Differences

This shows you the differences between two versions of the page.

habrok:data_management:sharing_data [2025/03/07 16:10] – Add Fokke's expanded shared dir docs pedrohabrok:data_management:sharing_data [2026/06/19 11:09] (current) – [File system access control lists for read-only groups] fokke
Line 66: Line 66:
 The first set of ''rwx'' is for the owner (''user1'' or ''user2'' in the example), the second set is for the group ''hb-public-courses'', the third set is for anybody else on the system.  The first set of ''rwx'' is for the owner (''user1'' or ''user2'' in the example), the second set is for the group ''hb-public-courses'', the third set is for anybody else on the system. 
  
-Note that all top level directories for private and group directories on the cluster are set to be unreadable and unwritable by anybody except the group, which means that the files and directories inside can only be accessed by group members. This even though the files inside may have read, write or execute permissions for "others". The group can be your private group (based on p- or s-number), containing a single user, or a shared group in the case of shared directories. +**Note that all top level directories for private and group directories on the cluster are set to be unreadable and unwritable by anybody except the group, which means that the files and directories inside can only be accessed by group members.** This even though the files inside may have read, write or execute permissions for "others". The group can be your private group (based on p- or s-number), containing a single user, or a shared group in the case of shared directories.  
 + 
 +For giving certain users read-only access to data we can make use of ACLs to allow a specific group access to a directory. See below for more details.
  
  
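Review bot: The added sentence "For giving certain users read-only access to data we can make use of ACLs to allow a specific group access to a directory" mixes two subjects: the mechanism it describes (and the section it points to) grants access to a group, so "certain users" should read "a specific group of users", and "See below for more details" should name the target section ("File system access control lists for read-only groups") so the pointer still works if sections are reordered. While this paragraph is being touched, the pre-existing fragment "This even though the files inside may have read, write or execute permissions for "others"." is not a sentence; joining it to the preceding one ("... can only be accessed by group members, even though the files inside may have ...") reads cleanly and keeps the bolded security claim intact.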
Line 122: Line 124:
  
 When permissions in a group directory are wrong, the person owning the files can fix these using the ''chmod'' command. You can use the output of ''ls -l'' to find the owner of the file. First we need to fix the read/write/execute permissions. This can be done for a single file or directory using: When permissions in a group directory are wrong, the person owning the files can fix these using the ''chmod'' command. You can use the output of ''ls -l'' to find the owner of the file. First we need to fix the read/write/execute permissions. This can be done for a single file or directory using:
-<code>+<code bash>
 chmod g+rwX file_or_directory chmod g+rwX file_or_directory
 </code> </code>
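Review bot: The prose introducing `chmod g+rwX file_or_directory` says it fixes "read/write/execute permissions", but the command deliberately uses capital `X`, which adds execute only on directories and on files that already carry an execute bit; one clause saying so would stop readers from substituting lowercase `x` and making plain data files executable. The `bash` tag on the block is fine and consistent with the other blocks in this change.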
Line 128: Line 130:
  
 If you want to change the permission for a directory, including all files and subdirectories inside, one can add the ''-R'' flag to make the command recursive: If you want to change the permission for a directory, including all files and subdirectories inside, one can add the ''-R'' flag to make the command recursive:
-<code>+<code bash>
 chmod -R g+rwX directory_name chmod -R g+rwX directory_name
 </code> </code>
  
 To prevent new files from being owned by the private group of the creator the sgid bit must be set on directories. This can be done using: To prevent new files from being owned by the private group of the creator the sgid bit must be set on directories. This can be done using:
-<code>+<code bash>
 chmod g+s directory_name chmod g+s directory_name
 </code> </code>
  
 Since this sgid bit should not be used on files, we cannot use the ''-R'' option. If many directories must be fixed, we can automate this using the ''find'' tool, e.g.: Since this sgid bit should not be used on files, we cannot use the ''-R'' option. If many directories must be fixed, we can automate this using the ''find'' tool, e.g.:
-<code>+<code bash>
 find . -type d -exec chmod g+s {} \; find . -type d -exec chmod g+s {} \;
 </code> </code>
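Review bot: `find . -type d -exec chmod g+s {} \;` runs one `chmod` process per directory; `find . -type d -exec chmod g+s {} +` batches the paths into as few invocations as possible, which matters on a cluster file system with many directories and gives the same result. The surrounding text could also state that the sgid bit only affects files created after it is set, so files that already have the wrong group are not fixed by this step alone.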
Line 144: Line 146:
  
 Finally giving other groups read and execute access can be achieved using: Finally giving other groups read and execute access can be achieved using:
-<code>+<code bash>
 chmod o+rX file_or_directory chmod o+rX file_or_directory
 </code> </code>
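Review bot: `chmod o+rX file_or_directory` does not give other groups access by itself in this environment: the note added earlier in this same change states that top-level private and group directories are unreadable and unwritable for anyone outside the group, so the "other" bits on files inside only take effect once the top-level directory has been opened with an ACL as described in the read-only groups section. A sentence here saying that this command only prepares the files, and that access is actually granted by the ACL on the top-level directory, would prevent readers from expecting it to share data on its own (or from loosening the top-level directory instead).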
Line 150: Line 152:
  
  
-==== File system access control lists =====+==== File system access control lists for read-only groups  =====
  
-The permission system described above can only handle a single user and group. If multiple groups need access to data, file system access control lists (ACLs) must be used. These give an additional set of controls on the access rights of files and directories. +The permission system described above can only handle a single user or group. If multiple groups need access to data, file system access control lists (ACLs) must be used. These give an additional set of controls on the access rights of files and directories. 
  
 Setting the correct rights on the top level group directory, using an ACL for the read-only group, is sufficient to prevent the other cluster users from accessing the files and directories inside. Because the ACL system is quite complex, it is better to manage the rights for the other read-only group using the standard permissions for "other" users. This prevents data managers from having to understand the complex ACL system. Setting the correct rights on the top level group directory, using an ACL for the read-only group, is sufficient to prevent the other cluster users from accessing the files and directories inside. Because the ACL system is quite complex, it is better to manage the rights for the other read-only group using the standard permissions for "other" users. This prevents data managers from having to understand the complex ACL system.
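Review bot: The heading opens with four `=` and closes with five (`==== ... =====`), and the new title has a double space before the closing markers; both sides should be `====` with a single space. On the prose, the change from "a single user and group" to "a single user or group" is less accurate: the classic mode bits carry one owner and one group at the same time, so "a single owner and a single group" says it precisely. The last paragraph asserts that the ACL on the top-level directory is "sufficient" but never shows what is set; naming the entry (a group entry with read and execute for the read-only group, since that is what "read-only" access to a directory requires) would let data managers verify it, and it would also be worth stating that the ACL must be re-checked after a recursive `chmod`, since changing the group bits on the directory also rewrites its ACL mask.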