Unix File Permissions¶
Every file (and directory) has an owner, an associated Unix group, and a set of permission flags that specify separate read, write, and execute permissions for the "user" (owner), "group", and "other". Group permissions apply to all users who belong to the group associated with the file. "Other" is also sometimes known as "world" permissions, and applies to all users who can login to the system. The command
ls -l displays the permissions and associated group for any file. Here is an example of the output of this command:
drwx------ 2 elvis elvis 2048 Jun 12 2012 private -rw------- 2 elvis elvis 1327 Apr 9 2012 try.f90 -rwx------ 2 elvis elvis 12040 Apr 9 2012 a.out drwxr-x--- 2 elvis bigsci 2048 Oct 17 2011 share drwxr-xr-x 3 elvis bigsci 2048 Nov 13 2011 public
From left to right, the fields above represent:
- set of ten permission flags
- link count (irrelevant to this topic)
- associated group
- date of last modification
- name of file
The permission flags from left to right are:
|1||"d" if a directory, "-" if a normal file|
|2, 3, 4||read, write, execute permission for user (owner) of file|
|5, 6, 7||read, write, execute permission for group|
|8, 9, 10||read, write, execute permission for other (world)|
and have the following meanings:
|-||Flag is not set.|
|r||File is readable.|
|w||File is writable. For directories, files may be created or removed.|
|x||File is executable. For directories, files may be listed.|
|s||Set group ID (sgid). For directories, files created therein will be associated with the same group as the directory, rather than default group of the user. Subdirectories created therein will not only have the same group, but will also inherit the sgid setting.|
These definitions can be used to interpret the example output of
ls -l presented above:
drwx------ 2 elvis elvis 2048 Jun 12 2012 private
This is a directory named "private", owned by user elvis and associated with Unix group elvis. The directory has read, write, and execute permissions for the owner, and no permissions for any other user.
-rw------- 2 elvis elvis 1327 Apr 9 2012 try.f90
This is a normal file named "try.f90", owned by user elvis and associated with group elvis. It is readable and writable by the owner, but is not accessible to any other user.
-rwx------ 2 elvis elvis 12040 Apr 9 2012 a.out
This is a normal file named "a.out", owned by user elvis and associated with group elvis. It is executable, as well as readable and writable, for the owner only.
drwxr-x--- 2 elvis bigsci 2048 Oct 17 2011 share
This is a directory named "share", owned by user elvis and associated with group bigsci. The owner can read and write the directory; all members of the file group bigsci can list the contents of the directory. Presumably, this directory would contain files that also have "group read" permissions.
drwxr-xr-x 3 elvis bigsci 2048 Nov 13 2011 public
This is a directory named "public", owned by user elvis and associated with group bigsci. The owner can read and write the directory; all other users can only read the contents of the directory. A directory such as this would most likely contain files that have "world read" permissions.
Useful File Permission Commands¶
When a file is created, the permission flags are set according to the file mode creation mask, which can be set using the "umask" command. The file mode creation mask (sometimes referred to as "the umask") is a three-digit octal value whose nine bits correspond to fields 2-10 of the permission flags. The resulting permissions are calculated via the bitwise AND of the unary complement of the argument (using bitwise NOT) and the default permissions specified by the shell (typically 666 for files and 777 for directories). Common useful values are:
|umask value||File Permissions||Directory Permissions|
Note that at NERSC, a default umask of 007 is set in .bash_profile. This is read after .bashrc, so setting umask in your .bashrc won't work, you will need to set it in your .bash_profile.
The chmod ("change mode") command is used to change the permission flags on existing files. It can be applied recursively using the "-R" option. It can be invoked with either octal values representing the permission flags, or with symbolic representations of the flags. The octal values have the following meaning:
|Octal Digit||Binary Representation (rwx)||Permission|
|3||011||write and execute|
|5||101||read and execute|
|6||110||read and write|
|7||111||read, write, and execute (full permissions)|
Here is an example of chmod using octal values:
nersc$ umask 0077 nersc$ touch foo nersc$ ls -l foo -rw------- 1 elvis elvis 0 Nov 19 14:49 foo nersc$ chmod 755 foo nersc$ ls -l foo -rwxr-xr-x 1 elvis elvis 0 Nov 19 14:49 foo
In the above example, the umask for user elvis results in a file that is read-write for the user, with no other permissions. The chmod command specifies read-write-execute permissions for the user, and read-execute permissions for group and other.
