Difference between revisions of "Setting Default File Permissions"

From PHASTA Wiki
Jump to: navigation, search
(Init information)
 
(Further progress)
Line 14: Line 14:
 
** Execute allows files to be executed directly.  
 
** Execute allows files to be executed directly.  
 
*** Note that for script files (such as <code>bash</code> or <code>python</code>), they can still be run by passing the file to it's interpreter if the file is readable (ie. <code>bash non_executableScript.sh</code> is still possible if <code>non_executableScript.sh</code> has <code>rw-</code> permissions).
 
*** Note that for script files (such as <code>bash</code> or <code>python</code>), they can still be run by passing the file to it's interpreter if the file is readable (ie. <code>bash non_executableScript.sh</code> is still possible if <code>non_executableScript.sh</code> has <code>rw-</code> permissions).
* These different levels of file permissions are assigned to three different groups of users: "users", "groups", and "others".
+
* These different levels of file permissions are assigned to three different groups of users: file owner, file group, and "others".
 
** "Others" simply refers to any users that don't fall into the other two categories
 
** "Others" simply refers to any users that don't fall into the other two categories
 +
* The file permissions for these three categories form the file <code>mode</code>
  
 +
==== Viewing them ====
 
As an example, if you run <code>ls -l</code> on a directory, you might see:
 
As an example, if you run <code>ls -l</code> on a directory, you might see:
  
Line 24: Line 26:
  
  
The first block (<code>-rw-r-x---+</code>) shows the permissions for the file. The user owner is shown as <code>jrwrigh7</code> and the group owner is <code>a1983</code>.  
+
The first block (<code>-rw-r-x---+</code>) shows the permissions for the file (described below). The user owner is shown as <code>jrwrigh7</code> and the group owner is <code>a1983</code>.  
  
==== Permissions Block ====
+
'''Permissions Block:'''
 
* First character displays what kind of file it is, be it a link (<code>l</code>), directory (<code>d</code>), regular file (<code>-</code>), etc.
 
* First character displays what kind of file it is, be it a link (<code>l</code>), directory (<code>d</code>), regular file (<code>-</code>), etc.
 
* The next 9 characters show the permissions for the file owner, file group, and "others".  
 
* The next 9 characters show the permissions for the file owner, file group, and "others".  
* The last character is optional. A <code>+</code> means that there are other permission rules not displayed. This is where ACL rules come into play.  
+
** So for <code>test2file</code> in the above output:
 +
*** File Owner: <code>rw-</code>
 +
*** File Group: <code>r-x</code>
 +
*** Others: <code>---</code>
 +
* The last character is optional. A <code>+</code> means that there are other permission rules not displayed. This is where [[Setting_Default_File_Permissions#Setting ACL Rules|ACL rules]] come into play.  
  
 
See [https://www.gnu.org/software/coreutils/manual/html_node/What-information-is-listed.html#What-information-is-listed the ls coreutils manual] for more information on the 'long' format for <code>ls</code>.
 
See [https://www.gnu.org/software/coreutils/manual/html_node/What-information-is-listed.html#What-information-is-listed the ls coreutils manual] for more information on the 'long' format for <code>ls</code>.
  
=== How are they set? ===
+
==== Octal numbers ====
 +
The file <code>mode</code> is often conveyed in the form of three octal numbers (ie. base 8 numbers). It is very similar to how PHASTA handles specifying boundary conditions using bitwise logic.
 +
The first bit handles read, the second bit handles write, and the third handles execute.
  
