Managing file permissions on HPCC

This is a list of techniques to manage file permissions and groups on the HPCC. For background on the concepts, please see the page on file permissions.

Displaying permissions of files and directories with ls -l

To display permissions in the current directory, run:

ls -l

You can also display the permissions of an individual file or directory by running:

ls -ld filename

For example, you can check the permissions of your home directory:

ls -ld ~

Changing file permissions with chmod

In the normal UNIX security model, there are three levels that are evaluated when considering file or directory access: user owner, group owner, and everyone else on the system. These types are typically referred to as user (u), group (g) and other (o). Only the owner of a file or a directory is allowed to change its permissions or the group name (to one of the owner's groups).

Change user permissions

To add all permissions for the user owner, run the following command:

chmod u+rwx FileName

Note that any file you create will already have the rw permission for your user account, giving you "read" and "write" access respectively. However, for a script to be runnable from the command line, you need to add the execute (x) permission with:

chmod u+x FileName

Changing group and other permissions

To allow anyone in the group that owns the file to be able to read that file, change the group read permission:

chmod g+r FileName

To allow anyone in the group to read and write the file, add both the read and write permissions:

chmod g+wr FileName

If you have a file that is currently readable and writable by the group (g+wr) and you want to make it private, remove those permissions:

chmod g-rw FileName

To add the ability for other users to write to a file or directory, run the command below. Note that this allows all users on the HPCC to access this file if it's in a shared folder, which we don't recommend:

chmod o+w FileName

Changing group ownership with chgrp

To change the group ownership of a file or a directory, run:

chgrp <GroupName> <FileName>

where <GroupName> is the group name which you would like to change to and <FileName> is the name and path of the file or directory.

Working with non-primary groups and permissions

Switching groups with newgrp

If you have more than one group associated with your account, you can switch which group owns the files created by default with the newgrp command: newgrp myothergroup. If you need to do this frequently, you can contact HPCC staff to change your primary group or see the page on changing your primary group.

Changing default group for new files with the set-group-ID bit and chmod

You can also change the default group for new files created in a directory by setting the set-group-ID bit on that directory. The /mnt/research HPCC Research file share spaces have this bit set by default.

To set the set-group-ID bit on a directory:

chmod g+s DirectoryName

To remove the set-group-ID bit on a directory:

chmod g-s DirectoryName

Other special permissions

There are other special permissions beyond the scope of this document, primarily the set-user-ID bit and the "sticky" bit. For more information about special permissions, please review the GNU documentation, available on any HPCC system:

info chmod

Filesystem-specific differences

Home

Your home directory has default permissions that allow only you to have access. Other users, whether they are in your primary group or not, are not allowed access to the contents of your home directory by default. If you wish to allow other users access to your home directory, you will need to change permissions on it.

To allow every member of a group access to read your home directory, use:

chmod g+rx ~

It is strongly recommended that you do not allow all users to read the contents of your home directory. Instead, to allow users outside of your UNIX group to read contents within your home directory, it is suggested that you create a subdirectory within your home directory that is readable by all users, and then set the execute permission on your home directory to allow users to access the subdirectory. For example:

#Create a subdirectory in your home directory called "my_sub_directory"
mkdir ~/my_sub_directory
#Make the subdirectory readable by everyone
chmod a+rx ~/my_sub_directory
#Set the execute permission on your home directory to allow others to access the new subdirectory
chmod o+x ~/

To allow every user outside your UNIX group to read your home directory, use (NOT RECOMMENDED):

chmod o+rx ~

To allow world-wide read access to your home directory (NOT RECOMMENDED):

chmod a+rx ~

Sharing a single directory inside your home directory

If you wish to share only a single directory in your home directory and keep all other contents private, you can use the following technique. This is the recommended method for sharing home directory contents with users outside of your UNIX group:

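# create the shared folder
cd ~
mkdir shared
chmod o+rwx shared
# let other users pass through your home directory to reach the shared folder
# (execute only: they still cannot list the contents of your home directory)
chmod o+x ~
# create a shared file in the shared folder
echo "hello, iCER" > shared/sharefile.txt
chmod o+rw shared/sharefile.txt
# anyone can read this file using
cat /mnt/home/<netid>/shared/sharefile.txt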

Scratch

Directories are created as private to you by default. If you do not wish this to be the case, you can use the technique for sharing a single directory in your home directory above. Note if there are other directories above your shared directory (e.g. it's a sub-sub-directory like ~/project/data/shared), then every directory in the path will need the execute bit set for everyone.
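The check described above for every directory in a path, together with a listing of anything other users can write to, as an added example that is not part of the original page. The function names and the temporary demo tree (standing in for ~/project/data/shared) are constructed for illustration.

```bash
#!/bin/bash
# Added example (not HPCC's own code): audit a shared path before announcing it.

# "Other" permission triplet (e.g. "r-x"), read from the ls -ld output.
other_perms() {
    ls -ld -- "$1" | cut -c8-10
}

# Print each directory between $1 (a shared file or directory) and $2 (the
# top of the tree, e.g. your home directory) that other users cannot traverse.
# Returns 1 if any directory is blocked, 0 if the whole path is reachable.
blocked_dirs() {
    local dir="$1" top="$2" status=0
    [ -d "$dir" ] || dir=$(dirname -- "$dir")
    while :; do
        case $(other_perms "$dir") in
            ??x|??t) ;;                      # execute, or execute plus sticky
            *) echo "$dir"; status=1 ;;
        esac
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname -- "$dir")
    done
    return "$status"
}

# Print everything under $1 that any user on the system may modify.
other_writable() {
    find "$1" ! -type l -perm -002 | sort
}

# Constructed demo tree; modes chosen to mirror the examples on this page.
demo=$(mktemp -d)
mkdir -p "$demo/home/project/data/shared"
echo "hello, iCER" > "$demo/home/project/data/shared/sharefile.txt"
chmod 700 "$demo/home"                       # private, like a default home
chmod 755 "$demo/home/project"
chmod 750 "$demo/home/project/data"          # group only: blocks other users
chmod 757 "$demo/home/project/data/shared"   # after chmod o+rwx
chmod 646 "$demo/home/project/data/shared/sharefile.txt"   # after chmod o+rw

echo "Not traversable by other users:"
blocked_dirs "$demo/home/project/data/shared/sharefile.txt" "$demo/home" \
    || echo "-> add o+x to each directory listed above"
echo "Writable by every user:"
other_writable "$demo/home"
rm -rf "$demo"
```

On your own account, call blocked_dirs with the shared path and your home directory as the two arguments, and review anything other_writable prints before sharing the location.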

TMPDIR space

Directories are created as world-readable by default, but the scheduler deletes the contents of $TMPDIR after a job exits. If you require additional security for this temporary space, manually setting the permissions of $TMPDIR is necessary. Here is an example to mimic the security of home directory space:

chmod go-rwx $TMPDIR