Changing NFS permissions

This guide describes how to share a subdirectory of $HPCVAULT or $WORK. NFS ACLs and POSIX file permissions are used to grant read or read/write access to this subdirectory for a specific user or group in a two step process. NFS ACLs provide more specific options than typical POSIX read/write/execute permissions.

1. NFS ACLs are used to make the $HPCVAULT or $WORK traversable for the specific user/group.
2. POSIX file permissions are used to open a subdirectory of $HPCVAULT or $WORK to members of your group or anybody else.

Be careful when changing permissions as others can accidentally get access

This guide should not be mixed with sharing a directory by changing POSIX file permissions.

Ensure POSIX permission group others does not have read, write, or execute permission for $HPCVAULT or $WORK when following this guide.

You can check the POSIX file permissions for $HPCVAULT or $WORK with:

$ ls -ld $WORK
drwx------ 58 USER GROUP 105 Feb  2 10:47 /home/.../GROUP/USER

Ensure the last three characters in the first block, here drwx------, are --- and do not contain rwx.

For working with NFS ACLs we will use:

• nfs4_setfacl to change permissions
• nfs4_getfacl to review permissions.
• For a general overview over NFS permissions, see nfs4_acl.

For POSIX file permissions we use the chmod command.

Grant a specific user read or read/write access

In the following example you, the OWNER, will grant read or read/write access to a specific user <OTHER-USER> to directory $WORK/<SUBDIR>. <OTHER-USER> denotes the user's HPC account name.

1. Make $WORK (top level) traversable for <OTHER-USER>:

   nfs4_setfacl -a A::<OTHER-USER>@rrze.uni-erlangen.de:X $WORK
   

   • -a: add an ACL entry
   • A: allow the following user/group with the respective permissions
   • ::: empty colons denote the principal is a user
   • <OTHER-USER>@rrze.uni-erlangen.de: the principal
   • X: makes the following directory traversable
   • $WORK: the directory the ACLs are applied to

2. Grant read or read/write access to $WORK/<SUBDIR>:

   <OTHER-USER> is ...	access	command to execute
   member of your group	read	chmod -R g=rx $WORK/<SUBDIR>
   member of your group	read/write	chmod -R g=rwx $WORK/<SUBDIR>
   not member of your group	read	chmod -R o=rx $WORK/<SUBDIR>
   not member of your group	read/write	chmod -R o=rwx $WORK/<SUBDIR>

   • -R: apply permissions recursively
   • g=rx: read permission for members of your group
   • g=rwx: read/write permission for members of your group
   • o=rx: read permission for all HPC users, except members of your group
   • o=rwx: read/write permission for all HPC users, except members of your group

3. Optional: check resulting permissions.

Grant a specific group read or read/write access

In the following example you, the OWNER, will grant read or read/write access to a group <OTHER-GROUP> to directory $WORK/<SUBDIR>. Here <OTHER-GROUP> denotes the group's HPC group name.

1. Make $WORK (top level) traversable for <OTHER-GROUP>:

   nfs4_setfacl -a A:g:<OTHER-GROUP>@rrze.uni-erlangen.de:X $WORK
   

   • -a: add an ACL entry
   • A: allow the following user/group with the respective permissions
   • :g:: the principal is a group
   • <OTHER-GROUP>@rrze.uni-erlangen.de: the principal
   • X: makes the following directory traversable
   • $WORK: the directory the ACLs are applied to

2. Grant read or read/write access to $WORK/<SUBDIR>:

   you are ...	access	command to execute
   member of <OTHER-GROUP>	read	chmod -R g=rx $WORK/<SUBDIR>
   member of <OTHER-GROUP>	read/write	chmod -R g=rwx $WORK/<SUBDIR>
   not member of <OTHER-GROUP>	read	chmod -R o=rx $WORK/<SUBDIR>
   not member of <OTHER-GROUP>	read/write	chmod -R o=rwx $WORK/<SUBDIR>

   • -R: apply permissions recursively
   • g=rx: read permission for members of your group
   • g=rwx: read/write permission for members of your group
   • o=rx: read permission for all HPC users, except members of your group
   • o=rwx: read/write permission for all HPC users, except members of your group

3. Optional: check resulting permissions.

Checking resulting permissions

You can check the permissions you granted and they should look like the following:

• for $WORK:

  • If access was granted to a user:

    $ nfs4_getfacl $WORK
    # file: /home/.../GROUP/USER
    A::OWNER@:rwaDxtTcCy
    A::<OTHER-USER-ID>:xtcy
    A::GROUP@:tcy
    A::EVERYONE@:tcy
    

    Here <OTHER-USER-ID> is the user id the command id <OTHER-USER> returns.

  • If access was granted to a group:

    $ nfs4_getfacl $WORK
    # file: /home/.../GROUP/USER
    A::OWNER@:rwaDxtTcCy
    A::GROUP@:tcy
    A:g:<OTHER-GROUP-ID>:xtcy
    A::EVERYONE@:tcy
    

    Here <OTHER-GROUP-ID> is the group id the command getent group <OTHER-GROUP> returns.

  • In case access was granted to user and group or multiple users and groups you will see a mix of both examples.

• for $WORK/<SUBDIR>:

  • If <OTHER-USER> is a group member or you are member of <OTHER-GROUP>:

    $ ls -ld $WORK/<SUBDIR>
    drwxr-x--- 58 USER GROUP 105 Feb  2 10:47 /home/.../GROUP/USER/SUBDIR
    

  • If <OTHER-USER> is not a group member or you are not member of <OTHER-GROUP>:

    $ ls -ld $WORK/<SUBDIR>
    drwx---r-x 58 USER GROUP 105 Feb  2 10:47 /home/.../GROUP/USER/SUBDIR