From 5eb3794e7360eabf4a67cf527d8c5a31d16ba1ef Mon Sep 17 00:00:00 2001
From: Jan Frenzel <jan.frenzel@tu-dresden.de>
Date: Thu, 14 Jul 2022 12:00:06 +0200
Subject: [PATCH] Added chmod and chown explanations to data_sharing.md.
---
 .../docs/data_lifecycle/data_sharing.md | 57 ++++++++++++++++++-
 1 file changed, 56 insertions(+), 1 deletion(-)
diff --git a/doc.zih.tu-dresden.de/docs/data_lifecycle/data_sharing.md b/doc.zih.tu-dresden.de/docs/data_lifecycle/data_sharing.md
index 9a1fa211f..00906eea7 100644
--- a/doc.zih.tu-dresden.de/docs/data_lifecycle/data_sharing.md
+++ b/doc.zih.tu-dresden.de/docs/data_lifecycle/data_sharing.md
@@ -1,10 +1,65 @@ # Sharing Data This page should provide you some commands to share your data with other users or projects. + +## Grant access on some file or directory to persons in your project + +If all persons that should be able to access your data are in the same project, you can give them +access to your workspace, e. g. `input-data` via the following commands: + +```console +marie@login$ id --group --name +p_number_crunch +marie@login$ chown -R marie:p_number_crunch /scratch/ws/1/marie-input-data +``` + +Now, everyone who is in project `p_number_crunch` should be able to access your data. If this is not +the case, you should check whether the file that your colleague wants to access is readable for the +group (`r` permission is set for the group) and every parent directory of that file is searchable +for the group (`x` permission is set for the group). For example, in the following case, a colleague +of `marie` cannot access `data-file` because the base directory `.` is not searchable for the group +as it does not have the `x` permission, even though the file has the permission `r` set for the +group. Thus, `marie` has to make the directory searchable by using `chmod`: + +```console +marie@login$ ls -la /scratch/ws/1/marie-input-data +dr-xr----- 4 marie p_number_crunch 4096 27. Jun 17:13 . +drwxr-xr-x 444 operator adm 151552 14. Jul 09:41 .. +dr-xr----- 2 marie p_number_crunch 4096 27. Jun 17:13 data-file +dr-xr-x--- 2 marie p_number_crunch 4096 28. Jun 09:45 env.sh +marie@login$ chmod g+x /scratch/ws/1/marie-input-data +marie@login$ ls -la /scratch/ws/1/marie-input-data +dr-xr-x--- 4 marie p_number_crunch 4096 27. Jun 17:13 . +drwxr-xr-x 444 operator adm 151552 14. Jul 09:41 .. +dr-xr----- 2 marie p_number_crunch 4096 27. Jun 17:13 data-file +dr-xr-x--- 2 marie p_number_crunch 4096 28. Jun 09:45 env.sh +``` + +!!! 
danger "New file inherits group and permission of the creator" + + When a user creates a file, the created file is associated to that user and inherits the user's + default group. If the user is in multiple groups/projects, he/she has to ensure, that the a new + file is associated with the project's group. This can be done using `chown` and `chmod` as shown + above. Another possibility is to use an environment file `env.sh` with the following content: + + ```bash + newgrp p_number_crunch # files should have this group by default + umask o-rwx # prevent creating files that allow persons not in this group (a.k.a. others) to read, write or execute something + ``` + + Before creating new files, users can now load this file using `source` in order to ensure that + new files automatically get the right group: + + ```console + marie@login$ cd /scratch/ws/1/marie-input-data + marie@login$ source env.sh + bash-4.2$ touch new-file #create a new file + ``` + Read on, if you want to restrict access to specific persons outside of your group, but don't want to permit everyone to access your data. -## Managing Access Control Lists +## Grant access on some file or directory to persons from various projects [Access Control Lists](https://en.wikipedia.org/wiki/Access-control_list) (ACLs) can be used, when `chmod` is not sufficient anymore, e. g. because you want to permit accessing a particular file for -- GitLab