At first, Unix file access permissions may look confusing or intimidating, but once they are broken down they are not only simple to understand but also incredibly useful. On a system like Linux, many users access the same files. To control and protect data, we can use access permissions to ensure that we don't lose hours of work, or potentially much more. As mentioned above, they do look confusing at first, but by remembering a few key things, scope and permissions, you'll be able to read them with ease.
File ownership can be split into three different scopes: owner, group, and others.

File Ownership
When a user creates a file, they become the owner of that file. However, files can be transferred to other users, so be aware that the current owner may not have created the file. The owner is shown in yellow in the screenshot below.
The group is the project that the user who created the file belonged to at the time of its creation. Storage allocation for this file is also taken from the project that owns the file. The group is shown in red in the screenshot below.
Others refers to users who don't own the file and are not associated with the project that owns the file. Others are shown in blue in the screenshot below.
Warning: NCI recommends that you do not share data with users outside of the project.
An '
'
An
To see a long listing of a directory, run the command 'ls -la' and you will see something similar to this:
As you can see, read, write, and execute are represented by their abbreviated characters r, w, x. They are split into three different sections, or triads: owner, group, and other.
So in this example, the owner (yellow) of the file can read, write, and execute. The group (red) can read and execute but not write, so they won't be able to save any changes to the file, and the same goes for the others (blue). The 'd' at the beginning of the line indicates the type of file, in this case a directory. An 'l' would indicate a symbolic link, a file that is designed to point at another file. A '-' would tell us that this is a regular file.
The space at the end of the permission string can be blank or filled with a '+' indicating that there are extended access controls outside of the regular Unix permissions. If that is the case, run the command getfacl <filename> to see that file's access control list.
In this example, we have a regular file that the owner can read and write, but there are no other permissions set.
Setuid and setgid
Replacing the 'x' in either the owner or group with an ' Doing so in the group triad will also be ignored for security reasons. When used on directories it forces new files and directories created within them to inherit their group ownership.
Sticky bits
The sticky bit can be used as a form of deletion protection and is active when A permissions line of -
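To make the 'ls -la' mode column described above concrete, including the setuid/setgid and sticky-bit positions, here is an added Python example (not code from the NCI page) that parses the type character, the three triads with their s/S/t/T variants, and the trailing '+' ACL marker into a numeric mode, and flags the points this page cares about for shared project directories. The sample fields are constructed, not taken from a real listing.

```python
import stat

# Map each of the nine permission positions to its stat bit.
_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# The execute slot of each triad may carry a special bit instead of a plain 'x'.
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
_TYPES = {"-": "regular file", "d": "directory", "l": "symbolic link"}

def parse_mode(field):
    """Parse the first column of `ls -la` (e.g. 'drwxr-sr-x+') into
    (file type, numeric mode, has_acl)."""
    if len(field) not in (10, 11):
        raise ValueError("mode field must be 10 or 11 characters: %r" % field)
    ftype = _TYPES.get(field[0], "other (%s)" % field[0])
    has_acl = field.endswith("+")  # extended ACL entries exist: see getfacl
    mode = 0
    for pos, ch in enumerate(field[1:10]):
        if ch == "rwx"[pos % 3]:
            mode |= _BITS[pos]
        elif pos in _SPECIAL and ch in "sStT":
            mode |= _SPECIAL[pos]
            if ch in "st":  # lowercase: special bit plus the execute bit
                mode |= _BITS[pos]
        elif ch != "-":
            raise ValueError("unexpected %r at column %d" % (ch, pos + 2))
    return ftype, mode, has_acl

def describe(field):
    """Explain a mode field: file type, octal mode, and the points that
    matter for shared project directories."""
    ftype, mode, has_acl = parse_mode(field)
    notes = []
    if ftype == "directory" and mode & stat.S_ISGID:
        notes.append("setgid: new files inherit the directory's group")
    if ftype == "directory" and mode & stat.S_ISVTX:
        notes.append("sticky: only a file's owner (or root) may delete it")
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        notes.append("others have some access: data is exposed outside the project")
    if has_acl:
        notes.append("'+': extra ACL entries, run getfacl to see them")
    return {"type": ftype, "octal": "%04o" % mode, "notes": notes}

if __name__ == "__main__":
    # Constructed sample fields, not output from a real listing.
    for f in ("drwxrws---", "-rw-------", "drwxrwxrwt", "-rw-r--r--+"):
        print(f, describe(f))
```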
Changing file access permissions
The basic command for this utility is ' For example
You can also use the xargs command, or extended arguments, to apply these commands to the results of a search, for example:
/scratch/a00/aaa777 and then uses 'chmod ' to give the group permissions r,w,s while removing r,w,x from others. The permissions these directories set for the file owner remain the same but can be modified. For example, to remove the owner's write permission, run
To set deletion protection on a directory in which you have to allow others to write, run