Safely Sharing Files on our System

For any programming projects that you do with a partner(s), you need to set up your development environment so that you and your partner(s) can access joint project files while still protecting them from all other users.

ACLs: the prefered way to share files.

ACLs (access control lists) can be associated with files and directories. An ACL is a list of {user, access permissions} pairs that specify which users can access a file and in what way they can access it (read, write, execute, ...). ACLs are a more flexible mechanism than the standard Unix mechanism for specifying access permissions to files and directories (standard Unix only allows permissions in terms of three users: owner, group, other).

You will likely want to use revision control software for managing your shared project. See the git documentation here for more information about setting up a git repository.

Setting ACLs

  1. You or your partner should create a subdirectory in one of your home directories that you will use to store your shared code:
     mkdir /home/newhall/cs44_project
     chmod 700 /home/newhall/cs44_project	
  2. Then, run to set acls on the directory. is program that makes calls to the setfacl command to set acls on the directory so that you and your parter(s) can share its contents while keeping them private. In this example, I'm setting acls on the directory so that three users can share it (newhall, knerr, and tnas):
      Enter a space separated list of users: newhall knerr tnas
      Enter a pathname (relative or full): cs44_project
      These commands will be entered
      setfacl -R -d -m user:newhall:rwX,user:knerr:rwX,user:tnas:rwX cs44_project
      setfacl -R -m user:newhall:rwX,user:knerr:rwX,user:tnas:rwX cs44_project
      Should I do this? (Y/n)y
      acls are set up
      press Return
    (see the note on the page about setting acls on files you copy into your shared directory (vs. ones that are created in your shared directory))

Listing ACLs

To see what acls are set on a directory, use the getfacl command:
     # the + in the ls -l listing indicates that this directory has acls
  % ls -l
    drwxrwx---+  2 newhall users       4096 Mar 5 13:20     cs44_project 

  % getfacl cs44_project
    # file: cs44_project
    # owner: newhall
    # group: users

Removing ACLs

After you are done sharing code, you and your partner should make your own private copies of your shared code, and you should remove acls on your shared working directory and remove your shared working directory and its contents (or just move it into one of your private subdirectories).

Use the -b command line option to remove acls (-R is recursive):

  % setfacl -R -b cs44_project

  % ls -l
    drwx------  4 newhall users       4096 Mar  5 13:25     cs44_project

    # move it into my private stuff after my partner has made a copy of it
  % mv cs44_project ~/private/cs44/project
see the man pages for acl and setfacl for more information on ACLs.

You can also remove an individual user's acls on directory by doing the following:

setfacl -R -x user:user_name     dir_name 
setfacl -R -d -x user:user_name  dir_name
run getfacl to check the results.

groups: the old way to safely share files (works on any Unix system)

You need to create a Unix group containing you and your partner(s), and then set the group id on shared files and directories to your group. Once a file's group is set to your group id, you can use use chmod to give only your group members read and write permission to shared files.

To create a group, email local-staff requesting that a group be created for you and your partner. They will reply with your group name after creating a group for you. Then using chgrp set the group of your shared directory to you and your partner's group name, and use chmod to set permissions on your directories and files so that only your group can access them. For shared directories your group likely needs read, write and execute permission, and for shared files your group likely needs read and write permissions set. Here is an example of setting permissions on a project directory so that it is accessible to only you and the members of your group:

   % ls -l
    drwx------    4 newhall  users        4096 Jul 18 10:47 projdir/

   % chgrp mygroup  projdir  # change projdir's group id to mygroup

   % ls -l
    drwx------    4 newhall  mygroup        4096 Jul 18 10:47 projdir/

   % chmod 770  projdir      # set permissions so that only you and your group can access this directory

   % ls -l
    drwxrwx---    4 newhall  mygroup        4096 Jul 18 10:47 projdir/
For more information about setting Unix file permissions see: chmod info