ACLs and Shared Directories in the MH Linux Cluster

Written by Terrence Martin
Thursday, 29 June 2006

Creating shared directories in the MH Linux cluster using ACLs

Creating a share directory on the MH Linux cluster

The most flexible way to create a directory on the Linux cluster that
can be shared by all users is to use Linux ACLs, or access control
lists.

ACLs give users very fine grained control over who can read, write or
execute in a target directory. ACLs also allow you to set a default
set of permissions that will be inherited by all subdirectories and
files of the shared directory. Since ACLs can be fairly complex, this
document is meant to give a few straightforward steps for how to
create a shared directory on the Mayer Hall Linux cluster, accessible
by all machines that mount directories off of hepuser.ucsd.edu.

Note: All of the examples below will assume that the actions are being
performed as user tmartin.

Making sure you can see the default /home/share directory

If you are on the Linux cluster you should be able to access /home/share from your Linux cluster computer. If you cannot access this directory from your workstation, contact Bryan Hill or Terrence Martin to get access to this directory configured. Alternatively, if you know how to use automount, you can edit the /etc/auto.home file as root and add the line

share hepuser.ucsd.edu:/home/share

Then, as root, run

/etc/rc.d/init.d/autofs reload

You should then be able to cd /home/share

1. Creating the shared directory

The first step is to create a directory that can be shared by all
users. Any directory can be shared, but a special area has been created
on the Linux cluster where everyone can go and create a directory they
want to share. The base directory for these shares is /home/share

cd /home/share

Once you are in the /home/share area you can create the base
directory. This path is what you give to the other users with whom you
want to share the directory. For this example I will create the directory myshare

mkdir /home/share/myshare

To see what ACLs are assigned to this directory to start with, run
the getfacl command.

$ getfacl myshare
# file: myshare
# owner: tmartin
# group: tmartin
user::rwx
group::rwx
other::r-x

2. Assigning default permissions to the directory

Once the directory is created you need to apply some default
permissions to it. These are not the actual permissions for the
current directory, but are the ACL permissions that will be assigned
automatically to all files and directories created in
/home/share/myshare.

The command used for manipulating file ACLs is called setfacl. The -d
option sets default entries and -m modifies (adds or replaces) entries.

$ setfacl -d -m u:tmartin:rwx,u:fkw:rwx,u:mpieri:rwx,u:branson:rwx myshare/

Once you run this command you can re-run getfacl to see the changes.

$ getfacl myshare/
# file: myshare
# owner: tmartin
# group: tmartin
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:branson:rwx
default:user:tmartin:rwx
default:user:fkw:rwx
default:user:mpieri:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

As you can see, the users branson, tmartin, fkw and mpieri all have rwx
permissions. The reason that tmartin is in the list is that unless you
set a default entry for your own user, subdirectories created by the
other users would not be writeable by user tmartin. If you did not add
your own user, then branson could create a subdirectory that tmartin
could not write into, even though tmartin owns /home/share/myshare.

3. Assigning the permissions to /home/share/myshare

Once the default permissions are assigned you can go ahead and assign
the actual permissions to the /home/share/myshare directory.

$ setfacl -m u:tmartin:rwx,u:fkw:rwx,u:mpieri:rwx,u:branson:rwx myshare/
$ getfacl myshare/
# file: myshare
# owner: tmartin
# group: tmartin
user::rwx
user:branson:rwx
user:tmartin:rwx
user:fkw:rwx
user:mpieri:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:branson:rwx
default:user:tmartin:rwx
default:user:fkw:rwx
default:user:mpieri:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

As you can see, not only are branson, tmartin, fkw and mpieri now
assigned in the default permissions for all subdirectories and files,
but those same users are also able to read, write and execute (cd
into) /home/share/myshare itself.

From this point any of the users on the list can create a file or directory in
/home/share/myshare, and any of the other users can read, write and
delete that file or directory.

Example

As user branson

[branson@dementia ~]$ cd /home/share/myshare/
[branson@dementia myshare]$ echo "Hello World" > myfile
[branson@dementia myshare]$ ls -l
total 8
-rw-rw-r--+ 1 branson branson 12 Jun 29 13:29 myfile
[branson@dementia myshare]$ getfacl myfile
# file: myfile
# owner: branson
# group: branson
user::rw-
user:branson:rwx #effective:rw-
user:tmartin:rwx #effective:rw-
user:fkw:rwx #effective:rw-
user:mpieri:rwx #effective:rw-
group::rwx #effective:rw-
mask::rw-
other::r--

[branson@dementia myshare]$ mkdir mydir
[branson@dementia myshare]$ getfacl mydir
# file: mydir
# owner: branson
# group: branson
user::rwx
user:branson:rwx
user:tmartin:rwx
user:fkw:rwx
user:mpieri:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:branson:rwx
default:user:tmartin:rwx
default:user:fkw:rwx
default:user:mpieri:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

[branson@dementia myshare]$ cd mydir
[branson@dementia mydir]$

Then as user tmartin

[tmartin@dementia myshare]$ cd /home/share/myshare/
[tmartin@dementia myshare]$ cat myfile
Hello World
[tmartin@dementia myshare]$ echo "Next Line" >> myfile
[tmartin@dementia myshare]$ cat myfile
Hello World
Next Line
[tmartin@dementia myshare]$ getfacl myfile
# file: myfile
# owner: branson
# group: branson
user::rw-
user:branson:rwx #effective:rw-
user:tmartin:rwx #effective:rw-
user:fkw:rwx #effective:rw-
user:mpieri:rwx #effective:rw-
group::rwx #effective:rw-
mask::rw-
other::r--

[tmartin@dementia myshare]$ cd mydir
[tmartin@dementia mydir]$ echo "Hello World" > newfile
[tmartin@dementia mydir]$ getfacl newfile
# file: newfile
# owner: tmartin
# group: tmartin
user::rw-
user:branson:rwx #effective:rw-
user:tmartin:rwx #effective:rw-
user:fkw:rwx #effective:rw-
user:mpieri:rwx #effective:rw-
group::rwx #effective:rw-
mask::rw-
other::r--
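The #effective: annotations in the listings above show the mask at work: a regular file is created with mode 0666 (no execute bit), that mode is ANDed with the inherited default entries, so the new file's mask becomes rw- and every named user's rwx entry is cut down to rw- no matter what the default ACL granted. The script below is an added example, not part of the original page, that reads a getfacl listing on stdin and reports both that cut-down and the step 2 pitfall of an owner missing from the directory's own default ACL; the script name acl_audit.sh is hypothetical.

```shell
# Added helper (not part of the original page): audits a getfacl listing for
# two pitfalls, (1) the mask capping named-user and owning-group entries,
# which is what getfacl's "#effective:" annotations report, and (2) a
# directory whose owner is missing from its own default ACL. It reads getfacl
# text on stdin, so it can run on a captured listing without setfacl or an
# ACL-enabled filesystem.

# effective ENTRY_PERMS MASK -> the permission a named user or the owning
# group actually gets: a bit is granted only if both entry and mask have it.
effective() {
    e=""
    for c in r w x; do
        case "$1$2" in *"$c"*"$c"*) e="$e$c";; *) e="$e-";; esac
    done
    echo "$e"
}

# audit_acl < getfacl-output: prints one line per problem, returns the count
audit_acl() {
    acl=$(cat)
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    problems=0
    if [ -n "$mask" ]; then
        # named users and the owning group are subject to the mask; strip any
        # trailing "#effective:" comment so each entry is a single word
        for entry in $(printf '%s\n' "$acl" | grep -E '^(user:[^:]+|group:):' | sed 's/[[:space:]].*//'); do
            eff=$(effective "${entry##*:}" "$mask")
            [ "$eff" = "${entry##*:}" ] && continue
            echo "mask $mask limits $entry to $eff"
            problems=$((problems + 1))
        done
    fi
    # default entries present but none for the owner: files that other users
    # create in this directory will not be writeable by the owner
    if printf '%s\n' "$acl" | grep -q '^default:' &&
       ! printf '%s\n' "$acl" | grep -q "^default:user:$owner:"; then
        echo "owner $owner has no default:user entry in the default ACL"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh acl_audit.sh /home/share/myshare   (hypothetical script name)
if [ $# -gt 0 ]; then
    getfacl "$1" | audit_acl || echo "$? problem(s) found in $1"
fi
```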

-- BruceThayre - 2009/06/11

Topic revision: r1 - 2009/06/11 - 00:30:24 - BruceThayre