Access control
This page describes how you can limit access to your files and securely share them with other cluster users.
Understanding Permissions
Some of your datasets may have access restrictions - it is your responsibility to ensure that you protect your files/folders from access by other users, especially where this data is personal data subject to DPA2018/GDPR regulations.
UNIX systems by default utilise a three-level access control system that lets you apply different permissions for yourself, for the group the file/folder belongs to, and for all other users of the computer. This is especially important where the files are stored on a network-served folder (e.g. home/scratch etc. on the cluster), as many machines have access to these folders, not just the computer you are currently accessing them from.
You can view the current permissions of a file/folder using the -l option to ls:
clint $ ls -l
total 4
drwxrwxr-x. 2 me mygroup 2 Oct 27 11:13 adir
-rw-rw-r--. 1 me mygroup 0 Oct 27 11:13 afile
The permissions are reported in the first column as a combination of letters and dashes. The first character reports the type of object, the most common being:
- d is a folder
- - (a dash) is a file
- l is a symbolic link (a pointer to another file stored elsewhere)
The next section is the permissions for the three access groups (owner, group and others) in three blocks of three characters. The meaning of these characters is as follows:
- r: object is readable, meaning that this access group can read the object (the file contents or the folder contents listing).
- w: object is writable; a - in this position means that the file is write-protected for that access group. Files lacking this permission for your user type can still be deleted if you have write permission on the folder holding them, but deletion requires confirmation; write-protected folders prevent deletion of the files/folders within.
- x: object is executable by that access group if it is a file, or can be entered by that access group if it is a folder. In some scenarios this character is replaced by a different one (see below).
Some other characters may appear in the permission blocks in place of x:
- s on the group block of folders means that the folder is accessible by the group and that any newly created files/folders within will inherit this group.
- S on the group block means that the group is inherited by newly created files/folders within, but the group has no access to the folder, i.e. x is not set (probably not very useful!).
- t on the others block of folders means that the folder has restricted deletion, i.e. although the group might have write privileges for the folder and any files within, deletion is only allowed by the owner of the file/folder.
- T on the others block of folders means that the folder has restricted deletion but cannot be accessed by accounts in the others category.
For example:
clint $ ls -l
total 11
drwxr-x---. 2 me mygroup 2 Oct 27 11:13 adir
-rw-rw----. 1 me mygroup 0 Oct 27 11:20 afile
-r--------. 1 me mygroup 0 Oct 27 11:21 bfile
drwxrwsr-x. 2 me group2 2 Oct 27 11:38 bdir
drwxrwx---. 2 me group2 3 Oct 27 11:32 rdir
Here, the folder adir can be accessed by user me and by members of mygroup, but only user me is allowed to make changes within it.
File afile can be modified by the user me and by members of group mygroup.
File bfile can be read by the user me only. Writes will be prevented and deletion will require confirmation (or forcing).
Folder bdir can be viewed by everyone, but only user me and members of group2 can write to it. In addition, any new files/folders created within will automatically be assigned the group group2, but will not necessarily be given group write permissions.
Folder rdir can only be viewed by user me and members of group2; although group2 members have write permissions, they can only delete files/folders that they own.
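To make the letter-by-letter decoding above concrete, here is an added example (not part of the original page or the cluster's tooling) that turns the mode column printed by ls -l into what each access class may do, and into the octal form that chmod also accepts. The function names class_perms and mode_to_octal are our own; the listing entries fed to it at the bottom are the ones discussed above.

```shell
#!/bin/sh
# Added example, not part of the original page or the cluster's tooling: decode
# the mode column printed by `ls -l` (e.g. "drwxrwsr-x.") into what each access
# class may do, and into the octal form accepted by chmod. Pure string handling,
# so it runs without touching any files. The function names are our own.

# class_perms MODE CLASS   (CLASS is owner, group or others)
# Prints the capabilities that class has on the object, or "none".
class_perms() {
    mode=$1
    class=$2
    case $mode in
        d*) kind=dir ;;
        *)  kind=file ;;
    esac
    case $class in
        owner)  block=$(printf '%s' "$mode" | cut -c2-4) ;;
        group)  block=$(printf '%s' "$mode" | cut -c5-7) ;;
        others) block=$(printf '%s' "$mode" | cut -c8-10) ;;
        *) echo "unknown class: $class" >&2; return 1 ;;
    esac
    caps=""
    case $block in r??) caps="read" ;; esac
    case $block in ?w?) caps="${caps:+$caps,}write" ;; esac
    # x, s and t all carry the execute/enter bit; S and T do not.
    case $block in
        ??[xst])
            if [ "$kind" = dir ]; then caps="${caps:+$caps,}enter"
            else caps="${caps:+$caps,}execute"; fi ;;
    esac
    # The special letters described above: s/S on a folder's group block means
    # new items inherit the group; t/T on its others block means restricted deletion.
    case "$class/$kind/$block" in
        group/dir/??[sS])  caps="${caps:+$caps; }new items inherit group" ;;
        others/dir/??[tT]) caps="${caps:+$caps; }restricted deletion" ;;
    esac
    printf '%s\n' "${caps:-none}"
}

# mode_to_octal MODE
# Prints the four-digit octal mode for chmod, e.g. drwxrwsr-x -> 2775.
mode_to_octal() {
    mode=$1
    special=0
    digits=""
    i=2
    while [ "$i" -le 8 ]; do
        block=$(printf '%s' "$mode" | cut -c"$i"-"$((i + 2))")
        v=0
        case $block in r??) v=$((v + 4)) ;; esac
        case $block in ?w?) v=$((v + 2)) ;; esac
        case $block in ??[xst]) v=$((v + 1)) ;; esac
        case "$i/$block" in
            2/??[sS]) special=$((special + 4)) ;;   # set-user-id
            5/??[sS]) special=$((special + 2)) ;;   # set-group-id (group inheritance on folders)
            8/??[tT]) special=$((special + 1)) ;;   # restricted deletion ("sticky") bit
        esac
        digits="$digits$v"
        i=$((i + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Usage: decode the entries from the listing discussed above.
for m in drwxr-x--- -rw-rw---- -r-------- drwxrwsr-x drwxrwx---; do
    printf '%-11s %s  owner: %s | group: %s | others: %s\n' "$m" "$(mode_to_octal "$m")" \
        "$(class_perms "$m" owner)" "$(class_perms "$m" group)" "$(class_perms "$m" others)"
done
```

The trailing "." that ls prints after the mode on the cluster (an SELinux context marker) is ignored because only the first ten characters are examined. The octal output is handy when you want to set an exact mode with chmod rather than add or remove individual letters.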
Changing the permissions of your files/folders
Use the chmod command if you need to change the permissions of some of your files/folders. The chmod command can be used as follows:
chmod [-R] <permissions> <paths>
where:
- -R stands for recursive, and instructs chmod to change the permissions of all files/sub-folders contained within a folder.
- <permissions> is a sequence of characters specifying the new permissions to give the files/folders.
- <paths> is one or more files/folders to update.
For example, if you have some files and folders in your scratch space that are only readable by you:
clint $ ls -l ~/scratch/
total 1
-rw-------. 1 me mygroup 0 Oct 27 11:20 afile
drwx------. 1 me mygroup 0 Oct 27 11:20 adir
and you want to make them readable to everybody on the file system, you can use commands such as:
chmod a+r ~/scratch/afile
chmod -R a+rx ~/scratch/adir
where:
- chmod a+r ~/scratch/afile tells chmod to make afile readable (r) by all (a) users.
- chmod -R a+rx ~/scratch/adir tells chmod to make adir and all of its contents readable and executable (x) by all users.
Folders must be executable for you to be able to change into them.
The permissions will now look like:
clint $ ls -l ~/scratch/
total 1
-rw-r--r--. 1 me mygroup 0 Oct 27 11:20 afile
drwxr-xr-x. 1 me mygroup 0 Oct 27 11:20 adir
If you need to restrict access to any of your files/folders, so that they are only accessible by your user, you can use commands such as:
chmod go-rwx ~/scratch/afile
chmod -R go-rwx ~/scratch/adir
where:
- chmod go-rwx ~/scratch/afile instructs chmod to remove the readable, writable and executable (rwx) permissions for afile from users in your group (g) and all other users (o).
- chmod -R go-rwx ~/scratch/adir does the same for adir and all of its contents.
This will change the permissions for afile and adir back to:
clint $ ls -l ~/scratch/
total 1
-rw-------. 1 me mygroup 0 Oct 27 11:20 afile
drwx------. 1 me mygroup 0 Oct 27 11:20 adir
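Given the data-protection note at the top of this page, the check most people want after reading this section is "which of my files can other users still read?". The following added example (not part of the original page or the cluster's tooling) answers that with POSIX find, then applies the go-rwx recipe above and verifies the result. It builds its own constructed sample tree in a temporary directory; the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original page or the cluster's tooling: find the
# files/folders under a directory that other users can read or write, then apply
# the go-rwx recipe from this section to lock them down. Only POSIX find, chmod and
# ls are used; the sample tree is constructed in a throwaway temp directory.

# world_readable DIR: every entry under DIR whose "others" block includes r
world_readable() {
    find "$1" -perm -004
}

# world_writable DIR: every entry under DIR whose "others" block includes w
world_writable() {
    find "$1" -perm -002
}

# count_lines: helper so callers get a bare number back
count_lines() {
    wc -l | tr -d ' '
}

# restrict_to_owner PATH: the recursive go-rwx command described above
restrict_to_owner() {
    chmod -R go-rwx "$1"
}

# mode_of PATH: the 10-character mode column of ls -ld (any SELinux/ACL suffix dropped)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_sample_tree: a constructed scratch layout resembling the page's ~/scratch,
# deliberately left open so the audit has something to report. Prints its path.
make_sample_tree() {
    root=$(mktemp -d)              # mktemp -d creates the root itself as 0700
    mkdir "$root/adir"
    : > "$root/afile"
    : > "$root/adir/inner"
    chmod 644 "$root/afile"        # as after: chmod a+r afile
    chmod 755 "$root/adir"         # as after: chmod -R a+rx adir
    chmod 666 "$root/adir/inner"   # worse: writable by everybody
    printf '%s\n' "$root"
}

# audit_and_fix DIR: report what is exposed, lock down every direct child of DIR,
# and print (as the last line) how many entries remain readable by others.
audit_and_fix() {
    dir=$1
    echo "readable by others before:"
    world_readable "$dir"
    echo "writable by others before:"
    world_writable "$dir"
    for p in "$dir"/*; do
        [ -e "$p" ] || continue    # empty directory: the glob stays literal
        restrict_to_owner "$p"
    done
    world_readable "$dir" | count_lines
}

# Usage: build the sample tree, audit it, lock it down, and show the result.
root=$(make_sample_tree)
audit_and_fix "$root"
ls -l "$root" "$root/adir"
rm -rf "$root"
```

Run the two audit functions against your real scratch or home directory before locking anything down, so you can see exactly which entries will change; the -perm -004 test matches any entry whose others block has the read bit, regardless of the other bits.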
Controlling Permissions for New Files/Folders
When a new file or folder is created the permissions it gets are controlled by an account property called the umask. This is an octal number 0XYZ that is used to calculate which permission settings to apply. You can control this yourself, but by default we apply two different umasks to your login sessions depending on your group membership.
- If your primary group name is the same as your username (and thus you are the only member) then your umask will be set to 0002, which means that new files/folders will be created with owner and group write permissions, e.g. -rw-rw-r-- for files and drwxrwxr-x for folders. This is the default for all newly created accounts.
- If your primary group name is one of the shared groups then your umask will be set to 0022, which means that new files/folders will be created with only owner write permissions, e.g. -rw-r--r-- for files and drwxr-xr-x for folders.
!> If you notice that your file/directory permissions are not as described above, please contact computing-help@oxcin.ox.ac.uk to have your account updated so that your umask is set appropriately automatically.
If you wish to temporarily modify your umask you can do this within your login session using the umask command (N.B. due to the way tasks are started on the cluster, the umask of jobs run there is always set as above). Whilst you can use the octal representation (which is confusing), the umask command also supports a much friendlier symbolic setting which allows you to use r, w and x, e.g.:
This would set your umask such that new files would get the permissions -rw-rw----.
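The quickest way to see what a umask does is to create something under it and look. The following added example (not part of the original page or the cluster's configuration) does exactly that for the two cluster defaults above and for a symbolic setting; the symbolic value u=rwx,g=rwx,o= is our assumption of a setting that yields -rw-rw---- for new files, as the paragraph above describes. The umask is changed only inside a subshell, so the caller's session is untouched, and the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original page or the cluster's configuration: show
# the permissions a new file or folder receives under a given umask, covering the two
# cluster defaults above and the symbolic form. The symbolic value u=rwx,g=rwx,o= is
# our assumption of a setting that produces -rw-rw---- for new files. The umask is
# changed only inside a subshell, so the caller's session is untouched; files are
# created in a throwaway temp directory.

# mode_under_umask UMASK KIND: create a new file ("file") or folder ("dir") with
# UMASK in force and print the resulting 10-character mode column from ls -ld.
# UMASK may be octal (0022) or symbolic (u=rwx,g=rwx,o=).
mode_under_umask() {
    mask=$1
    kind=$2
    tmp=$(mktemp -d)
    (
        umask "$mask" || exit 1
        if [ "$kind" = dir ]; then
            mkdir "$tmp/new"
        else
            : > "$tmp/new"        # a freshly created, empty file
        fi
    ) || { rm -rf "$tmp"; return 1; }
    ls -ld "$tmp/new" | cut -c1-10
    rm -rf "$tmp"
}

# octal_of_umask UMASK: the four-digit octal value the shell stores for UMASK,
# useful for translating a symbolic setting back into the form shown above.
octal_of_umask() {
    (umask "$1" && printf '%04o\n' "$(umask)")
}

# Usage: compare the two cluster defaults with the symbolic setting.
for m in 0002 0022 u=rwx,g=rwx,o=; do
    printf 'umask %-16s (%s)  file: %s  folder: %s\n' "$m" "$(octal_of_umask "$m")" \
        "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)"
done
```

New files start from rw-rw-rw- and new folders from rwxrwxrwx, and the umask names the bits to take away, which is why a file never gains x from the umask alone and why o= in the symbolic form removes everything for other users.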