Sharing data
Project and share group directories can be used to share data. Unix groups, file modes and access control lists are available to configure permissions.
Unix Groups
Each user is a member of one or more groups:
a personal group (the group name is the same as the user name)
project groups
share groups
Use the groups command to get a list of your groups.
The amount of disk space that can be used by a group is limited. show-quota lists your groups together with their disk usage and limits. See System Quota for more information on quotas.
File Modes
File modes are the traditional way to control read, write and execute permissions. A file is owned by exactly one group, and the file mode controls access for the group members.
Use chgrp to change the group of a file:
$ chgrp -c prj00012 /scratch/projects/prj00012/somefile.txt
Use chgrp -R to recursively change the group of a whole directory:
$ chgrp -Rfc prj00012 /scratch/projects/prj00012
The file mode contains three sets of permissions: for the owning user, the owning group, and for other users. ls -l shows modes, owners, and groups:
$ ls -l somefile.txt
-rw------- 1 myaccount prj00012 237271040 Jul 3 2020 somefile.txt
Note: Execute permission on directories means the ability to enter a directory and to list the contents (also called "search" in the chmod man page). If you want other users to access files in a directory, they need execute permission on the directory and all parent directories.
Use chmod to allow group members to read a file:
$ chmod -c g+r /scratch/projects/prj00012/somefile.txt
Use chmod -R to recursively allow group members read and write access to a whole directory:
$ chmod -Rfc g+rwX /scratch/projects/prj00012
Note: The X permission allows execute ("search") for directories.
If the "set group ID" bit is set on directories, newly created files will automatically be owned by the project group. If not already the case, you can use find to list all subdirectories and run chmod on them:
$ find /scratch/projects/prj00012 -type d -exec chmod -fc g+s {} \;
Note that the above commands can only adjust files and directories you own. The other project members need to run the commands on the files they own.
For more information, see the man pages of chgrp and chmod.
The Rocky Linux System Administrator's Guide has a section on "File attributes": File System - Documentation
The Arch Linux wiki also has documentation on file permissions: File permissions and attributes - ArchWiki
Access Control Lists (ACL)
Access control lists (ACL) offer a more flexible, but also significantly more complex approach. With ACLs, permissions can be set for more than one group, and you can share files with groups that you are not a member of.
ls -l will show a + sign at the end of the mode string for files and directories that have an ACL.
$ ls -l somefile.txt
-rw-r-----+ 1 myaccount prj00012 19 Jul 3 2020 somefile.txt
$ ls -ld /scratch/projects/prj00012
drwxrws---+ 3 root prj00012 4096 Jul 11 11:27 /scratch/projects/prj00012
Use getfacl to show an ACL:
$ getfacl somefile.txt
# file: somefile.txt
# owner: myaccount
# group: prj00012
user::rw-
group::---
group:prj00034:rw-
mask::rw-
other::---
Use setfacl -m to modify an ACL, and allow read access for a project group:
$ setfacl -m g:prj00012:r /scratch/projects/prj00012/somefile.txt
Use setfacl -R -m to modify ACLs recursively, and allow read, write and execute ("search") permissions for group members:
$ setfacl -R -m g:prj00012:rwX /scratch/projects/prj00012
Use getfacl to show an ACL:
$ getfacl /scratch/projects/prj00012/somefile.txt
...
group:prj00012:r--
...
A default ACL can be configured on a directory; it is later applied to files newly created in that directory. Use setfacl -R -d -m to create a default ACL recursively:
$ setfacl -R -d -m g:prj00012:rwX /scratch/projects/prj00012/somedir
getfacl will show the default ACL as follows:
$ getfacl /scratch/projects/prj00012/somedir/
...
default:user::rwx
default:group::r-x
default:group:prj00012:rwx
default:mask::rwx
default:other::---
With ACLs, you can allow access to files for other users and groups, even if you're not a member of the group. For instance, to make a file in your home directory available to the members of project prj00034, give execute permission for the directory, and read permission for the file:
$ setfacl -m g:prj00034:X ~
$ setfacl -m g:prj00034:r ~/somefile.txt
For more information, see the man pages of getfacl, setfacl, and acl.
The Rocky Linux System Administrator's Guide has a section on "ACL permissions": Special Authority - Documentation
The Arch Linux wiki also has documentation on access control lists: Access Control Lists - ArchWiki
Project and Share Group Directories
For new project and share directories, the default permissions are set as follows:
Owning user is root
Owning group is the project or share group
Mode is 2770 (rwxrws---)
Default ACL is group:GID:rwx
getfacl will show this as follows:
$ getfacl /scratch/projects/prj00012
# file: scratch/projects/prj00012
# owner: root
# group: prj00012
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:prj00012:rwx
default:mask::rwx
default:other::---
Because the top-level project and share group directories in HOME and WORK are owned by root, you cannot change their mode or ACL directly, but need the help of an administrator. Please send your requests to support@nhr.zib.de
World-Writable Files and Directories
It is not allowed to make user, project or share directories world-writable (e.g. using chmod 777). Instead, adjust permissions as outlined above.
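The checks described on this page (project group ownership, the "set group ID" bit on directories, no world-writable entries) can be combined into a read-only audit. This is an added example, not part of the original documentation; the function name audit_share_dir and its output labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original documentation): read-only audit of a
# shared directory tree. It reports problems and changes nothing.
#
# usage: audit_share_dir DIR GROUP
#   WORLD-WRITABLE  entry is writable by "other" (not allowed, see above)
#   NO-SETGID       directory lacks the set-group-ID bit, so files created
#                   in it will not automatically belong to the project group
#   WRONG-GROUP     entry is not owned by GROUP (group name or numeric GID)
# Prints one line per finding; returns 0 if the tree is clean, 1 otherwise.
# Assumes path names without embedded newlines.
audit_share_dir() {
    audit_dir=$1
    audit_grp=$2
    audit_out=$(
        # Symbolic links always show mode 777 and carry no permissions of
        # their own, so they are skipped.
        find "$audit_dir" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        find "$audit_dir" -type d ! -perm -2000 -print | sed 's/^/NO-SETGID /'
        find "$audit_dir" ! -type l ! -group "$audit_grp" -print | sed 's/^/WRONG-GROUP /'
    )
    if [ -z "$audit_out" ]; then
        return 0
    fi
    printf '%s\n' "$audit_out"
    return 1
}

# Example call, using the project directory from this page:
#   audit_share_dir /scratch/projects/prj00012 prj00012
```

Findings on entries owned by other project members have to be fixed by those members, since chgrp and chmod only work on files you own.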