
File permissions

File sharing with Access Control Lists (ACL)

With ACLs you can grant other users access to your files and folders. This makes it easy to share data between multiple users.

Sub folder access

To make sure that every file and folder within your home and work directory can only be accessed by you, set the file mode to 700 (read, write and execute permissions only for you):

chmod -R 700 /work/users/<sc~username>
chmod -R 700 /home/sc.uni-leipzig.de/<sc~username>

If you do not set that permission, the user you granted access may be able to read other files and folders as well.

Since we have two different file systems, there are also two different systems to grant access to the contained folders and files.

You should differentiate between your work folder
/work/users/<sc~username>
and your home folder
/home/sc.uni-leipzig.de/<sc~username>.

/work folder

To see the current permissions for a folder or file you can execute the following command:

getfacl <path>

Example

$ getfacl /work/user/za381bafi
getfacl: Removing leading '/' from absolute path names
# file: work/user/za381bafi
# owner: za381bafi
# group: domain\040users
user::rwx
group::r-x
mask::rwx
other::r-x

To set permissions for another user for your /work folder you can use the following command:

setfacl -m u:<other~user>:<access~type(s)> /work/users/<your~sc~username>

where the parameters are the following:

  • <other~user> - the SC username of the user you want to grant access
  • <access~type(s)> - the kind of access privilege
    • r (read), w (write), x (execution and changing into directory)
    • or a combination of these e.g. rw (read and write), rx (read directory and change into it)
  • <your~sc~username> - your own username

The permissions can also be set recursively (i.e. all subfolders and files inside) by adding the -R parameter right behind setfacl like: setfacl -R -m u:test:rwx /work/users/my-dir

This example would grant read, write and execution permissions for the directory my-dir to user test.

Permissions can be withdrawn with the following command:

setfacl -x u:<sc~username> <dir>

A simple example for the /work folder

The following example shows the steps to grant read access for the subdirectory shared-scripts within the work directory of user prof to user student:

setfacl -m u:student:x /work/users/prof # allow students to change into work directory (they cannot read or write files / folders)
setfacl -R -m u:student:rx /work/users/prof/shared-scripts # allow students to change into subdirectory shared-scripts and all subdirectories within and allow them to read files / folders

home folder

To allow a user access to your home folder you can use the following command:

nfs4_setfacl -a A::$(id -u <sc~username~of~other~user>):<granted~access~type(s)> /home/sc.uni-leipzig.de/<your~sc~username>

where the parameters have the following values:

  • <sc~username~of~other~user> - the SC username of the user you want to grant access
  • <granted~access~type(s)> - the kind of access privilege
    • R (read), W (write), X (execution and changing into directory)
    • or a combination of these e.g. RW (read and write), RX (read directory and change into it)
  • <your~sc~username> - your own username

To see which permissions are set for a folder or file you can execute the following command:

nfs4_getfacl <path>

This shows a list with all permissions. A result can look like:

A::1435002882:waDxtcy

This means that access is granted to the user with the id 1435002882 and the user has write, append, delete, execute, and various attribute-related permissions.

To see who that user is, execute id <user~id>
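
Reviewing such a list by eye gets error-prone once several users have been granted access. The following shell function is an added example, not part of the original documentation: it reads nfs4_getfacl output and prints every allow entry that gives a principal other than OWNER@ a modifying permission, with the letters decoded as documented in nfs4_acl(5). The function names and the sample ACL (including the UID 1435009999) are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag NFSv4 "allow" ACEs that let anyone other than OWNER@
# modify data, attributes, ownership or the ACL itself.

# audit_nfs4_acl: reads nfs4_getfacl output on stdin, prints one line per
# risky ACE: "<principal><TAB><decoded permissions>".
audit_nfs4_acl() {
    awk -F: '
    BEGIN {
        # Permission letters as documented in nfs4_acl(5).
        n["r"] = "read-data";        n["w"] = "write-data"
        n["a"] = "append-data";      n["x"] = "execute"
        n["d"] = "delete";           n["D"] = "delete-child"
        n["t"] = "read-attrs";       n["T"] = "write-attrs"
        n["n"] = "read-named-attrs"; n["N"] = "write-named-attrs"
        n["c"] = "read-acl";         n["C"] = "write-acl"
        n["o"] = "write-owner";      n["y"] = "synchronize"
    }
    # $1 = type (A = allow), $2 = flags, $3 = principal, $4 = permissions.
    # Comment lines and deny/audit ACEs never have $1 == "A".
    $1 == "A" && $3 != "OWNER@" && $4 ~ /[waDdTNCo]/ {
        out = ""
        for (i = 1; i <= length($4); i++) {
            c = substr($4, i, 1)
            name = (c in n) ? n[c] : "unknown(" c ")"
            out = out (out == "" ? "" : ",") name
        }
        printf "%s\t%s\n", $3, out
    }'
}

# sample_acl: constructed nfs4_getfacl output (not from a real system); the
# second ACE is the one quoted in the text above, UID 1435009999 is made up.
sample_acl() {
    cat <<'EOF'
# file: /home/sc.uni-leipzig.de/prof/shared-scripts
A::OWNER@:rwaDxtTcCy
A::1435002882:waDxtcy
A::1435009999:rxtcy
A:g:GROUP@:rxtcy
A::EVERYONE@:tcy
EOF
}

sample_acl | audit_nfs4_acl
```

To check a real folder, pipe its ACL into the function: nfs4_getfacl <path> | audit_nfs4_acl. Each numeric principal it reports can then be resolved with id <user~id>.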

To modify permissions of a user it is easier to withdraw permissions for a folder and then grant the new permissions. To withdraw permissions execute the following:

nfs4_setfacl -x $(nfs4_getfacl <path> | grep $(id -u <sc~username~of~other~user>)) <path>

Afterwards, you can set the permissions as described above.

The permissions can also be set recursively by adding the -R parameter right behind nfs4_setfacl like: nfs4_setfacl -R -a A::$(id -u test):RWX /home/sc.uni-leipzig.de/my-dir

This example would grant read, write and execution permissions for the directory my-dir to user test.

A simple example for the home folder

The following example shows the steps to grant read access for the subdirectory shared-scripts within the home directory of user prof to user student:

# allow students to change into home directory (they cannot read or write files / folders)
nfs4_setfacl -a A::$(id -u student):X /home/sc.uni-leipzig.de/prof
# allow students to change into subdirectory shared-scripts and all subdirectories within and allow them to read files / folders
nfs4_setfacl -R -a A::$(id -u student):RX /home/sc.uni-leipzig.de/prof/shared-scripts/