Users, Groups and ACLs

The standalone AMGA server comes with a powerful system to manage users as well as to control access to entries and metadata. If AMGA is run as an add on to a file catalogue, however, these features are not available and the access controls of the file catalogue is used instead.

The permission schema tries to copy the semantics of POSIX APIs. Some of the semantics are different from the POSIX semantics for a file system as AMGA is a metadata catalogue. As an example, it is necessary to have the 'x' permission for a directory to read the attribute list, while 'r' permissions for any file are necessary to read the values of the attributes for a file. The exact behaviour is described together with the respective commands.

Users

The size of a username is limited to 64 lower-case latin alphabet characters.

Groups

Any user can create groups. Group names are scoped with the name of the user creating them. A fully qualified group name has the form user:groupname. If the user scope of the group is the current user, it does not need to be specified in a command. The size of groupname is limited to 64 lower-case latin alphabet characters.

A special group exists and is maintained by AMGA internally, the system:anyuser group which contains automatically any user which is authenticated to the system. Using this group it is possible to emulate the permissions for 'other'-users in a Unix filesystem which are missing in AMGA.

The following commands can be used to manage groups:

grp_create groupname: Creates a new group with name groupname. It is not possible to create groups belonging to others.
grp_delete groupname: Deletes a group with name groupname. Only root can delete groups of other users.
grp_show groupname: Shows all the members belonging to group groupname. You can only look into groups of which you are a member or your own groups. Root can list all groups.
grp_adduser groupname user: Adds a user to a group. Only owners of a group or root can change group memebership.
grp_removeuser groupname user: Removes a user from a group. Only owners of a group or root can change group memebership.
grp_member [user]: Shows to which groups a user belongs. Only root can ask this question for other users.
grp_list [-a] [user]: Shows the groups owned by user, by default the current user. If the -a option is given, all groups are shown.

Access Control Lists

ACLs (Access Control Lists) can be assigned to any directory.

The following commands exist to manipulate ACLs of a directory.

acl_add directory group rights
acl_remove directory group: You can use the "*" to remove all ACLs of a directory.
acl_show directory

On MySQL5 or PostgreSQL you can create directories with the "acls" option, which will allow you to put ACLs also on individual files.

The sudo command

Since AMGA 2.0 a sudo command exists, which allows the root user to become any other user. The syntax is: sudo <user>

The sticky bit

Since AMGA 2.0 a sticky bit exists, which allows an entry inside a directory to be renamed or deleted only by the entry's owner, or superuser when it is set. To set a sticky bit on a directory, use chmod command with permission "t".

      Query>   chmod  /test   rwt

Generated on Mon Apr 16 13:59:18 2012 for AMGA by

1.4.7