Skip to content

Controlling access to your data#

The shared filesystem used in our clusters (GPFS) supports extended POSIX Access Control Lists (ACL). This guide explains how to set a POSIX ACLs to allow other users of the clusters to access your files or to keep them hidden should you so desire.

The basic commands are:

  • setfacl
  • getfacl

The first changes an ACL and the second shows the ACL in place.

There is extensive documentation available via the man pages. These are also viewable online for getfacl and setfacl.

These commands also show and change the traditional file mode permission bits as does the basic chmod tool.

Querying an ACL#

$ getfacl /work/scitas-ge
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge
# owner: root
# group: scitas-ge-unit
# flags: -st
user::rwx
group::rwx
mask::rwx
other::---

Here we see that the directory belongs to scitas user and that is associated to the scitas-ge-unit group.

There are 3 ACLs in place:

  1. The user root can read, write and execute
  2. The group scitas-ge-unit can read, write and execute
  3. Other users (i.e. everybody) can't do anything

Permissions displayed with an empty middle field are the base ACL entries, such as user::rwx, which correspond to the standard permissions displayed with ls -l which can also be changed with chmod.

The above example would result in ls -l showing the permissions as -rwxrwx--- or 770 in numeric notation.

ACLs allow us to apply much finer grained access control.

You can see if there is an extended ACL in place using ls:

$ ls -ld /work/scitas-ge/
drwxrws--T+ 67 root scitas-ge-unit 4096 Aug 28 11:18 /work/scitas-ge/

The + after the permissions shows the presence of an extended ACL.

Setting an ACL#

Here we give a few examples of the syntax for setting ACLs.

Allow a user to read and execute#

Add permission to the sub-folder you want to give access to#

Folders you own

Please note you can only do this to folders you own. You cannot give additional permissions to a folder created by another lab member.

setfacl -R -m u:bob:rX /work/scitas-ge/acl_example

where:

  • -R means recursive, which means all files in that sub-folder will also get this ACL set.
  • -m means modify.
  • u:bob:rX means the user bob gets read/execute permissions.
  • note that we are using X (instead of x) for the execute permission as it will set the execute permission conditionally (only for directories and files for which another user already has execute permissions)

We can check that the changes have been put in place with getfacl:

$ getfacl /work/scitas-ge/acl_example
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/acl_example
# owner: alice
# group: scitas-ge-unit
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::---

Note the presence of the new line user:bob:r-x.

If you want to give access to an entire group of people (e.g. hpc-<another-lab>) you could replace u:bob:rX in the setfacl command with g:hpc-<another-lab>:rX) for an equivalent result.

Allow the user to traverse the root folder /work/scitas-ge#

Root permissions needed

Since the /work/<lab> directories belong to root, this operation has to be done by SCITAS. Please contact us through 1234@epfl.ch. Note that changing these permissions requires the approval from the head of the lab, so they will need to be added to the ticket.

Since /work/scitas-ge has no execution permission (x) for others, bob won't be allowed to traverse it. We need to give that user the x permission (not recursively this time, since we want the change to be specific to the base directory, not everything else inside).

We will need to run setfacl -m u:bob:x /work/scitas-ge on our side. Please note we are not adding read permissions (i.e. r as above) which means bob will not be able to see the contents of /work/scitas-ge directly. He will however be able to traverse that directory and read/execute the sub-folder we gave him access to.

Once the operation has been completed on our side, you will see the new acl line user:bob:--x:

$ getfacl /work/scitas-ge
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge
# owner: root
# group: scitas-ge-unit
# flags: -st
user::rwx
user:bob:--x
group::rwx
mask::rwx
other::---

Removing an ACL#

Here we want to remove the ACL that gives bob read and execute permissions:

$ getfacl /work/scitas-ge/acl_example
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/acl_example
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::---

Just use the -x option with setfacl to delete permissions:

setfacl -R -x u:bob /work/scitas-ge/acl_example

Please note that only u:bob is given in the command, not the specific permissions. We are removing everything relating to that user, not one concrete permission.

If you run the getfacl command once more will see the line user:bob:r-x is not present anymore.

Removing root folder permissions

Do not forget you may still have a x permission for bob in the root folder (/work/scitas-ge in the examples above). Depending on the status of the collaboration with bob it may be worth contacting us to remove that permission.