As of May 16, 2019, the default permissions for all top-level Project Disk Space directories and STASH directories on the SCC are set such that only project group members have any access to the files. This means that, regardless of how permissions are set within lower level directories, people who are not members of the project will not be able to access any of the files. For your own files/directories, you can further limit them so that even group members have limited access, but you cannot grant people outside the project access without opting out of this policy as discussed below. For all /restricted directories, this has been the policy for many years and cannot be changed.

The project spaces affected include:

/project/PROJECTNAME/             /restricted/project/PROJECTNAME/
/projectnb/PROJECTNAME/           /restricted/projectnb/PROJECTNAME/
/stash/PROJECTNAME/               /restricted/stash/PROJECTNAME/

Granting Access to Files to People who are not Members of your Project

If you are the Lead Project Investigator (LPI) for a project, you can opt out of the default permissions and ask us to allow all SCC users to have limited access to your project space(s). The opt-out is available for the /project, /projectnb, and /stash spaces and gives the world read and execute access, provided the permissions on the lower-level files/directories also allow it. This is most commonly needed for projects that serve primarily or partially as data storage, where a large number of people need read access to the files and you do not want to have to add and remove those people from the project group. To do this, send email to help@scc.bu.edu and indicate the top-level Project directory or directories whose permissions you want changed.

If you do this, you should be very careful about setting permissions on your files/directories, or it may be possible for any SCC user on the system to accidentally delete some of your files. In general, you should almost never set global/world write permissions for any directory or file. Note that although you can set such permissions yourself (chmod 666 filename), you can also end up with files with those permissions in many other ways. These include transferring them from another machine (such as via Globus or SFTP), copying them from another user, or using a command such as tar -x.

Controlling Access to Files for Project Group Members

You can use the standard Linux commands chmod and umask to control access to files within your directories. Contact us if you need help with this or need an unusual file access scheme set up; we may be able to help.

Using the Sticky Bit to Protect Files

Using the Linux sticky bit, it is possible to create a directory which is world writable but where only the person who writes a given file/directory can then delete it. An example is given below. Note the leading 1 in the mode passed to chmod and the trailing t in the permissions shown by ls.

scc1% mkdir myrepository
scc1% chmod 1777 myrepository
scc1% ls -ld myrepository
drwxrwxrwt 2 aarondf scv 512 Apr 24 14:30 myrepository/

A user who has access to the directory containing myrepository will be able to write files/directories to this directory, and only that user (and also the directory owner) will be able to delete those files/directories.

Used carefully, this feature can protect a directory that needs to have group (and world) write access from accidental deletion of files by group members (for all projects) or by everyone on the system (for those opting out of the default permissions).
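
One way to check a directory tree for the two risks described above, as an added example that is not part of the SCC documentation: it lists world-writable files (such as those left by a transfer or tar -x) and world-writable directories that lack the sticky bit, and can strip world write from files you own. The function names and the sample tree are constructed for illustration; pass a path of your own (for example a directory under /projectnb/PROJECTNAME/) to audit it instead.

```bash
#!/usr/bin/env bash
# Added example: audit a tree for risky world-write permissions.
# All function names here are illustrative, not SCC-provided tools.

# Regular files under $1 that any user on the system can modify.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null
}

# Directories under $1 that are world-writable WITHOUT the sticky bit,
# i.e. where any user can delete or rename other people's files.
unprotected_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Remove world write from files you own. Directories are only reported,
# because the right fix (chmod o-w or chmod +t) depends on their purpose.
fix_world_writable_files() {
    find "$1" -xdev -type f -user "$(id -u)" -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree used when no path is given.
build_sample_tree() {
    mkdir -p "$1/open" "$1/dropbox" "$1/private"
    : > "$1/ok.txt";    chmod 644 "$1/ok.txt"
    : > "$1/leaky.dat"; chmod 666 "$1/leaky.dat"   # mode kept by a transfer
    chmod 0777 "$1/open"       # world-writable, no sticky bit
    chmod 1777 "$1/dropbox"    # world-writable, sticky bit set
    chmod 0750 "$1/private"
}

audit() {
    echo "World-writable files:";               world_writable_files "$1"
    echo "World-writable dirs, no sticky bit:"; unprotected_dirs "$1"
}

main() {
    if [ "$#" -ge 1 ]; then audit "$1"; return; fi
    tmp=$(mktemp -d); build_sample_tree "$tmp"; audit "$tmp"; rm -rf "$tmp"
}
main "$@"
```
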