
Changing NFS permissions

This guide describes how to share a subdirectory of $HPCVAULT or $WORK. NFS ACLs and POSIX file permissions are combined in a two-step process to grant read or read/write access to that subdirectory for a specific user or group. NFS ACLs offer finer-grained options than the usual POSIX read/write/execute permissions.

  1. NFS ACLs are used to make the $HPCVAULT or $WORK traversable for the specific user/group.
  2. POSIX file permissions are used to open a subdirectory of $HPCVAULT or $WORK to members of your group or anybody else.

Be careful when changing permissions, as others can accidentally get access.

Do not combine this guide with the other approach of sharing a directory by changing its POSIX file permissions alone.

Ensure that the POSIX permission class others has no read, write, or execute permission on $HPCVAULT or $WORK when following this guide.

You can check the POSIX file permissions for $HPCVAULT or $WORK with:

$ ls -ld $WORK
drwx------ 58 USER GROUP 105 Feb  2 10:47 /home/.../GROUP/USER

Ensure the last three characters of the first block (here drwx------) are --- and contain none of r, w, or x.

For working with NFS ACLs we use the nfs4_setfacl and nfs4_getfacl commands.

For POSIX file permissions we use the chmod command.

Grant a specific user read or read/write access

In the following example you, the OWNER, will grant read or read/write access to a specific user <OTHER-USER> to directory $WORK/<SUBDIR>. <OTHER-USER> denotes the user's HPC account name.

  1. Make $WORK (top level) traversable for <OTHER-USER>:

    nfs4_setfacl -a A::<OTHER-USER>@rrze.uni-erlangen.de:X $WORK
    

    • -a: add an ACL entry
    • A: allow the following user/group with the respective permissions
    • ::: an empty flags field (nothing between the two colons after A) means the principal is a user
    • <OTHER-USER>@rrze.uni-erlangen.de: the principal
    • X: generic execute permission, which makes the directory traversable (it appears as xtcy in nfs4_getfacl output)
    • $WORK: the directory the ACLs are applied to
  2. Grant read or read/write access to $WORK/<SUBDIR>:

    | <OTHER-USER> is ...      | access     | command to execute            |
    |--------------------------|------------|-------------------------------|
    | member of your group     | read       | chmod -R g=rx $WORK/<SUBDIR>  |
    | member of your group     | read/write | chmod -R g=rwx $WORK/<SUBDIR> |
    | not member of your group | read       | chmod -R o=rx $WORK/<SUBDIR>  |
    | not member of your group | read/write | chmod -R o=rwx $WORK/<SUBDIR> |
    • -R: apply permissions recursively
    • g=rx: read permission for members of your group
    • g=rwx: read/write permission for members of your group
    • o=rx: read permission for all HPC users, except members of your group
    • o=rwx: read/write permission for all HPC users, except members of your group
  3. Optional: check resulting permissions.

Grant a specific group read or read/write access

In the following example you, the OWNER, will grant read or read/write access to a group <OTHER-GROUP> to directory $WORK/<SUBDIR>. Here <OTHER-GROUP> denotes the group's HPC group name.

  1. Make $WORK (top level) traversable for <OTHER-GROUP>:

    nfs4_setfacl -a A:g:<OTHER-GROUP>@rrze.uni-erlangen.de:X $WORK
    

    • -a: add an ACL entry
    • A: allow the following user/group with the respective permissions
    • :g:: the flags field g marks the principal as a group
    • <OTHER-GROUP>@rrze.uni-erlangen.de: the principal
    • X: generic execute permission, which makes the directory traversable (it appears as xtcy in nfs4_getfacl output)
    • $WORK: the directory the ACLs are applied to
  2. Grant read or read/write access to $WORK/<SUBDIR>:

    | you are ...                 | access     | command to execute            |
    |-----------------------------|------------|-------------------------------|
    | member of <OTHER-GROUP>     | read       | chmod -R g=rx $WORK/<SUBDIR>  |
    | member of <OTHER-GROUP>     | read/write | chmod -R g=rwx $WORK/<SUBDIR> |
    | not member of <OTHER-GROUP> | read       | chmod -R o=rx $WORK/<SUBDIR>  |
    | not member of <OTHER-GROUP> | read/write | chmod -R o=rwx $WORK/<SUBDIR> |
    • -R: apply permissions recursively
    • g=rx: read permission for members of your group
    • g=rwx: read/write permission for members of your group
    • o=rx: read permission for all HPC users, except members of your group
    • o=rwx: read/write permission for all HPC users, except members of your group
  3. Optional: check resulting permissions.
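The POSIX step of both procedures above (sharing with a user and sharing with a group) wrapped in a small POSIX shell script. This is an added example and not part of the original guide: it picks the chmod mode the tables prescribe from two inputs, refuses to run when the top-level directory's others bits are not --- (the precondition from the warning box), and verifies the outcome with ls -ld the way the checking section does. The function names (others_bits, others_closed, posix_mode, share_subdir, mode_string) and the temporary directory tree used for the demonstration are my own, and the NFS ACL step is deliberately left out because nfs4_setfacl needs an NFSv4 mount; run it exactly as shown in step 1 before calling share_subdir.

```shell
#!/bin/sh
# Added example, not the guide's own code. Wraps step 2 (chmod) of the
# procedures above and checks the precondition the guide states for $WORK.

# others_bits DIR: the three "others" characters of the ls -ld mode string,
# e.g. "---" or "r-x" (characters 8-10; an ACL marker at position 11 is ignored).
others_bits() {
    ls -ld "$1" | cut -c8-10
}

# others_closed DIR: true when others have no read, write or execute bit,
# which is what the warning box asks you to verify for $WORK / $HPCVAULT.
others_closed() {
    [ "$(others_bits "$1")" = "---" ]
}

# posix_mode MEMBER ACCESS: the symbolic mode from the guide's tables.
#   MEMBER: "yes" if the other party is in the directory's group, else "no"
#   ACCESS: "read" or "rw"
posix_mode() {
    case "$1/$2" in
        yes/read) echo "g=rx" ;;
        yes/rw)   echo "g=rwx" ;;
        no/read)  echo "o=rx" ;;
        no/rw)    echo "o=rwx" ;;
        *) echo "usage: posix_mode yes|no read|rw" >&2; return 2 ;;
    esac
}

# share_subdir TOPDIR SUBDIR MEMBER ACCESS
# Applies the mode recursively to TOPDIR/SUBDIR (step 2 of the guide), but
# only after confirming that TOPDIR itself is still closed to others.
share_subdir() {
    if ! others_closed "$1"; then
        echo "refusing: others have access to $1 ($(others_bits "$1"))" >&2
        return 1
    fi
    mode=$(posix_mode "$3" "$4") || return 2
    chmod -R "$mode" "$1/$2"
}

# mode_string DIR: the full 10-character mode string, e.g. "drwxr-x---"
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration on a constructed temporary tree standing in for $WORK/<SUBDIR>.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/sub/nested"
    chmod 700 "$work" "$work/sub" "$work/sub/nested"
    share_subdir "$work" sub yes read
    mode_string "$work/sub"          # drwxr-x---
    mode_string "$work/sub/nested"   # drwxr-x---
    rm -rf "$work"
}

demo
```

Because the guide's modes use a lowercase x with -R, regular files below the subdirectory also receive the execute bit; that is the guide's procedure and is kept here unchanged.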

Checking resulting permissions

You can check the permissions you granted; they should look like the following:

  • for $WORK:

    • If access was granted to a user:

      $ nfs4_getfacl $WORK
      # file: /home/.../GROUP/USER
      A::OWNER@:rwaDxtTcCy
      A::<OTHER-USER-ID>:xtcy
      A::GROUP@:tcy
      A::EVERYONE@:tcy
      
      Here <OTHER-USER-ID> is the numeric user id that the command id <OTHER-USER> returns.

    • If access was granted to a group:

      $ nfs4_getfacl $WORK
      # file: /home/.../GROUP/USER
      A::OWNER@:rwaDxtTcCy
      A::GROUP@:tcy
      A:g:<OTHER-GROUP-ID>:xtcy
      A::EVERYONE@:tcy
      
      Here <OTHER-GROUP-ID> is the numeric group id that the command getent group <OTHER-GROUP> returns.

    • If access was granted to both a user and a group, or to multiple users and groups, you will see a mix of both examples.

  • for $WORK/<SUBDIR>:

    • If <OTHER-USER> is a group member or you are member of <OTHER-GROUP>:
      $ ls -ld $WORK/<SUBDIR>
      drwxr-x--- 58 USER GROUP 105 Feb  2 10:47 /home/.../GROUP/USER/SUBDIR
      
    • If <OTHER-USER> is not a group member or you are not member of <OTHER-GROUP>:
      $ ls -ld $WORK/<SUBDIR>
      drwx---r-x 58 USER GROUP 105 Feb  2 10:47 /home/.../GROUP/USER/SUBDIR
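A way to verify the nfs4_getfacl output from this section without reading it by eye. This is an added example and not part of the original guide: a POSIX shell script that parses the ACE lines (type:flags:principal:permissions) with awk and checks that the intended principal holds the traverse permission x while EVERYONE@ has neither r nor w on the top level, which is the state the warning box asks you to preserve. The sample output is constructed from the listings above with the made-up ids 1234 for <OTHER-USER-ID> and 5678 for <OTHER-GROUP-ID>; the function names are mine.

```shell
#!/bin/sh
# Added example, not the guide's own code: check nfs4_getfacl output.

# Constructed sample: the listings above, with placeholder ids filled in
# (1234 stands for <OTHER-USER-ID>, 5678 for <OTHER-GROUP-ID>).
SAMPLE_ACL='# file: /home/example/GROUP/USER
A::OWNER@:rwaDxtTcCy
A::1234:xtcy
A::GROUP@:tcy
A:g:5678:xtcy
A::EVERYONE@:tcy'

# ace_perms ACLTEXT FLAGS PRINCIPAL
# Prints the permission string of the allow (A) ACE for PRINCIPAL.
# FLAGS is "" for a user and "g" for a group, i.e. the second field of the ACE.
# Prints nothing when no such ACE exists; comment lines never match.
ace_perms() {
    printf '%s\n' "$1" | awk -F: -v flag="$2" -v who="$3" \
        '$1 == "A" && $2 == flag && $3 == who { print $4; exit }'
}

# has_traverse ACLTEXT FLAGS PRINCIPAL: true when the principal's ACE
# contains x, the permission the guide's step 1 is meant to grant.
has_traverse() {
    case "$(ace_perms "$1" "$2" "$3")" in
        *x*) return 0 ;;
        *)   return 1 ;;
    esac
}

# everyone_closed ACLTEXT: true when EVERYONE@ has neither r nor w,
# so the top-level directory stays closed to users you did not name.
everyone_closed() {
    case "$(ace_perms "$1" "" "EVERYONE@")" in
        *r*|*w*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Demonstration on the constructed sample.
has_traverse "$SAMPLE_ACL" ""  1234 && echo "user 1234 can traverse"
has_traverse "$SAMPLE_ACL" "g" 5678 && echo "group 5678 can traverse"
everyone_closed "$SAMPLE_ACL"       && echo "EVERYONE@ has no read/write"
```

On the cluster itself the same functions work on live output, for example has_traverse "$(nfs4_getfacl "$WORK")" "" "$(id -u <OTHER-USER>)" for a user, or with "g" and the group id from getent group <OTHER-GROUP> for a group; the awk match is exact, so pass the numeric id exactly as nfs4_getfacl prints it.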