Removing Obsolete AFS IDs from ACLs

When you remove a user or group entry from the Protection Database, the fs listacl command displays the user's AFS UID (or group's AFS GID) in ACL entries, rather than the name. In the following example, user terry has an ACL entry for the group terry:friends (AFS GID -567) on her home directory in the Example Corporation cell, and then removes the group from the Protection Database.

   % fs listacl /afs/example.com/usr/terry
   Access list for /afs/example.com/usr/terry is
   Normal permissions:
     terry:friends rlik
     system:anyuser l
     terry rlidwka
   % pts delete terry:friends
   % fs listacl /afs/example.com/usr/terry
   Access list for /afs/example.com/usr/terry is
   Normal permissions:
     -567 rlik
     system:anyuser l
     terry rlidwka

Leaving AFS IDs on ACLs serves no function, because the ID no longer corresponds to an active user or group. Furthermore, if the ID is ever assigned to a new user or group, then the new possessor of the ID gains access that the owner of the directory actually intended for the previous possessor. (Reusing AFS IDs is not recommended precisely for this reason.)

To remove obsolete AFS IDs (both UIDs and GIDs) from ACLs, use the fs cleanacl command.

To clean obsolete AFS IDs from an ACL

  1. Verify that you have the a (administer) permission on each directory for which you are cleaning the ACL. If necessary, issue the fs listacl command, which is fully described in Displaying ACLs.

       % fs listacl [<dir/file path>]
    
  2. Issue the fs cleanacl command to remove entries for obsolete AFS IDs.

       % fs cleanacl [<dir/file path>+]
    

    where

    cl

    Is the shortest acceptable abbreviation of cleanacl.

    dir/file path

    Names each directory for which to clean the ACL. If this argument names a file, its directory's ACL is cleaned. Omit this argument to clean the current working directory's ACL.

    Specify the read/write path to each directory, to avoid the failure that results when you attempt to change a read-only volume. By convention, you indicate the read/write path by placing a period before the cell name at the pathname's second level (for example, /afs/.example.com). For further discussion of the concept of read/write and read-only paths through the filespace, see The Rules of Mount Point Traversal.

    You can also use the following notation on its own or as part of a pathname:

    .

    (A single period). If used by itself, cleans the current working directory's ACL.

    ..

    (Two periods). If used by itself, cleans the ACL on the current working directory's parent directory.

    *

    (The asterisk). Cleans the ACL of each of the subdirectories in the current working directory. However, if you use the asterisk and there are obsolete AFS IDs on any directory's ACL, the following error message appears for every file in the directory:

       fs: 'filename': Not a directory
    

If there are obsolete AFS IDs on a directory, the command interpreter displays its cleaned ACL under the following header.

   Access list for directory is now

If a directory's ACL has no obsolete AFS IDs on it, the following message appears for each.

   Access list for directory is fine.
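The following shell helper is an added example, not part of the OpenAFS documentation or tools: it parses fs listacl output of the form shown above and flags entries whose name is a bare AFS ID (a negative GID or positive UID with no Protection Database entry), so an administrator can audit directories for orphaned entries before running fs cleanacl. The sample output and its Negative permissions section are constructed; the audit_acls function assumes the fs binary is on PATH.

```shell
#!/bin/sh
# Constructed sample of `fs listacl` output, modelled on this page after
# `pts delete terry:friends`: the group now appears as its AFS GID -567.
# The "Negative permissions" section is also constructed for illustration.
SAMPLE_ACL='Access list for /afs/example.com/usr/terry is
Normal permissions:
  -567 rlik
  system:anyuser l
  terry rlidwka
Negative permissions:
  1234 rl'

# Print one line per ACL entry whose name is a bare integer, i.e. an AFS
# UID/GID that no longer resolves to a user or group.
# Output format: <section> <id> <rights>
find_obsolete_ids() {
    printf '%s\n' "$1" | awk '
        /^Normal permissions:/   { section = "normal";   next }
        /^Negative permissions:/ { section = "negative"; next }
        /^Access list for/       { next }
        NF == 2 && $1 ~ /^-?[0-9]+$/ { print section, $1, $2 }
    '
}

# Report each directory whose ACL carries obsolete IDs; clean it only when
# the first argument is -f. Pass read/write paths (/afs/.cellname/...), since
# fs cleanacl fails on a read-only volume. Assumes `fs` is on PATH.
audit_acls() {
    fix=$1; shift
    for dir in "$@"; do
        acl=$(fs listacl "$dir") || continue
        found=$(find_obsolete_ids "$acl")
        [ -n "$found" ] || continue
        printf '%s: obsolete ACL entries:\n%s\n' "$dir" "$found"
        if [ "$fix" = "-f" ]; then
            fs cleanacl "$dir"
        fi
    done
}

# Stand-alone demonstration on the constructed sample.
find_obsolete_ids "$SAMPLE_ACL"
```

Run `audit_acls -f /afs/.example.com/usr/terry` to clean the directories it reports; without -f it only lists them.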