[Snic-users] Permissions change for personal directories on project storage (/proj/*/users/*)

Mats Kronberg kronberg at nsc.liu.se
Tue Mar 3 15:35:43 CET 2015


Dear Triolith, Kappa and Matter users,

In two weeks' time, on Tuesday, March 17th, between 14:00 and 14:15
CET, we will change the permissions of all existing personal
directories on the /proj file system (e.g.
/proj/someproject/users/x_abcde).

If you only store data in your personal directories on /proj, and no
one else needs to access your data, you can stop reading now.


** What will happen? **

The permissions of /proj/*/users/* will be changed from whatever they
are now, to mode 0700 ("rwx------"). This means that only the user
owning the directory will be able to access the data inside it.

If you want less restrictive settings for your own directory, you can
change them back (e.g. "chmod 755 /proj/someproj/users/x_abcde")
yourself after 14:15. If other users/applications depend on having
non-stop access to your personal directory we can exclude it from the
change. In this case, please send an email to support at nsc.liu.se with
a list of the directories you want to exclude.

We will only change the permissions of the top level directories (i.e.
/proj/*/users/*), not files and directories inside them.

This is a one-time change; if you change the permissions after we have
changed them, we will not try to change them back.

New /proj/*/users/* directories will be created with restrictive
permissions (0700) and can then be changed by the user if needed.


** Optional reading: Why are we doing this? **

The default "umask" setting in the CentOS operating system is 0002(*).
For our project storage, this means that the members of the project
group can read, write and delete any files and directories that are
not explicitly created with more restrictive permissions.

In many environments this is a good thing - it enables and encourages
sharing of data and collaboration. On the other hand, it also makes it
possible for one user to accidentally delete other users' data.

After some internal discussions (including our application experts to
get as much input from the real world as possible), we have decided to
keep the more permissive umask, but restrict access to the "users"
directories.

This setup protects the personal work areas under /proj/*/users from
the actions of other users (unless the user decides to open up his/her
directory), while at the same time making it easy to share data and
collaborate in other parts of the project directory (e.g. /proj/*/data,
/proj/*/scripts, ...).

Also remember that all project directories are protected by
"snapshots". If you or someone else deletes a file, you can often
restore it (or an earlier version of it) from a snapshot. Read the
Centre Storage User Guide for more information:
https://www.nsc.liu.se/storage/snic-centrestorage/

If the combination of umask and permissions we have chosen to be the
default is not to your liking, you can choose any umask you want
(hint: put the umask command in your shell startup file (.bashrc for
most users)) and set any permission you want on your directories and
files.


(*) We had previously documented on the Centre Storage FAQ page that
the default umask was 0022 (meaning that the group could not
write/delete files you created). This was wrong, and that information
has been removed. We were fooled by an if-statement in a CentOS file
that gave NSC staff users a different umask than all other users. We
apologize for any confusion this might have caused.


-- 
Mats Kronberg, NSC Support <support at nsc.liu.se>
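
The following is an added example, not part of the original message and not NSC's own tooling: a shell sketch that shows what modes new files and directories get under umask 0002 versus 0022, and lists personal directories (ROOT/*/users/*) that still grant group or other access. It assumes GNU stat (as on CentOS); the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. All paths are created under a temporary directory.

# Print the octal mode a new file or directory gets under a given umask.
# $1 = umask (e.g. 0002), $2 = "file" or "dir"
mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    )
    stat -c %a "$tmp/new"
    rm -rf "$tmp"
}

# List personal directories (ROOT/*/users/*) whose mode grants any
# group or other permission, i.e. anything looser than 0700.
# $1 = root of the project tree (e.g. /proj)
audit_user_dirs() {
    for d in "$1"/*/users/*; do
        [ -d "$d" ] || continue
        mode=$(stat -c %a "$d")
        case "$mode" in
            0|*00) ;;                          # no group/other bits set
            *) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
}

# Constructed demo tree: one restricted and one opened-up personal
# directory, plus a shared data directory the audit does not look at.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/someproject/users/x_abcde" \
             "$root/someproject/users/x_fghij" \
             "$root/someproject/data"
    chmod 700 "$root/someproject/users/x_abcde"
    chmod 775 "$root/someproject/users/x_fghij"
    echo "file under umask 0002: $(mode_under_umask 0002 file)"
    echo "file under umask 0022: $(mode_under_umask 0022 file)"
    echo "personal directories open to group/other:"
    audit_user_dirs "$root"
    rm -rf "$root"
}

demo
```

Files created inside a 0700 personal directory under umask 0002 are still group-writable by mode; they are shielded only because other users cannot traverse the parent directory, so reopening the top-level directory exposes them again.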

