File Permissions on HPCC
The HPCC offers several different types of storage for users. All of these filesystems use standard UNIX file permissions. Understanding how standard UNIX permissions and ownership work is an important way to control access to your files.
UNIX users and groups
Every user has a unique username on HPCC systems. This is typically your MSU NetID. Every user is also a member of at least one group. This group is typically the department the user is in (such as cse or plb). A user can be a member of additional groups. To see what groups you are a member of, run the groups command. If you feel you are in the wrong group, please contact HPCC staff.
UNIX file ownership
Every file and directory has two sets of ownership, the user and the group. The user owner is normally set to the user that created the file. Normally, the user owner of a file or directory is the only user that is able to change permissions or group ownership.
The group owner of a file or directory allows the user owner to grant permissions to a group of users for that particular file or directory. The user owner of a file can change the group ownership of the file to any group that they are a member of. Any file created by a user normally defaults to having its group owner set to the user's primary group, unless the user or the directory owner has changed this behavior (using the procedures described below).
The three types of basic UNIX permissions
Read permission on a file allows the contents of the file to be read. The read permission, when applied to a directory, allows the contents of the directory to be listed. Referred to as "r" in the output of the ls -l command.
Write permission on a file allows the file to be modified or deleted. Write permission on a directory allows the creation of additional files in that directory. Referred to as "w" in the output of the ls -l command.
The execute permission allows a file to be run as an executable. When applied to a directory it allows traversal of that directory: the ability to access files or subdirectories in that directory. Referred to as "x" in the output of the ls -l command.
Displaying permissions of files and directories
To display permissions in the current directory, run:
You can also display the permissions of an individual file or directory by running:
For example, you can check the permissions of your home directory:
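The following is an added example, not code from the HPCC page: it shows the ls -l and ls -ld calls the text refers to on a constructed temporary file, and pulls the user, group and other triplets out of the mode string that ls -l prints. The helper names mode_of and perms_for are this example's own.

```shell
#!/bin/sh
# Added example, not code from the HPCC page: show permissions with ls and
# pull the user/group/other triplets out of the mode string it prints.
# The file it inspects is a constructed temporary file.

# Ten-character mode string of one path, e.g. "-rw-r-----". ls -ld shows the
# entry itself rather than a directory's contents (so it works like ls -ld ~);
# cut drops the trailing "." or "+" ls adds when an SELinux label or ACL is set.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# The rwx triplet for one class from a mode string: u (user owner),
# g (group owner) or o (other). Character 1 is the file type ("-" or "d"),
# then the three triplets follow in u, g, o order.
perms_for() {
    case $2 in
        u) range=2-4 ;;
        g) range=5-7 ;;
        o) range=8-10 ;;
        *) echo "class must be u, g or o" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" | cut -c"$range"
}

# Demonstration on a constructed directory.
work=$(mktemp -d)
: > "$work/notes.txt"
chmod 640 "$work/notes.txt"     # owner read+write, group read, others nothing

ls -l "$work"                   # permissions of everything in a directory
ls -ld "$work"                  # the directory entry itself, as for a home directory

m=$(mode_of "$work/notes.txt")  # -rw-r-----
echo "user:  $(perms_for "$m" u)"    # rw-
echo "group: $(perms_for "$m" g)"    # r--
echo "other: $(perms_for "$m" o)"    # ---
rm -r "$work"
```

Use ls -ld rather than ls -l whenever the thing you want to inspect is a directory; ls -l on a directory lists what is inside it, not the directory's own permissions.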
Applying these to the three types of users
In the normal UNIX security model, there are three levels that are evaluated when considering file or directory access: the user owner, the group owner, and everyone else on the system. These are typically referred to as user (u), group (g) and other (o). Only the owner of a file or directory is allowed to change its permissions or its group (to one of the groups they belong to).
To change user permissions (in this case, add all permissions), run the following command:
Note that any file you create will already have the "rw" permissions for your user account. However, to be able to run a program or script from the command line, you need to add the 'execute' permission.
Group and other permissions can also be altered:
To allow anyone in the group that owns the file to be able to read that file, change the group read permission:
To allow anyone in the group to read and write the file, add both the read and write permissions:
If you have a file that is currently readable and writable by the group (g+wr) and you want to make it private, remove those permissions:
To add the ability for other users to write to a file or directory (this allows all users on the HPC to see and read the file if it is in a shared folder, which we don't recommend):
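As an added example (not code from the HPCC page), the symbolic chmod changes described above, applied in sequence to a constructed scratch file so the effect of each step is visible; the helper names mode_of and set_mode are this example's own, and on the HPCC you would substitute your own file path.

```shell
#!/bin/sh
# Added example, not code from the HPCC page: the symbolic chmod changes the
# text describes, applied to a constructed scratch file and shown after each
# step. Replace the temporary path with your own file on the HPCC.

# Ten-character mode string ("-rw-r--r--"); cut drops any trailing "." or "+"
# that ls appends for SELinux labels or ACLs.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Apply one symbolic mode (u+rwx, g+r, g+rw, g-rw, o+w ...) to a path and
# print the resulting mode so the effect of each step is visible.
set_mode() {
    chmod "$1" "$2" && mode_of "$2"
}

work=$(mktemp -d)
script="$work/run.sh"
printf '#!/bin/sh\necho hello from %s\n' "$script" > "$script"
chmod 644 "$script"       # typical new file: rw for you, r for group and others

set_mode u+rwx "$script"  # -rwxr--r--  all user permissions; the x bit is what makes ./run.sh runnable
set_mode g+r   "$script"  # -rwxr--r--  group read was already set, so no change
set_mode g+rw  "$script"  # -rwxrw-r--  group may now read and write
set_mode g-rw  "$script"  # -rwx---r--  private from the group again
set_mode o+w   "$script"  # -rwx---rw-  anyone on the system may write: avoid this in shared folders
rm -r "$work"
```

Each symbolic mode is "who" (u, g, o, or a for all), "+" or "-", then the bits to add or remove; bits not named are left exactly as they were, which is why g+r on a file that is already group-readable changes nothing.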
Change group name:
To change the group ownership of a file or a directory, simply run
Here, <GroupName> is the group you would like to change to, and <FileName> is the name and path of the file or directory.
Working with non-primary groups and permissions
If you have more than one group associated with your account, you can switch which group owns the files you create by default with the newgrp command (for example, newgrp myothergroup). If you need to do this frequently, you can contact HPCC staff to change your primary group.
You can also change the default group for new files created in a directory by setting the set-group-ID bit on that directory. The /mnt/research HPCC Research file share spaces have this bit set by default.
To set the set-group-ID bit on a directory:
To remove the set-group-ID bit on a directory:
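The following added example (not code from the HPCC page) covers both the chgrp step from "Change group name" and the set-group-ID bit described just above: it changes the group owner of a constructed temporary directory to a group from your own groups list, turns the set-group-ID bit on, and confirms that a new file inside picks up the directory's group rather than your primary group. The helper names group_of, pick_group, change_group, set_sgid and group_of_new_file_in are this example's own.

```shell
#!/bin/sh
# Added example, not code from the HPCC page: change a file's group owner
# with chgrp and make a directory pass its group on to new files with the
# set-group-ID bit. Works on a constructed temporary tree; the group is
# taken from your own groups list so chgrp is allowed to use it.

group_of() { stat -c %G "$1"; }            # owning group (GNU stat)
mode_of()  { ls -ld "$1" | cut -c1-10; }   # e.g. drwxr-sr-x

# chgrp only accepts a group you belong to. This picks the last group in
# your list, which is a supplementary group when you have more than one.
pick_group() { id -Gn | awk '{print $NF}'; }

# chgrp <GroupName> <FileName>, then report the group that is now set.
change_group() {
    chgrp "$1" "$2" && group_of "$2"
}

# Turn the set-group-ID bit on or off for a directory and show the mode.
# With it on, new files inside inherit the directory's group instead of
# your primary group (the s in drwxr-sr-x is that bit over group execute).
set_sgid() {
    case $1 in
        on)  chmod g+s "$2" ;;
        off) chmod g-s "$2" ;;
        *)   echo "usage: set_sgid on|off DIR" >&2; return 1 ;;
    esac && mode_of "$2"
}

# Group that a file created inside directory $1 gets right now.
group_of_new_file_in() {
    probe="$1/.probe.$$"
    : > "$probe" || return 1
    g=$(group_of "$probe")
    rm -f "$probe"
    echo "$g"
}

umask 022                                  # new directories come out drwxr-xr-x
work=$(mktemp -d)
mkdir "$work/shared"
g=$(pick_group)
change_group "$g" "$work/shared"           # prints the group name
set_sgid on "$work/shared"                 # drwxr-sr-x
group_of_new_file_in "$work/shared"        # that same group, whatever your primary group is
set_sgid off "$work/shared"                # drwxr-xr-x
rm -r "$work"
```

The s in the group triplet of ls -l output is how you can tell a directory already has the bit set, as the /mnt/research spaces do; if you see an S (capital) instead, the bit is set but group execute is missing, so group members cannot enter the directory.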
Other special permissions
There are other special permissions beyond the scope of this document, primarily the set-user-ID bit and the "sticky" bit. For more information about special permissions, please review the GNU documentation, available on any HPCC system:
Your home directory has default permissions that allow only you to have access. Other users, whether they are in your primary group or not, are not allowed access to the contents of your home directory by default. If you wish to allow other users access to your home directory, you will need to change permissions on it.
To allow every member of a group access to read your home directory, use:
To allow every user outside your UNIX group to read your home directory, use:
To allow world-wide read access to your home directory:
Directories are created as private to you by default. If you do not wish this to be the case, you can use the technique for sharing directories (see below).
Directories are created as world-readable by default, but the scheduler deletes the contents of $TMPDIR after a job exits. If you require additional security for this temporary space, you must set the permissions of $TMPDIR manually. Here is an example that mimics the security of home directory space:
Sharing a single directory inside your home directory
If you wish to share only a single directory in your home directory and keep all other contents private, you can use the following technique:
You can use the same technique for your $SCRATCH folder to share folders there. Note that if there are other directories above your shared directory (e.g. it is a sub-sub-directory like ~/project/data/shared), then every directory in the path needs the execute bit set for everyone.
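The listing for this technique did not survive in this copy of the page, so the following is an added example rather than the page's own: it opens one directory several levels below a private top directory to everyone, giving only the execute (traverse) bit to each directory on the path, as the note above requires, and read plus execute to the shared directory itself, while a sibling directory stays private. It runs on a constructed tree under mktemp; on the HPCC you would pass your home directory or $SCRATCH and the relative path to share. The helper names share_path and others_bits are this example's own, and giving files inside the shared directory o+r (but not execute) is this example's assumption that they are data files.

```shell
#!/bin/sh
# Added example, not the listing from the HPCC page: open one directory deep
# inside a private home (or $SCRATCH) to everyone while every sibling stays
# private. It runs on a constructed tree under mktemp; on the HPCC you would
# pass your real home directory and the relative path you want to share.

# Permission triplet for "other" (everyone else), e.g. "--x" or "r-x".
others_bits() { ls -ld "$1" | cut -c8-10; }

# share_path TOP REL: make TOP/REL readable by everyone.
#   Every directory from TOP down to REL's parent gets o+x only: execute on a
#   directory lets others pass through it, but without r they cannot list what
#   else it contains. The shared directory itself gets o+rx so it can be
#   listed and entered, and the files inside get o+r (assumed here to be data,
#   not executables, so x is not added to them).
share_path() {
    top=$1
    rel=$2
    chmod o+x "$top"
    dir=$top
    old_ifs=$IFS
    IFS=/
    for part in $rel; do
        dir="$dir/$part"
        chmod o+x "$dir"
    done
    IFS=$old_ifs
    chmod o+rx "$dir"
    find "$dir" -type f -exec chmod o+r {} +
}

umask 077                                 # private by default, like a home directory
home=$(mktemp -d)
mkdir -p "$home/project/data/shared" "$home/project/data/private"
echo "results" > "$home/project/data/shared/out.txt"
echo "secret"  > "$home/project/data/private/key.txt"

share_path "$home" project/data/shared

others_bits "$home"                              # --x  others can pass through, not list
others_bits "$home/project/data"                 # --x
others_bits "$home/project/data/shared"          # r-x  listable and enterable
others_bits "$home/project/data/shared/out.txt"  # r--
others_bits "$home/project/data/private"         # ---  untouched
rm -r "$home"
```

Because the directories on the path get execute without read, another user who knows the exact path can reach the shared directory, but listing your home directory or the intermediate directories still fails for them, which is what keeps the rest of your files private.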
This just covers the basics of UNIX file permissions. Here are some other resources for more in-depth information:
Software Carpentry - Permissions
The Linux Cookbook, 2nd ed., Chapter 9