 +
Using <code>test2file</code> as the example permissions block, it is stored as <code>110 101 000</code>. When translated into decimal, that equals <code>3 5 0</code>.
 +
 +
Another way to think about it is that the octal number equivalent of a permission set = 1*r + 2*w + 4*x, where r, w, and x equal 0 or 1 depending on whether they're set.
 +
 +
=== What determines the permissions for a new file? ===
 +
 +
There are three sources that determine what file permissions will be set; <code>umask</code>, the "mode" parameter used by the program creating the file, and ACL.
 +
 +
==== umask ====
 +
 +
<code>umask</code> is a function that contains file permission settings for any file created by a user and it is unique to the user. The user can change it at anytime using the <code>umask</code> command. To see what it is set to, simply run <code>umask</code> with no arguments.
 +
 +
==== "Mode" Parameter ====
 +
 +
When a new file is created, the <code>syscall</code> <code>open()</code> (among others) is used and a file mode parameter must be chosen by that program. For example, `touch` will automatically apply the mode <code>666</code> to the file, which will make the file owner, file group, and "others" all have <code>rw-</code> permissions
 +
 +
==== ACL ====
 +
 +
The Access-control List (ACL) has the ability to set more nuanced permissions for files (ie. permissions for specific users or groups that are not file owner or file group). They can be set for a specific file/directory, or as a ''default'' setting. This default setting is set for a directory and is used for files and subdirectories created inside that directory.
 +
 +
There are 6 different tags that ACL rules can apply to. From the <code>acl</code> manpage:
 +
 +
ACL_USER_OBJ    The ACL_USER_OBJ entry denotes access rights for the file owner.
 +
 +
ACL_USER        ACL_USER entries denote access rights for users identified by the entry's qualifier.
 +
 +
ACL_GROUP_OBJ  The ACL_GROUP_OBJ entry denotes access rights for the file group.
 +
 +
ACL_GROUP      ACL_GROUP entries denote access rights for groups identified by the entry's qualifier.
 +
 +
ACL_MASK        The ACL_MASK entry denotes the maximum access rights that can be granted by entries of type ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.
 +
 +
ACL_OTHER      The ACL_OTHER entry denotes access rights for processes that do not match any other entry in the ACL.
 +
 +
<code>ACL_USER_OBJ</code>, <code>ACL_GROUP_OBJ</code>, and <code>ACL_OTHER</code> correspond to the file owner, file group, and "other" permissions mentioned above and shown by <code>ls -l</code>. The other two (<code>ACL_GROUP</code> and <code>ACL_USER</code>) are for custom permissions.
 +
 +
The <code>ACL_MASK</code> entry plays an important role in [[Setting_Default_File_Permissions#How are file permissions set?|how new file permissions are set]].
 +
 +
=== How are new file permissions set? ===
 +
The manpage for ACL is a great resource to answering this question. Most of the information below is simply paraphrasing what is written in the "Object Creation and Default ACLs" section.
 +
 +
When creating a file/subdirectory in a parent directory:
 +
 +
* If the parent directory '''has''' default ACL rules, only the ACL default rules and "mode" parameter are used:
 +
** The new file/subdirectory first inherits the default ACL rules of its parent directory
 +
** The new file/subdirectory has its ACL entries adjusted such that no permissions exceed the "mode" parameter.
 +
*** The <code>ACL_USER_OBJ</code> and <code>ACL_OTHER</code> are changed directly
 +
*** The <code>ACL_GROUP</code>, <code>ACL_GROUP_OBJ</code>, and <code>ACL_USER</code> are changed ''through'' adjusting the <code>ACL_MASK</code>
 +
** Additionally, if a new subdirectory is created, it will inherit its parents default ACL rules. Note that a file ''cannot'' have default ACL rules set.
 +
 +
* If the parent directory '''does not''' have default ACL rules, only <code>umask</code> and "mode" parameter are used:
 +
** The new file/subdirectory's <code>ACL_USER_OBJ</code>, <code>ACL_GROUP_OBJ</code>, and <code>ACL_OTHER</code> are set based on the permissions set by <code>umask</code>
 +
** The new file/subdirectory's are then adjusted to limit permissions to be no looser than the "mode" parameter
 +
 +
Note that this all means that if you have a default ACL rule that gives execute permissions to a group, the group will not have execute permissions by default ''unless'' the "mode" parameter also has execute permissions. Most compilers will use the execute permission bit for the "mode" parameter of it's executable, but other files will not.
  
 
== Setting ACL Rules ==
 
== Setting ACL Rules ==

Revision as of 17:17, 4 July 2020

This page will review how to set default file permissions for a directory. This is often used when working in HPC "scratch" directories where members of the same research group (like us) want to give each other some default file permissions on every file created in those directories, regardless of who created them.


Basics of Unix/POSIX File Permissions

What are they?

  • All files and directories have permissions assigned to them
  • All files and directories have a designated user and group "owners", known as file owner and file group respectively
    • By default, these are the ones that created the directory/file, but this can be changed using `chown`
  • There are three different "levels" of file permissions in a standard POSIX: read (r), write (w), and execute (x).
    • Read allows viewing the contents of the file/directory, and copying the files
    • Write allows rewriting and deleting files. For a directory with write permissions, it also allows creation of subdirectories and creation of new files
    • Execute allows files to be executed directly.
      • Note that for script files (such as bash or python), they can still be run by passing the file to it's interpreter if the file is readable (ie. bash non_executableScript.sh is still possible if non_executableScript.sh has rw- permissions).
  • These different levels of file permissions are assigned to three different groups of users: file owner, file group, and "others".
    • "Others" simply refers to any users that don't fall into the other two categories
  • The file permissions for these three categories form the file mode

Viewing them

As an example, if you run ls -l on a directory, you might see: 

drwxr-x---+ 2 jrwrigh7 a1983 4.0K 2020-07-04 08:09 test2
-rw-r-x---+ 1 jrwrigh7 a1983   38 2020-07-02 12:38 test2file
lrwxrwxrwx  1 jrwrigh7 a1983    9 2020-07-04 08:40 test2fileLink -> test2file


The first block (-rw-r-x---+) shows the permissions for the file (described below). The user owner is shown as jrwrigh7 and the group owner is a1983.

