
Shared Directories / File and Directory Permissions

PI Group Shared Directories

In what follows, text in a monospaced font is meant to be typed or is program output. For example, the directory /gpfs1/user/g/r/grundoon indicates an actual directory name.

PI groups have shared directories available at these locations.

/gpfs1/pi/PI_UVM_NetID
/gpfs2/scratch/pi/PI_UVM_NetID

NOTE: Replace PI_UVM_NetID with your (or your PI’s) UVM NetID. For example, if the PI’s UVM NetID is grundoon, then the location of the shared directories would be /gpfs1/pi/grundoon and /gpfs2/pi/grundoon.

If you have a project that spans across PI groups, please contact us for options.

About Permissions

Default permissions are automatically set to: 750 (user: r/w/x, group: r/x, other: none).

Each file and directory in a UNIX system has three permission classes, user (u), group (g) and other (o), and three possible permission modes for each class: read (r), write (w), execute (x).

Permission Classes

  • user (u) permissions apply only to the user (owner) and do not impact other users
  • group (g) permissions apply only to the group and do not impact other users
  • other (o) permissions apply to ALL other users on a system and should be used very carefully. We strongly encourage the use of ACLs instead of using the “other” permission.

Permission Modes

FILES

  • read (r) grants permission to view the contents of the file
  • write (w) grants permission to modify or remove the contents of the file
  • execute (x) grants permission to run the file as a program

DIRECTORIES

  • read (r) means that the user can look at the filenames inside the directory
  • write (w) grants permission to add or delete files from the directory
  • execute (x) grants permission to traverse, or cd into, the directory

Please note:

  • Users who have write permission (w) for a directory can delete files in the directory without having write permission (w) for those files
  • Subdirectories can have less restrictive permissions than their parent directories. However, if you change directory permissions recursively, you are changing them for all of the files and subdirectories in that directory tree.
  • An alternative to changing permissions recursively is to set them selectively.

Checking Your Current Permissions

To see the permissions currently set in your file space, use the command ls -l. For example, with permissions set to 750, they might look like this:

-rwxr-x--- 1 username pi-username size date filename
drwxr-x--- 6 username pi-username size date directory

As you can see, the file permissions (files are designated by an initial “-”) are set to “rwx” for the user (owner), “r-x” for the group, and “---” for other. The directory permissions (directories are designated by an initial “d”) are set to “rwx” for the user (owner), “r-x” for the group, and “---” for other. So, for both the file and the directory, the user has read, write and execute permission; the group has read and execute permission; and other has no permissions.

Changing Permissions with chmod

To modify the permission flags on existing files and directories, use the chmod command (“change mode”). It can be used for individual files or it can be run recursively with the -R option to change permissions for all of the subdirectories and files within a directory.

The chmod command specifies which class or classes (user, group, other) have access to the file or directory in various modes (read, write, execute).

There are also operators that can be used with the chmod command:

  • Use + and - to add or remove selected permissions for a class without changing its other permissions.
  • Use = to specify all of the permissions for a class at once. If a class is not mentioned explicitly, its permissions are unchanged even if the = operator is used for a different class.

Follow this format:

chmod [classes][operator][modes] filename

Examples

Add selected permissions for a group:

Let’s say the user (owner) can read, write, and execute this file. Groups can read and execute, but not write. The permissions would be:

-rwxr-x--- 1 username pi-username size date filename

Add group (g) permissions to write (w) like this:

chmod g+w filename

The new file permissions would be:

-rwxrwx--- 1 username pi-username size date filename

Note that the permissions that were not specified were not changed: The user class permissions and other class permissions did not change.

Specify all permissions for a group:

To set permissions for a single class, such as group (g), use the = operator.

chmod g=rx filename

In this case, the only permissions affected were those for the specified class: group. The group can now read and execute, but not write to the file. Permissions for the user class and other class were not changed because they were not specified.

Specify permissions for sets of classes:

To set permissions for multiple classes with a single command, separate the class settings with a comma.

chmod u=rwx,g=rwx,o+rx filename

The new file permissions would be:

-rwxrwxr-x 1 username pi-username size date filename

Set permissions selectively:

This example shows how to give your group access to all of the files and subdirectories in a directory, but limit other users’ access to specified files.

chmod -R u=rwx,g=rwx,o+x /users/u/s/username/directory/

chmod u=rwx,g=rwx,o+rx /users/u/s/username/directory/subdirectory/file1

chmod u=rwx,g=rwx,o+rx /users/u/s/username/directory/subdirectory/file2

The result is that group members have all rights to files in the specified directories and subdirectories. Others have permission to traverse the directories as needed to read and execute two specified files.
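
The selective approach above, as an added example that is not part of the original page: it rebuilds the layout in a scratch directory, applies the page's commands (variant A) and a variant that puts o+x on directories only (variant B), then lists what the other class can reach. The file notes.txt and all function names are assumptions made for the illustration.

```bash
#!/bin/sh
# Added example, not from the original page. All paths are constructed.

mode_of() { ls -ld "$1" | cut -c1-10; }    # first ls -l column, e.g. drwxrwx--x

# Print every path under $1 that has any permission bit set for "other".
other_exposed() {
    ( cd "$1" && find . \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort )
}

# Scratch copy of the layout: two files to publish (file1, file2) and one
# that should stay group-only (notes.txt, a made-up name). Other starts at none.
build_tree() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/directory/subdirectory"
    for f in file1 file2 notes.txt; do : > "$top/directory/subdirectory/$f"; done
    chmod -R u=rwx,g=rwx,o= "$top/directory"
    echo "$top/directory"
}

# Variant A: the commands as given in the text.
apply_recursive() {
    chmod -R u=rwx,g=rwx,o+x "$1"
    chmod u=rwx,g=rwx,o+rx "$1/subdirectory/file1" "$1/subdirectory/file2"
}

# Variant B: same group access, but o+x goes on directories only, so other
# can traverse the tree without gaining a bit on unlisted files.
apply_dirs_only() {
    chmod -R u=rwx,g=rwx "$1"
    find "$1" -type d -exec chmod o+x {} +
    chmod o+rx "$1/subdirectory/file1" "$1/subdirectory/file2"
}

demo() {
    a=$(build_tree) && apply_recursive "$a"
    b=$(build_tree) && apply_dirs_only "$b"
    echo "A, recursive o+x:";     other_exposed "$a"
    echo "B, directories only:";  other_exposed "$b"
    echo "notes.txt  A=$(mode_of "$a/subdirectory/notes.txt")  B=$(mode_of "$b/subdirectory/notes.txt")"
    rm -rf "${a%/directory}" "${b%/directory}"
}

demo
```

In variant A notes.txt ends up as -rwxrwx--x, because the recursive o+x applies to files as well as directories; in variant B it stays -rwxrwx---.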

Changing default permissions with umask:

To change the default permissions that are set when you create a file or directory within a session or with a script, use the umask command.

The syntax is similar to that of chmod (above), but use the = operator to set the default permissions.
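
The effect of umask on newly created entries, as an added example that is not part of the original page: it creates one file and one directory under a given umask and reports the modes they receive. The function names and the scratch paths are assumptions made for the illustration.

```bash
#!/bin/sh
# Added example, not from the original page. Paths are constructed.

mode_of() { ls -ld "$1" | cut -c1-10; }    # first ls -l column, e.g. drwxr-x---

# Create a file and a directory under umask $1 and print their modes.
# The body runs in a subshell, so the caller's own umask is left untouched.
modes_under_umask() (
    umask "$1" || exit 1
    d=$(mktemp -d) || exit 1
    : > "$d/newfile"        # shell redirection asks for 0666, minus the umask
    mkdir "$d/newdir"       # mkdir asks for 0777, minus the umask
    echo "file=$(mode_of "$d/newfile") dir=$(mode_of "$d/newdir")"
    rm -rf "$d"
)

# Symbolic form with the = operator: what each class may keep.
modes_under_umask u=rwx,g=rx,o=     # file=-rw-r----- dir=drwxr-x---
# Group-writable defaults for a shared project area.
modes_under_umask u=rwx,g=rwx,o=    # file=-rw-rw---- dir=drwxrwx---
# Octal form: the bits to remove. 027 is the same setting as the first call.
modes_under_umask 027               # file=-rw-r----- dir=drwxr-x---
```

New files do not receive execute permission from umask alone, because the creating program normally requests no execute bits; directories do receive it.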

Changing Permissions with ACLs

Access control lists (ACLs) are tools for managing permissions within a file system by giving users and groups read, write, and/or execute permissions on files or directories outside of the traditional UNIX permissions.

The UNIX permissions for managing files on the VACC remain in effect, but ACLs can be used to facilitate more advanced file sharing options with arbitrary lists of specific users or groups.

Viewing Permissions Set with ACLs

To view the ACL on a file named “myfile,” you would use:

getfacl myfile

Setting Permissions with ACLs

To set an ACL entry, use the -m flag to modify the given entry.

EXAMPLES

Give a user read access to a file: Let’s say you want to give read (r) access to a user (u) with the user ID “testuser”:

setfacl -m u:testuser:r filename


Give a group read and write access to a file:
Let’s say you want to give read and write (rw) access to a group (g) with the group name “testgroup”:

setfacl -m g:testgroup:rw filename


Give a group read and write access to a directory and its contents recursively:
Again, you want to give read and write (rw) access to a group (g) with the group name “testgroup,” but this time recursively. The -R flag is used for recursively applying the ACL entry:

setfacl -R -m g:testgroup:rw directory

Note: Any new files created in this directory or subdirectories will not be readable or writable by members of the group.


Give a group read and write access to a directory, its contents, and have new files inherit these rules:
Now, you want to give read and write (rw) access to a group (g) with the group name “testgroup,” recursively, and you want all new files to inherit these rules. The -d flag denotes that the changes should be added as an ACL default entry.

setfacl -Rd -m g:testgroup:rw directory

Note: This makes any new files inherit these ACL default entries, but does not necessarily mean that they will be effective. ACL permissions do not exceed the permissions set by the “mode” parameter (which is used by the program creating the file). Often, this “mode” parameter does not include execute permissions.
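
The note above, worked through as an added example that is not part of the original page: a small filter that reads getfacl output and prints the rights that remain once the mask entry is applied. The sample output is constructed, for a file that a program created with mode 0640 inside a directory carrying the default entry set above; username, pi-username and newfile are placeholders.

```bash
#!/bin/sh
# Added example, not from the original page.

# Constructed getfacl output (placeholder names): a new file created with
# mode 0640 in a directory that has a default entry g:testgroup:rw.
sample_getfacl() {
    cat <<'EOF'
# file: newfile
# owner: username
# group: pi-username
user::rw-
group::r-x
group:testgroup:rw-
mask::r--
other::---
EOF
}

# Read getfacl text on stdin; print each access entry with the rights that
# remain after the mask is applied.
effective_acl() {
    awk -F: '
        /^#/ || /^default:/ || NF < 3 { next }
        {
            sub(/[ \t]*#.*/, "", $3)          # drop a trailing #effective note
            tag[++n] = $1; who[n] = $2; perm[n] = $3
            if ($1 == "mask") mask = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                if (tag[i] == "mask") continue
                p = perm[i]
                # The mask limits the owning group and every named user or
                # group; it does not limit the file owner or other.
                limited = (tag[i] == "group") || (tag[i] == "user" && who[i] != "")
                if (limited && mask != "") {
                    p = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(perm[i], k, 1)
                        p = p (c == substr(mask, k, 1) ? c : "-")
                    }
                }
                print tag[i] ":" who[i] ":" p
            }
        }'
}

sample_getfacl | effective_acl
```

On a real file, pipe getfacl filename into effective_acl; here the testgroup entry is listed as rw- but only r-- is effective.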

Removing Permissions Set with ACLs

To remove all ACLs from a file, use:

setfacl --remove-all filename

 

Updated on May 2, 2024
