Protecting Group-Related Information

A group's privacy flags control who can administer it in various ways. The privacy flags appear in the flags field of the output from the pts examine command command; see To Display A Group Entry. To set the privacy flags for a group you own, use the pts setfields command as instructed in To Set a Group's Privacy Flags.

Interpreting the Privacy Flags

The five privacy flags always appear, and always must be set, in the following order:

s

Controls who can issue the pts examine command to display the entry.

o

Controls who can issue the pts listowned command to list the groups that a user or group owns.

m

Controls who can issue the pts membership command to list the groups a user or machine belongs to, or which users or machines belong to a group.

a

Controls who can issue the pts adduser command to add a user or machine to a group.

r

Controls who can issue the pts removeuser command to remove a user or machine from a group.

Each flag can take three possible types of values to enable a different set of users to issue the corresponding command:

  • A hyphen (-) means that the group's owner can issue the command, along with the administrators who belong to the system:administrators group.

  • The lowercase version of the letter means that members of the group can issue the command, along with the users indicated by the hyphen.

  • The uppercase version of the letter means that anyone can issue the command.

For example, the flags SOmar on a group entry indicate that anyone can examine the group's entry and list the groups that it owns, and that only the group's members can list, add, or remove its members.

The default privacy flags for groups are S-M--, meaning that anyone can display the entry and list the members of the group, but only the group's owner and members of the system:administrators group can perform other functions.

To Set a Group's Privacy Flags

Issue the pts setfields command to set the privacy flags on one or more groups.

   % pts setfields -nameorid <user or group name or id>+
                   -access <set privacy flags>

where

-nameorid

Specifies the name or AFS GID of each group for which to set the privacy flags. If identifying a group by its AFS GID, precede the GID with a hyphen (-) to indicate that it is a negative number.

-access

Specifies the privacy flags to set for each group. Observe the following rules:

  • Provide a value for all five flags in the order somar.

  • Set the first flag to lowercase s or uppercase S only.

  • Set the second flag to the hyphen (-) or uppercase O only. For groups, AFS interprets the hyphen as equivalent to lowercase o (that is, members of a group can always list the groups that it owns).

  • Set the third flag to the hyphen (-), lowercase m, or uppercase M.

  • Set the fourth flag to the hyphen (-), lowercase a, or uppercase A. The uppercase A is not a secure choice, because it permits anyone to add members to the group.

  • Set the fifth flag to the hyphen (-) or lowercase r only.

Example: Setting a Group's Privacy Flags

The following example sets the privacy flags on the terry:team group to set the indicated pattern of administrative privilege.

   % pts setfields terry:team -access SOm--

  • Everyone can issue the pts examine command to display general information about it (uppercase S).

  • Everyone can issue the pts listowned command to display the groups it owns (uppercase O).

  • The members of the group can issue the pts membership command to display the group's members (lowercase m).

  • Only the group's owner, user terry, can issue the pts adduser command to add members (the hyphen).

  • Only the group's owner, user terry, can issue the pts removeuser command to remove members (the hyphen).