
File permissions FAQ

Umask (User Mask)

  1. What is umask?
    Umask (User Mask) defines the default permissions for newly created files and directories by setting access restrictions, rather than granting access (unlike chmod). It plays a key role in controlling access and protecting sensitive data from unintended exposure.

  2. How can I check my current umask setting?
    Run the umask command:

    ## for octal representation:
    > umask
    0022
    
    ## for symbolic representation:
    > umask -S
    u=rwx,g=rx,o=rx
    

  3. What do the values in umask (e.g., 0022, 0027) mean?
    Umask subtracts permissions from the default (full permissions). The default permissions for new files and directories are calculated as follows:

    • File permissions = 666 - umask
    • Directory permissions = 777 - umask

    For example, when umask is set to 0022:

    • File permissions become: 666 - 022 = 644
    • Directory permissions become: 777 - 022 = 755

  4. What is the default umask on LUCIA?
    The default umask is 0002.

  5. How can I temporarily change my umask setting?
    Run the umask command with the desired value:

    > umask 0027  
    
    This change lasts for the current session only.

  6. How do I permanently change my umask?
    Add the desired umask command to your ~/.bashrc file:

    > echo "umask 0027" >> ~/.bashrc  
    

  7. Why might a restrictive umask cause issues in project directories?
    A restrictive umask (e.g., 0077) can prevent collaborators in a shared project directory from accessing your files. Adjusting permissions with chmod may be necessary for collaboration.
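
An added example (not part of the original FAQ) for questions 3 and 7: it computes the mode a given umask should produce and compares it with the mode the system actually assigns. It goes slightly beyond the page's own cases by including 0033, where clearing the mask's bits gives 644 rather than the 633 that decimal subtraction would suggest. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the FAQ. Assumes GNU stat (stat -c) on Linux.

# predicted_mode MASK KIND -> mode after clearing the mask's bits from the
# base mode. KIND is "file" (base 666) or "dir" (base 777).
predicted_mode() {
    case "$2" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    return 2 ;;
    esac
    # Leading zeros make the shell read both operands as octal.
    printf '%03o\n' $(( $base & ~0$1 ))
}

# observed_mode MASK KIND -> mode of a file or directory really created with
# MASK in effect. The subshell body keeps the caller's umask untouched.
observed_mode() (
    tmp=$(mktemp -d) || exit 1      # constructed scratch directory
    umask "$1"
    case "$2" in
        file) : > "$tmp/new" ;;
        dir)  mkdir "$tmp/new" ;;
    esac
    mode=$(stat -c '%a' "$tmp/new")
    rm -rf "$tmp"
    printf '%s\n' "$mode"
)

# 0002 is the LUCIA default; 0022, 0027 and 0077 appear in this FAQ;
# 0033 is a constructed case where decimal subtraction would give 633.
for mask in 0002 0022 0027 0077 0033; do
    printf 'umask %s  file %s (observed %s)  dir %s (observed %s)\n' \
        "$mask" \
        "$(predicted_mode "$mask" file)" "$(observed_mode "$mask" file)" \
        "$(predicted_mode "$mask" dir)"  "$(observed_mode "$mask" dir)"
done
```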


Setgid (Set Group ID)

  1. What is the purpose of the setgid bit on directories?
    The setgid (Set Group ID) bit ensures that any new files or directories created within a directory inherit the group ownership of that directory rather than the primary group of the user who created them. This is particularly useful for collaborative environments to maintain consistent group ownership.

  2. How does the setgid bit ensure files inherit group ownership?
    When the setgid bit is applied to a directory, it forces all new files and subdirectories to have the same group as the parent directory. This behavior is enforced at the file system level.

  3. Can the setgid bit affect file collaboration in project directories?
    Yes, the setgid bit simplifies collaboration by ensuring all files created in the directory are group-owned, avoiding manual changes to file permissions or ownership.

  4. What tools can I use to verify if the setgid bit is set on a directory?
    Use the ls -ld command. The presence of an s in the group execute field indicates the setgid bit is set:

    > ls -ld <directory_name>
    

  5. Why does my project directory show the s in its permissions?
    The s in the group permission field (e.g., drwxrws---) indicates that the setgid bit is set on the directory. This ensures new files and subdirectories inherit the group's ownership.

  6. How can I set the setgid bit on a directory?
    Use the chmod command with the g+s option:

    > chmod g+s <directory_name>
    

  7. How can I remove the setgid bit from a directory?
    Use the chmod command with the g-s option:

    > chmod g-s <directory_name>
    

  8. What happens if I mistakenly apply the setgid bit to files?
    If the setgid bit is applied to files, it has no practical effect for most file types but can lead to confusion. For executables, it can allow processes to run with the group permissions of the file, which may pose security risks.

  9. What are the security risks of misconfiguring the setgid bit?
    Applying the setgid bit to executables can allow users to run processes with group-level privileges, leading to unauthorized access or privilege escalation.

  10. How can I prevent group members from unintentionally modifying files in a setgid directory?
    Restrict group write access with:

    > chmod g-w <file>
    
    Alternatively, set a restrictive umask to control default permissions for new files.

  11. Why does the error "Disk quota exceeded" appear when creating files?
    This error often occurs when the setgid bit is missing, causing new files to inherit a group without allocated quota. For non-project Unix groups, quotas on /gpfs/projects and /gpfs/scratch filesets are minimal (16KB and 1 file). Ensure the parent directory has the setgid bit set to enforce the correct group ownership.

  12. Why do some commands remove the setgid bit or group ownership?
    Commands like mv or scp preserve the original permissions and ownership, bypassing the setgid rules of the destination directory.

    • Instead of mv use cp (without -p to avoid preserving permissions).
    • Instead of scp, use rsync with --no-p (turns off permission preservation), --no-g (turns off group preservation) and --chmod=ug=rwX (ensures that all non-masked bits get enabled):
      > rsync -av --progress --no-p --no-g --chmod=ug=rwX <src> <dest>
      
  13. What should I do if the setgid bit is missing on a directory?
    Use the chmod command to restore the setgid bit. Automate this process with the find command:

    # replace myusername with your username
    > find /path/to/project -type d -user myusername ! -perm -g=s -exec chmod g+s {} \;
    

  14. How can I fix incorrect group ownership on existing files or directories?
    Use find to identify files or directories with incorrect group ownership and correct them:

    # replace myusername with your username
    # replace project01 with the correct group name
    > find /path/to/project -user myusername ! -group project01 -exec chgrp project01 {} \;
    

  15. How can I temporarily work under a specific group for file creation?
    Use the newgrp command to switch to the desired group temporarily:

    > newgrp project01
    
    This ensures new files and directories inherit the active group's ownership. Use id to verify:

    > id
    uid=xxxx(user) gid=xxxx(project01) groups=xxxx(project01),xxxx(user)
    


Umask and Setgid Interactions

  1. Can umask settings override the group ownership set by the setgid bit?
    No, umask settings do not override the group ownership enforced by the setgid bit. The setgid bit ensures that new files and directories inherit the group ownership of the parent directory, regardless of the umask setting.

  2. How do umask and the setgid bit interact?
    The setgid bit and umask settings work together when creating new files or directories:

    • The setgid bit enforces the group ownership, ensuring that all new files and directories inherit the group of the parent directory.
    • The umask setting determines the default permissions (read, write, execute) for the new files or directories. If the umask is restrictive (e.g., 0077), it may prevent other users in the group from accessing the files, even if they inherit the correct group ownership. To allow group collaboration, you may need to adjust the umask or modify file permissions manually.
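
An added example (not part of the original FAQ) of the interaction described above: in a setgid directory, entries created under umask 0077 and 0007 both inherit the parent's group, but only the second leaves the group any access. It also lists directories missing the setgid bit, the condition question 13 of the Setgid section repairs. Function names are hypothetical; GNU stat and find are assumed, and the tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the FAQ. Assumes GNU stat and find on Linux.

# create_under MASK DIR NAME: create file NAME and directory NAME.d in DIR
# with MASK in effect. The subshell body keeps the caller's umask untouched.
create_under() (
    umask "$1"
    : > "$2/$3"
    mkdir "$2/$3.d"
)

# describe PATH -> "<octal mode> <numeric gid>"
describe() { stat -c '%a %g' "$1"; }

# group_locked_out DIR -> entries below DIR with no group permission bits:
# right group inherited through setgid, but unusable by its members.
group_locked_out() { find "$1" -mindepth 1 ! -perm /070 | sort; }

# missing_setgid DIR -> directories in DIR's tree without the setgid bit.
missing_setgid() { find "$1" -type d ! -perm -2000 | sort; }

proj=$(mktemp -d) || exit 1             # constructed project directory
chmod 2770 "$proj"                      # drwxrws---
create_under 0077 "$proj" private       # restrictive umask
create_under 0007 "$proj" shared        # group-friendly umask

for p in "$proj" "$proj/private" "$proj/private.d" \
         "$proj/shared" "$proj/shared.d"; do
    printf '%-12s %s\n' ".${p#"$proj"}" "$(describe "$p")"
done
echo "no group access:"; group_locked_out "$proj"
echo "missing setgid:";  missing_setgid "$proj"
rm -rf "$proj"
```

Every entry reports the same gid as the project directory, and the new subdirectories carry the setgid bit themselves; only the entries created under 0077 show up in the "no group access" list.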