Access control
Limiting access to your files and securely sharing amongst cluster users
Understanding Permissions
Some of your datasets may have restricted access, so it is your responsibility to ensure that you protect these files/folders from access by other users, especially where the data is personal data subject to DPA2018/GDPR regulations.
UNIX systems by default utilise a three-level access control system, allowing you to apply different permissions for yourself, for the group the file/folder is a member of, and for all other users of the computer. This is especially important where the files are stored on a network-served folder (e.g. home/scratch etc. on the cluster), as many machines have access to these folders, not just the computer you are currently accessing them from.
You can view the current permissions of a file/folder using the -l option to ls:
jalapeno $ ls -l
total 4
drwxrwxr-x. 2 me mygroup 2 Oct 27 11:13 adir
-rw-rw-r--. 1 me mygroup 0 Oct 27 11:13 afile
The permissions are reported in the first column as a combination of letters and dashes. The first character reports the type of object, the most common being:
- d is a folder
- - is a file
- l is a symbolic link (a pointer to another file stored elsewhere)
The remaining nine characters form three blocks of three, giving the permissions for the owner, the group and all other users, in that order. Within each block:
- r object is readable, meaning that this access group can read the object (the file contents or the folder contents listing); - means that it cannot.
- w object is writable; - means that the file is write-protected for that access group. Files lacking this permission for your user type can still be deleted if you have write permission on the folder holding them, but deletion requires confirmation; write-protected folders prevent deletion of files/folders within.
- x object is executable by that access group if it is a file, or can be entered by that access group if it is a folder. In some scenarios this is replaced by a different character:
  - s on the group block of folders means that the folder is accessible by the group and that any newly created files/folders within will inherit this group.
  - S on the group block means that the group is inherited by newly created files/folders within but the group has no access to the folder, i.e. x is not set (probably not very useful!).
  - t on the others block of folders means that the folder has restricted deletion, i.e. although the group might have write privileges for the folder and any files within, deletion is only allowed by the owner of the file/folder.
  - T on the others block of folders means that the folder has restricted deletion but cannot be accessed by accounts in the others category.
For example:
jalapeno $ ls -l
total 11
drwxr-x---. 2 me mygroup 2 Oct 27 11:13 adir
-rw-rw----. 1 me mygroup 0 Oct 27 11:20 afile
-r--------. 1 me mygroup 0 Oct 27 11:21 bfile
drwxrwsr-x. 2 me group2 2 Oct 27 11:38 bdir
drwxrwx---. 2 me group2 3 Oct 27 11:32 rdir
Here, the folder adir can be accessed by user me and by members of mygroup, but only user me is allowed to make changes within.
File afile can be modified by the user me and by members of group mygroup.
File bfile can be read by the user me only. Writes will be prevented and deletion will require confirmation (or forcing).
Folder bdir can be viewed by everyone, but only user me and members of group2 can write to it. In addition, any new files/folders created within will automatically be assigned the group group2, but will not necessarily be given write permissions.
Folder rdir can only be viewed by user me and members of group2 but although group2 members have write permissions they can only delete files/folders that they own.
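One way to check a folder for anything the others block can reach, run here against a constructed copy of the listing above (an added example, not part of the original page; the function names and the file report.txt are made up for illustration):

```shell
#!/bin/sh
# Added example: list everything under a folder that the "others" block can
# read, write or enter. Symbolic links are skipped because their own mode is
# always lrwxrwxrwx and says nothing about the file they point to.
others_accessible() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
    sort |
    while IFS= read -r path; do
        # First 10 characters of ls -ld: object type plus the three blocks.
        mode=$(ls -ld "$path" | cut -c1-10)
        rel=${path#"$1"/}
        printf '%s %s\n' "$mode" "$rel"
    done
}

# Constructed sample tree using the names and modes from the listing above.
build_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir "$tree/adir" "$tree/bdir" "$tree/rdir"
    : > "$tree/afile"
    : > "$tree/bfile"
    : > "$tree/bdir/report.txt"          # hypothetical file in the shared folder
    chmod 0750 "$tree/adir"              # drwxr-x---
    chmod 0660 "$tree/afile"             # -rw-rw----
    chmod 0400 "$tree/bfile"             # -r--------
    chmod 2775 "$tree/bdir"              # drwxrwsr-x
    chmod 0770 "$tree/rdir"              # drwxrwx---
    chmod 0644 "$tree/bdir/report.txt"   # -rw-r--r--
    printf '%s\n' "$tree"
}

tree=$(build_sample_tree)
others_accessible "$tree"
rm -rf "$tree"
```

Only bdir and the file inside it are reported; a restricted dataset should produce no output at all.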
Controlling Permissions for New Files/Folders
When a new file or folder is created the permissions it gets are controlled by an account property called the umask. This is an octal number 0XYZ that is used to calculate which permission settings to apply. You can control this yourself, but by default we apply two different umasks to your login sessions depending on your group membership.
- If your primary group name is the same as your username (and thus you are the only member) then your umask will be set to 0002, which means that new files/folders will be created with owner and group write permissions, e.g. -rw-rw-r-- for files; drwxrwxr-x for folders. This is the default for all newly created accounts.
- If your primary group name is one of the shared groups then your umask will be set to 0022, which means that new files/folders will be created with only owner write permissions, e.g. -rw-r--r-- for files; drwxr-xr-x for folders.
Where you are sharing files regularly amongst a group of users, option one is the most useful. Please contact computing-help@win.ox.ac.uk to have your account updated so that your umask is set appropriately automatically, if this is not already the case.
If you wish to temporarily modify your umask you can do this within your login session using the umask command (N.B. due to the nature of the way tasks are started on the cluster the umask of jobs run there is always set as above). Whilst you can use the octal representation (which is confusing), the umask command supports a much more friendly symbolic setting:
umask u=rwx,g=rwx,o=
This would set your umask such that new files would get the permissions rw-rw----.
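The effect of each umask mentioned above can be confirmed by creating a file and a folder under it and reading back the mode (an added example, not part of the original page; the helper name mode_under_umask is made up here):

```shell
#!/bin/sh
# Added example: show the permissions a new file or folder receives under a
# given umask. Each call runs in a subshell so the caller's umask is unchanged.
mode_under_umask() {
    # $1 = umask, octal (0002) or symbolic (u=rwx,g=rwx,o=)
    # $2 = "file" or "dir"
    (
        umask "$1" || exit 1
        scratch=$(mktemp -d) || exit 1       # private scratch folder
        case "$2" in
            file) : > "$scratch/new" ;;      # files are requested as rw-rw-rw-
            dir)  mkdir "$scratch/new" ;;    # folders are requested as rwxrwxrwx
            *)    rm -rf "$scratch"; exit 2 ;;
        esac
        # The umask removes bits from the requested mode; print what is left
        # (type character plus the three permission blocks).
        ls -ld "$scratch/new" | cut -c1-10
        rm -rf "$scratch"
    )
}

# The two default umasks described above, then the symbolic setting.
for mask in 0002 0022 u=rwx,g=rwx,o=; do
    printf '%-16s file=%s dir=%s\n' "$mask" \
        "$(mode_under_umask "$mask" file)" "$(mode_under_umask "$mask" dir)"
done
```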