Managing Access Permissions on the NIH HPC Systems

Setting permissions on files and directories is not always straightforward. There are instances where a file should be kept hidden, and there are other instances where a directory must be opened to other users. Understanding how UNIX/Linux permissions allow access, how to determine the permissions, and how to change them is vitally important when working on shared filesystems such as those on Helix and Biowulf.

This page describes traditional UNIX permissions. Newer systems can support a more sophisticated file access control mechanism called Access Control Lists (ACLs). Users with directories on GPFS can use ACLs to control access. See https://hpc.nih.gov/storage/acls.html for more information about ACLs on NIH HPC Systems.

Unix Permissions

All files and directories in a UNIX/Linux filesystem have access permissions. These permissions are broken into three categories: user, group, and other. The access permissions of a file or directory can be determined using the ls -l command (add -d for directories; see below):

$ ls -l /home/user/myfile.txt
-rw-r----- 1 user   mygrp 49664 Oct 18  2019 /home/user/myfile.txt

There are three very important elements that are displayed with the ls -l command. First, the owner of the file is given as 'user'. Second, the group to which the file belongs is given as 'mygrp'. Third, the 10-character string that begins the line ('-rw-r-----') contains access information relating to the owner and group of the file. It is the third element that is most crucial to understand.

The string is easier to understand when it is broken into four parts.

Position Meaning
1 filetype flag; '-' if a normal file, 'd' if a directory
2-4 user access
5-7 group access
8-10 other access

Each of the 3-character access strings will contain certain characters to indicate a type of access:

Character Meaning
- no access
r read access: for files, allows file reading and copying; for directories, allows content listing
w write access: for files, allows editing; for directories, allows file creation and deletion
x execute access: for files, allows execution; for directories, allows cd and content listing only for known files/subdirectories
s/S setuid/setgid: for files, allows execution as the user or group of the file; for directories, sets the uid or gid of files or subdirectories created within the directory
t/T stickybit: no use for files; for directories, restricts deletion of files and directories only to the owner of the file or directory to be deleted

The results of the ls -l command above can thus be interpreted as follows: the file is a normal file (position 1 is '-'), the owner 'user' has read and write access (positions 2-4 equal 'rw-'), all members of the group 'mygrp' have read-only access (positions 5-7 equal 'r--'), and all other users (the so-called world) have no access to the file (positions 8-10 equal '---').

Setting Access Permissions

The permissions on a file can be set by the owner of the file using the chmod command. This example shows a file being granted group read/write permission and other (everybody else) read-only permission:

$ chmod g+w,o+r /data/user/myfile.txt
$ ls -l /data/user/myfile.txt
-rw-rw-r-- 1 user   mygrp 49664 Oct 18  2019 /data/user/myfile.txt

The same goes for directories. Including the -d option to ls is important; without it, ls lists the contents of the directory rather than the directory itself:

$ ls -l -d /data/user
drwx------ 1 user   mygrp  4096 Feb 31  2019 /data/user
$ chmod g+rx /data/user
$ ls -l -d /data/user
drwxr-x--- 1 user   mygrp  4096 Feb 31  2019 /data/user

Permission Mode

chmod can set permissions on an absolute level using permission modes, rather than on a functional level using, for example, g+ and u-. Permission modes are 4-digit translations of the permission string. For example, the mode of a directory permission string drwxr-x--- is 0750; the mode for a file permission string -rw-rw-rw- is 0666. Again, the mode can be understood if it is broken into single digits:

Digit Meaning
1 stickybit/setgid/setuid
2 user access
3 group access
4 other access

The value of each digit is the sum of three possible values:

Thus, drwxr-x--- = 0750;

-rw-rw-rw- = 0666;

Using permission modes, the access permissions of a file or directory can be changed in a single step. For example, to set the access of a directory (called 'mydir') to drwxrws--T using functional steps would be

chmod u+rwx mydir
chmod g+rwx mydir
chmod g+s mydir
chmod +t mydir

or using permission mode 3770:

chmod 3770 mydir
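
The digit arithmetic described above, as an added example that is not part of the original page: each access digit is the sum of 4 for read, 2 for write and 1 for execute, and the leading digit is the sum of 4 for setuid, 2 for setgid and 1 for the sticky bit. The function name perm_to_mode is a hypothetical helper chosen for this illustration.

```shell
#!/bin/sh
# Added example, not from the original page: translate an `ls -l`
# permission string into the 4-digit mode that chmod accepts.
# perm_to_mode is a hypothetical helper name.

perm_to_mode() {
    perm=$1
    # Exactly 10 characters: type flag, then user, group and other triplets.
    case $perm in
        [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "invalid permission string: $perm" >&2; return 1 ;;
    esac

    rest=${perm#?}      # drop the file-type flag
    special=0           # leading digit: setuid=4, setgid=2, sticky=1
    weight=4            # special-bit value tied to the current triplet
    digits=""
    while [ -n "$rest" ]; do
        remaining=${rest#???}
        trip=${rest%"$remaining"}   # next 3-character access string
        rest=$remaining
        val=0
        case $trip in r??) val=$((val + 4)) ;; esac
        case $trip in ?w?) val=$((val + 2)) ;; esac
        case $trip in
            ??x)    val=$((val + 1)) ;;
            # lowercase s/t: special bit set AND execute set
            ??[st]) val=$((val + 1)); special=$((special + weight)) ;;
            # uppercase S/T: special bit set, execute NOT set
            ??[ST]) special=$((special + weight)) ;;
        esac
        digits=$digits$val
        weight=$((weight / 2))
    done
    echo "$special$digits"
}

# Permission strings taken from this page.
for p in -rw-r----- drwxr-x--- -rw-rw-rw- drwxrws--- drwxrws--T; do
    printf '%s = %s\n' "$p" "$(perm_to_mode "$p")"
done
```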

The mode of a file or directory can be determined using the stat command:

$ stat /home/user
  File: `/home/user'
  Size: 86016           Blocks: 176        IO Block: 65536  directory
Device: 17h/23d Inode: 151152320   Links: 129
Access: (0750/drwxr-x---)  Uid: (54321/    user)   Gid: (54321/   mygrp)
Access: 2019-10-31 16:04:35.943907000 -0400
Modify: 2019-11-01 14:57:40.870482000 -0400
Change: 2019-11-01 14:57:40.870482000 -0400

Line 4, which starts with 'Access: (0750/drwxr-x---)', shows the permission mode.

Implications and Potentials

It is crucial to understand the implications of access permissions on files and directories. Here are some key examples for files:

Permissions Mode Concern Explanation
-rw------- 0600 SAFE only the owner of the file can read, edit, execute, or delete the file
-rw-r----- 0640 SAFE members of the group can read the file, but not edit or delete
-rw-rw---- 0660 WARNING members of the group can read AND edit the file; however they may not be able to delete it, as this depends on the permissions of the directory in which the file exists (see below)
-rw-rw-rw- 0666 DANGER! ANYONE can read AND edit the file, similar to the above example; A REALLY BAD IDEA!

Here are some examples for directories:

Permissions Mode Concern Explanation
drwx------ 0700 SAFE only the owner of the directory can cd into the directory, list the directory contents with ls, and create/delete files
drwxr-x--- 0750 SAFE same as above, plus members of the group can cd into the directory and list directory contents; however, they cannot create/delete files.
drwxrwx--- 0770 WARNING in addition, members of the group can now delete files REGARDLESS OF FILE PERMISSIONS! Files can be created as well; file editing is controlled by the specific file permissions.
drwxrws--- 2770 SHARING adding setgid (chmod g+s) causes all files and subdirectories created to inherit the group of the parent directory; this is essential (in conjunction with the proper umask, see below) for shared directories
drwxrws--T 3770 CLEVER adding stickybit (chmod +t) prevents the group member from deleting a file or directory unless they own the file or directory; this is a good idea for shared directories. However, stickybit is not propagated onto created subdirectories, so this effect must be manually set for all subdirectories.
drwxr--r-- 0744 SAFE allowing group or world read on a directory only allows simple content listing; files can't be deleted or edited, and subdirectories are not accessible.
drwxrw-rw- 0766 SAFE unless the directory has group or world execute access, the files are only listable; subdirectories are not accessible. This is identical to mode 0744.
drwx-----x / drwx----wx 0701 / 0703 WARNING making a directory world executable (chmod o+x) allows access to anyone with knowledge of the files and subdirectories within the directory. This is sometimes called security through obscurity. However, files can be overwritten or deleted depending on their individual permissions or the access permission of the subdirectory.
drwxr-xr-x 0755 DANGER! files can be overwritten or deleted depending on their individual permissions or the access permission of the subdirectory. This is similar to mode 0701, but worse, because the contents are recursively accessible by ls -R, rm -r and find.
drwxrwxrwx 0777 INSANE! ANYONE CAN DELETE ANYTHING! A REALLY BAD IDEA!
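
A defender's check for the riskiest rows in the tables above, as an added example that is not part of the original page: it lists world-writable entries and group-writable directories that lack the sticky bit, including subdirectories that did not inherit it. The function names are hypothetical and the demo tree is constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original page: audit a tree for the risky
# modes in the tables above. Function names are hypothetical; the demo
# tree is constructed in a scratch directory.

# Anything writable by "other" (modes like 0666 or 0777). Symlinks are
# skipped because their own mode bits are not meaningful.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Group-writable directories without the sticky bit: any group member can
# delete files there regardless of file permissions (the 0770/2770 rows).
group_writable_no_sticky() {
    find "$1" -type d -perm -0020 ! -perm -1000 -print
}

# Build a small constructed tree and print its root.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared"
    chmod 3770 "$root/shared"               # drwxrws--T
    ( umask 007; mkdir "$root/shared/sub" ) # sticky bit is NOT inherited
    : > "$root/open.txt"
    chmod 0666 "$root/open.txt"             # -rw-rw-rw-
    : > "$root/private.txt"
    chmod 0600 "$root/private.txt"          # -rw-------
    echo "$root"
}

demo=$(make_demo_tree)
echo "world-writable:"
world_writable "$demo"
echo "group-writable, no sticky bit:"
group_writable_no_sticky "$demo"
rm -rf "$demo"
```

Run either function against your own /data or /home directory to see which entries fall into the WARNING and DANGER rows.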

Default Permissions: umask

The default permissions set on a file or directory are determined by the current setting of umask. This value is displayed with the umask command:

$ umask
027

The value of umask is set within the shell, and is propagated like environment variables.

This value (027) of umask will cause a file to disallow world read access. A value of 022 will allow world read access. The umask value is a mask that is applied to the permission mode of a file. That is, the numbers are subtracted to give the final permissions.

NOTE: The value of umask actually has four digits. Under RedHat Linux, the first digit is ignored. As a consequence, the umask values of 0027 and 027 are equivalent.

As an example to explain how umask works, a file will have by default permissions 666 (actually it is 0666, but we will ignore the first digit). If the umask is set to 022, the permission mode of the file when it is created is the difference of 022 from 666:

 666
-022
----
 644

That is, the created file will have read/write access for the owner, read-only access for the group, and read-only access for everybody else.

If you set the umask to 007, this will force newly created files to be read/write for both the owner and the group, but remove all access for everybody else:

 666
-007
----
 660

Okay, yeah, 6-7 is actually -1, but anything lower than zero is set to zero...

For a directory, the default permission is 777. With a umask of 007:

 777
-007
----
 770

the directory will allow read/write/execute access to the owner and group, but no access to everybody else.

To change your default permissions, the umask command is also used:

$ umask 022

This command can be added to your ~/.bashrc file to make the change permanent for all login and shell sessions.
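
The effect of umask on newly created files and directories, as an added example that is not part of the original page. The system clears the umask bits from the default mode (default AND NOT umask), which for the umask values used on this page gives the same result as the subtraction shown above. The function names expected_mode and observed_perms are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: compare the mode predicted
# from a umask with what a freshly created file or directory really gets.
# expected_mode and observed_perms are hypothetical helper names.

# expected_mode DEFAULT UMASK -> resulting octal mode.
# The bits set in UMASK are cleared from DEFAULT (bitwise AND NOT).
# e.g. expected_mode 666 033 is 644, where digit subtraction would say 633.
expected_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# observed_perms UMASK file|dir -> permission string, as `ls -l` shows it,
# of an object created under that umask. The body runs in a subshell so
# the caller's own umask is left untouched.
observed_perms() (
    scratch=$(mktemp -d) || exit 1
    umask "$1"
    case $2 in
        file) : > "$scratch/new" ;;       # files start from 666
        dir)  mkdir "$scratch/new" ;;     # directories start from 777
        *)    echo "usage: observed_perms UMASK file|dir" >&2
              rm -rf "$scratch"; exit 2 ;;
    esac
    perms=$(ls -ld "$scratch/new" | cut -c1-10)
    rm -rf "$scratch"
    echo "$perms"
)

# The umask values suggested on this page.
for mask in 077 027 022 007 002; do
    printf 'umask %s  file %s (%s)  dir %s (%s)\n' "$mask" \
        "$(observed_perms "$mask" file)" "$(expected_mode 666 "$mask")" \
        "$(observed_perms "$mask" dir)"  "$(expected_mode 777 "$mask")"
done
```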

Best Practices

For most users, unless you want to share your files with strangers, maintaining a umask of 027 is best. This will prevent most problems. Your /home and /data directories should be maintained with at most g+rwx permission setting.

Highly paranoid users should set a umask of 077. This prevents all sharing of files and directories.

Users who wish to open their directories up to others should use a UNIX group to limit access, rather than make files and directories world accessible. It is very easy to imagine a clumsy or nefarious user editing or deleting accessible files.

Here is a table with suggestions for umask values:

Value Concern Explanation
077 SAFE files are created as read/write only for the owner; directories are created read/write/execute only for the owner
027 SAFE files are created with read-only access for members of the group, but only the owner has write access; directories are created with read/execute for the owner and group
022 WARNING everyone has read-only access to files; everyone has read/execute access to directories
007 SHARING the owner and members of the group have read/write access for files and read/write/execute access for directories
002 WARNING the owner and members of the group have read/write access for files and read/write/execute access for directories; everybody else has read-only access to files and read/execute access to directories
000 DANGER! EVERYONE has read/write access to files and read/write/execute access for directories. ANYONE CAN EDIT OR DELETE ANYTHING! BAD!

More Information

Articles about UNIX permissions abound on the internet. Here are a handful of helpful sources: