Controlling access to your data#
The shared filesystem used in our clusters (GPFS) supports extended POSIX Access Control Lists (ACLs). This guide explains how to set POSIX ACLs to allow other users of the clusters to access your files, or to keep them hidden should you so desire.
The basic commands are:
setfacl
getfacl
The first changes an ACL and the second shows the ACL in place.
There is extensive documentation available via the man pages. These are also viewable online for getfacl and setfacl.
These commands also show and change the traditional file mode permission bits as does the basic chmod tool.
Querying an ACL#
$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
group::r-x
other::r-x
Here we see that the directory belongs to the scitas user and is associated with the scitas-ge group.
There are three ACL entries in place:
- The user scitas can read, write and execute
- The group scitas-ge can read and execute
- Other users (i.e. everybody else) can read and execute
Entries with an empty middle field, such as user::rwx, are the base ACL entries. They correspond to the standard permission bits displayed by ls -l and can also be changed with chmod. Leaving aside the setgid bit reported on the flags line (# flags: -s-), the example above corresponds to rwxr-xr-x in ls -l output, or 755 in numeric notation.
ACLs allow us to apply much finer-grained access control. You can see whether an extended ACL is in place using ls:
$ ls -ld /work/scitas-ge/scitas/
drwxr-s---+ 2 scitas scitas-ge 4096 Apr 4 11:15 /work/scitas-ge/scitas/
The + after the permissions shows the presence of an extended ACL. Once an extended ACL is present, the group permission bits shown by ls -l reflect the ACL mask entry rather than the owning group's own entry, so use getfacl to see who really has access.
Setting an ACL#
Here we give a few examples of the syntax for setting ACLs.
Allow a Unix group to read#
$ setfacl -R -m g:myfriends:rX /work/scitas-ge/scitas
- -R means recursive: the entry is applied to the directory and to everything that currently exists inside it. Files created later are not affected; they get their permissions from your umask and from any default ACL set on the directory.
- -m means modify: the entry is added to, or updated in, the existing ACL.
- g:myfriends:rX means the Unix group myfriends gets read and execute. Note that we are using X (instead of x) for the execute permission: it grants execute on directories, and on regular files only if some user already has execute permission on them, so ordinary data files do not become executable.
We can check that the changes have been put in place with getfacl:
$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
group::r-x
group:myfriends:r-x
mask::r-x
other::r-x
Note the presence of the new line group:myfriends:r-x. setfacl has also added a mask::r-x entry: the mask is the upper bound on what named users, named groups and the owning group can actually do, so a later chmod g-x on this directory would tighten the mask and silently reduce what myfriends can do.
Allow a user to read and execute#
Here we want to allow the user bob to have read and execute permissions on the directory /work/scitas-ge/scitas and everything inside of it:
$ setfacl -R -m u:bob:rX /work/scitas-ge/scitas
u:bob:rX means the user bob gets read and execute (X behaves as described above). Remember that bob also needs execute (search) permission on every parent directory, /work and /work/scitas-ge, to reach the files at all.
We can check that the changes have been put in place with getfacl:
$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::r-x
Note the presence of the new line user:bob:r-x.
Prevent people who are not in your group from accessing files or directories#
The following command sets the base other entry to no permissions and is equivalent to chmod -R o-rwx /work/scitas-ge/scitas:
$ setfacl -R -m o::--- /work/scitas-ge/scitas
We now see that others have no permissions. Named user or group entries, if any are present in the ACL, are not affected by this and keep their access:
$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
Removing an ACL#
Here we remove the entry that gives bob read and execute permissions. Before the change the ACL looks like this:
$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::---
The entry is removed with -x; only the entry to remove is named, without any permissions:
$ setfacl -R -x u:bob /work/scitas-ge/scitas
Afterwards bob no longer appears in the ACL and falls under other::---:
$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
The mask::r-x entry stays behind even though no named entries are left. To strip every extended entry and keep only the three base entries, use setfacl -R -b /work/scitas-ge/scitas; afterwards ls -l no longer shows the + marker.
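To make the evaluation order and the role of the mask concrete, here is an added example that is not part of this guide nor of the getfacl/setfacl tools. It parses getfacl output of the kind shown above and computes what a given user can do on the object, following the POSIX.1e access check: owner first, then a named user entry, then the owning group together with any named groups, then other, with the mask capping everything except the owner and other entries. The sample ACL is constructed for the example and combines the bob, myfriends and other changes from the sections above; group membership is passed in by hand rather than looked up, and the user names alice, carol and dave are invented.

```python
"""Compute effective permissions from getfacl output (POSIX.1e access check).

Added example, not part of the cluster documentation or of the acl tools.
"""
import re
from collections import namedtuple

# Constructed sample output, in the format getfacl prints on the cluster,
# combining the group, user and "other" changes made in the sections above.
SAMPLE_ACL = """\
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
group:myfriends:r-x
mask::r-x
other::---
"""

Entry = namedtuple("Entry", "tag qualifier perms")


def parse_getfacl(text):
    """Return (owner, owning group, [Entry]) from getfacl output."""
    owner = owning_group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m and m.group(1) == "owner":
                owner = m.group(2)
            elif m:
                owning_group = m.group(2)
            continue
        if line.startswith("default:"):
            continue  # default entries are inherited by new files, not checked here
        tag, qualifier, perms = line.split(":", 2)
        perms = perms.split()[0]  # drop any "#effective:..." annotation
        entries.append(Entry(tag, qualifier, frozenset(perms) & frozenset("rwx")))
    return owner, owning_group, entries


def effective_permissions(acl_text, user, groups=()):
    """Permissions `user` (a member of `groups`) gets on the object.

    Entries are tried in the POSIX.1e order: owner, named user, owning group
    and named groups (all matching group entries are combined), other.  The
    mask caps every entry except the owner's and other's.
    """
    owner, owning_group, entries = parse_getfacl(acl_text)
    by_key = {(e.tag, e.qualifier): e.perms for e in entries}
    mask = by_key.get(("mask", ""))  # absent when there is no extended ACL

    def masked(perms):
        return perms if mask is None else perms & mask

    if user == owner:                       # 1. owner: base entry, never masked
        return by_key[("user", "")]
    if ("user", user) in by_key:            # 2. named user
        return masked(by_key[("user", user)])
    group_perms, matched = frozenset(), False
    if owning_group in groups:              # 3. owning group ...
        group_perms |= by_key[("group", "")]
        matched = True
    for g in groups:                        # ... and named groups
        if ("group", g) in by_key:
            group_perms |= by_key[("group", g)]
            matched = True
    if matched:                             # a group match never falls through to other
        return masked(group_perms)
    return by_key[("other", "")]            # 4. everybody else


def perm_string(perms):
    """Render a permission set the way getfacl does, e.g. 'r-x'."""
    return "".join(c if c in perms else "-" for c in "rwx")


if __name__ == "__main__":
    cases = [("scitas", ["scitas-ge"]), ("bob", []), ("alice", ["myfriends"]),
             ("carol", ["scitas-ge"]), ("dave", [])]
    for who, grps in cases:
        print(f"{who:8} {perm_string(effective_permissions(SAMPLE_ACL, who, grps))}")
    # chmod g-x on a directory with an extended ACL rewrites the mask, not the
    # group entry, and silently trims bob's and myfriends' access to read only.
    tightened = SAMPLE_ACL.replace("mask::r-x", "mask::r--")
    print("bob after chmod g-x:", perm_string(effective_permissions(tightened, "bob")))
```

Running it shows scitas with rwx, bob and a myfriends member with r-x, a scitas-ge member with r-x and an unrelated user with nothing; the last line shows bob reduced to r-- once the mask is tightened, which is the trap behind the "mask" entry that getfacl prints after the first setfacl -m.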