Permissions Block:

  • First character displays what kind of file it is, be it a link (l), directory (d), regular file (-), etc.
  • The next 9 characters show the permissions for the file owner, file group, and "others".
    • So for test2file in the above output:
      • File Owner: rw-
      • File Group: r-x
      • Others: ---
  • The last character is optional. A + means that there are other permission rules not displayed. This is where ACL rules come into play.

See the ls coreutils manual for more information on the 'long' format for ls.

Octal numbers

The file mode is often conveyed in the form of three octal numbers (ie. base 8 numbers). It is very similar to how PHASTA handles specifying boundary conditions using bitwise logic. The first bit handles read, the second bit handles write, and the third handles execute.

Using test2file as the example permissions block, it is stored as 110 101 000. When translated into decimal, that equals 3 5 0.

Another way to think about it is that the octal number equivalent of a permission set = 1*r + 2*w + 4*x, where r, w, and x equal 0 or 1 depending on whether they're set.

What determines the permissions for a new file?

There are three sources that determine what file permissions will be set; umask, the "mode" parameter used by the program creating the file, and ACL.

umask

umask is a function that contains file permission settings for any file created by a user and it is unique to the user. The user can change it at anytime using the umask command. To see what it is set to, simply run umask with no arguments.

"Mode" Parameter

When a new file is created, the syscall open() (among others) is used and a file mode parameter must be chosen by that program. For example, `touch` will automatically apply the mode 666 to the file, which will make the file owner, file group, and "others" all have rw- permissions

ACL

The Access-control List (ACL) has the ability to set more nuanced permissions for files (ie. permissions for specific users or groups that are not file owner or file group). They can be set for a specific file/directory, or as a default setting. This default setting is set for a directory and is used for files and subdirectories created inside that directory.

There are 6 different tags that ACL rules can apply to. From the acl manpage: 

ACL_USER_OBJ    The ACL_USER_OBJ entry denotes access rights for the file owner.

ACL_USER        ACL_USER entries denote access rights for users identified by the entry's qualifier.

ACL_GROUP_OBJ   The ACL_GROUP_OBJ entry denotes access rights for the file group.

ACL_GROUP       ACL_GROUP entries denote access rights for groups identified by the entry's qualifier.

ACL_MASK        The ACL_MASK entry denotes the maximum access rights that can be granted by entries of type ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.

ACL_OTHER       The ACL_OTHER entry denotes access rights for processes that do not match any other entry in the ACL.

ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER correspond to the file owner, file group, and "other" permissions mentioned above and shown by ls -l. The other two (ACL_GROUP and ACL_USER) are for custom permissions.

The ACL_MASK entry plays an important role in how new file permissions are set.

How are new file permissions set?

The manpage for ACL is a great resource to answering this question. Most of the information below is simply paraphrasing what is written in the "Object Creation and Default ACLs" section.

When creating a file/subdirectory in a parent directory:

  • If the parent directory has default ACL rules, only the ACL default rules and "mode" parameter are used:
    • The new file/subdirectory first inherits the default ACL rules of its parent directory
    • The new file/subdirectory has its ACL entries adjusted such that no permissions exceed the "mode" parameter.
      • The ACL_USER_OBJ and ACL_OTHER are changed directly
      • The ACL_GROUP, ACL_GROUP_OBJ, and ACL_USER are changed through adjusting the ACL_MASK
    • Additionally, if a new subdirectory is created, it will inherit its parents default ACL rules. Note that a file cannot have default ACL rules set.
  • If the parent directory does not have default ACL rules, only umask and "mode" parameter are used:
    • The new file/subdirectory's ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER are set based on the permissions set by umask
    • The new file/subdirectory's are then adjusted to limit permissions to be no looser than the "mode" parameter

Note that this all means that if you have a default ACL rule that gives execute permissions to a group, the group will not have execute permissions by default unless the "mode" parameter also has execute permissions. Most compilers will use the execute permission bit for the "mode" parameter of it's executable, but other files will not.

Setting ACL Rules

Retrieved from "https://fluid.colorado.edu/wiki/index.php?title=Setting_Default_File_Permissions&oldid=687"