Unix permissions and data access control

The permissions system built into Linux (and all Unix-like operating systems) can be used to make it easier for multiple users to interact with cryoSPARC's data, or to establish a degree of separation between data belonging to different research teams. This page offers some tips on how this can be done.
Changing file permissions has security implications. If you aren't familiar with how Unix permissions work, it is advisable to consult with your system administrator, consult your operating system's documentation, or do some online research into Unix permissions before running the commands in this guide. 
Allowing users' Linux accounts to access cryoSPARC files
Structura recommends that cryoSPARC be installed under its own operating system account. Typically, individual researchers will have their own accounts for accessing the computer(s) that cryoSPARC is installed on. By default on most Linux distributions, user accounts cannot modify files created by other user accounts, so the accounts belonging to individual researchers can only read files created or owned by cryoSPARC. This can be a barrier when trying to, for example, copy exported job files into another project for import. The standard permission system built into Linux can be used to work around this problem. Below is an example of how.
For the purpose of this example, we'll assume we are working with a fresh cryoSPARC installation. We will create a cryosparc user account (all cryoSPARC processes will run as this user), and we'll create two user accounts for people who will be using cryoSPARC.
1
[email protected]:~# useradd cryosparc
2
[email protected]:~# useradd alice
3
[email protected]:~# useradd tom
Copied!
We'll add Alice and Tom's accounts to the "cryosparc" group:
1
[email protected]:~# usermod -aG cryosparc alice
2
[email protected]:~# usermod -aG cryosparc tom
Copied!
Since in this example we're assuming this is a brand new cryoSPARC installation, we'll set up the directory that we will be storing our project files in. We'll then change the ownership of that directory so that it's under the control of the cryosparc account and group, and lastly we'll change the permissions on that directory. Specifically, we want g+ws, which will make anyone in the cryosparc group able to write to that directory (that's the w), and will make it so that any time new file is created in that directory, the file is owned by the cryosparc group (that's the s). 
1
[email protected]:~# mkdir -p /data/cryosp_projs
2
[email protected]:~# chown cryosparc:cryosparc /data/cryosp_projs
3
[email protected]:~# chmod g+ws /data/cryosp_projs/
Copied!
A demonstration of the result:
1
# the cryosparc user creates a bunch of files
2
​
3
[email protected]:~# su cryosparc
4
[email protected]:/root$ touch /data/cryosp_projs/file1
5
[email protected]:/root$ touch /data/cryosp_projs/file2
6
[email protected]:/root$ touch /data/cryosp_projs/file3
7
[email protected]:/root$ ls -l /data/cryosp_projs/
8
total 0
9
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
10
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file2
11
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
12
[email protected]:/root$ exit
13
​
14
​
15
# alice logs in, and also creates a file in that directory
16
​
17
[email protected]:~# su alice
18
[email protected]:/root$ touch /data/cryosp_projs/file4
19
[email protected]:/root$ ls -l /data/cryosp_projs/
20
total 0
21
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
22
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file2
23
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
24
-rw-rw-r-- 1 alice     cryosparc 0 Jun 18 17:06 file4
25
[email protected]:/root$ exit
26
​
27
# notice how the file alice made is owned by the cryosparc group.
28
#
29
# now tom can log in and is able to modify the files created by...
30
# ... both alice and cyosparc
31
​
32
[email protected]:~# su tom
33
[email protected]:/root$ rm /data/cryosp_projs/file2 
34
[email protected]:/root$ rm /data/cryosp_projs/file4
35
[email protected]:/root$ ls -l /data/cryosp_projs/
36
total 0
37
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
38
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
39
[email protected]:/root$ touch /data/cryosp_projs/file
40
[email protected]:/root$ ls /data/cryosp_projs/ -l
41
total 0
42
-rw-rw-r-- 1 tom       cryosparc 0 Jun 18 17:07 file
43
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file1
44
-rw-rw-r-- 1 cryosparc cryosparc 0 Jun 18 17:05 file3
Copied!
 On some systems, the default umask variable may disable group write permissions. This would cause new files created by a user to not have group write permission unless manually changed with chmod. You can determine what the current umask is by running umask at a command prompt. If the second-to-last digit is not zero, you may run into issues. Putting umask 0002 in the ~/.bashrc file for the cryosparc account and each individual user account will correct this issue if it occurs.
Establishing teams of users, and limiting access to data owned by another team
Another area where unix permissions can help is in separating cryoSPARC users into teams that cannot interact with each other's data. Be sure to read the above section before this one, as a few important ideas are not repeated here.
