Granting File Permissions using ACLs

You can use Access Control Lists (ACLs) to give other users permission to access files and directories that you own.  There are 2 sets of ACL commands, one for use on the /users directory, and one for use on other directories (/dcs01, /dcl01, /dcl02).

ACLs on /users

There are 2 commands for dealing with ACLs.  The “nfs4_getfacl” command will display the current ACL settings for a file or directory, and the “nfs4_setfacl” command is used to modify ACLs.  With ACLs you can grant either read-only access, or read-write access on a directory or file to specific users.

The simplest permissions to use in ACLs are R for read access, W for write access, and X for execute and directory access. These are shortcuts for more fine-grained settings; for a good, detailed description of the fine-grained permissions that can be set, please see https://www.osc.edu/book/export/html/4523

By default, one’s home directory is only accessible to the owner, and the ACL should reflect this. For example, for the user alice, the ACL on their home directory would look like:

[alice@jhpce01 ~]$ pwd
/users/alice
[alice@jhpce01 ~]$ nfs4_getfacl .
# file: .
A::OWNER@:rwaDxtTcCy
A::GROUP@:tcy
A::EVERYONE@:tcy

Note that only alice can access the /users/alice directory. Now, if alice wanted to grant read-only access to their home directory to the user bob, they would use the “nfs4_setfacl” command:

[alice@jhpce01 ~]$ nfs4_setfacl -a A::bob@cm.cluster:RX .
[alice@jhpce01 ~]$ nfs4_getfacl .
# file: .
A::OWNER@:rwaDxtTcCy
A::bob@cm.cluster:xtcy
A::GROUP@:tcy
A::EVERYONE@:tcy

At this point, bob would be able to access alice’s home directory. Now suppose there is a file that alice wants to let bob update. Alice could use ACLs to grant write access to a particular file:

[alice@jhpce01 ~]$ ls -l shared-data.txt
-rw-r--r-- 1 alice users 79691776 Feb  2 07:06 shared-data.txt
[alice@jhpce01 ~]$ nfs4_getfacl shared-data.txt
# file: shared-data.txt
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy
[alice@jhpce01 ~]$ nfs4_setfacl -a A::bob@cm.cluster:RWX shared-data.txt 
[alice@jhpce01 ~]$ nfs4_getfacl shared-data.txt
# file: shared-data.txt
A::OWNER@:rwatTcCy
A::bob@cm.cluster:rwaxtcy
A::GROUP@:rtcy
A::EVERYONE@:rtcy

At this point, bob could access and modify the “shared-data.txt” file.

Now suppose alice wanted to create a directory that bob could write to. Alice could create a directory, and grant bob write access to it:

[alice@jhpce01 ~]$ mkdir shared
[alice@jhpce01 ~]$ nfs4_setfacl -a A::bob@cm.cluster:RWX shared
[alice@jhpce01 ~]$ nfs4_getfacl shared
# file: shared
A::OWNER@:rwatTcCy
A::bob@cm.cluster:rwaxtcy
A::GROUP@:rtcy
A::EVERYONE@:rtcy

Now the user bob can copy or save files in the “shared” directory.

If you want to remove an ACL, you can use the “-x” option to nfs4_setfacl. Please note that you need to use the full ACL entry exactly as nfs4_getfacl displays it, and not the “RWX” shortcuts.

[alice@jhpce01 ~]$ nfs4_setfacl -x A::bob@cm.cluster:rwaxtcy shared
[alice@jhpce01 ~]$ nfs4_getfacl shared
# file: shared
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy

ACLs on DCL and DCS directories

There are 2 commands for dealing with ACLs on the JHPCE cluster for directories other than /users.  The “getfacl” command will display the current ACL settings for a file or directory, and the “setfacl” command is used to modify ACLs.  With ACLs you can grant either read-only access, or read-write access on a directory or file to specific users.

Let’s say there is a directory /dcl01/project/data/alice that alice owns. The “getfacl” command could be used to see the current ACL set on the directory:

[alice@jhpce01 ]$ pwd
/dcl01/project/data/alice
[alice@jhpce01 ]$ getfacl .
# file: .
# owner: alice
# group: users
user::rwx
group::---
other::---

Note that only alice can access the /dcl01/project/data/alice directory. Now, if alice wanted to grant read-only access to /dcl01/project/data/alice to the user bob, they would use the “setfacl” command:

[alice@jhpce01 ]$ setfacl -m user:bob:rx .
[alice@jhpce01 ]$ getfacl .
# file: .
# owner: alice
# group: users
user::rwx
user:bob:r-x
group::---
mask::r-x
other::---

At this point, bob would be able to access /dcl01/project/data/alice. Now suppose there is a file that alice wants to let bob update. Alice could use ACLs to grant write access to a particular file:

[alice@jhpce01 ]$ ls -l shared-data.txt
-rw-r--r-- 1 alice users 79691776 Feb  2 07:06 shared-data.txt
[alice@jhpce01 ]$ getfacl shared-data.txt
# file: shared-data.txt
# owner: alice
# group: users
user::rw-
group::r--
other::r--
[alice@jhpce01 ]$ setfacl -m user:bob:rw shared-data.txt 
[alice@jhpce01 ]$ getfacl shared-data.txt
# file: shared-data.txt
# owner: alice
# group: users
user::rw-
user:bob:rw-
group::r--
mask::rwx
other::r--

At this point, bob could access and modify the “shared-data.txt” file.

Now suppose alice wanted to create a directory that bob could write to. Alice could create a directory, and grant bob write access to it:

[alice@jhpce01 ~]$ mkdir shared
[alice@jhpce01 ]$ setfacl -m user:bob:rwx shared
[alice@jhpce01 ]$ getfacl shared
# file: shared
# owner: alice
# group: users
user::rwx
user:bob:rwx
group::r-x
mask::rwx
other::r-x

Now the user bob can copy or save files in the “shared” directory.

If you want to remove an ACL, you can use the “-x” option to setfacl.

[alice@jhpce01 ]$ setfacl -x user:bob shared
[alice@jhpce01 ]$ getfacl shared
# file: shared
# owner: alice
# group: users
user::rwx
group::r-x
mask::r-x
other::r-x
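
With POSIX ACLs the mask entry shown in the listings above caps the effective rights of every named user, named group and the owning group; setfacl -m recalculates it unless told not to, and a later chmod on the group bits rewrites it, so an entry that reads user:bob:rw- can still be read-only in practice. The helper below is an added example rather than the cluster's own tooling: it reads getfacl output, applies the mask to each named user entry and lists who effectively has write access; the listing it parses is constructed.

```shell
#!/bin/sh
# Constructed getfacl listing (not captured from the cluster): bob was granted
# rw-, but the mask is r-x, so the write bit is not effective.
SAMPLE_ACL='# file: shared
# owner: alice
# group: users
user::rwx
user:bob:rw-
user:carol:r-x
group::r-x
mask::r-x
other::---'

# acl_effective: read getfacl output on stdin; for each named user entry
# (user:NAME:perms) print "NAME granted=<perms> effective=<perms AND mask>".
acl_effective() {
    awk -F: '
        /^#/ || NF < 3 { next }          # skip header comments and blank lines
        { sub(/[ \t]+#.*$/, "") }        # drop any trailing "#effective:" note
        $1 == "mask" && $2 == "" { mask = $3 }
        $1 == "user" && $2 != "" { name[++n] = $2; perm[n] = $3 }
        END {
            if (mask == "") mask = "rwx"  # no mask entry: nothing is filtered
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    p = substr(perm[i], j, 1); m = substr(mask, j, 1)
                    c = (p != "-" && m != "-") ? p : "-"
                    eff = eff c
                }
                printf "%s granted=%s effective=%s\n", name[i], perm[i], eff
            }
        }'
}

# acl_writers: names of users who can actually write once the mask is applied.
acl_writers() {
    acl_effective | awk '$3 ~ /^effective=.w/ { print $1 }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

Run `getfacl shared | acl_writers` on the real directory after each setfacl change to confirm the grant took effect, and again after any chmod, since that can change the mask.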