File Permissions

All files and directories have an owner (usually the person who initially created the file or directory). The owner can assign UNIX permissions to other users, and these permissions control who can manipulate the files and directories.

There are three classes of users who may have different permissions for a file or directory:

u = user  (the owner)

g = group  (the owner's group)

o = others  (everyone else)

There are three kinds of permissions for files and directories (r, w, x) that may be assigned to any or all of the above classes of users:

r = read  (read, copy files; list files in directory)

w = write  (edit, append files; create or remove files in directory)

x = execute  (run, execute; cd into directory)

Run ls with the -l option to see the permissions assigned to your files and directories. Add the -a option to the command (ls -la) to also see invisible files that reside in the directory, i.e., files whose names begin with a dot (.).

Only the owner of a file or directory (or the super user) can change a file's permissions. The changes are made using the chmod utility. There are two forms of chmod syntax: one specifies the desired permissions as an absolute (octal numeric) value; the other is symbolic and changes permissions incrementally.

Detailed information about UNIX file and directory permissions and modes is easily found online using your favorite Web search engine.

Citizenship and Permissions

Groups of users exist so that group members can use chgrp and chmod to allow shared access to files among everyone in that group. The groups utility, run without options, reports the names of the groups to which you currently belong.

On SCF machines, user citizenship can affect file sharing and the assignment of file permissions. Every user belongs to an "extra" group that reflects that user's citizenship. For example, every U.S. citizen belongs to the group us_cit. This allows restricted file access based on citizenship group, such as:

chgrp us_cit myfile

and the use of chmod to open group permissions but limit (or eliminate) world permissions on that file:

chmod 750 myfile

If you think your file management activities call for more details on the interaction of citizenship with file permissions, contact the LC Hotline at 925-422-4531 with specific questions.

Top-Level World Permissions Disabled

World (or "other") permissions on top-level files and directories invite unauthorized access and other security problems. An automatic monitoring process systematically disables all world permissions (read, write, and execute) on top-level user directories and files in the following file systems on each LC production machine:

  • /g/gnn
  • /nfs/tmpn
  • /var/tmp (sometimes called /usr/tmp)
  • /tmp
  • /p/lscratch* (Lustre)
  • /usr/gapps (linked from former /usr/apps)

Permissions on files below the top level remain unchanged. Because disabling top-level world permissions is a security policy, exceptions will require a justification memo. Contact the LC Hotline if you want to apply for a specific exemption to the restrictions on world access.
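The following shell script is an added illustration of that policy, not LC's monitoring tool: it reports top-level entries with any world (other) bit set and strips those bits while leaving everything below the top level untouched. It assumes GNU find and stat (for -mindepth/-maxdepth and stat -c).

```shell
#!/bin/sh
# Added example (not LC's own tooling): audit and enforce "no world
# permissions" on the top level of a directory, as the text describes.
# Assumes GNU find and GNU stat.

# Octal mode of one path, e.g. 750.
mode_of() {
    stat -c '%a' "$1"
}

# Print "<octal mode> <path>" for every top-level entry of DIR that has
# at least one world bit (o=r, o=w or o=x) set. Prints nothing if clean.
# Dotfiles are included because find does not skip them.
audit_world_perms() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -perm -o=r -o -perm -o=w -o -perm -o=x \) \
        -exec stat -c '%a %n' {} +
}

# Number of offending top-level entries; usable as a pass/fail check.
count_world_perms() {
    audit_world_perms "$1" | wc -l | tr -d ' '
}

# Remove all world bits from top-level entries only. Files and
# directories below the top level keep whatever mode they had.
strip_world_perms() {
    find "$1" -mindepth 1 -maxdepth 1 -exec chmod o-rwx {} +
}

# Constructed demonstration: build a scratch tree, audit it, enforce.
demo_world_perms() {
    d=$(mktemp -d)
    mkdir "$d/sub";            chmod 755 "$d/sub"        # world r-x
    : > "$d/sub/inner";        chmod 666 "$d/sub/inner"  # below top level
    : > "$d/public";           chmod 644 "$d/public"     # world r--
    : > "$d/group";            chmod 750 "$d/group"      # group only
    : > "$d/private";          chmod 700 "$d/private"    # owner only
    echo "before:"; audit_world_perms "$d"
    strip_world_perms "$d"
    echo "after:";  audit_world_perms "$d"
    rm -rf "$d"
}
```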

Several alternatives for sharing files safely are available on LC machines, and each has its own strengths and weaknesses. See the File-Sharing Alternatives section for a comparison of these alternatives.