University Computer Centre
AFS Access Protection

Access Protection for Web Documents in the AFS File System

In addition to access protection via the web, access protection in the file system must also be considered.

The web space, i.e. the storage space for web documents and scripts for the central web servers of the TU Chemnitz, is located in the AFS file system, a distributed file system, which is accessible from many computers. When accessing the documents conventionaly through web browsers the web server evaluates the access restrictions set via .htaccess. When accessing through the AFS file system, only the set AFS rights apply - see also What is an ACL?.

For example, in a folder with lecture notes read permission are granted to everyone, therefore everyone may read this data in the AFS file system, even if web access is restricted. Since the web server always needs read permissions, in principle all web applications can also read all files.

Therefore the urgent recommendation:
  • Either encrypt files with sensitive content or make them available via a dedicated web server, e.g. on an own virtual server.
  • Protect web applications with secrets, e.g. PHP scripts with database passwords, with the secure secrets procedure.

The AFS access rights are to be set as follows (these rights then apply to all files in the directory):

Data worth protecting should not have read permission to everybody:
  • "User" system:anyuser should not have any rights, e.g. remove rights for current directory:
    • Linux command: fs setacl . system:anyuser none

For the central web server www.tu-chemnitz.de the "user" ip:www-server should be granted appropriate rights:

  • Reading and listing permitted: ip:www-server rl
  • This means that all programs on the web server have read permission, including scripts from other areas. This is therefore not a secure protection for sensitive data.
  • If write permissions are required for an application, please read Notes on risks and protective measures.

For the web server of the homepages of our users www-user.tu-chemnitz.de the following rights are to be granted to the "user" ip:www-user:

  • Reading and listing permitted: ip:www-user rl
  • This means that all programs on the web server have read permission, including scripts from other users. This is therefore not a secure protection for sensitive data.
  • If necessary, additionally allow writing permissions: ip:www-user rlidwk
    Attention: Every application on the server is then allowed to write!

Set AFS Access Rights

There are several possibilities for setting AFS access rights:

  • Via the Web-based file manager WFM in the web browser: https://login.tu-chemnitz.de/wfm/:
    • Move to the relevant directory
    • Under "AFS-Zugriffsrechte ... -> Details / Ă„ndern" (engl.: AFS access rights ... -> details / change), e.g.:
AFS access rights in the WFM
  • Log into a Linux system (e.g. login.tu-chemnitz.de), there, the corresponding shell commands can be issued, e.g.
    • fs setacl directory name user rights
    • e.g. fs setacl /afs/tu-chemnitz.de/www/root/urz/auth ip:www-server rl
  • For Windows (in the Admin Service of the URZ) via the Windows file manager (Explorer):
    • Move to the corresponding directory (network drive)
    • There via right mouse key -> AFS -> Access Control lists...