Sharing data


Project and share group directories can be used to share data. Unix groups, file modes and access control lists are available to configure permissions.

Unix Groups

Each user is a member of one or more groups:

  • a personal group (the group name is the same as the user name)

  • project groups

  • share groups

Use the groups command to list your groups.

The amount of disk space that can be used by a group is limited. show-quota lists your groups together with their disk usage and limits. See System Quota for more information on quotas.

File Modes

File modes are the traditional way to control read, write and execute permissions. A file is owned by exactly one group, and the file mode controls access for the group members.

Use chgrp to change the group of a file:

$ chgrp -c prj00012 /scratch/projects/prj00012/somefile.txt

Use chgrp -R to recursively change the group of a whole directory:

$ chgrp -Rfc prj00012 /scratch/projects/prj00012

The file mode contains three sets of permissions: for the owning user, for the owning group, and for other users. ls -l shows modes, owners, and groups:

$ ls -l somefile.txt
-rw-------  1 myaccount prj00012 237271040 Jul  3  2020 somefile.txt

Note: Execute permission on directories means the ability to enter a directory and to list its contents (also called "search" in the chmod man page). If you want other users to access files in a directory, they need execute permission on the directory and on all of its parent directories.

Use chmod to allow group members to read a file:

$ chmod -c g+r /scratch/projects/prj00012/somefile.txt

Use chmod -R to recursively grant group members read and write access to a whole directory:

$ chmod -Rfc g+rwX /scratch/projects/prj00012

Note: The X permission grants execute ("search") to directories (and only to files that already have an execute bit), so regular data files do not become executable.

If the "set group ID" bit is set on a directory, files created in it automatically belong to the directory's group, i.e. the project group. If it is not set yet, use find to list all subdirectories and run chmod on each of them:

$ find /scratch/projects/prj00012 -type d -exec chmod -fc g+s {} \;

Note that the above commands only change files and directories you own. The other project members need to run the commands on the files they own.
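The recipe above (chgrp, chmod g+rwX, set-group-ID on every directory) as a small shell script, together with an audit that reports anything still in the wrong state; this is an added example, not code from the page, and assumes GNU coreutils and findutils plus a project group (prj00012 in the usage comment is hypothetical) that the caller belongs to.

```shell
#!/bin/sh
# Added example (not from the original page): apply the page's group-sharing
# recipe to a whole tree, then audit the result.
# Assumes GNU coreutils/findutils; GROUP must be a group the caller belongs to,
# such as the project group.

# share_with_group DIR GROUP
#   1. hand every file and directory to GROUP
#   2. grant the group read/write, plus search (X) on directories only
#   3. set the set-group-ID bit on every directory so new files inherit GROUP
# Only entries the caller owns are changed; -f hides the errors for files
# owned by other members, who have to run this on their own files.
share_with_group() {
    chgrp -Rf "$2" "$1"
    chmod -Rf g+rwX "$1"
    find "$1" -type d -exec chmod -f g+s {} \;
}

# audit_sharing DIR GROUP
#   prints one line per problem and returns 1 if any was found:
#   an entry not owned by GROUP, a directory without set-group-ID (02000),
#   or a world-writable entry (0002), which is not allowed on project and
#   share directories.
audit_sharing() {
    problems=$(
        find "$1" ! -group "$2" | sed 's/^/wrong group: /'
        find "$1" -type d ! -perm -2000 | sed 's/^/no set-group-ID: /'
        find "$1" -perm -002 | sed 's/^/world-writable: /'
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Usage, with a hypothetical project group:
#   share_with_group /scratch/projects/prj00012 prj00012
#   audit_sharing /scratch/projects/prj00012 prj00012
```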

 

For more information, see the man pages of chgrp and chmod.

The Rocky Linux System Administrator's Guide has a section on "File attributes": File System - Documentation

The Arch Linux wiki also has documentation on file permissions: https://wiki.archlinux.org/title/File_permissions_and_attributes

Access Control Lists (ACL)

Access control lists (ACL) offer a more flexible, but also significantly more complex approach. With ACLs, permissions can be set for more than one group, and you can share files with groups that you are not a member of.

ls -l shows a + sign at the end of the mode string for files and directories that have an ACL:

$ ls -l somefile.txt
-rw-r-----+ 1 myaccount prj00012 19 Jul  3 2020 somefile.txt
$ ls -ld /scratch/projects/prj00012
drwxrws---+ 3 root prj00012 4096 Jul 11 11:27 /scratch/projects/prj00012

Use getfacl to show an ACL:

$ getfacl somefile.txt
# file: somefile.txt
# owner: myaccount
# group: prj00012
user::rw-
group::---
group:prj00034:rw-
mask::rw-
other::---

Use setfacl -m to modify an ACL, for example to allow read access for a project group:

$ setfacl -m g:prj00012:r /scratch/projects/prj00012/somefile.txt

Use setfacl -R -m to modify ACLs recursively, here granting group members read, write and execute ("search") permissions on a whole directory:

$ setfacl -R -m g:prj00012:rwX /scratch/projects/prj00012

Use getfacl to verify the new entry:

$ getfacl /scratch/projects/prj00012/somefile.txt
...
group:prj00012:r--
...

 

A default ACL can be configured on a directory; it is applied to files and subdirectories created in it later. Use setfacl -R -d -m to set a default ACL recursively:

$ setfacl -R -d -m g:prj00012:rwX /scratch/projects/prj00012/somedir

getfacl will show the default ACL as follows:

$ getfacl /scratch/projects/prj00012/somedir/
...
default:user::rwx
default:group::r-x
default:group:prj00012:rwx
default:mask::rwx
default:other::---

With ACLs, you can allow access to files for other users and groups, even if you are not a member of the group. For instance, to make a file in your home directory available to the members of project prj00034, give execute permission on the directory and read permission on the file:

$ setfacl -m g:prj00034:X ~
$ setfacl -m g:prj00034:r ~/somefile.txt
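The two steps above (search on the directory chain, read on the file) as a shell script for a group you need not belong to, plus a check of the rights that actually take effect, since a restrictive mask entry silently cuts back a named group entry (getfacl marks this with #effective); this is an added example, not code from the page, and assumes GNU coreutils plus the acl tools (setfacl, getfacl); the group prj00034 in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): give a group you need not belong
# to read access to one file, then check what it really gets.
# Assumes GNU coreutils and the acl tools (setfacl, getfacl).

# grant_file_to_group FILE GROUP TOP
#   adds g:GROUP:X to each directory from the file's parent up to TOP (every
#   one of them is needed to traverse the path) and g:GROUP:r to the file.
grant_file_to_group() {
    d=$(dirname "$1")
    while [ "$d" != / ]; do
        setfacl -m "g:$2:X" "$d"
        [ "$d" = "$3" ] && break
        d=$(dirname "$d")
    done
    setfacl -m "g:$2:r" "$1"
}

# effective_rights FILE GROUP
#   prints the rwx triple GROUP really gets: the named entry ANDed with the
#   mask entry, as the kernel applies it ("---" when there is no entry).
effective_rights() {
    acl=$(getfacl --omit-header "$1" 2>/dev/null)
    entry=$(printf '%s\n' "$acl" | sed -n "s/^group:$2:\([rwx-]*\).*/\1/p")
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    [ -n "$entry" ] || { echo ---; return 0; }
    [ -n "$mask" ] || mask=rwx
    out=""; i=1
    while [ "$i" -le 3 ]; do
        e=$(printf '%s' "$entry" | cut -c "$i")
        [ "$e" = "$(printf '%s' "$mask" | cut -c "$i")" ] || e=-
        out="$out$e"
        i=$((i + 1))
    done
    echo "$out"
}

# Usage, with a hypothetical project group:
#   grant_file_to_group ~/somefile.txt prj00034 ~
#   effective_rights ~/somefile.txt prj00034     # expect r--
```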

 

For more information, see the man pages of getfacl, setfacl, and acl.

The Rocky Linux System Administrator's Guide has a section on "ACL permissions": Special Authority - Documentation

The Arch Linux wiki also has documentation on access control lists: https://wiki.archlinux.org/title/Access_Control_Lists

Project and Share Group Directories

For new project and share directories, the default permissions are set as follows:

  • Owning user is root

  • Owning group is the project or share group

  • Mode is 2770 (rwxrws---)

  • Default ACL is group:GID:rwx

getfacl will show this as follows:

$ getfacl /scratch/projects/prj00012
# file: scratch/projects/prj00012
# owner: root
# group: prj00012
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:prj00012:rwx
default:mask::rwx
default:other::---

 

Because the top-level project and share group directories in HOME and WORK are owned by root, you cannot change their mode or ACL yourself but need the help of an administrator. Please send your requests to support@nhr.zib.de

World-Writable Files and Directories

It is not allowed to make user, project or share directories world-writable (e.g. using chmod 777). Instead, adjust permissions as outlined above.

 

 
