Technical Bulletin #524: UNIX World Permissions on LC File Systems
Note: This Technical Bulletin supersedes Technical Bulletin #471.
It is Livermore Computing (LC) policy to prevent unintended sharing of user files.
To accomplish this, certain user directories will only be allowed to have user and group read, write, and/or execute permissions set unless there is an express, written, and approved exemption allowing world access. To enforce this policy, LC will monitor the permissions on the following directories across all zones (CZ, RZ, and SCF):
• /collab/usr/gapps/*
• /collab/usr/gapps/data/*
• /collab/usr/gdata/*
• /nfs/*/*
• /p/lscratch*/*
• /usr/dnta/*
• /usr/dvsprod/*
• /usr/gapps/*
• /usr/gapps/data/*
• /usr/gdata/*
• /usr/mic/bdiv
• /usr/mic/*/*
Example of how permissions will be reset:
$ ls -lad /p/lscratchrza/lee1001
drwxr-xr-x 2 lee1001 lee1001 25600 Apr 28 2017 /p/lscratchrza/lee1001
will change to
drwxr-x--- 2 lee1001 lee1001 25600 Apr 28 2017 /p/lscratchrza/lee1001
Furthermore, because of the sensitivity of certain files, user home directories (i.e. /g/g*/<username>) shall be accessible only by the owner of the directory. This will also be monitored and enforced.
Example of an appropriately set home directory:
$ ls -lad /g/g0/lee1001
drwx------ 46 lee1001 lee1001 12288 Jun 19 21:29 /g/g0/lee1001
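A self-check for both rules above, as an added example that is not LC's enforcement tooling: it flags world bits on shared directories, shows the mode they would be reset to, and tests the owner-only rule for home directories. It assumes GNU coreutils `stat`; the function names and the `--home` switch are made up for this sketch.

```shell
#!/bin/sh
# Added example, not LC's enforcement tooling. Assumes GNU coreutils stat.

# Octal permission bits of a path, e.g. 755 or 2750.
mode_of() { stat -c '%a' -- "$1"; }

# True if any world ("other") bit is set: the condition the bulletin
# forbids on the monitored directories.
has_world_access() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 07 )) -ne 0 ]
}

# True if no group or world bit is set (the home directory rule).
is_owner_only() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 077 )) -eq 0 ]
}

# Mode after the reset shown in the bulletin: world bits cleared, rest kept.
reset_mode() {
    m=$(mode_of "$1") || return 2
    printf '%o\n' $(( 0$m & ~07 ))
}

# Report on each path given as an argument; "--home" (hypothetical switch)
# applies the owner-only rule to the paths that follow it.
rule=shared
for p in "$@"; do
    case $p in --home) rule=home; continue ;; esac
    # A missing path must not be reported as compliant.
    [ -e "$p" ] || { echo "SKIP  $p: not found"; continue; }
    if [ "$rule" = home ]; then
        if is_owner_only "$p"; then echo "OK    $p"
        else echo "FIX   $p: $(mode_of "$p") -> chmod go-rwx"; fi
    elif has_world_access "$p"; then
        echo "FIX   $p: $(mode_of "$p") -> $(reset_mode "$p")"
    else
        echo "OK    $p"
    fi
done
```

Pass shared directories first and home directories after `--home`; with no arguments the script only defines the functions.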
A number of options are available to users for sharing data. /usr/workspace/*/<group> is a good way to share files, as are a shared Bitbucket repo and a Confluence project space. Please contact the LC Hotline if you wish to explore these options or if you have questions about other possibilities.
For more examples of how to check file system permissions, please see the how-to article in CZ Confluence.