
Managing File Permissions on Oak#

Data owners are responsible for managing permissions

SRCC administrators generally defer data management tasks, including permission changes and file deletions, to data owners whenever possible. If you need permissions updated on a file or folder, please ask the data owner.

Common Tools For Managing Permissions#

chmod and setfacl are both Linux commands that are used to manage file permissions, but they work in slightly different ways and are used in different scenarios.

chmod stands for "change mode" and is used to change the permissions of a file or directory. It works by assigning permissions to three classes of users: the owner of the file, the group associated with the file, and all other users. Permissions can be assigned using either numeric (octal) or symbolic modes.

For example, to give the owner of a file full permissions and the group and others no permissions, you would use the following command:

chmod 700 file.txt

This would assign rwx (read, write, execute) permissions to the owner, and no permissions (---) to the group and others.
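The following shell script is an added example, not code from the SRCC page. It applies a few modes to a scratch file created in a temporary directory and reads the result back with ls -l, so you can see that the numeric and symbolic spellings of the same mode agree before using them on real data. The file name and the modes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the SRCC page): apply a chmod mode to a file and
# return the resulting permission string as shown by `ls -l`, so numeric and
# symbolic modes can be compared side by side.

# mode_of PATH -> prints the 10-character type+permission field, e.g. -rwx------
# (cut drops the "+" or "." some systems append when ACLs or labels are present)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# apply_mode MODE PATH -> runs chmod with MODE and prints the resulting
# permission string, so the caller can verify what actually landed on disk
apply_mode() {
    chmod "$1" "$2" && mode_of "$2"
}

# demo_chmod: the numeric and symbolic spellings of "owner only" are the same
# mode; 750 still lets the group read and execute, 640 lets it read only.
demo_chmod() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/file.txt"
    : > "$f"                      # constructed input: an empty scratch file
    printf 'chmod 700        -> %s\n' "$(apply_mode 700 "$f")"
    printf 'chmod u=rwx,go=  -> %s\n' "$(apply_mode u=rwx,go= "$f")"
    printf 'chmod 750        -> %s\n' "$(apply_mode 750 "$f")"
    printf 'chmod 640        -> %s\n' "$(apply_mode 640 "$f")"
    rm -rf "$tmp"
}

demo_chmod
```

Checking the mode string after every chmod is a cheap habit: a typo such as 770 instead of 700 is invisible at the prompt but obvious in the ls -l output.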

setfacl stands for "set file access control list" and is used to set advanced permissions on a file or directory. It allows you to specify permissions for specific users or groups, in addition to the standard owner, group, and other permissions.

For example, to give one additional user read permission on a file, without changing what the owner, group, or others already have, you would use the following command:

setfacl -m u:username:r file.txt

This adds an access control list entry granting read permission to the user username. The standard owner, group, and other permissions are not touched by this command, so if others should have no access at all, set that separately with chmod. You can review the entries on a file with getfacl; in ls -l output a + after the mode shows that the file carries an ACL.
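The following shell script is an added example, not code from the SRCC page. It walks through granting one user read access with setfacl and verifying the result with getfacl. The account name collab is a placeholder for a real username, and the script reports unsupported when the ACL tools are missing or the filesystem rejects ACLs. It also shows the caveat practitioners trip over most often: once a file has an ACL, chmod's group bits control the ACL mask, and the mask caps every named-user entry.

```sh
#!/bin/sh
# Added example, not code from the SRCC page: grant one named user read access
# with setfacl, then confirm with getfacl what that user can actually do.
# "collab" is a placeholder account name; substitute a real username.

# acl_entry_for USER FILE -> prints the permission field getfacl reports for
# the named-user entry (the #effective: value when the mask reduces it), or
# "none" when the file has no entry for that user.
acl_entry_for() {
    getfacl "$2" 2>/dev/null | awk -F: -v u="$1" '
        $1 == "user" && $2 == u {
            p = substr($3, 1, 3)
            if (match($0, /#effective:[rwx-]+/)) p = substr($0, RSTART + 11, 3)
            print p; found = 1
        }
        END { if (!found) print "none" }'
}

# grant_read USER FILE -> adds a read-only ACL entry for USER and prints the
# effective permission, or "unsupported" if the acl tools are missing or the
# filesystem refuses ACLs (for example a volume mounted without acl support).
grant_read() {
    command -v setfacl >/dev/null 2>&1 || { echo unsupported; return 0; }
    setfacl -m "u:$1:r" "$2" 2>/dev/null || { echo unsupported; return 0; }
    acl_entry_for "$1" "$2"
}

# demo_acl: an ACL entry never changes the classic owner/group/other bits,
# and the ACL mask (recomputed by setfacl, later driven by chmod's group bits)
# caps every named-user entry. chmod g= on an ACL'd file therefore silences
# the named user too, which getfacl flags as "#effective:---".
demo_acl() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/file.txt"
    : > "$f"                          # constructed input: an empty scratch file
    chmod 600 "$f"                    # owner only; "other" stays --- throughout
    printf 'before setfacl: %s\n' "$(acl_entry_for collab "$f")"
    printf 'after setfacl:  %s\n' "$(grant_read collab "$f")"
    ls -l "$f"                        # a "+" after the mode means an ACL is present
    chmod g= "$f"                     # tightens the mask, not just the group entry
    printf 'after chmod g=: %s\n' "$(acl_entry_for collab "$f")"
    rm -rf "$tmp"
}

demo_acl
```

Run demo_acl on a filesystem that supports ACLs. getfacl is the only way to see the entries themselves; its #effective: annotation is the value that actually applies, so when a user you granted access to still cannot read a file, that annotation is the first thing to check.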

In general, chmod is preferred when you need to set basic permissions on a file or directory and you don't need to specify permissions for specific users or groups. setfacl is preferred when you need to set advanced permissions on a file or directory, such as giving specific users or groups access to a file.

Important note about file permissions#

The default directory permissions on Oak rely on the setgid bit (set with chmod g+s, or by adding 2000 to the octal mode; it shows as an s, or an S when group execute is absent, in the group execute position of ls -l output). With regular UNIX permissions, new files are created with the user's primary group. The setgid bit on a directory instead makes new files and subdirectories inherit the group of that directory, and subdirectories also inherit the bit itself. This is usually not a problem when accessing Oak from Sherlock, because a primary group is defined on Sherlock, but it can be a problem if you remove this bit and then access Oak from the gateways: Oak uses Stanford LDAP, which does not provide a primary group.

For more information, please see the Advanced topics page: "What is a Sticky Bit?"
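The following shell script is an added example, not code from the SRCC page. It creates a scratch directory with mode 2770, drops a file and a subdirectory into it, reports which group each picked up and whether the setgid bit survived, and then clears the bit to show the check that would catch the situation described above. SHARED_GROUP is a placeholder for the group that owns your project directory; when it is unset the script falls back to your primary group, which still exercises the commands but will not show a visible group change.

```sh
#!/bin/sh
# Added example, not code from the SRCC page: show what the setgid bit on a
# directory does to the group of entries created beneath it, and how to check
# that the bit is still in place. SHARED_GROUP is a placeholder; on Oak it
# would be the group that owns your project directory.

# perm_string PATH -> 10-character type+permission field from ls, e.g. drwxrws---
perm_string() { ls -ld "$1" | cut -c1-10; }

# has_setgid DIR -> "yes" when the setgid bit is set, "no" otherwise.
# In ls output the bit appears in the 7th character as "s" (setgid plus group
# execute) or "S" (setgid without group execute).
has_setgid() {
    case "$(perm_string "$1" | cut -c7)" in
        s|S) echo yes ;;
        *)   echo no ;;
    esac
}

# group_of PATH -> the owning group as ls reports it (4th column of ls -l)
group_of() { ls -ld "$1" | awk '{print $4}'; }

# make_shared_dir DIR GROUP -> creates DIR owned by GROUP with mode 2770:
# rwx for owner and group, nothing for others, and setgid so that new entries
# inherit GROUP instead of the creator's primary group.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

demo_setgid() {
    tmp=$(mktemp -d) || return 1
    grp=${SHARED_GROUP:-$(id -gn)}   # placeholder: fall back to the primary group
    make_shared_dir "$tmp/project" "$grp"
    : > "$tmp/project/data.txt"      # constructed input: a new file and subdirectory
    mkdir "$tmp/project/sub"
    printf 'project:  %s setgid=%s group=%s\n' "$(perm_string "$tmp/project")" \
        "$(has_setgid "$tmp/project")" "$(group_of "$tmp/project")"
    printf 'data.txt: group=%s\n' "$(group_of "$tmp/project/data.txt")"
    # subdirectories inherit the bit too, so the behaviour propagates down the tree
    printf 'sub:      setgid=%s group=%s\n' "$(has_setgid "$tmp/project/sub")" \
        "$(group_of "$tmp/project/sub")"
    # removing the bit (chmod g-s) stops the inheritance for anything created later
    chmod g-s "$tmp/project"
    printf 'after g-s: setgid=%s\n' "$(has_setgid "$tmp/project")"
    rm -rf "$tmp"
}

demo_setgid
```

The has_setgid check is the one to run after any chmod on an Oak directory: a numeric mode such as chmod 770 silently drops the setgid bit, whereas chmod 2770 or a symbolic chmod g+rwx leaves it in place.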

Getting Help#

Understanding how to construct commands to change permissions can be challenging. If you aren't sure how to structure a command to set permissions the way you'd like, please email us at srcc-support@stanford.edu and we can help guide you with examples that suit your needs.