Data Management Practice

File permissions.

First of all, some terminology. POSIX (Portable Operating System Interface for uniX) is a set of standards set by the IEEE (Institute of Electrical and Electronics Engineers) which specify a common set of computer interfaces. These tend to be followed by UNIX and UNIX-like operating systems, of which linux is a member. Since linux system developers usually aim to be POSIX compliant, file permissions on most linux file systems follow the POSIX standard, so when we say POSIX file permissions you can generally read that as linux file permissions.

What you can apply permissions to.

On linux you can set the permissions on objects in the file system. There are a number of different objects that can be seen in linux file systems including files, directories, symbolic links, block devices etc. but files and directories are the most common. The permissions applied to files and directories are similar but have slightly different effects.

Key points for POSIX permissions.

Each filesystem object belongs to a user and a group. We'll refer to the user as the “owner” of the file (and the group “owner” we'll just call the file's “group”).

So let's look at an example. To display the permissions for a file we use the ls -l command (your system may format the output in a slightly different way):

[alice@login1(rosalind) utils]$ ls -l 
total 20 
-rwxrwxr-x 1 bob      bob       766 Jan  6  2017 delEmptyTreeBadSymLinks.py 
-rwxrwxr-x 1 alice    alice     324 Jan  6  2017 delEmptyTree.py 
-rwxrwxr-x 1 alice    alice    2683 Apr 25  2017 hierach.sh 
-rwxrwxr-x 1 bob      analysts 2936 Oct 26  2015 hierach_test1.sh 
drwxrwxr-x 2 alice    analysts 4096 Apr 24 10:25 R_utils 

The third and fourth columns are the owner and group that the listed objects belong to, and we can see that for each object listed there are 10 characters in the first column. These show us the permissions for that object and are referred to as the file mode bits. The first character gives us some information about what type of object we're looking at. In this case a “d” indicates a directory, and a “-” indicates a regular file. The next nine characters represent, in three groups of three, the permissions that have been set for the owner of the object, for the object's group, and for any other user on the system. A letter indicates that the permission for the corresponding position has been granted and a “-” indicates that it has not.

The letters stand for read, write and execute. So if the file has the mode bits

-rwxr-x---

this would mean that the file can be executed, read and written to by the owner of the file, read and executed but not written to by a user who belongs to the file's group, and would not be accessible at all by any other user (except root).

File permissions can only be changed by the owner of the file or by root. If you try to change the permission of a file that doesn't belong to you, the command will most likely fail silently without producing any error.

Directory permissions control what is possible within the directory on which they are set. For example, if a user isn't granted write permission on a directory, they wouldn't be able to create (or delete) any files or directories within that directory. On a directory the execute bit is also known as the search permission: if a user doesn't have it set on a directory then they cannot run any scripts or programs in that directory, and additionally, because of the way linux file access works, they also wouldn't be able to read or write files in that directory even if they had been granted read and write access on the files themselves. Directory permissions therefore need to be set correctly along the entire path.
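As an added example (not part of the original guide), the following shell functions convert the 10-character mode column of ls -l into the octal form that chmod accepts, and scan a listing for entries that the group or everybody else may write to, which is the usual first check when auditing a shared directory. The listing is constructed from the example above; setuid, setgid and sticky letters are counted only as an execute bit.

```sh
#!/bin/sh
# Added example, not from the guide: parse the mode column of `ls -l`.

# Map one rwx triplet ("rwx", "r-x", ...) to a digit 0-7. Lowercase s or t in the
# third position means the execute bit is set alongside a special bit; uppercase
# S or T means it is not, so only lowercase letters count as execute.
triplet_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??[xst]) n=$((n + 1)) ;; esac
    printf '%s\n' "$n"
}

# Convert a full mode string such as "-rwxr-x---" or "drwxrwxr-x" to the
# three-digit octal value chmod would need to reproduce its rwx bits. The
# leading type character is ignored and special bits are not encoded.
mode_to_octal() {
    m=$1
    if [ "${#m}" -ne 10 ]; then
        printf 'bad mode string: %s\n' "$m" >&2
        return 1
    fi
    u=$(printf '%s\n' "$m" | cut -c2-4)
    g=$(printf '%s\n' "$m" | cut -c5-7)
    o=$(printf '%s\n' "$m" | cut -c8-10)
    printf '%s%s%s\n' "$(triplet_to_digit "$u")" "$(triplet_to_digit "$g")" "$(triplet_to_digit "$o")"
}

# Constructed `ls -l` output, based on the listing in the guide.
SAMPLE_LISTING='total 20
-rwxrwxr-x 1 bob      bob       766 Jan  6  2017 delEmptyTreeBadSymLinks.py
-rwxrwxrwx 1 alice    alice     324 Jan  6  2017 delEmptyTree.py
-rwx------ 1 alice    alice    2683 Apr 25  2017 hierach.sh
drwxrwxr-x 2 alice    analysts 4096 Apr 24 10:25 R_utils'

# Read `ls -l` lines on stdin and print "name octal" for every entry whose
# group class or "other" class has the write bit (positions 6 and 9).
writable_beyond_owner() {
    while read -r mode links owner group size d1 d2 d3 name; do
        if [ "$mode" = "total" ] || [ -z "$name" ]; then continue; fi
        case "$mode" in
            ?????w????|????????w?) printf '%s %s\n' "$name" "$(mode_to_octal "$mode")" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LISTING" | writable_beyond_owner
```

Run on a real directory with `ls -l /path | writable_beyond_owner`; the loop relies on the three date fields that ls -l prints between the size and the name, so a locale that prints the date differently would need the read pattern adjusted.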

Setting and Changing File Permissions

When a file or directory is created it will have a default set of permissions. If you are the owner of a file or directory, you will be able to change the permissions. File permissions can be changed with the command chmod. There are two main ways of doing this:

Changing Permissions Using Letter Codes:

chmod [ugoa][+-][rwx] <object name>

where u, g, o or a represent whose permissions you're changing:

u – user, the owner of the object
g – group, members of the group that the object belongs to
o – other, everyone else
a – all, used to apply permissions to u, g, and o at the same time

+ and – determine whether a permission is being added or removed.

r, w, and x are the read, write and execute permissions that we've just seen above.

So if a file had permissions

-rwxr-x---

and we performed the command

chmod o+rw <object name>

We would now have permissions:

-rwxr-xrw-

Meaning that the owner has read, write and execute permissions, that members of the same group have read and execute permissions but not write and that everybody else would have read and write permissions for the file.

Changing Permissions Using Bit Masks:

The second way of changing permissions is using a bitmask. As we can see below the numbers 0 to 7 in binary form every possible permutation of 1s and 0s for three digits. Since we have three repeats of rwx characters in our permissions we can represent these as three binary numbers.

000 - 0
001 - 1
010 - 2
011 - 3
100 - 4
101 - 5
110 - 6
111 - 7

When these are set however we use the decimal equivalent so if the command was:

chmod 750 <object name>

this would be like saying:

chmod 111 101 000 <object name>
chmod rwx r-x --- <object name>

and the permissions would look like:

-rwxr-x---

Which would translate to user allowed to read, write and execute, group members allowed to read and execute and everybody else is forbidden access.

A few useful examples below:

chmod 770 <object name>
-rwxrwx---
chmod 555 <object name>
-r-xr-xr-x
chmod 666 <object name>
-rw-rw-rw-

Applying some of these to our directory listing example:

[alice@login1(rosalind) utils]$ ls -l 
total 20 
-rwxrwxr-x 1 bob      bob       766 Jan  6  2017 delEmptyTreeBadSymLinks.py 
-rwxrwxrwx 1 alice    alice     324 Jan  6  2017 delEmptyTree.py 
-rwxrwxr-x 1 alice    alice    2683 Apr 25  2017 hierach.sh 
-rwxrwxr-x 1 bob      analysts 2936 Oct 26  2015 hierach_test1.sh 
drwxrwxr-x 2 alice    analysts 4096 Apr 24 10:25 R_utils 
[alice@login1(rosalind) utils]$ chmod 700 hierach.sh
[alice@login1(rosalind) utils]$ ls -l 
total 20 
-rwxrwxr-x 1 bob      bob       766 Jan  6  2017 delEmptyTreeBadSymLinks.py 
-rwxrwxrwx 1 alice    alice     324 Jan  6  2017 delEmptyTree.py 
-rwx------ 1 alice    alice    2683 Apr 25  2017 hierach.sh
-rwxrwxr-x 1 bob      analysts 2936 Oct 26  2015 hierach_test1.sh 
drwxrwxr-x 2 alice    analysts 4096 Apr 24 10:25 R_utils 
[alice@login1(rosalind) utils]$ chmod 755 delEmptyTree.py
[alice@login1(rosalind) utils]$ ls -l 
total 20 
-rwxrwxr-x 1 bob      bob       766 Jan  6  2017 delEmptyTreeBadSymLinks.py 
-rwxr-xr-x 1 alice    alice     324 Jan  6  2017 delEmptyTree.py 
-rwx------ 1 alice    alice    2683 Apr 25  2017 hierach.sh 
-rwxrwxr-x 1 bob      analysts 2936 Oct 26  2015 hierach_test1.sh 
drwxrwxr-x 2 alice    analysts 4096 Apr 24 10:25 R_utils 
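The session above can be replayed on a scratch file and checked by reading the mode back rather than eyeballing ls output. This is an added example, not part of the guide: it assumes a Linux system with GNU stat (a BSD stat fallback is included) and mktemp, and it also shows how umask produces the "default set of permissions" mentioned at the start of this section.

```sh
#!/bin/sh
# Added example, not from the guide: apply chmod in both its forms to a scratch
# file, read the mode back with stat, and show what umask does to new files.

# Octal mode of a path (GNU stat on Linux; BSD/macOS stat as a fallback).
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Apply one chmod argument (symbolic like o+rw, or octal like 700) and print
# the resulting octal mode so the effect can be checked rather than assumed.
chmod_and_check() {
    chmod "$1" "$2" && octal_mode "$2"
}

# Replay the guide's sequence on a scratch copy of hierach.sh:
#   750 (-rwxr-x---) -> o+rw (-rwxr-xrw-) -> 700 (-rwx------) -> 755 (-rwxr-xr-x)
# and print the three modes observed after each change.
walkthrough() {
    work=$(mktemp -d)
    f="$work/hierach.sh"
    : > "$f"
    chmod 750 "$f"
    step1=$(chmod_and_check o+rw "$f")
    step2=$(chmod_and_check 700 "$f")
    step3=$(chmod_and_check 755 "$f")
    rm -rf "$work"
    printf '%s %s %s\n' "$step1" "$step2" "$step3"
}

# A new object starts from 666 (file) or 777 (directory) with the umask bits
# removed. Print "file dir" modes created under the given umask,
# e.g. 022 -> "644 755", 077 -> "600 700".
default_modes_under_umask() {
    work=$(mktemp -d)
    (
        umask "$1"
        : > "$work/newfile"
        mkdir "$work/newdir"
    )
    printf '%s %s\n' "$(octal_mode "$work/newfile")" "$(octal_mode "$work/newdir")"
    rm -rf "$work"
}

walkthrough
default_modes_under_umask 022
default_modes_under_umask 077
```

The umask is set inside a subshell so that it only affects the two objects created there; in a real session, a umask of 077 in your shell profile is the simplest way to make everything you create private by default.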

Access Control Lists

Linux file permissions are pretty useful when you want to control access, but they are fairly limited when you need to apply more fine-grained control. That's where access control lists (ACLs) come in handy. ACLs share some similarities with POSIX permissions but have the benefit of being able to add and remove users and groups individually to the access rights of a file system object, and in some ways they are a little more intuitive to apply.

So for example to display the acls of a given file we could use the command getfacl:

[alice@login1(rosalind) utils]$ ls -l 
-rwxr-x--- 1 alice alice 2683 Apr 25  2017 hierach.sh 
[alice@login1(rosalind) utils]$ getfacl ./hierach.sh 
# file: hierach.sh 
# owner: alice
# group: alice
user::rwx 
group::r-x
other::--- 

We see that the file simply has the normal permissions listed in the ACL. We can now add users and set their permissions. To add the user bob with read and execute permissions the following command is used:

[alice@login1(rosalind) utils]$ setfacl -m u:bob:rx  hierach.sh
[alice@login1(rosalind) utils]$ getfacl ./hierach.sh
# file: hierach.sh 
# owner: alice
# group: alice
user::rwx 
user:bob:r-x
group::r-x
other::---

So now we can see bob has been added as a user and that the r-x bits have been set to allow him read and execute permissions.

Now if we list the files again:

[alice@login1(rosalind) utils]$ ls -l 
-rwxr-x---+ 1 alice alice 2683 Apr 25  2017 hierach.sh 

There is now a “+” sign at the end of the permissions string to indicate that the permissions have been extended with an ACL.

This can be done for groups too:

[alice@login1(rosalind) utils]$ setfacl -m g:analysts:rx  hierach.sh

ACL entries can be removed using the -x flag e.g. to revoke bob's user permission on the file the command would be:

[alice@login1(rosalind) utils]$ setfacl -x u:bob hierach.sh

ACLs behave pretty much the same as permissions except you can add arbitrary groups and users.

For more information see the man pages for setfacl and getfacl.
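Once named users, named groups and a mask entry are involved, it is easy to misread what an account can actually do. The following is an added example, not from the guide: shell functions that read getfacl output and compute the effective permissions for an account, applying the mask entry the way the kernel does (the mask caps named users, named groups and the owning group, but not the owner or "other"). The ACL texts and account names are constructed. setfacl -m adds a mask entry automatically once a named entry exists, and the second ACL reflects the fact that chmod on a file with an extended ACL changes that mask rather than the group:: entry, which is why getfacl then prints #effective: notes next to restricted entries.

```sh
#!/bin/sh
# Added example, not from the guide: effective permissions from getfacl output.

# Constructed getfacl output for hierach.sh after the setfacl commands above.
SAMPLE_ACL='# file: hierach.sh
# owner: alice
# group: alice
user::rwx
user:bob:r-x
group::r-x
group:analysts:rwx
mask::r-x
other::---'

# Same file after "chmod g=r hierach.sh": with an extended ACL the group bits
# of chmod set the mask entry, so every named entry is now capped at r--.
SAMPLE_ACL_AFTER_CHMOD='# file: hierach.sh
# owner: alice
# group: alice
user::rwx
user:bob:r-x
group::r-x
group:analysts:rwx
mask::r--
other::---'

# Bitwise AND / OR of two rwx strings, e.g. perm_and rwx r-x -> r-x.
perm_and() { combine "$1" "$2" and; }
perm_or()  { combine "$1" "$2" or; }
combine() {
    out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s\n' "$1" | cut -c"$i")
        cb=$(printf '%s\n' "$2" | cut -c"$i")
        if [ "$3" = and ]; then
            if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi
        else
            if [ "$ca" != "-" ]; then out="$out$ca"; elif [ "$cb" != "-" ]; then out="$out$cb"; else out="$out-"; fi
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# usage: printf '%s\n' "$acl" | effective_perms <user> <comma-separated groups of that user>
# Implements the POSIX ACL check order: owner, named user, matching group
# entries (union, then masked), and finally other.
effective_perms() {
    who=$1; member_of=",$2,"
    owner=""; ogroup=""; mask="rwx"
    uobj="---"; unamed=""; gobj="---"; gunion="---"; gmatch=0; other="---"
    while read -r line; do
        entry=${line%%[[:space:]]*}        # drop any trailing "#effective:..." note
        case "$line" in
            "# owner: "*) owner=${line#"# owner: "} ;;
            "# group: "*) ogroup=${line#"# group: "} ;;
            "#"*|"") ;;
            default:*) ;;                  # default ACLs apply to new children, not this file
            user::*) uobj=${entry#user::} ;;
            user:*) name=${entry#user:}; name=${name%%:*}
                    if [ "$name" = "$who" ]; then unamed=${entry##*:}; fi ;;
            group::*) gobj=${entry#group::} ;;
            group:*) name=${entry#group:}; name=${name%%:*}
                    case "$member_of" in
                        *",$name,"*) gunion=$(perm_or "$gunion" "${entry##*:}"); gmatch=1 ;;
                    esac ;;
            mask::*) mask=${entry#mask::} ;;
            other::*) other=${entry#other::} ;;
        esac
    done
    # The owning group's entry counts when the account is a member of that group.
    case "$member_of" in
        *",$ogroup,"*) gunion=$(perm_or "$gunion" "$gobj"); gmatch=1 ;;
    esac
    if [ "$who" = "$owner" ]; then
        printf '%s\n' "$uobj"              # owner: user:: entry, mask not applied
    elif [ -n "$unamed" ]; then
        perm_and "$unamed" "$mask"         # named user: entry AND mask
    elif [ "$gmatch" -eq 1 ]; then
        perm_and "$gunion" "$mask"         # group entries: union, AND mask
    else
        printf '%s\n' "$other"
    fi
}

printf '%s\n' "$SAMPLE_ACL" | effective_perms bob bob
printf '%s\n' "$SAMPLE_ACL_AFTER_CHMOD" | effective_perms bob bob
```

To check a real file, pipe `getfacl path` into effective_perms with the account's groups from `id -Gn user`; comparing the result with what the entry itself says is the quickest way to spot a mask that is silently cutting access back.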

hpc_user_guide/data_management_practice.txt · Last modified: 2018/06/05 09:37 by alan