AFS uses ACLs, a more elaborate permissions model than the traditional Unix rwx modes. (The advantage is not that great any more, now that POSIX ACLs are available for Linux.)
However, there are a few intrinsic AFS properties that must be mentioned:
- AFS ACLs are per directory. All contained files inherit the directory's ACL. (A subdirectory can define its own ACL, of course.)
- When a subdirectory is created, it inherits the ACL of its parent. (A much better approach than on Unix filesystems, where you need +s on the immediate parent directory to get this behavior.)
- It's possible to make user files unreadable to an attacker, even if they break into the "root" account on the machine.
Permissions and quota
To give $USER.daemon actual permissions in AFS space, fs setacl DIR $USER.daemon read (or write) is good for most common actions. All subdirectories later created within the top-level directory on which you set the permissions will, as said, inherit them, and this is what you want in 99% of the cases.
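Because ACLs are per directory and are copied into every new subdirectory, it is worth confirming what was actually granted before relying on it. The following is an added example, not part of the original page: it parses `fs listacl` output and checks a principal's rights, including cancellation by a negative entry. The function names and the sample cell, path and users are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: confirm that a principal really holds the rights you meant
# to grant, by parsing the text printed by `fs listacl DIR`.

# Constructed sample in the layout printed by OpenAFS `fs listacl`
# (cell name, path and users are made up).
sample_listacl() {
cat <<'EOF'
Access list for /afs/example.org/user/alice/www is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  alice.daemon rl
  carol rl
Negative rights:
  carol l
EOF
}

# Expand the fs setacl shorthands into individual right letters.
expand_rights() {
    case $1 in
        read)  echo rl ;;
        write) echo rlidwk ;;
        all)   echo rlidwka ;;
        *)     echo "$1" ;;
    esac
}

# check_acl PRINCIPAL RIGHTS  (listacl output on stdin)
# Succeeds only if every wanted right is granted to PRINCIPAL under
# "Normal rights" and none of them is cancelled under "Negative rights".
# Only entries naming PRINCIPAL itself are considered; rights obtained
# through group entries are not expanded.
check_acl() {
    awk -v who="$1" -v want="$(expand_rights "$2")" '
        /^Normal rights:/   { section = "pos"; next }
        /^Negative rights:/ { section = "neg"; next }
        $1 == who           { rights[section] = $2 }
        END {
            for (i = 1; i <= length(want); i++) {
                r = substr(want, i, 1)
                if (index(rights["pos"], r) == 0 || index(rights["neg"], r) > 0) {
                    exit 1
                }
            }
        }
    '
}
```

Against a live cell, pipe the real listing in: `fs listacl DIR | check_acl "$USER.daemon" read`.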
Listing and setting quotas
To list volume quota, run
fs lq DIR
To set volume quota in 1-kilobyte blocks, run
fs sq DIR -max SIZE