NCI Help

Page tree

Versions Compared

Old Version 66

changes.mady.by.user Andrew Johnston

Saved on

compared with

New Version 67

changes.mady.by.user Andrew Johnston

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge
titleFile Access Permisions

At first, unix file access permissions may look confusing or intimidating, but when they are broken down, they are not only simple to understand, they are also incredibly useful.

With a system like Linux, there are multiple users accessing the same file. To control and protect data, we can use access permissions to ensure that we don't lose hours of work, or potentially much more. 

As was mentioned above it does look confusing at first but by remembering a few key things, scope and permissions, you'll be able to read them with ease. 

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge
titleOn this page

File ownership can be split into three different scopes: Owner, group, and others. 

Anchor
File Ownership
File Ownership

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge
titleOwner

When a user creates a file, they become the owner of that file. However, files can be transferred to other users, so be aware that the current owner may not have created the file

This will be represented as yellow in the screenshot below

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge
titleGroup

The group is the project that the user who created the file belonged to at the time of its creation. Storage allocation for this file will also be taken from the project that owns the file.

This will be represented as red in the screenshot below

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge
titleOthers

Others refers to users who who don't own the file, nor are they associated with the project that owns the file.

This will be represented as blue in the screenshot below

Warning
NCI recommends that you do not share data with users outside of the project 

Permissions are split into three different parameters. 

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge
titleRead

An 'r' in the permission line is short for read. This means that the file can be opened and read.

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge
titleWrite

'w' in the permission gives the ability to modify and save a file.

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge
titleExecute

An'x' in the permission line stands for execute. This gives the ability to execute and run programs. This can also be replaced with an 's' or 't', which we will go over below.

How to see file access permissions 
Anchor
How to see file access permissions
How to see file access permissions

To see a long listing of a directory, run the command 'ls -la' and you will see something similar to this,




As you can see, our read, write, and execute, are represented by their abbreviated characters r,w,x. They are split into three different sections, or triads, owner, group, and other.

So in this example, the owner (yellow) of the file can read, write, and execute. The group (red) can read and execute, but not write, so they won't be able to save any changes to the file, and the same goes for the others (blue) group.  The 'd' at the beginning of beginning indicates the type of file, in this case a directory file. A 'l' would indicate that this is a symbolic link file, or a file that is designed to point at another file. '-' would tell us that this is a regular file. 

The space at the end of the line can be blank or filled with a '+' indicating that there are extended access controls outside of the regular unix permissions. If that is the case, run the command getfacl <filename> to see that file access control list.

In this example, we have a regular file that the owner can read and write, but there are no other permissions set. 

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge

Setuid and setgid 

Anchor
Setuid and setgid
Setuid and setgid

Replacing the 'x' in either the owner or group with an 's' will change the permissions to match those of the owner of the file. This is considered a security hazard and will have no effect when doing so under the user triad.

Doing so in the group triad will also be ignored for security reasons. When used on directories it forces new files and directories created within them to inherit their group ownership.

Panel
borderColor#21618C
bgColor#F6F7F7
titleColor#17202A
borderWidth1
titleBGColor#FFB96A
borderStyleridge

Sticky bits 

Anchor
Sticky bits
Sticky bits

Sticky bit can be used as a form of deletion protection and is active when 'x' is replaced with a 't' in the others triad. This means that although the file will be able to be read and written, only the owner can rename or delete the file.

A permissions line of -rwxrwxrwt would ensure that the file couldn't be accidentally or maliciously deleted when sharing data with users outside of your project.

Panel
borderColor#21618C
bgColor#F6F7F7
borderWidth1
borderStyleridge

Changing file access permissions 
Anchor
Changing file access permissions
Changing file access permissions

'chmod' is the command used when you want to alter the file access permissions. Again, while this command can look complicated at first, there is a few steps you can take to simplify the process. 

  1. Who are you changing permissions for? Owner 'u', group 'g', or others 'o'.
  2. What permission change will you be making? Adding '+', removing '-', or replacing '='. Replace will remove all other permissions and replace them with your command. 
  3. What permissions are you referring to? read 'r', write 'w', or execute 'x'.

The basic command for this utility is 'chmod <permissions> <filename>'

For example

  • $ chmod g+w testfile.sh would grant write access 'w' to the group 'g'. 
  • $ chmod o-rw testfile.sh would remove read and write from others.
  • $ chmod g=rws testfile.sh will delete the access that the group has and replace it with r,w,s.

 You can also use command xargs, or extended arguments, to add these commands to a search, for example: 

Code Block
themeFadeToGrey
$ find /scratch/a00/aaa777 -type d | xargs chmod g=rws,o-rwx
 this searches for directories under /scratch/a00/aaa777 and then uses 'chmod' to give group permissions r,w,s, while removing r,w,x from others.

The permissions of these directories set for the file owner remain the same but can be modified. For example, to remove the owner's write permission, run

Code Block
themeFadeToGrey
 $ chmod u-w test
Please do not set files in your home directory to be readable by everyone as this could result in anyone using Gadi to read your personal files.

To set the deletion protection on the directory in which you have to allow others to write, run

Code Block
themeFadeToGrey
$ mkdir -p /scratch/public/$USER
$ chmod o=rwxt /scratch/public/$USER
so that it reserves the permission of deleting a file for the file owner and the owner of the parent directory only. 
Panel
borderColor#21618C
bgColor#F6F7F7
borderWidth1

Default file access Permissions 
Anchor
Default file access Permissions
Default file access Permissions

While access permissions can be represented as symbols, like above, they can also be represented with a short string of numbers that make up a 'umask'. On gadi, 'umask 022' is used as default permission for newly created files in /home, and is set as the inverse umask on files. 

The position of these three numbers corresponds to the user scopes

  • 0→owner
  • 2→ group
  • 2→ other 

If you look at the inverse column on the table to the right, you can see that 0= rwx and 2 =r-x.

This means as default, owners will be given rwx permissions, and everyone else will be given r-x.

This is a fast and simple way to set and read permissions. Users can change the default of 022 by modifying their ~/.bashrc file. 

symbolic 

octal 

inverse

---

0

7

--x

1

6

-w-

2

5

-wx

3

4

r--

4

3

r-x

5

2

rw-

6

1

rwx

7

0

Authors: Yue Sun, Adam Huttner-Koros, Mohsin Ali, Andrew Johnston