Linux permissions
PI Group Shared Directories
In what follows, text in monospaced font is meant to be typed or is output. For example, the directory /gpfs1/user/g/r/grundoon indicates an actual directory name.
PI groups have shared directories available at these locations.
/gpfs1/pi/PI_UVM_NetID
/gpfs2/scratch/pi/PI_UVM_NetID
NOTE: Replace PI_UVM_NetID with your (or your PI’s) UVM NetID. For example, if the PI’s UVM NetID is grundoon, then the location of the shared directories would be /gpfs1/pi/grundoon and /gpfs2/scratch/pi/grundoon.
If you have a project that spans across PI groups, please contact us for options.
About Permissions
Default permissions are automatically set to: 750 (user: r/w/x, group: r/x, other: none).
Each file and directory in a UNIX system has three permission classes — user (u), group (g), other (o) — and three possible permission modes for each class — read (r), write (w), execute (x).
Permission Classes
- user (u) permissions apply only to the user (owner) and do not impact other users
- group (g) permissions apply only to the group and do not impact other users
- other (o) permissions apply to ALL other users on a system and should be used very carefully. We strongly encourage the use of ACLs instead of using the “other” permission.
Permission Modes
FILES
- read (r) grants permission to view the contents of the file
- write (w) grants permission to modify or remove the contents of the file
- execute (x) grants permission to run the file as a program
DIRECTORIES
- read (r) means that the user can look at the filenames inside the directory
- write (w) grants permission to add or delete files from the directory
- execute (x) grants permission to traverse, or cd into, the directory
Please note:
- Users who have write permission (w) for a directory can delete files in the directory without having write permission (w) for those files
- Subdirectories can have less restrictive permissions than their parent directories. However, if you change directory permissions recursively, you are changing them for all the files and subdirectories in that directory tree.
- An alternative to changing permissions recursively is to set them selectively.
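The first "please note" point is the one that surprises people most, so here is an added example (not from the VACC documentation) that demonstrates it in a throwaway directory: whether a file can be removed depends on write permission on the directory, not on the file. It assumes a Linux shell with mktemp, and that you run it as a regular user, since root bypasses these permission checks.

```shell
#!/bin/sh
# Added example, not from the VACC documentation. Demonstrates that deleting a
# file is governed by write permission on the DIRECTORY, not on the file itself.
# Everything happens under a temporary directory created by mktemp.
# Caveat: root bypasses these checks, so run this as a regular user.

# try_delete DIR_MODE FILE_MODE
# Creates d/f under a temp dir, applies the two modes, tries to remove f,
# and prints "deleted" or "denied".
try_delete() {
    work=$(mktemp -d)
    mkdir "$work/d"
    : > "$work/d/f"
    chmod "$2" "$work/d/f"
    chmod "$1" "$work/d"
    if rm -f "$work/d/f" 2>/dev/null; then
        result=deleted
    else
        result=denied
    fi
    chmod 700 "$work/d"    # restore write access so the cleanup below succeeds
    rm -rf "$work"
    echo "$result"
}

# A read-only file (444) inside a writable directory (700): the owner can still delete it.
try_delete 700 444
# A writable file (644) inside a directory without w (500): deletion is refused.
try_delete 500 644
```

The second call prints "denied" for an ordinary user; this is why group write permission on a shared directory effectively grants the group the right to remove every file in it, whatever the files' own modes say.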
Checking Your Current Permissions
To see the permissions currently set in your file space, use the command ls -l. For example, with permissions set to 750, they might look like this:
-rwxr-x--- 1 username pi-username size date filename
drwxr-x--- 6 username pi-username size date directory
As you can see, the file permissions (files are designated by an initial “-”) are set to “rwx” for the user (owner), “r-x” for the group, and “---” for other. The directory permissions (directories are designated by an initial “d”) are the same: “rwx” for the user (owner), “r-x” for the group, and “---” for other. So for both the file and the directory, the user has read, write and execute permission; the group has read and execute permission; other has no permissions.
Changing Permissions with chmod
To modify the permission flags on existing files and directories, use the chmod command (“change mode”). It can be used for individual files or it can be run recursively with the -R option to change permissions for all of the subdirectories and files within a directory.
The chmod command specifies which class or classes (user, group, other) have access to the file or directory in various modes (read, write, execute).
There are also operators that can be used with the chmod command:
- Use + and – to add or remove selected permissions for a class without changing its other permissions.
- Use = to specify all of the permissions for a class at once. If a class is not mentioned explicitly, its permissions are unchanged even if the = operator is used for a different class.
Follow this format:
chmod [classes][operator][modes] filename
Examples
Add selected permissions for a group:
Let’s say the user (owner) can read, write, and execute this file. Groups can read and execute, but not write. The permissions would be:
-rwxr-x--- 1 username pi-username size date filename
Add group (g) permissions to write (w) like this:
$ chmod g+w filename
The new file permissions would be:
-rwxrwx--- 1 username pi-username size date filename
Note that the permissions that were not specified were not changed: The user class permissions and other class permissions did not change.
Specify all permissions for a group:
To set permissions for a single class, such as group (g), use the = operator.
$ chmod g=rx filename
In this case, the only permissions affected were those for the specified class: group. The group can now read and execute, but not write to the file. Permissions for the user class and other class were not changed because they were not specified.
Specify permissions for sets of classes:
To set permissions for multiple classes with a single command, separate the class settings with a comma.
$ chmod u=rwx,g=rwx,o+rx filename
The new file permissions would be:
-rwxrwxr-x 1 username pi-username size date filename
Set permissions selectively:
This example shows how to give your group access to all of the files and subdirectories in a directory, but limit other users’ access to specified files.
$ chmod -R u=rwx,g=rwx,o+x /users/u/s/username/directory/
$ chmod u=rwx,g=rwx,o+rx /users/u/s/username/directory/subdirectory/file1
$ chmod u=rwx,g=rwx,o+rx /users/u/s/username/directory/subdirectory/file2
The result is that group members have all rights to files in the specified directories and subdirectories. Others have permission to traverse the directories as needed to read and execute file1 and file2.
Changing default permissions with umask:
To change the default permissions that are set when you create a file or directory within a session or with a script, use the umask command.
The syntax is similar to that of chmod (above), but use the = operator to set the default permissions. However, umask works by subtraction: the value you set is removed from the default system mask (777 for directories, 666 for files) to give the mode that new files and directories receive.
For example, if you set your umask to 022 by typing:
umask 022
then the mask for your session becomes "the new mask" below:
Item | Default mask | umask set to | The new mask |
---|---|---|---|
Directories | 777 | 022 | 755 |
Files | 666 | 022 | 644 |
So for the remainder of your session or script, directories are created with 755 and files with 644. As an aside, this is typically the default on most Linux installations.
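To see the table above in action, here is an added example (not from the VACC documentation) that creates a directory and a file under a chosen umask and reads back the resulting octal modes. It assumes Linux with GNU coreutils (for stat -c '%a') and mktemp.

```shell
#!/bin/sh
# Added example, not from the VACC documentation. Shows the "default mask minus
# umask" rule by creating a directory and a file under a given umask and
# reporting their octal modes. Assumes GNU coreutils (stat -c '%a').

# modes_under_umask UMASK
# Prints "<directory mode> <file mode>", e.g. "755 644" for umask 022.
modes_under_umask() {
    work=$(mktemp -d)
    (
        umask "$1"            # the change is confined to this subshell
        mkdir "$work/newdir"
        : > "$work/newfile"
    )
    dmode=$(stat -c '%a' "$work/newdir")
    fmode=$(stat -c '%a' "$work/newfile")
    rm -rf "$work"
    echo "$dmode $fmode"
}

modes_under_umask 022   # 777-022=755 for directories, 666-022=644 for files
modes_under_umask 027   # 750 / 640: this umask yields the 750 directories the VACC sets by default
modes_under_umask 077   # 700 / 600: private to the owner
```

Run it in a session before starting a job script to confirm that the umask you expect is really what new output files will be created with.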
Changing Permissions with ACLs
Access control lists (ACLs) are tools for managing permissions within a file system by giving users and groups read, write, and/or execute permissions on files or directories outside of the traditional UNIX permissions.
The UNIX permissions for managing files on the VACC remain in effect, but ACLs can be used to facilitate more advanced file sharing options with arbitrary lists of specific users or groups.
Viewing Permissions Set with ACLs
To view the ACL on a file named “myfile,” you would use:
$ getfacl myfile
Setting Permissions with ACLs
To set an ACL entry, use the -m flag to modify the given entry.
EXAMPLES
Give a user read access to a file: Let’s say you want to give read (r) access to the user (u) with the username “testuser”:
$ setfacl -m u:testuser:r filename
Give a group read and write access to a file: Let’s say you want to give read and write (rw) access to the group (g) named “testgroup”:
$ setfacl -m g:testgroup:rw filename
Give a group read and write access to a directory and its contents recursively: Again, you want to give read and write (rw) access to the group (g) named “testgroup,” but this time recursively. The -R flag applies the ACL entry recursively:
$ setfacl -R -m g:testgroup:rw directory
Note: The entry above is applied only to the files and subdirectories that exist when the command runs. Any new files created in this directory or its subdirectories afterwards will not be readable or writable by members of the group.
Give a group read and write access to a directory, its contents, and have new files inherit these rules: Now, you want to give read and write (rw) access to the group (g) named “testgroup,” recursively, and you want all new files to inherit these rules. The -d flag denotes that the changes should be added as a default ACL entry:
$ setfacl -Rd -m g:testgroup:rw directory
Note: This makes any new files inherit these ACL default entries, but does not necessarily mean that they will be effective. ACL permissions do not exceed the permissions set by the “mode” parameter (which is used by the program creating the file). Often, this “mode” parameter does not include execute permissions.
Removing Permissions Set with ACLs
To remove all ACLs from a file, use:
$ setfacl --remove-all filename