Project and share group directories can be used to share data. Unix groups, file modes and access control lists are available to configure permissions.

Unix Groups

Each user is a member of one or more groups:

  • a personal group (the group name is the same as the user name)

  • project groups

  • share groups

Use the groups command to get a list of your groups:

    blogin4:~ $ groups
    myaccount prj00012

The amount of disk space that can be used by a group is limited. show-quota lists your groups together with their disk usage and limits. See System Quota for more information on Quotas.

File Modes

File modes are the traditional way to control read, write and execute permissions. A file is owned by exactly one group, and the file mode controls access for the group members.

Use chgrp to change the group of a file:

    $ chgrp -c prj00012 /scratch/projects/prj00012/somefile.txt

Use chgrp -R to recursively change the group of a whole directory:

    $ chgrp -Rfc prj00012 /scratch/projects/prj00012

The file mode contains three sets of permissions: for the owning user, for the owning group, and for other users. ls -l shows modes, owners, and groups:

    $ ls -l somefile.txt
    -rw-------   1 myaccount prj00012 237271040 Jul  3  2020 somefile.txt

Access for group members

Once a file (or a complete directory) has the desired group ownership, the file may be accessed by other users in the group, provided the file mode grants the group the necessary permissions.

Note: Execute permission on a directory means the ability to enter it and to access its entries by name (called "search" in the chmod man page); listing the names additionally requires read permission. If you want other users to access files in a directory, they need execute permission on the directory and on all of its parent directories.

File access for group:

    blogin4:~ $ ls -l somefile.txt
    -rw-------  1 myaccount prj00012 237271040 Jul  3  2020 somefile.txt
    blogin4:~ $ chmod g+r somefile.txt
    blogin4:~ $ ls -l somefile.txt
    -rw-r-----  1 myaccount prj00012 237271040 Jul  3  2020 somefile.txt

Directory access for group:

    blogin4:~ $ ls -ld somedirectory
    drwx------  1 myaccount  prj00012      4096 Jul  3  2020 somedirectory
    blogin4:~ $ chmod -R g+rX somedirectory
    blogin4:~ $ ls -ld somedirectory
    drwxr-x---  1 myaccount  prj00012      4096 Jul  3  2020 somedirectory

Use chmod to allow group members to read a file:

    $ chmod -c g+r /scratch/projects/prj00012/somefile.txt

Use chmod -R to recursively give group members read and write access to a whole directory:

    $ chmod -Rfc g+rwX /scratch/projects/prj00012

Note: The X permission sets execute ("search") only on directories (and on files that already have execute permission for some user), so ordinary data files do not become executable.

If the "set group ID" bit is set on directories, newly created files will automatically be owned by the project group. If not already the case, you can use find to list all subdirectories and run chmod on them:

    $ find /scratch/projects/prj00012 -type d -exec chmod -fc g+s {} \;

Note that the above commands can only adjust files and directories you own. The other project members need to run the commands on the files they own.

For more information, see the man pages of chgrp and chmod.

The Rocky Linux System Administrator's Guide has a section on "File attributes": https://docs.rockylinux.org/books/admin_guide/07-file-systems/#file-attributes

The Arch Linux wiki also has documentation on file permissions: https://wiki.archlinux.org/title/File_permissions_and_attributes

Access Control Lists (ACL)

Access control lists (ACL) offer a more flexible, but also significantly more complex approach. With ACLs, permissions can be set for more than one group, and you can share files with groups that you are not a member of.

ls -l shows a + sign at the end of the mode string for files and directories that have an ACL:

    $ ls -l somefile.txt
    -rw-r-----+ 1 myaccount prj00012 237271040 Jul  3  2020 somefile.txt
    $ ls -ld /scratch/projects/prj00012
    drwxrws---+ 3 root prj00012 4096 Jul 11 11:27 /scratch/projects/prj00012

Use getfacl to show an ACL:

    $ getfacl somefile.txt
    # file: somefile.txt
    # owner: myaccount
    # group: prj00012
    user::rw-
    group::---
    group:prj00034:rw-
    mask::rw-
    other::---

The mask entry caps the permissions of all named user and group entries (here group:prj00034). On a file with an ACL, the group bits shown by ls -l are the mask, so a chmod of the group bits changes the mask and can silently reduce what the named groups may do.
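The mask is where ACLs most often surprise people: getfacl prints each named entry as it was requested, but the kernel grants only the intersection of that entry with the mask, and a plain chmod of the group bits rewrites the mask. The following shell function is an added example, not part of the NHR documentation: it parses getfacl output and prints the permissions a named group effectively gets. The function name is hypothetical, and two constructed getfacl samples are embedded so it runs without setfacl installed.

```shell
#!/bin/sh
# Compute the permissions a named group effectively gets from an ACL, i.e. the
# entry intersected with the mask, the way the kernel evaluates it.
# Added example, not part of the NHR documentation; function name is hypothetical.

# Usage: acl_effective_group GROUP < getfacl-output
# Prints the effective rwx string, or "none" if the group has no entry.
acl_effective_group() {
    awk -F: -v grp="$1" '
        /^#/ || NF == 0 { next }                 # skip header comments and blank lines
        $1 == "default" { next }                 # default ACL entries grant no access themselves
        { sub(/[ \t]+#.*$/, "", $3) }            # drop "#effective:..." annotations getfacl appends
        $1 == "group" && $2 == grp { perms = $3 }
        $1 == "mask"               { mask  = $3 }
        END {
            if (perms == "") { print "none"; exit }
            if (mask  == "") { print perms;  exit } # no mask entry: the entry applies as-is
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perms, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

# Constructed sample: the ACL shown above, as getfacl prints it.
ACL_OPEN='# file: somefile.txt
# owner: myaccount
# group: prj00012
user::rw-
group::---
group:prj00034:rw-
mask::rw-
other::---'

# Constructed sample: the same file after "chmod g-w somefile.txt". The chmod
# rewrote the mask, and getfacl annotates the entry that is now restricted.
ACL_MASKED='# file: somefile.txt
# owner: myaccount
# group: prj00012
user::rw-
group::---
group:prj00034:rw-	#effective:r--
mask::r--
other::---'

printf '%s\n' "$ACL_OPEN"   | acl_effective_group prj00034   # rw-
printf '%s\n' "$ACL_MASKED" | acl_effective_group prj00034   # r--
printf '%s\n' "$ACL_MASKED" | acl_effective_group prj00012   # none
```

To check a real file, pipe getfacl into the function: `getfacl somefile.txt | acl_effective_group prj00034`. If the result is less than the entry you set with setfacl, look at the mask line before adding further entries.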

Use setfacl -m  to modify an ACL, and allow read access for a project group:

    $ setfacl -m g:prj00012:r /scratch/projects/prj00012/somefile.txt

Use setfacl -R -m to modify ACLs recursively, and allow read, write and execute ("search") permissions for group members:

    $ setfacl -R -m g:prj00012:rwX /scratch/projects/prj00012

getfacl now shows the new entry:

    $ getfacl /scratch/projects/prj00012/somefile.txt
    ...
    group:prj00012:r--
    ...

A default ACL can be configured on a directory; it is applied automatically to files and subdirectories created in that directory later. Use setfacl -R -d -m to set a default ACL recursively:

    $ setfacl -R -d -m g:prj00012:rwX /scratch/projects/prj00012/somedir

getfacl will show the default ACL as follows:

    $ getfacl /scratch/projects/prj00012/somedir/
    ...
    default:user::rwx
    default:group::r-x
    default:group:prj00012:rwx
    default:mask::rwx
    default:other::---

With ACLs, you can allow access to files for other users and groups, even if you're not a member of the group. For instance, to make a file in your home directory available to the members of project prj00034, give execute permission for the directory, and read permission for the file:

    $ setfacl -m g:prj00034:X ~
    $ setfacl -m g:prj00034:r ~/somefile.txt

For more information, see the man pages of getfacl, setfacl, and acl.

The Rocky Linux System Administrator's Guide has a section on "ACL permissions": https://docs.rockylinux.org/books/admin_guide/14-special-authority/#acl-permissions

The Arch Linux wiki also has documentation on access control lists: https://wiki.archlinux.org/title/Access_Control_Lists

Project and Share Group Directories

For new project and share directories, the default permissions are set as follows:

  • Owning user is root

  • Owning group is the project or share group

  • Mode is 2770 (rwxrws---)

  • Default ACL is group:GID:rwx

getfacl will show this as follows:

    blogin9:~ $ getfacl /scratch/projects/prj00012
    # file: scratch/projects/prj00012
    # owner: root
    # group: prj00012
    # flags: -s-
    user::rwx
    group::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:prj00012:rwx
    default:mask::rwx
    default:other::---

Because the top-level project and share group directories in HOME and WORK are owned by root, you cannot change their mode or ACL yourself; this needs the help of an administrator. Please send your requests to support@nhr.zib.de.

World-Writable Files and Directories

It is not allowed to make user, project or share directories world-writable (e.g. using chmod 777). Instead, adjust permissions as outlined above.
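The conventions on this page (project group ownership, set-group-ID on directories, group "search" permission on directories, and no world-writable entries) can be checked before handing a directory over to a project. The following script is an added example, not part of the NHR documentation: it walks a directory and reports every entry that deviates, then demonstrates the audit on a small constructed directory tree. The function names are hypothetical; the script only reports and leaves the fix to the chgrp and chmod commands shown above, and it uses POSIX find only, so it runs on any login node.

```shell
#!/bin/sh
# Audit a project or share directory for the permission problems discussed on
# this page. Added example, not part of the NHR documentation; function names
# are hypothetical. Only POSIX find/chmod are used.

# Print every path matched by a find expression, prefixed with a label.
# Symbolic links are skipped: their own mode bits are meaningless.
report() {
    label=$1; shift
    find "$@" ! -type l | sed "s|^|$label: |"
}

# Usage: audit_project_dir DIR GROUP
# Prints one line per finding ("<label>: <path>"); prints nothing if all is well.
audit_project_dir() {
    dir=$1
    grp=$2
    report wrong-group     "$dir" ! -group "$grp"          # not owned by the project group
    report missing-setgid  "$dir" -type d ! -perm -2000     # new files would not inherit the group
    report no-group-search "$dir" -type d ! -perm -0010     # group members cannot enter
    report world-writable  "$dir" -perm -0002               # forbidden on user/project/share dirs
}

# Build a constructed tree with two deliberate problems, run the audit,
# show the findings on stderr and print their number on stdout.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/data/sub"
    : > "$tmp/data/ok.txt"
    : > "$tmp/data/sub/open.txt"
    chmod 2770 "$tmp/data"               # as a project directory should look
    chmod 0770 "$tmp/data/sub"           # set-group-ID bit missing
    chmod 0660 "$tmp/data/ok.txt"        # fine
    chmod 0666 "$tmp/data/sub/open.txt"  # world-writable
    findings=$(audit_project_dir "$tmp/data" "$(id -g)")
    rm -rf "$tmp"
    printf '%s\n' "$findings" >&2
    printf '%s\n' "$findings" | grep -c .   # 2
}

demo_audit
```

Run it against a real project directory with `audit_project_dir /scratch/projects/prj00012 prj00012`; remember that, as the page notes, you can only fix the entries you own, so findings under other members' files need their action.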
