Controlling access to your data
The shared filesystem used in our clusters (GPFS) supports extended POSIX Access Control Lists (ACLs). This guide explains how to set POSIX ACLs to allow other users of the clusters to access your files, or to keep them hidden should you so desire.
The basic commands are:
setfacl
getfacl
The first changes an ACL and the second shows the ACL in place.
There is extensive documentation available via the man pages. These are also viewable online for getfacl and setfacl.
These commands also show and change the traditional file mode permission bits as does the basic chmod tool.
Querying an ACL
$ getfacl /work/scitas-ge
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge
# owner: root
# group: scitas-ge-unit
# flags: -st
user::rwx
group::rwx
mask::rwx
other::---
Here we see that the directory belongs to the user root and is associated with the group scitas-ge-unit.
There are 3 ACLs in place:
- The user root can read, write and execute
- The group scitas-ge-unit can read, write and execute
- Other users (i.e. everybody else) can't do anything
Permissions displayed with an empty middle field, such as user::rwx, are the base ACL entries. They correspond to the standard permissions displayed with ls -l, which can also be changed with chmod.
The above example would result in ls -l showing the permissions as -rwxrwx---, or 770 in numeric notation.
ACLs allow us to apply much finer-grained access control.
You can see if there is an extended ACL in place using ls: a + after the permissions shows the presence of an extended ACL.
Setting an ACL
Here we give a few examples of the syntax for setting ACLs.
Allow a Unix group to read
Add permission to the sub-folder you want to give access to
- -R means recursive
- -m means modify
- g:myfriends:rX means the Unix group myfriends and read/execute
- note that we are using X (instead of x) for the execute permission, as it sets the execute permission conditionally (only for directories, and for files on which another user already has execute permission)
We can check that the changes have been put in place with getfacl:
$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
group::r-x
group:myfriends:r-x
mask::r-x
other::---
Note the presence of the new line group:myfriends:r-x.
Allow the group to traverse the root folder /work/scitas-ge
Since /work/scitas-ge has no execute permission (x) for other, members of the group myfriends won't be allowed to traverse it. We need to give the myfriends group the x permission (not recursively this time):
Here we can see the new ACL line group:myfriends:--x:
$ getfacl /work/scitas-ge
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge
# owner: scitas
# group: scitas-ge-unit
# flags: -st
user::rwx
group::rwx
group:myfriends:--x
mask::rwx
other::---
Allow a user to read and execute
Here we want to allow the user bob to have read and execute permissions on the directory /work/scitas-ge/scitas and everything inside of it.
Add permission to the sub-folder you want to give access to
Here, u:bob:rX means the user bob and read/execute.
We can check that the changes have been put in place with getfacl:
$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::r-x
Note the presence of the new line user:bob:r-x.
Allow the user to traverse the root folder /work/scitas-ge
Since /work/scitas-ge has no execute permission (x) for other, bob won't be able to traverse it. We need to give bob the x permission (not recursively this time):
Here we can see the new permission line user:bob:--x:
$ getfacl /work/scitas-ge
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge
# owner: root
# group: scitas-ge-unit
# flags: -st
user::rwx
user:bob:--x
group::rwx
mask::rwx
other::---
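To make the traversal rule from the two sections above concrete, here is an added example (not part of the SCITAS documentation) that applies the POSIX.1e access-check order, including the mask entry, to getfacl output constructed from the page's own listings. The user names alice and carol and the group users are assumed for the checks.

```python
PERM = {"r", "w", "x"}

def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): perms}) from getfacl output."""
    owner = group = None
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # getfacl may append "#effective:r-x" to a masked entry; drop it first
            tag, qual, perms = line.split("#")[0].strip().split(":")
            acl[(tag, qual)] = set(perms) & PERM
    return owner, group, acl

def effective(acl_info, user, groups):
    """POSIX.1e order: owner, named user, owning/named groups (masked), other."""
    owner, owning_group, acl = acl_info
    mask = acl.get(("mask", ""), PERM)  # no mask entry: nothing is filtered
    if user == owner:
        return acl[("user", "")]
    if ("user", user) in acl:
        return acl[("user", user)] & mask
    matches = [acl[("group", "")]] if owning_group in groups else []
    matches += [acl[("group", g)] for g in groups if ("group", g) in acl]
    if matches:
        return set().union(*matches) & mask
    return acl[("other", "")]

def can_access(chain, user, groups, wanted):
    """chain: parsed ACLs from the top directory down to the target; every ancestor
    must grant 'x' (traverse) and the target must grant all of `wanted`."""
    for ancestor in chain[:-1]:
        if "x" not in effective(ancestor, user, groups):
            return False
    return set(wanted) <= effective(chain[-1], user, groups)

# Constructed getfacl output matching the page's /work/scitas-ge examples
ROOT_DIR = parse_getfacl("# owner: root\n# group: scitas-ge-unit\nuser::rwx\n"
                         "group::rwx\ngroup:myfriends:--x\nmask::rwx\nother::---")
SUB_DIR = parse_getfacl("# owner: scitas\n# group: scitas-ge-unit\nuser::rwx\n"
                        "group::r-x\ngroup:myfriends:r-x\nmask::r-x\nother::---")
# The same root directory before the traverse entry was added
ROOT_NO_TRAVERSE = parse_getfacl("# owner: root\n# group: scitas-ge-unit\nuser::rwx\n"
                                 "group::rwx\nmask::rwx\nother::---")
```

Calling can_access([ROOT_DIR, SUB_DIR], "alice", ["myfriends"], "rx") answers whether a member of myfriends can list /work/scitas-ge/scitas; swapping in ROOT_NO_TRAVERSE shows why the extra --x entry on the parent is required.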
Prevent people who are not in your group from accessing files or directories
The following command is equivalent to chmod -R o-rwx /work/scitas-ge/scitas:
We now see that the others have no permissions:
$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---
Removing an ACL
Here we want to remove the ACL that gives bob read and execute permissions:
$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::---
Use the -x option with setfacl to delete permissions:
Here you can see the ACL line user:bob:r-x is not present anymore, as desired: