Versions Compared

Old Version 3

changes.mady.by.user Luca Marsella (CSCS)

Saved on

compared with

New Version Current

changes.mady.by.user Marco Passerini (CSCS)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Newly created user folders are not accessible by other groups or users on CSCS systems. The Access Control Lists (ACLs) let you grant access to one or more groups or users. 

Step-by-step guide

In traditional POSIX, access permissions are granted to user/group/other in mode read/write/execute. You can check these permissions of a folder test with The permissions can be checked with the -l  option of the command ls. For instance, if user1 owns the folder test, the output would be the following: 

Code Block
languagebash
themeRDark
$ ls -lahd test/
drwxr-xr-x 2 pasmarcouser1 csstaff 4.0K Feb 23 13:46 test/

ACLs are an extension of these permissions to give one or more users or groups access to your data. You can list the current The ACLs on a folder the test folder of user1 can be shown with the command getfacl:

Code Block
languagebash
themeRDark
$ getfacl test
# file: test
# owner: pasmarcouser1
# group: csstaff
user::rwx
group::r-x
other::r-x

The command setfacl can add users or groups to read/write/execute on a selected file or folder using the option -M (--modify-file)  or -m (--modify) to modify the ACL of a file or directory:     

Code Block
languagebash
themeRDark
$ setfacl -m user:<username>user2:rw test/

$ getfacl test/
# file: test
# owner: pasmarcouser1
# group: csstaff
user::rwx
user:<username>user2:rw
group::r-x
mask::rwx
other::r-x

The In the example above will give the selected <username> user2 will be granted read and write access to the folder test. The the test folder owned by user1. The -X (--remove-file) and  -x (--remove) options instead will remove ACL entries (it is not an error to remove an entry which does not exist)instead:

Code Block
languagebash
themeRDark
$ setfacl -x user:<username>user2 test/

$ getfacl test/
# file: test
# owner: pasmarcouser1
# group: csstaff
user::rwx
group::r-x
mask::rwx
other::r-x

You Access rights can also grant permissions be granted recursively to a folder and its children (if they exist) using the option -R, --recursive.  Note this applies only to existing files. New files created in there won't inherhit the permissions. If you want that all new files created inside a specific folder inherit the permissions, you need to configure the default ACLs with the option

Code Block
languagebash
themeRDark
$ setfacl -R -m user:user2 test

$ getfacl test/subdir
# file: test/subdir
# owner: user1
# group: csstaff
user::rwx
user:user2:rwx
group::---
group:csstaff:r-x
mask::rwx
other::---

If you wish to set up a default so all newly created folders and dirs inside or your desired path will inherit the permissions, you can use the -d, --default: option.

Code Block
languagebash
themeRDark
$ setfacl -dm user:<username>user2:rw test/

$ getfacl test
# file: test
# owner: pasmarcouser1
# group: csstaff
user::rwx
user:<username>:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:<username>user2:rw
default:group::r-x
default:mask::rwx
default:other::r-x
Info

Please have a look at the man page man setfacl  for more options of the command setfacl 

Content by Label
showLabelsfalse
max5
spacesKB
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ("kb-dci","kb-how-to-article") and type = "page" and space = "KB"
labelskb-how-to-article kb-dci

...