File Permissions on HPCC

The HPCC offers several different types of storage for users. All of these filesystems make use of standard UNIX file permissions. Understanding how standard UNIX permissions and ownership work is important for controlling access to your files.

UNIX users and groups

Every user has a unique username on HPCC systems. This is typically your MSU NetID. Every user is also a member of at least one group. This group is typically the department the user is in (such as cse or plb). A user can be a member of additional groups. To see what groups you are a member of, run the groups command. If you feel you are in the wrong group, please contact HPCC staff.

UNIX file ownership

Every file and directory has two sets of ownership, the user and the group. The user owner is normally set to the user that created the file. Normally, the user owner of a file or directory is the only user that is able to change permissions or group ownership.

The group owner of a file or directory allows a user owner to grant permissions to a group of users for a particular file or directory. The user owner of a file can change the group ownership of a file to any group that they are a member of. Any file created by a user normally defaults to the group owner being set to the user's primary group, unless the user or directory owner has changed this behavior (using procedures described below).

The three types of basic UNIX permissions

Read

Read permission on a file allows the contents of a file to be read. The read permission, when applied to a directory, allows the contents of a directory to be listed. Referred to as "r" in the output of the ls -l command.

Write

Write permission on a file allows the file to be modified or deleted. Write permissions in a directory allow the creation of additional files in that directory. Referred to as "w" in the output of the ls -l command.

Execute

The execute permission allows a file to be run as an executable. When applied to a directory it allows traversal of that directory: the ability to access files or subdirectories in that directory. Referred to as "x" in the output of the ls -l command.

Displaying permissions of files and directories

To display permissions in the current directory, run:

ls -l

You can also display the permissions of an individual file or directory by running:

ls -ld filename

For example, you can check the permissions of your home directory:

ls -ld ~

Applying these to the three types of users

In the normal UNIX security model, there are three levels that are evaluated when considering file or directory access: user owner, group owner, and everyone else on the system. These types are typically referred to as user (u), group (g) and other (o). Only the owner of a file or a directory is allowed to change its permissions or its group (to one of the groups the owner belongs to).

To change user permissions (in this case, add all permissions), run the following command:

chmod u+rwx FileName

Note that any file you create will already have the "rw" permission for your user account. However, to be able to run a program or script from the command line, you need to add the 'execute' permission:

chmod u+x FileName

Group and other permissions can also be altered:

To allow anyone in the group that owns the file to be able to read that file, change the group read permission:

chmod g+r FileName

To allow anyone in the group to read and write the file, change the group read and write permissions:

chmod g+wr FileName

If you have a file that is currently read and writeable by the group (g+wr) and you want to make it private, remove those permissions:

chmod g-rw FileName

To add the ability for other users to write to a file or directory (we don't recommend this, because it allows all users on the HPC to see and read this file if it's in a shared folder), run:

chmod o+w FileName

Change group name:

To change the group ownership of a file or a directory, run:

chgrp <GroupName> <FileName>

where <GroupName> is the name of the group you would like to change to and <FileName> is the name and path of the file or directory.

Working with non-primary groups and permissions

If you have more than one group associated with your account, you can switch which group owns the files you create by default with the newgrp command: newgrp myothergroup. If you need to do this frequently, you can contact HPCC staff to change your primary group.

You can also change the default group for new files created in a directory by setting the set-group-ID bit on that directory. The /mnt/research HPCC Research file share spaces have this bit set by default.

To set the set-group-ID bit on a directory:

chmod g+s DirectoryName

To remove the set-group-ID bit on a directory:

chmod g-s DirectoryName

Other special permissions

There are other special permissions beyond the scope of this document, primarily the set-user-ID bit and the "sticky" bit. For more information about special permissions, please review the GNU documentation, available on any HPCC system:

info chmod

Filesystem-specific differences

Home

Your home directory has default permissions that allow only you to have access. Other users, whether they are in your primary group or not, are not allowed access to the contents of your home directory by default. If you wish to allow other users access to your home directory, you will need to change permissions on it.

To allow every member of a group access to read your home directory, use:

chmod g+rx ~

To allow every user outside your UNIX group to read your home directory, use:

chmod o+rx ~

To allow world-wide read access to your home directory, use:

chmod a+rx ~

Scratch

Directories are created as private to you by default. If you do not wish this to be the case, you can use the technique for sharing directories (see below).

TMPDIR space

Directories are created as world-readable by default, but the scheduler deletes the contents of $TMPDIR after a job exits. If you require additional security for this temporary space, you need to set the permissions of $TMPDIR manually. Here is an example that mimics the security of home directory space:

chmod go-rwx $TMPDIR

Sharing a single directory inside your home directory

If you wish to share only a single directory in your home directory and keep all other contents private, you can use the following technique:

# create the shared folder
cd ~
mkdir shared
chmod o+rwx shared
# create a shared file in the shared folder
echo "hello, iCER" > shared/sharefile.txt
chmod o+rw shared/sharefile.txt
# anyone can read this file using
cat /mnt/home/<netid>/shared/sharefile.txt

You can use the same technique in your $SCRATCH folder to share folders there. Note that if there are other directories above your shared directory (e.g. it's a sub-sub-directory like ~/project/data/shared), then every directory in the path will need the execute bit set for everyone.
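
An audit for the sharing technique above, added here as an example and not part of the original HPCC page: it lists every directory on the path to a shared folder that lacks the execute bit for "other" (including your home directory), and every entry under the folder that all users may write to. The function names blocked_ancestors and world_writable and the script name audit_share.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the HPCC page. Function names are hypothetical.

# Print each directory, from TARGET up to STOP (default "/"), that lacks the
# execute bit for "other". Any directory printed blocks access to TARGET.
blocked_ancestors() (
    dir=$(cd "$1" && pwd -P) || exit 2
    stop=$(cd "${2:-/}" && pwd -P) || exit 2
    while :; do
        # Character 10 of the ls -ld mode string is the "other" execute slot:
        # "x" or "t" means traversable, "-" or "T" means blocked.
        case "$(ls -ld "$dir" | cut -c10)" in
            x|t) ;;
            *)   printf '%s\n' "$dir" ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
)

# List files and directories under TARGET that every user may write to
# (mode bit 0002, the bit set by "chmod o+w").
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Usage: sh audit_share.sh ~/shared
if [ "$#" -ge 1 ]; then
    echo "Directories blocking access:"; blocked_ancestors "$1"
    echo "World-writable entries:";      world_writable "$1"
fi
```

An empty first list means other users can reach the folder; anything in the second list can be modified by every user on the system.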

Other resources

This just covers the basics of UNIX file permissions. Here are some other resources for more in-depth information:
Software Carpentry - Permissions
The Linux Cookbook, 2nd ed., Chapter 9
https://www.computerhope.com/unix/uumask.htm