|
to display the group's members (lowercase <B>m</B>).
|
|
<P><LI>Only the group's owner, user <B>terry</B>, can issue the <B>pts
|
|
adduser</B> command to add members (the hyphen).
|
|
<P><LI>Only the group's owner, user <B>terry</B>, can issue the <B>pts
|
|
removeuser</B> command to remove members (the hyphen).
|
|
</UL>
|
|
<HR><P ALIGN="center"> <A HREF="../index.htm"><IMG SRC="../books.gif" BORDER="0" ALT="[Return to Library]"></A> <A HREF="auusg002.htm#ToC"><IMG SRC="../toc.gif" BORDER="0" ALT="[Contents]"></A> <A HREF="auusg007.htm"><IMG SRC="../prev.gif" BORDER="0" ALT="[Previous Topic]"></A> <A HREF="#Top_Of_Page"><IMG SRC="../top.gif" BORDER="0" ALT="[Top of Topic]"></A> <A HREF="auusg009.htm"><IMG SRC="../next.gif" BORDER="0" ALT="[Next Topic]"></A> <A HREF="auusg013.htm#HDRINDEX"><IMG SRC="../index.gif" BORDER="0" ALT="[Index]"></A> <P>
|
|
<!-- Begin Footer Records ========================================== -->
|
|
<P><HR><B>
|
|
<br>© <A HREF="http://www.ibm.com/">IBM Corporation 2000.</A> All Rights Reserved
|
|
</B>
|
|
<!-- End Footer Records ============================================ -->
|
|
<A NAME="Bot_Of_Page"></A>
|
|
</BODY></HTML>
|