
Controlling access to your data#

The shared filesystem used in our clusters (GPFS) supports extended POSIX Access Control Lists (ACLs). This guide explains how to set POSIX ACLs to allow other users of the clusters to access your files, or to keep them hidden should you so desire.

The basic commands are:

  • setfacl
  • getfacl

The first changes an ACL and the second shows the ACL in place.

There is extensive documentation available via the man pages. These are also viewable online for getfacl and setfacl.

These commands also show and change the traditional file mode permission bits, just as the basic chmod tool does.

Querying an ACL#

$ getfacl /work/scitas-ge
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge
# owner: root
# group: scitas-ge-unit
# flags: -st
user::rwx
group::rwx
mask::rwx
other::---

Here we see that the directory belongs to the user root and is associated with the group scitas-ge-unit.

There are 3 ACL entries in place:

  1. The user root can read, write and execute
  2. The group scitas-ge-unit can read, write and execute
  3. Other users (i.e. everybody else) can't do anything

Entries with an empty middle field, such as user::rwx, are the base ACL entries: they correspond to the standard permissions displayed by ls -l and can also be changed with chmod.

The above example would result in ls -l showing the permissions as -rwxrwx--- or 770 in numeric notation. The # flags: -st line reports the setuid, setgid and sticky bits in that order, so here setgid and sticky are set, which is why ls -ld shows rws and T in place of rwx and - for the same directory.

ACLs allow us to apply much finer-grained access control.

You can see if there is an extended ACL in place using ls:

$ ls -ld /work/scitas-ge/
drwxrws--T+ 67 root scitas-ge-unit 4096 Aug 28 11:18 /work/scitas-ge/

The + after the permissions shows the presence of an extended ACL.

Setting an ACL#

Here we give a few examples of the syntax for setting ACLs.

Allow a Unix group to read#

Add permission to the sub-folder you want to give access to#

$ setfacl -R -m g:myfriends:rX /work/scitas-ge/acl_example

  • -R means recursive
  • -m means modify
  • g:myfriends:rX means the Unix group myfriends gets read and execute
    • note that we use X (instead of x) for the execute permission: X sets execute only on directories, and on files that already have execute permission for some user, so ordinary data files are not made executable

We can check that the changes have been put in place with getfacl:

$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
group::r-x
group:myfriends:r-x
mask::r-x
other::---

Note the presence of the new line group:myfriends:r-x.

Allow the group to traverse the root folder /work/scitas-ge#

Since /work/scitas-ge has no execute permission (x) for other, members of the group myfriends won't be allowed to traverse it. We need to give the group myfriends the x permission on that directory (not recursively this time):

$ setfacl -m g:myfriends:X /work/scitas-ge

Here we can see the new ACL entry group:myfriends:--x:

$ getfacl /work/scitas-ge
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge
# owner: scitas
# group: scitas-ge-unit
# flags: -st
user::rwx
group::rwx
group:myfriends:--x
mask::rwx
other::---

Allow a user to read and execute#

Here we want to allow the user bob to have read and execute permissions on the directory /work/scitas-ge/scitas and everything inside of it.

Add permission to the sub-folder you want to give access to#

$ setfacl -R -m u:bob:rX /work/scitas-ge/scitas

Here, u:bob:rX means the user bob gets read and execute.

We can check that the changes have been put in place with getfacl:

$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::r-x

Note the presence of the new line user:bob:r-x.

Allow the user to traverse the root folder /work/scitas-ge#

Since /work/scitas-ge has no execute permission (x) for other, bob won't be able to traverse it. We need to give bob the x permission on that directory (not recursively this time):

$ setfacl -m u:bob:X /work/scitas-ge

Here we can see the new ACL entry user:bob:--x:

$ getfacl /work/scitas-ge
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge
# owner: root
# group: scitas-ge-unit
# flags: -st
user::rwx
user:bob:--x
group::rwx
mask::rwx
other::---
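The two "traverse the root folder" steps above follow from a rule that applies to every ACL on the path: a user must hold x on each ancestor directory before the entry on the target directory matters at all, and every named entry is further limited by the mask:: entry. The following script is an added example, not part of the SCITAS documentation or its tooling: it parses getfacl output and applies the access-check order described in acl(5) (owner, then named user, then owning and named groups limited by the mask, then other) to each directory on a path. The ROOT and SUB texts are copied from the states shown in this guide; the user alice, the group memberships, and the mask::--- state (what getfacl reports after chmod g-rwx on a directory that carries an extended ACL) are constructed for the example.

```python
# Added example, not SCITAS tooling: who can reach a path, from getfacl output, per acl(5).
from dataclasses import dataclass, field

@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""
    user_obj: str = ""             # user::  entry (the owner)
    group_obj: str = ""            # group:: entry (the owning group)
    other: str = ""                # other:: entry
    mask: str = ""                 # mask:: entry; empty when no extended ACL is set
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)

def _bits(perms):
    return {c for c in perms if c in "rwx"}            # "r-x" -> {"r", "x"}

def parse_getfacl(text):
    """Parse one file's getfacl stdout into an Acl (the 'Removing leading' notice is stderr)."""
    acl = Acl()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):                       # "# file:", "# owner:", "# group:", "# flags:"
            key, _, value = line[1:].strip().partition(":")
            value = value.strip()
            if key == "file":
                acl.path = value if value.startswith("/") else "/" + value
            elif key in ("owner", "group"):
                setattr(acl, key, value)
            continue
        parts = line.split("#", 1)[0].strip().split(":")  # drop "#effective:" annotations
        if len(parts) != 3:
            continue
        tag, qualifier, perms = parts
        if tag in ("user", "group") and qualifier:     # user:bob:... / group:myfriends:...
            getattr(acl, "named_" + tag + "s")[qualifier] = perms
        elif tag in ("user", "group"):                 # user::... / group::...
            setattr(acl, tag + "_obj", perms)
        elif tag in ("mask", "other"):
            setattr(acl, tag, perms)
    return acl

def can(acl, user, groups, wanted):
    """True if `user` (a member of `groups`) holds every bit in `wanted` on this object."""
    wanted = _bits(wanted)
    mask = _bits(acl.mask) if acl.mask else set("rwx")
    if user == acl.owner:                              # 1. owner entry; the mask does not apply
        return wanted <= _bits(acl.user_obj)
    if user in acl.named_users:                        # 2. named user entry, limited by the mask
        return wanted <= (_bits(acl.named_users[user]) & mask)
    matching = [acl.group_obj] if acl.group in groups else []
    matching += [p for g, p in acl.named_groups.items() if g in groups]
    if matching:                                       # 3. owning/named group entries, limited by
        return any(wanted <= (_bits(p) & mask) for p in matching)  # the mask; one must grant all
    return wanted <= _bits(acl.other)                  # 4. everyone else

def can_reach(acls_root_to_leaf, user, groups, leaf_wanted):
    """Every ancestor must grant search (x); returns (ok, first path that denies)."""
    *ancestors, leaf = acls_root_to_leaf
    for acl, wanted in [(a, "x") for a in ancestors] + [(leaf, leaf_wanted)]:
        if not can(acl, user, groups, wanted):
            return False, acl.path
    return True, None

# ROOT and SUB are getfacl stdout copied from the states shown in this guide
ROOT = """\
# file: work/scitas-ge
# owner: root
# group: scitas-ge-unit
# flags: -st
user::rwx
group::rwx
group:myfriends:--x
mask::rwx
other::---
"""
ROOT_BOB = ROOT.replace("user::rwx", "user::rwx\nuser:bob:--x")   # after setfacl -m u:bob:X
SUB = """\
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::---
"""
SUB_GROUP = SUB.replace("user:bob:r-x\ngroup::r-x", "group::r-x\ngroup:myfriends:r-x")
# Constructed: SUB after `chmod g-rwx`. With an extended ACL present, chmod's group bits
# rewrite the mask entry, and getfacl marks every entry the mask silences.
SUB_MASKED = SUB.replace("user:bob:r-x", "user:bob:r-x\t\t#effective:---").replace("mask::r-x", "mask::---")

def demo():
    """Can each principal read /work/scitas-ge/scitas? ('alice' is a constructed user.)"""
    root, root_bob, sub, sub_group, sub_masked = map(parse_getfacl, (ROOT, ROOT_BOB, SUB, SUB_GROUP, SUB_MASKED))
    return {
        "bob, no traverse grant on /work/scitas-ge": can_reach([root, sub], "bob", set(), "r"),
        "bob, after setfacl -m u:bob:X": can_reach([root_bob, sub], "bob", set(), "r"),
        "bob, mask cleared by chmod g-rwx": can_reach([root_bob, sub_masked], "bob", set(), "r"),
        "alice, member of myfriends": can_reach([root, sub_group], "alice", {"myfriends"}, "r"),
    }
```

The mask case is the one to remember: a later chmod on a directory that carries an extended ACL rewrites the mask entry rather than the named entries, so a user:bob:r-x line can still be present while bob is effectively locked out. getfacl marks such entries with #effective:, so re-run getfacl after any chmod on a shared directory.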

Prevent people who are not in your group from accessing files or directories#

The following command is equivalent to chmod -R o-rwx /work/scitas-ge/scitas:

$ setfacl -R -m o::--- /work/scitas-ge/scitas

We now see that others have no permissions:

$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---

Removing an ACL#

Here we want to remove the ACL that gives bob read and execute permissions:

$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
user:bob:r-x
group::r-x
mask::r-x
other::---

Just use the -x option with setfacl to delete an entry; the entry is named by its qualifier (u:bob) without any permissions:

$ setfacl -R -x u:bob /work/scitas-ge/scitas/

Here you can see that the ACL entry user:bob:r-x is no longer present, as desired:

$ getfacl /work/scitas-ge/scitas
getfacl: Removing leading '/' from absolute path names
# file: work/scitas-ge/scitas
# owner: scitas
# group: scitas-ge-unit
# flags: -s-
user::rwx
group::r-x
mask::r-x
other::---