Update 9/8/20

NoteThis Technical Bulletin supersedes Technical Bulletin #471

It is Livermore Computing (LC) policy to prevent unintended sharing of user files.

To accomplish this, certain user directories will only be allowed to have user and group read, write, and/or execute permissions set unless there is an express, written, and approved exemption allowing world access. To enforce this policy, LC will monitor the permissions on the following directories across all zones (CZ, RZ, and SCF):

• /collab/usr/gapps/*
• /collab/usr/gapps/data/*
• /collab/usr/gdata/*
• /nfs/*/*
• /p/lscratch*/*
• /p/lustre*/*
• /p/vast*/*
• /usr/dnta/*
• /usr/dvsprod/*
• /usr/gapps/*
• /usr/gapps/data/*
• /usr/gdata/*
• /usr/mic/bdiv
• /usr/mic/*/*

If there is a programmatic reason a directory requires world permissions set, download and complete the UNIX world exemption form and forward the completed form to lc-support@llnl.gov.

Example of how permissions will be reset:

$ ls -lad /p/lscratchrza/lee1001
drwxr-xr-x 2 lee1001 lee1001 25600 Apr 28  2017 /p/lscratchrza/lee1001

will change to

drwxr-x--- 2 lee1001 lee1001 25600 Apr 28  2017 /p/lscratchrza/lee1001

Furthermore, because of the sensitivity of certain files, user home directories (i.e. /g/g*/<username>) shall be accessible only by the owner of the directory. This will also be monitored and enforced.

Example of an appropriately set home directory:

$ ls -lad /g/g0/lee1001
drwx------ 46 lee1001 lee1001 12288 Jun 19 21:29 /g/g0/lee1001

A number of options are available to users for sharing data. /usr/workspace/*/<group> is a good way to share files as is a shared BitBucket repo and a confluence project space. Please contact the LC Hotline if you wish to explore these options or if you have questions about other possibilities.

For more examples of how to check file system permissions, please see the how-to article in CZ Confluence.