
This page is out of date

The Student Activity Server has been renamed to the Penn State Student Organizations Web Service and is under new management. These Web pages are out of date and will be removed in the near future. Please read http://www.clubs.psu.edu/info/ for information about the new service.

Advanced DCE/DFS Notes

DCE/DFS Service - Information page managed by the CAC.

Logging into DCE

  1. How do I log into DCE from the Hammond ptph cluster?
    dce_login - no longer required (5-3-00)
    Enter Principal Name: xyz123
    Enter Password:

  2. How do I see what DCE/kerberos credentials I have?
    klist

  3. How can I refresh my credentials before or after they expire?
    kinit

  4. How can I destroy my credentials or leave DCE?
    kdestroy or
    exit the shell. (dce_login starts a new shell)

  5. Where can I get the client for NT?
    http://www.work.psu.edu/access/dce

DFS layout

  1. Where is my club's directory located? My club is on the web at http://www.clubs.psu.edu/my_club/.
    /.../dce.psu.edu/fs/services/www/clubs/wwwroot/my_club or
    /.:/fs/services/www/clubs/wwwroot/my_club or
    /:/services/www/clubs/wwwroot/my_club or
    /clubs/my_club (symbolic link) when you are uploading over FTP.

Changing permissions on DFS

  1. Is there a quick synopsis of the acl subcommand of dcecp?
    command      verb   object   opt argument principal        chmod   affects
    ------------ ------ -------- --- -------- ---------------- -----   -------
    dcecp -c acl show   <object>     -add     mask_obj:rwxcid  group - masks the bits of other principals in the ACL
                 modify .        -io -change  user_obj:rwxcid  user  - UID of file or directory (ls -l file)
                        myfile   -ic -remove  group_obj:rwxcid       - GID of the file or directory
                                              other_obj:rwxcid other - others in the default cell
                                              any_other:rwxcid       - foreign cells, web server requests...
                                              user:xxx111:rwxcid     - the user principal xxx111
                                              group:sa.clubs:rwxcid  - the group principal sa.clubs

    Note: Each column shows a list of interchangeable options.

    Examples:
    dcecp -c acl show .  shows the ACL of the current directory ".".
    dcecp -c acl modify . -add user:xxx111:rwxcid  gives xxx111 full access to the current directory.
    dcecp -c acl modify . -ic -change mask_obj:rwxc--  sets the initial container mask_obj so that insert and delete privileges are withheld from users, groups, the GID (group_obj), and any_other on new directories created in ".".

  2. Is there another command for editing the ACL?
    Try acl_edit.

  3. How do I view the ACL for an object?
    acl_edit <object> -l or
    dcecp -c acl show <object>

  4. How do I add an ACL entry to an object?
    dcecp -c acl modify <object> -add {user:xyz123:rwxcid}

  5. How do I change an ACL entry on an object?
    dcecp -c acl modify <object> -change {user:xyz123:rwxcid}

  6. How do I remove an ACL entry from an object?
    dcecp -c acl modify <object> -remove {user:xyz123}

  7. What are the permissions available?

    The six permission bits (rwxcid) are:

    These are available for all objects:
      r - read
      w - write
      x - execute (for a directory, access to its contents)
      c - control (permission to change the ACL itself)

    For directories, the next two permissions are available:
      i - insert (create new entries in the directory)
      d - delete (remove entries from the directory)

    In addition to having a 6 bit permission scheme (rwxcid) for each directory, directories also hold two kinds of ACL defaults:
      initial object ACL (-io)    - the default ACL given to new files created in the directory
      initial container ACL (-ic) - the default ACL given to new subdirectories created in the directory

    Both of these are themselves Access Control Lists and are also inherited by subdirectories.

  8. How do I set an ACL entry to no access, without deleting it entirely?
    dcecp -c acl modify <dir> -change {group_obj -}

  9. How do I access the initial container and initial object ACLs for a directory?
    Add -ic (initial container) or -io (initial object) after the directory name.
    eg, dcecp -c acl modify somedir -io -change user:xyz123:rw--id

  10. Can I still use chmod? What effect does it have?
    chmod still affects permissions as you would expect, revoking and granting them, but it does so by laying another "mask" of permissions over the DFS Access Control List (ACL). The "owner" permission bits are mapped to the DFS "user_obj", the "group" bits are mapped to "mask_obj", and the "other" bits are mapped to "other_obj".

    Let's see how chmod can have an effect. First we look at the standard Unix permissions of a sample directory:

    [jcd144@h11 ~/sas]$ ls -ld newlook
    drwxrwx--x   2 jrj120   1000         320 Jan 24 17:10 newlook/
    

    And we look at the Access Control List:

    [jcd144@h11 ~/sas]$ dcecp -c acl show newlook
    {mask_obj rwxcid}
    {user_obj rwxcid}
    {user cell_admin rwxcid}
    {user jcd144 rwxcid}
    {group_obj r-x---}
    {other_obj --x---}
    {any_other r-x---}
    

    Now let's remove the group execute (directory content access) bit in chmod:

    [jcd144@h11 ~/sas]$ chmod g-x newlook
    

    and look at the changes to standard Unix permissions:

    [jcd144@h11 ~/sas]$ ls -ld newlook
    drwxrw---x   2 jrj120   1000         320 Jan 24 17:10 newlook/
    

    and to the ACL:

    [jcd144@h11 ~/sas]$ dcecp -c acl show newlook
    {mask_obj rw-cid}
    {user_obj rwxcid}
    {user cell_admin rwxcid effective rw-cid}
    {user jcd144 rwxcid effective rw-cid}
    {group_obj r-x--- effective r-----}
    {other_obj --x---}
    {any_other r-x--- effective r-----}
    

    Notice that the change to mask_obj affects the additional user and group entries (here user:jcd144 and user:cell_admin) as well as group_obj and any_other, all of which now show a reduced "effective" value; user_obj and other_obj are not masked.

    Now let's get creative and try a more complex permission scheme:

    [jcd144@h11 ~/sas]$ chmod 671 newlook/
    

    We see the changes in standard Unix:

    [jcd144@h11 ~/sas]$ ls -dl newlook
    drw-rwx--x   2 jrj120   1000         320 Jan 24 17:10 newlook/
    

    and in the ACL:

    [jcd144@h11 ~/sas]$ dcecp -c acl show newlook
    {mask_obj rwxcid}
    {user_obj rw-cid}
    {user cell_admin rwxcid}
    {user jcd144 rwxcid}
    {group_obj r-x---}
    {other_obj --x---}
    {any_other r-x---}
    

    Notice above that with all bits of mask_obj set, the granted and effective permissions are identical, so dcecp shows no separate "effective" value for any entry.

    Here's another. Full access to all but the owner:

    [jcd144@h11 ~/sas]$ chmod 077 newlook/
    
    [jcd144@h11 ~/sas]$ ls -dl newlook
    d---rwxrwx   2 jrj120   1000         320 Jan 24 17:10 newlook/
    
    [jcd144@h11 ~/sas]$ dcecp -c acl show newlook
    {mask_obj rwxcid}
    {user_obj ---cid}
    {user cell_admin rwxcid}
    {user jcd144 rwxcid}
    {group_obj r-x---}
    {other_obj rwx---}
    {any_other r-x---}
    

    You may notice that mask_obj determines which permissions are actually granted. For user jcd144 to have access to the "newlook" directory, the directory access bit (x) must be set on both user:jcd144 and mask_obj; otherwise user jcd144 is denied access to the directory. Some ACL entries were pruned from the above examples for brevity.
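The mask rule the transcripts above demonstrate, modelled in Python as an added example (not code from the original page or the CAC): chmod owner/group/other bits rewrite user_obj/mask_obj/other_obj, and every other entry is ANDed with mask_obj to give its effective permissions. The helper names are assumptions, and the rule that mask_obj does not filter user_obj or other_obj is inferred from the page's own listings.

```python
CHMOD_MAP = {"u": "user_obj", "g": "mask_obj", "o": "other_obj"}  # chmod class -> ACL entry it rewrites
UNMASKED = {"user_obj", "other_obj", "mask_obj"}  # mask_obj never filters these (no 'effective' shown)

def parse_acl(text):
    """Parse 'dcecp -c acl show' output into {key: perms}, keys like
    'user_obj' or 'user:jcd144'; any 'effective' annotation is ignored."""
    acl = {}
    for line in text.strip().splitlines():
        f = line.strip().strip("{}").split()
        if f[0] in ("user", "group"):   # named principal: type:name key
            acl[f[0] + ":" + f[1]] = f[2]
        else:                           # *_obj or any_other: one-word key
            acl[f[0]] = f[1]
    return acl

def set_rwx(perms, bits):
    """Rewrite the r/w/x part of a 6-char perms string; c, i, d are kept."""
    return "".join(p if bits & b else "-" for p, b in zip("rwx", (4, 2, 1))) + perms[3:]

def chmod(acl, mode):
    """Apply a numeric chmod (e.g. 0o671) as the page says DFS does:
    owner bits -> user_obj, group bits -> mask_obj, other bits -> other_obj."""
    acl = dict(acl)
    for cls, shift in (("u", 6), ("g", 3), ("o", 0)):
        acl[CHMOD_MAP[cls]] = set_rwx(acl[CHMOD_MAP[cls]], (mode >> shift) & 7)
    return acl

def effective(acl):
    """{key: effective perms}: masked entries are ANDed bit-wise with mask_obj."""
    mask = acl["mask_obj"]
    return {k: p if k in UNMASKED else "".join(a if a == b else "-" for a, b in zip(p, mask))
            for k, p in acl.items()}

def show(acl):
    """Render like dcecp, adding 'effective ...' where the mask cuts a grant."""
    eff, out = effective(acl), []
    for k, p in acl.items():
        name = k.replace(":", " ")
        out.append("{%s %s}" % (name, p) if eff[k] == p
                   else "{%s %s effective %s}" % (name, p, eff[k]))
    return "\n".join(out)

# The page's sample directory before any chmod (copied from its transcript)
NEWLOOK = parse_acl("\n".join([
    "{mask_obj rwxcid}", "{user_obj rwxcid}", "{user cell_admin rwxcid}", "{user jcd144 rwxcid}",
    "{group_obj r-x---}", "{other_obj --x---}", "{any_other r-x---}"]))

if __name__ == "__main__":
    print(show(chmod(NEWLOOK, 0o761)))  # drwxrwx--x after 'chmod g-x' is 761: the page's second listing
```

Running it reproduces the "effective" column of the second listing above; feeding it a real acl show dump lets you check which named principals are silently cut down by mask_obj before granting access.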

  11. Can I apply changes to the Access Control List (ACL) recursively?
    The CAC Unix group has a recursive DCE ACL script that is kept in /.../dce.psu.edu/fs/solaris/usr/local/bin for Solaris and /.../dce.psu.edu/fs/rs_aix/usr/local/bin for AIX called dcerchacl. Here is the script header:
    # rchacl: A recursive ACL listing and editing utility. Allows to list, modify and
    #         delete ACL entries for all files and/or directories beneath a given
    #         directory. As with any recursive tools, use only with care!
    #
    # Modify or delete ACL entries:
    #   rchacl <DFS-Dir> {-m|-d} <acl_entry> [-io|-ic|-f|-d]
    #
    # List ACL entries:
    #   rchacl <DFS-Dir> -l [-io|-ic|-f|-d]
    #
    # Flags: -m  modify specified ACL entries
    #        -d  delete specified ACL entries
    #        -l  list ACLs
    #        -io 'initial object' (directories only)
    #        -ic 'initial container' (directories only)
    #        -f  files only, do not list/modify/delete directory ACLs
    #        -d  directories only, do not list/modify/delete file ACLs
    #        acl_entry is an ACL entry, e.g. user:foo:rwx---
    #
    # Note: The recursive processing does NOT follow symbolic links. If, for
    #       example, /: is specified as directory, rchacl will not change/list
    #       any ACLs of files or directories beneath it (since /: is a symbolic
    #       link to /.../<cell name>/fs).
    #
    # This tool is provided AS IS, use at your own risk.

Last modified Thursday, 27-Mar-2003 12:39:57 EST. Student Activity Server Committee