While this guide can be used as a basis for limiting access to data and projects at the level of unix user accounts, the cryosparc user can still access the data from all teams. This is necessary for cryoSPARC to function correctly. As a result, users could still access another group's work by using the cryoSPARC user interface and navigating to a project directory owned by another group. One group could, for example, import raw data owned by another group. This will be addressed in a future cryoSPARC release.
This guide will proceed by example, similar to the previous.
We assume we're starting with a blank slate. Suppose we have four researchers in two separate research groups: Alice and Tom are in the 'lab1' group, Dmitri and Sonja are in the 'lab2' group.
1
[email protected]:~# useradd tom
2
[email protected]:~# useradd alice
3
[email protected]:~# useradd dmitri
4
[email protected]:~# useradd sonja
5
[email protected]:~# groupadd lab1
6
[email protected]:~# groupadd lab2
7
[email protected]:~# usermod -aG lab1 tom
8
[email protected]:~# usermod -aG lab1 alice
9
[email protected]:~# usermod -aG lab2 dmitri
10
[email protected]:~# usermod -aG lab2 sonja 
11
​
12
# add the cryosparc user account to both lab1 and lab2
13
​
14
[email protected]:~# useradd cryosparc
15
[email protected]:~# usermod -aG lab1 cryosparc
16
[email protected]:~# usermod -aG lab2 cryosparc
Copied!
Create the directory that will be used to store cryoSPARC projects, and establish the same permissions as in the previous guide.
To briefly recap, we're going to use "chmod g+sw", where the "s" means that files created within the folder will be associated with the folder's group. Right now, that isn't terribly useful as we haven't added any users to the cryosparc group. But that "s" setting - the "setgid" bit, will be set on any created subdirectories as well, which will become important shortly. 
1
[email protected]:~# mkdir -p /data/cryosp_projs
2
[email protected]:~# chmod g+ws /data/cryosp_projs/
3
[email protected]:~# chown cryosparc:cryosparc /data/cryosp_projs/
Copied!
At this point, create some projects via the cryoSPARC UI which, will automatically create project subfolders. (e.g. "P1", "P2", "P3", etc). Decide which project subfolders should be owned by which group, and change the folder ownership appropriately as shown below. Note that the 'mkdir' lines are just simulating what the UI will do when creating a project - these don't need to actually be run.
1
[email protected]:~# su cryosparc
2
[email protected]:/root$ cd /data/cryosp_projs/
3
[email protected]:/data/cryosp_projs$ mkdir P1
4
[email protected]:/data/cryosp_projs$ mkdir P2
5
[email protected]:/data/cryosp_projs$ mkdir P3
6
[email protected]:/data/cryosp_projs$ chgrp lab1 P1
7
[email protected]:/data/cryosp_projs$ chgrp lab2 P2
8
[email protected]:/data/cryosp_projs$ chgrp lab2 P3
9
[email protected]:/data/cryosp_projs$ chmod o-rx *
10
[email protected]:/data/cryosp_projs$ ls -l
11
total 12
12
drwxrws--- 2 cryosparc lab1 4096 Jun 18 17:12 P1
13
drwxrws--- 2 cryosparc lab2 4096 Jun 18 17:12 P2
14
drwxrws--- 2 cryosparc lab2 4096 Jun 18 17:12 P3
15
[email protected]:/data/cryosp_projs$ exit
Copied!
Take a look at the output of the ls -l command. Notice that each project folder has an "s" where the group "x" would normally be. This happened because we added the "s" bit to the cryosparc_projs directory before we created the projects (it could be added with chmod if we were doing this retroactively). As a result of the presence of that "s" bit and the fact that each project folder is now owned by one of the lab groups, any files created inside the project folders will be owned by the corresponding lab group, which allows our researcher accounts to access and modify them as appropriate.
Notice also that we used chmod o-rx, meaning that users who aren't cryosparc or part of the appropriate lab group cannot even see the contents of the project directories.
The resulting configuration is demonstrated below:
1
[email protected]:~# su tom
2
[email protected]:/root$ cd /data/cryosp_projs/
3
[email protected]:/data/cryosp_projs$ ls
4
P1  P2	P3
5
[email protected]:/data/cryosp_projs$ cd P1/
6
[email protected]:/data/cryosp_projs/P1$ touch file1
7
[email protected]:/data/cryosp_projs/P1$ cd ..
8
[email protected]:/data/cryosp_projs$ cd P2
9
bash: cd: P2: Permission denied
10
[email protected]:/data/cryosp_projs$ exit
11
​
12
​
13
[email protected]:~# su sonja
14
[email protected]:/root$ cd /data/cryosp_projs/
15
[email protected]:/data/cryosp_projs$ ls P1
16
ls: cannot open directory 'P1': Permission denied
17
[email protected]:/data/cryosp_projs$ touch P3/file
18
[email protected]:/data/cryosp_projs$ ls -l P3
19
total 0
20
-rw-rw-r-- 1 sonja lab2 0 Jun 18 17:14 file
21
[email protected]:/data/cryosp_projs$ exit
22
​
23
​
24
[email protected]:~# su cryosparc
25
[email protected]:/root$ cd /data/cryosp_projs/
26
[email protected]:/data/cryosp_projs$ ls
27
P1  P2	P3
28
[email protected]:/data/cryosp_projs$ find
29
.
30
./P3
31
./P3/file
32
./P1
33
./P1/file1
34
./P2
35
[email protected]:/data/cryosp_projs$ rm P3/file
36
[email protected]:/data/cryosp_projs$ rm P1/file1
Copied!

cryosparcw reference

Next - Setup, Configuration and Management

Troubleshooting

Last modified 4mo ago

Copy link

Contents

Allowing users' Linux accounts to access cryoSPARC files

Establishing teams of users, and limiting access to data owned by another team