[hcoop/debian/openafs.git] / doc / man-pages / pod1 / fs_setcell.pod

=head1 NAME

fs_setcell - Configures permissions for setuid programs from specified cells

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<fs setcell> S<<< B<-cell> <I<cell name>>+ >>> [B<-suid>] [B<-nosuid>] [B<-help>]

B<fs setce> S<<< B<-c> <I<cell name>>+ >>> [B<-s>] [B<-n>] [B<-h>]

=for html
</div>

=head1 DESCRIPTION

The B<fs setcell> command sets whether the Cache Manager allows programs
(and other executable files) from each cell named by the B<-cell> argument
to run with setuid permission. By default, the Cache Manager allows
programs from its home cell to run with setuid permission, but not
programs from any foreign cells. A program belongs to the same cell as the
file server machine that houses the volume in which the program's binary
file resides, as specified in the file server machine's
F</usr/afs/etc/ThisCell> file. The Cache Manager determines its own home
cell by reading the F</usr/vice/etc/ThisCell> file at initialization.

To enable programs from each specified cell to run with setuid permission,
include the B<-suid> flag. To prohibit programs from running with setuid
permission, include the B<-nosuid> flag, or omit both flags.

The B<fs setcell> command directly alters a cell's setuid status as
recorded in kernel memory, so rebooting the machine is unnecessary.
However, non-default settings do not persist across reboots of the machine
unless the appropriate B<fs setcell> command appears in the machine's AFS
initialization file.

To display a cell's setuid status, issue the B<fs getcellstatus> command.

=head1 CAUTIONS

AFS does not recognize effective UID: if a setuid program accesses AFS
files and directories, it does so using the current AFS identity of the
AFS user who initialized the program, not of the program's owner.  Only
the local file system recognizes effective UID.

Only members of the system:administrators group can turn on the setuid
mode bit on an AFS file or directory.

When the setuid mode bit is turned on, the UNIX C<ls -l> command displays
the third user mode bit as an C<s> instead of an C<x>. However, the C<s>
does not appear on an AFS file or directory unless setuid permission is
enabled for the cell in which the file resides.

=head1 OPTIONS

=over 4

=item B<-cell> <I<cell name>>+

Names each cell for which to set setuid status. Provide the fully
qualified domain name, or a shortened form that disambiguates it from the
other cells listed in the local F</usr/vice/etc/CellServDB> file.

=item B<-suid>

Allows programs from each specified cell to run with setuid
privilege. Provide it or the B<-nosuid> flag, or omit both flags to
disallow programs from running with setuid privilege.

=item B<-nosuid>

Prevents programs from each specified cell from running with setuid
privilege. Provide it or the B<-suid> flag, or omit both flags to disallow
programs form running with setuid privilege.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 EXAMPLES

The following command enables executable files from the Example Organization
cell to run with setuid privilege on the local machine:

   % fs setcell -cell example.org -suid

=head1 PRIVILEGE REQUIRED

The issuer must be logged in as the local superuser root.

=head1 SEE ALSO

L<fs_getcellstatus(1)>

=head1 COPYRIGHT

IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0.  It was
converted from HTML to POD by software written by Chas Williams and Russ
Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.
Commit	Line	Data
805e021f CE	1	=head1 NAME
	2
	3	fs_setcell - Configures permissions for setuid programs from specified cells
	4
	5	=head1 SYNOPSIS
	6
	7	=for html
	8	<div class="synopsis">
	9
	10	B<fs setcell> S<<< B<-cell> <I<cell name>>+ >>> [B<-suid>] [B<-nosuid>] [B<-help>]
	11
	12	B<fs setce> S<<< B<-c> <I<cell name>>+ >>> [B<-s>] [B<-n>] [B<-h>]
	13
	14	=for html
	15	</div>
	16
	17	=head1 DESCRIPTION
	18
	19	The B<fs setcell> command sets whether the Cache Manager allows programs
	20	(and other executable files) from each cell named by the B<-cell> argument
	21	to run with setuid permission. By default, the Cache Manager allows
	22	programs from its home cell to run with setuid permission, but not
	23	programs from any foreign cells. A program belongs to the same cell as the
	24	file server machine that houses the volume in which the program's binary
	25	file resides, as specified in the file server machine's
	26	F</usr/afs/etc/ThisCell> file. The Cache Manager determines its own home
	27	cell by reading the F</usr/vice/etc/ThisCell> file at initialization.
	28
	29	To enable programs from each specified cell to run with setuid permission,
	30	include the B<-suid> flag. To prohibit programs from running with setuid
	31	permission, include the B<-nosuid> flag, or omit both flags.
	32
	33	The B<fs setcell> command directly alters a cell's setuid status as
	34	recorded in kernel memory, so rebooting the machine is unnecessary.
	35	However, non-default settings do not persist across reboots of the machine
	36	unless the appropriate B<fs setcell> command appears in the machine's AFS
	37	initialization file.
	38
	39	To display a cell's setuid status, issue the B<fs getcellstatus> command.
	40
	41	=head1 CAUTIONS
	42
	43	AFS does not recognize effective UID: if a setuid program accesses AFS
	44	files and directories, it does so using the current AFS identity of the
	45	AFS user who initialized the program, not of the program's owner. Only
	46	the local file system recognizes effective UID.
	47
	48	Only members of the system:administrators group can turn on the setuid
	49	mode bit on an AFS file or directory.
	50
	51	When the setuid mode bit is turned on, the UNIX C<ls -l> command displays
	52	the third user mode bit as an C<s> instead of an C<x>. However, the C<s>
	53	does not appear on an AFS file or directory unless setuid permission is
	54	enabled for the cell in which the file resides.
	55
	56	=head1 OPTIONS
	57
	58	=over 4
	59
	60	=item B<-cell> <I<cell name>>+
	61
	62	Names each cell for which to set setuid status. Provide the fully
	63	qualified domain name, or a shortened form that disambiguates it from the
	64	other cells listed in the local F</usr/vice/etc/CellServDB> file.
65
66	=item B<-suid>
67
68	Allows programs from each specified cell to run with setuid
69	privilege. Provide it or the B<-nosuid> flag, or omit both flags to
70	disallow programs from running with setuid privilege.
71
72	=item B<-nosuid>
73
74	Prevents programs from each specified cell from running with setuid
75	privilege. Provide it or the B<-suid> flag, or omit both flags to disallow
76	programs form running with setuid privilege.
77
78	=item B<-help>
79
80	Prints the online help for this command. All other valid options are
81	ignored.
82
83	=back
84
85	=head1 EXAMPLES
86
87	The following command enables executable files from the Example Organization
88	cell to run with setuid privilege on the local machine:
89
90	% fs setcell -cell example.org -suid
91
92	=head1 PRIVILEGE REQUIRED
93
94	The issuer must be logged in as the local superuser root.
95
96	=head1 SEE ALSO
97
98	L<fs_getcellstatus(1)>
99
100	=head1 COPYRIGHT
101
102	IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.
103
104	This documentation is covered by the IBM Public License Version 1.0. It was
105	converted from HTML to POD by software written by Chas Williams and Russ
106	Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.