Controlling access to your data#

The shared filesystem used in our clusters (GPFS) supports extended POSIX Access Control Lists (ACLs). This guide explains how to set POSIX ACLs to give other users of the clusters access to your files, or to keep them hidden, as you choose.

The basic commands are:

  • setfacl
  • getfacl

The first changes an ACL and the second shows the ACL in place.

There is extensive documentation available via the man pages. These are also viewable online for getfacl and setfacl.

These commands also show and change the traditional file mode permission bits as does the basic chmod tool.

Querying an ACL#

$ getfacl /work/scitas-ge/scitas 
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
group::r-x
other::r-x

Here we see that the directory belongs to the user scitas and is associated with the group scitas-ge.

There are 3 ACL entries in place:

  1. The user scitas can read, write and execute
  2. The group scitas-ge can read and execute
  3. Other users (i.e. everybody) can read and execute

Entries with an empty middle field, such as user::rwx, are the base ACL entries. They correspond to the standard permission bits displayed by ls -l and can also be changed with chmod.

For the directory above, ls -ld would show the permissions as drwxr-sr-x, or 2755 in numeric notation: the leading 2 is the setgid bit reported on the # flags: -s- line, which ls displays as an s in place of the group execute bit.

ACLs allow us to apply much finer grained access control.

You can see whether an extended ACL is in place using ls:

$ ls -ld /work/scitas-ge/scitas/
drwxr-s---+ 2 scitas scitas-ge 4096 Apr 4 11:15 /work/scitas-ge/scitas/

The + after the permission bits shows the presence of an extended ACL, i.e. one that contains entries for named users or groups beyond the base entries.

Setting an ACL#

Here we give a few examples of the syntax for setting ACLs.

Allow a Unix group to read#

$ setfacl -R -m g:myfriends:rX /work/scitas-ge/scitas

  • -R means recursive
  • -m means modify
  • g:myfriends:rX means the Unix group myfriends gets read and execute
    • note that we use a capital X (instead of x) for execute: it grants execute only on directories and on files that already have execute permission for some user, so ordinary data files are not made executable just because the directory is traversable

We can check that the changes have been put in place with getfacl:

$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
group::r-x
group:myfriends:r-x
mask::r-x
other::r-x

Note the presence of the new line group:myfriends:r-x, and of a mask::r-x entry that setfacl created automatically. The mask caps the effective permissions of every named user, named group and owning-group entry (but not of the owner or of other), so if a later chmod reduces the group bits the named entries are silently restricted too; getfacl then annotates such entries with #effective:.

Allow a user to read and execute#

Here we want to allow the user bob to have read and execute permissions on the directory /work/scitas-ge/scitas and everything inside of it:

$ setfacl -R -m u:bob:rX /work/scitas-ge/scitas

Here, u:bob:rX means the user bob gets read and execute.

We can check that the changes have been put in place with getfacl:

$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::r-x

Note the presence of the new line user:bob:r-x.

Prevent people who are not in your group from accessing files or directories#

The following command is equivalent to chmod -R o-rwx /work/scitas-ge/scitas:

$ setfacl -R -m o::--- /work/scitas-ge/scitas

We now see that others have no permissions. Note that this changes only the other:: entry: any named user or group entries that were added earlier (such as user:bob:r-x) keep the access they were given and must be removed explicitly to revoke it.

$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
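Because the mask caps named entries and because other::--- leaves named entries untouched, the rights a getfacl listing actually grants are not always the rights written on each line. The following script, added here as an example and not part of the SCITAS documentation, applies the mask to a getfacl listing with plain sh and awk (so it needs no ACL-capable filesystem) and lists which entries still have a given permission. The listing it parses is constructed for the example, not captured from a cluster.

```shell
#!/bin/sh
# Added example (not from the SCITAS page): compute the *effective* rights of
# each getfacl entry once the mask:: entry is applied, then list who holds a
# given permission. Only POSIX sh and awk are used.

# Constructed getfacl output (not captured from a real cluster): the group
# myfriends was granted rwx, but the mask is r-x, so its write bit is void.
SAMPLE_ACL='# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
group:myfriends:rwx
mask::r-x
other::---'

# acl_effective: read getfacl output on stdin and print one line per entry:
#   <tag>:<qualifier>: <granted> <effective> [masked]
# The mask caps named users, named groups and the owning group (group::).
# It never applies to the owner (user::) or to other::.
acl_effective() {
    awk '
        /^#/ || $0 == "" { next }
        {
            line = $0
            sub(/[ \t]+#effective:.*$/, "", line)   # drop the annotation getfacl adds
            if (split(line, f, ":") < 3) next
            entries[++n] = line
            if (f[1] == "mask") mask = f[3]
        }
        END {
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                tag = f[1]; who = f[2]; perm = f[3]
                eff = perm
                masked_kind = (tag == "group") || (tag == "user" && who != "")
                if (mask != "" && masked_kind) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {          # r, w, x positions
                        p = substr(perm, j, 1); m = substr(mask, j, 1)
                        c = (p != "-" && m != "-") ? p : "-"
                        eff = eff c
                    }
                }
                note = (eff != perm) ? " masked" : ""
                printf "%s:%s: %s %s%s\n", tag, who, perm, eff, note
            }
        }'
}

# acl_holders: print the entry prefix (user::, user:bob:, group:myfriends:, ...)
# of every principal whose *effective* rights include the given permission
# character ("r", "w" or "x"). The mask:: line itself is not a principal.
acl_holders() {
    acl_effective | awk -v want="$1" '
        $1 !~ /^mask:/ && index($3, want) > 0 { print $1 }'
}

# Demo: the effective table, then who can still write after other::---.
printf '%s\n' "$SAMPLE_ACL" | acl_effective
printf '%s\n' "$SAMPLE_ACL" | acl_holders w
```

Run it against a real directory with `getfacl /work/scitas-ge/scitas | acl_effective` after sourcing the script; an entry marked `masked` has been granted more than the mask allows, which is exactly what a later `chmod g-w` on the directory would cause.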

Removing an ACL#

Here we remove the entry that gives bob read and execute permissions. -x removes a named entry; unless -n is given, setfacl recalculates the mask afterwards:

$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::---
$ setfacl -R -x u:bob /work/scitas-ge/scitas/
$ getfacl /work/scitas-ge/scitas/
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas/
# owner: scitas
# group: scitas-ge
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---


Last update: May 2, 2024