Protecting your files on the AFS file system

The Andrew File System is a world-wide distributed file system linking hundreds of universities and organizations, including CERN. Files can be accessed from anywhere, via dedicated AFS client programs or via web interfaces that export the file contents on the web. Because AFS is so easy to access, it is of utmost importance to properly protect access to sensitive data stored in it. As the use of AFS access control mechanisms is not obvious to all users, passwords, private SSH keys and certificates have been exposed in the past. In one specific instance, this also led to bad publicity when a journalist accessed supposedly "private" AFS folders (SonntagsZeitung 2009/11/08). This problem not only affects the individual user but also damages CERN's reputation when it comes to IT security.

Therefore, all departments and LHC experiments agreed in April 2010 to apply more stringent folder protections to all AFS user folders. The goal of this data protection policy is to assist users in protecting their data on AFS. In order to apply this policy, the AFS Service has started to perform regular compliance checks by scanning all AFS home directories at CERN (group, project and scratch folders are not affected). The access rights of these folders will be automatically and regularly reviewed and corrected in order to enforce the corresponding policy:

  • Access to "~/" (home) folders will be limited such that anonymous users can only list the contents;
  • Access to "~/private" folders will be fully blocked to anonymous users;
  • Access to "~/public" folders can be opened to be readable for anonymous users;
  • Simultaneous read and write rights to any folder are prohibited for anonymous users;
  • Special care will be taken with "~/www" folders.
  • (Anonymous users are defined to be any potentially very large group of people, for example all CERN or AFS users.)

The deployment has already started for the IT Department and will subsequently address all other departments during Spring 2011. Prior to any automatic action, users will receive an e-mail notification about upcoming corrections. A script in line with the aforementioned rules has been made available. It allows interactive correction of AFS ACLs on home folders:

/afs/cern.ch/project/afs/etc/correct_acls

Yours,
the AFS Service and the Computer Security Team


P.S. For the experts, note that AFS access protections (per-directory ACLs) are configured differently from Linux/POSIX file permissions.
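As an added illustration (not the AFS Service's correct_acls script, whose contents are not shown here), the following shell function checks a captured "fs listacl" listing against the rules listed above; it assumes that the anonymous groups are the standard AFS groups system:anyuser and system:authuser, and the sample listings are constructed, not real CERN directories.

```shell
# Added example, not the AFS Service's correct_acls script. It checks a captured
# 'fs listacl' listing against the rules above without calling 'fs'. Assumption:
# "anonymous" means the standard AFS groups system:anyuser and system:authuser.
is_anonymous() {
    case "$1" in system:anyuser|system:authuser) return 0 ;; *) return 1 ;; esac
}

# check_acl KIND LISTING  (KIND: home|private|public|other; LISTING: 'fs listacl' text)
# Prints one line per violation; returns 0 if compliant, 1 otherwise. Entries under
# "Negative rights:" only remove rights and are skipped, so it can only err strict.
check_acl() {
    kind=$1 listing=$2 status=0 section=normal
    while read -r who rights rest; do
        case "$who" in
            ''|Access) continue ;;                  # blank or "Access list for ... is"
            Normal)    section=normal;   continue ;;
            Negative)  section=negative; continue ;;
        esac
        [ "$section" = normal ] && is_anonymous "$who" || continue
        case "$kind" in                             # rights beyond what the policy allows
            home)    excess=$(printf '%s' "$rights" | tr -d l) ;;
            private) excess=$rights ;;
            public)  excess=$(printf '%s' "$rights" | tr -d rl) ;;
            *)       excess= ;;
        esac
        [ -z "$excess" ] || { echo "$kind: $who has '$rights', more than allowed"; status=1; }
        case "$rights" in                           # rule for every folder: never r with w
            *r*w*|*w*r*) echo "$kind: $who may both read and write"; status=1 ;;
        esac
    done <<EOF
$listing
EOF
    return $status
}

# Constructed sample listings, not real CERN directories
HOME_BAD='Access list for /afs/cern.ch/user/j/jdoe is
Normal rights:
  jdoe rlidwka
  system:anyuser rl'
HOME_OK='Normal rights:
  jdoe rlidwka
  system:anyuser l'
check_acl home "$HOME_BAD" || echo "home: NOT compliant"
check_acl home "$HOME_OK"  && echo "home: compliant"
```

On a machine with an AFS client, the listing argument can be produced with "fs listacl ~/private" and fed to check_acl with KIND private.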