Here is the format of the chmod command when using symbolic values:
chmod [-R] [classes][operator][modes] file ...
The classes determine to which combination of user/group/other the operation will apply, the operator specifies whether permissions are being added or removed, and the modes specify the permissions to be added or removed. Classes are formed by combining one or more of the following letters:
|u||user||Owner of the file|
|g||group||Users who are members of the file's group|
|o||other||Users who are not the owner of the file or members of the file's group|
|a||all||All of the above (equivalent to "ugo")|
The following operators are supported:
|+||Add the specified modes to the specified classes.|
|-||Remove the specified modes from the specified classes.|
|=||The specified modes are made the exact modes for the specified classes.|
The modes specify which permissions are to be added to or removed from the specified classes. There are three primary values which correspond to the basic permissions, and two less frequently-used values that are useful in specific circumstances:
|r||read||Read a file or list a directory's contents.|
|w||write||Write to a file or directory.|
|x||execute||Execute a file or traverse a directory.|
|X||"special" execute||This is a slightly more restrictive version of "x". It applies execute permissions to directories in all cases, and to files only if at least one execute permission bit is already set. It is typically used with the "+" operator and the "-R" option, to give group and/or other access to a large directory tree, without setting execute permissions on normal (non-executable) files (e.g., text files). For example, |
|s||setgid or sgid||This setting is typically applied to directories. If set, any file created in that directory will be associated with the directory's group, rather than with the default file group of the owner. This is useful in setting up directories where many users share access. This setting is sometimes referred to as the "sticky bit", although that phrase has a historical meaning unrelated to this context.|
Sets of class/operator/mode may separated by commas. Using the above definitions, the previous (octal notation) example can be done symbolically:
nersc$ umask 0077 nersc$ touch foo nersc$ ls -l foo -rw------- 1 elvis elvis 0 Nov 19 14:49 foo nersc$ chmod u+x,go+rx foo nersc$ ls -l foo -rwxr-xr-x 1 elvis elvis 0 Nov 19 14:49 foo
Unix File Groups¶
Unix file groups provide a means to control access to shared data on disk and tape.
Overview of Unix Groups¶
Every user on a Unix system is a member of one or more Unix groups, including their primary or default group. Every file (or directory) on the system has an owner and an associated group. When a user creates a file, the file's associated group will be the user's default group. The user (owner) has the ability to change the associated group to any of the groups to which the user belongs. Unix groups can be defined that allow users to share data with other users who belong to the same group.
Unix Groups at NERSC¶
Group names are limited to eight characters. A user's default group is the same as their username. NERSC users usually belong to several other groups, including groups associated with specific research projects. For example, consider a NERSC user named "elvis", who is working with the "Big Science" research project. This project has an allocation on NERSC's MPP systems, controlled by the repository (repo) "bigsci". Associated with this the repo is the Unix group "bigsci". The user (elvis) would then be a member of two file groups, elvis and bigsci. Because a NERSC user can be a member of more than one research project, such a user would be a member of more than one repo-associated Unix groups.
NERSC PIs, PI Proxies, and Project Managers can manage group membership within Iris. Continuing with the example above, if user elvis wants to collaborate with another user "jimi", but does not want other members of bigsci to be able to see the data, the PI for Big Science could create a new group (for example, "ejdata", for elvis and jimi's data). The PI would then add elvis and jimi to the ejdata group. Those two users could then use "group permissions" on directories and files to share data with one another. Currently, PIs who wish to create a new Unix group should contact NERSC Consulting.
Useful Unix Group Commands¶
|groups username||List group membership|
|id username||List group membership|
|ls -l||List group associated with file or directory|
|chgrp||Change group associated with file or directory|
|newgrp||Create new shell with different default group|
|sg||Execute command with different default group|
Permission Adjustment at NERSC¶
PIs and PI Proxies can use the PI Toolbox to adjust permissions in their CFS directories. They can use this portal to change group permissions, make files and directory group readable (or writable), and change ownership of files.