Changing POSIX file permissions#

Be careful when changing permissions as others can accidentally get access.

This guide should not be mixed with sharing a directory by changing NFS permissions.

This guide describes how to share a subdirectory of $HPCVAULT or $WORK with

members of your group or
all other HPC users not part of your group

by adjusting POSIX file permissions with the chmod command.

Granting read access to members of your group#

This allows all members of your group to read a subdirectory (and its content) of $HPCVAULT or $WORK, in this example the directory $WORK/directory-to-be-shared.

POSIX group file permissions of all parent directories up to $WORK must be set to traversable, i.e. the group permission must include execute x. In our example the only parent directory is $WORK:
```
chmod g+x $WORK
```
A traversable directory means that you can access its subdirectories or files (if their permissions allow it), but cannot list the directory's content. This is achieved if the directory has only execute x permission.
Grant all members of your group read access to the directory $WORK/directory-to-be-shared and its subdirectories:
```
chmod -R g+r $WORK/directory-to-be-shared
```
- -R: apply permissions recursively, i.e. to subdirectories and files.
- g: selects your group
- +r: add read permission

This might expose more files and directories as intended.

If you have subdirectories or files that have group permissions set under $WORK and your group members can guess their names, they can also access them.

If you have for example a file $WORK/secret that has group read permissions set and you enable traversal for $WORK, group members knowing that $WORK/secret exists, can access it.

By default, directories and files are created with certain permissions. If this does not include group permissions you might have to adjust the permissions of files you created afterwards inside the shared directory.

Granting read access to other HPC users#

We discourage this method as it allows all HPC users, who know the path to the shared directory, to access it.

This gives read access to all HPC users not members of your group to a subdirectory of $HPCVAULT or $WORK, in this example the directory $WORK/directory-to-be-shared.

POSIX other file permissions of all parent directories up to $WORK must be set to traversable, i.e. the others permission must include execute x. In our example the only parent directory is $WORK:
```
chmod o+x $WORK
```
A traversable directory means that you can access its subdirectories or files (if their permissions allow it), but cannot list the directory's content. This is achieved if the directory has only execute x permission.
Grant all HPC users not members of your group read access to the directory $WORK/directory-to-be-shared and its subdirectories:
```
chmod -R o+r $WORK/directory-to-be-shared
```
- -R: apply permissions recursively, i.e. to subdirectories and files.
- o: selects all HPC users that are not members of your group
- +r: add read permission

This might expose more files and directories as intended.

If you have subdirectories or files that have group permissions set under $WORK and your group members can guess their names, they can also access them.

If you have for example a file $WORK/secret that has group read permissions set and you enable traversal for $WORK, group members knowing that $WORK/secret exists, can access it.

By default, directories and files are created with certain permissions. If this does not include other permissions you might have to adjust the permissions of files you created afterwards inside the shared directory.