Managing permissions
On this page we have collected general advice, tips and tricks, and also some important caveats for managing permissions on your files and directories. All of these points are especially relevant when sharing or migrating data between different user accounts. At least a basic understanding of POSIX permissions is a prerequisite for everything discussed here; if necessary, please work through our self-paced tutorial for beginners before reading on.
Recap:
- Only the owner of a file or directory can change its group, permissions or ACLs.
- If you have multiple usernames, only one of them can own a file/directory, and the operating system does not know that your other usernames belong to the same person.
- In order to access a given file, you also need to be able to access its parent directories, all the way up to /, the root of the filesystem (technically, you need execute permission on those directories).
- Other permissions apply to any user that is neither the owner nor a member of the owning group.
- User permissions take precedence over group permissions, which in turn take precedence over other permissions. For example, if a file has r for other but not for the group, members of the group cannot read the file, but anyone else can.
- As a regular user, you are not able to change the ownership of existing files or directories. Only our admins can do that, in emergencies. But you can make a copy of a file owned by another user, as long as it is readable for you, and the copy will be owned by you.
Many directories have both a logical path like /user/your_name/u12345 and a real path that points to the actual location on the filesystem. Please always operate on the real paths, which are directories you can actually modify, unlike the symbolic links below /user or /projects, which cannot be modified by users. You can find out the real path with the following command:
realpath /path/to/directory
Alternatively, as a quick way to transparently resolve logical paths, you can add a trailing / at the end of the path when using it in a command.
General advice
- Use the -R option for chmod or chgrp to recursively change the permissions/group for a directory and all its files and subdirectories.
- Always use a capital X (instead of a lower-case one) when adding permissions via recursive chmod operations! This makes sure you are only making those directories and files executable for the group or others that are already executable by the owner, while a lower-case x would unconditionally make all files executable. It is generally a very bad idea to mark files as executable that are not supposed to be! It would be confusing in the best case, and a potential security risk and a risk to your data in the worst. To avoid that, use e.g.
chmod -R g+rwX example_dir
- Set the SGID bit on group-writable directories. This causes newly created subdirectories to be owned by the same group as the parent, instead of the primary group of the user that created them (which would almost never be useful).
chmod g+s example_dir
Do not use chmod -R to recursively set the SGID bit on a directory! This would also set the SGID bit on all files in the directory, which is a potential security risk and generally a bad idea.
- To recursively set the SGID bit on a directory and all its subdirectories, but not on files, use:
find example_dir -type d -exec chmod g+s {} \;
- When you recursively change a directory tree with symlinks in it, especially symlinks to another location, use the -h flag of chgrp to change the group of the symlink itself, rather than the destination file/directory. By default, chgrp only works on the destination, not the symlink itself, which is often not what you intended.
chgrp -Rh <group> example_dir
- Set the sticky bit on a directory if you want others to be able to create new files and subdirectories in it, but forbid deleting, moving or renaming files owned by someone else:
chmod +t example_dir
Users are able to delete or move files if they have write permission on the parent directory, even if they do not have write permission on the file itself. The sticky bit prevents that for anyone but the owner of the file itself or the owner of the directory.
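To see the capital X versus lower-case x difference and the directories-only SGID recipe on a real tree, here is an added example in POSIX sh that is not part of the original page. It builds a small throw-away tree (two files, one directory, with explicit modes so the umask does not matter), applies the recommended recipe to one copy and the anti-pattern to another, and prints the resulting mode strings with ls -ld. The function names are our own.

```shell
#!/bin/sh
# Added example (not from the original page): contrasts "chmod -R g+rwX" with
# "chmod -R g+rwx" on a constructed tree, and sets SGID on directories only.

# mode_of PATH: print the 10-character mode string from "ls -ld"; this is
# portable, unlike "stat", whose flags differ between GNU and BSD.
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# make_tree DIR: DIR/sub holds a private script and a private data file.
# Modes are set explicitly so the demonstration does not depend on the umask.
make_tree() {
  mkdir -p "$1/sub"
  : > "$1/sub/run.sh"
  : > "$1/sub/data.txt"
  chmod 700 "$1/sub" "$1/sub/run.sh"
  chmod 600 "$1/sub/data.txt"
}

# share_with_group DIR: the recommended recipe. Capital X adds group execute
# only where the owner already has it (directories and run.sh), and the SGID
# bit is applied to directories only, never to files.
share_with_group() {
  chmod -R g+rwX "$1"
  find "$1" -type d -exec chmod g+s {} \;
}

# share_with_group_wrong DIR: the anti-pattern. Lower-case x makes every
# file executable, data.txt included.
share_with_group_wrong() {
  chmod -R g+rwx "$1"
}

# run_demo: apply both variants to separate copies and show the modes.
run_demo() {
  tmp=$(mktemp -d)
  make_tree "$tmp/good"; share_with_group "$tmp/good"
  make_tree "$tmp/bad";  share_with_group_wrong "$tmp/bad"
  for f in good/sub good/sub/run.sh good/sub/data.txt \
           bad/sub  bad/sub/run.sh  bad/sub/data.txt; do
    printf '%s  %s\n' "$(mode_of "$tmp/$f")" "$f"
  done
  rm -rf "$tmp"
}

run_demo
```

In the "good" copy, data.txt ends up as -rw-rw---- and the directory as drwxrws--- (the s in the group triplet is the SGID bit); in the "bad" copy, data.txt becomes -rw-rwx--- although nobody ever intended it to be run. Note that the script also keeps the SGID bit off the files, which is what the find -type d form is for.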
Advanced commands and tricks
If you have a very large number of files/directories and the commands documented on this page take a long time to complete, here are some tips to speed them up.
- Use the correct login node to run your commands. Accessing filesystems from a specific cluster island, while possible from login nodes dedicated to other islands, may be a lot slower than accessing them from the correct login nodes. See the Cluster Storage Map for an overview.
- When changing permissions or the owning group for a larger number of files/directories, use a terminal multiplexer like tmux or screen, so that the process keeps running in the background while you do something else, log off overnight, or in case your connection drops.
- For large numbers of directories, set the SGID bit with this more advanced command:
find <path> -type d \! -perm /g+s -print0 | xargs -0rn 200 chmod g+s
- For a large number of files, some of which may already belong to the correct group or have group r/w/x permissions, changing the group and setting permissions can be sped up by running:
find <path> \! -group <group> -print0 | xargs -0rn 200 chgrp <group>
find <path> \! -perm /g+rw -print0 | xargs -0rn 200 chmod g+rwX
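The point of the find | xargs form is that only entries which still need a change reach chmod, so a second pass over a big tree is nearly free. The following POSIX sh script is an added example, not part of the original page: it wraps that recipe in functions that count the remaining work before and after, so you can confirm a run actually finished. It assumes GNU find and xargs (the symbolic -perm forms and xargs -r), as the commands above do, and its function names are our own. One deliberate difference: it uses -perm -g+rw (all of the listed bits set) instead of -perm /g+rw (any of them set), so a file that has group read but not group write is still counted and fixed.

```shell
#!/bin/sh
# Added example (not from the original page): the batched find | xargs recipe
# wrapped in count / fix / recount helpers. Assumes GNU find and xargs.

# pending_sgid DIR: number of directories under DIR still lacking the SGID bit.
pending_sgid() {
  find "$1" -type d ! -perm /g+s | wc -l | tr -d ' '
}

# pending_group_rw DIR: number of entries under DIR lacking group read AND
# group write. "-perm -g+rw" matches only when both bits are set, so an entry
# with group read but no group write is still counted (and later fixed).
pending_group_rw() {
  find "$1" ! -perm -g+rw | wc -l | tr -d ' '
}

# fix_tree DIR: set SGID on directories only, then add group rw (and X) where
# it is missing. Both pipelines feed chmod in batches of 200 and skip entries
# that are already correct, which is what makes repeated runs fast.
fix_tree() {
  find "$1" -type d ! -perm /g+s -print0 | xargs -0rn 200 chmod g+s
  find "$1" ! -perm -g+rw -print0 | xargs -0rn 200 chmod g+rwX
}

# run_demo: build a constructed tree, report, fix, report again.
run_demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/a/b"
  : > "$tmp/a/b/f1"
  : > "$tmp/a/f2"
  chmod 700 "$tmp/a" "$tmp/a/b"
  chmod 640 "$tmp/a/b/f1"     # group read only: still needs write
  chmod 600 "$tmp/a/f2"
  echo "before: $(pending_sgid "$tmp/a") dirs without SGID, $(pending_group_rw "$tmp/a") entries without group rw"
  fix_tree "$tmp/a"
  echo "after:  $(pending_sgid "$tmp/a") dirs without SGID, $(pending_group_rw "$tmp/a") entries without group rw"
  rm -rf "$tmp"
}

run_demo
```

Run the two counting functions once more after a long job inside tmux or screen finishes; a non-zero count means the job was interrupted or hit entries it could not change (for example, ones you do not own), and fix_tree can simply be re-run on the same path.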