File: [LON-CAPA] / doc / permissions.txt
Revision 1.2, Sun Jul 28 17:36:24 2002 UTC, by harris41
Branches: MAIN
fixing samba glitch description
--------------------------------------------------------------------------
Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
contributed by Scott, sharrison@users.sourceforge.net
--------------------------------------------------------------------------

0. Synopsis

1. The 'users' group

2. The 'www' user and group (/home/httpd/html/res/)

3. /home/USERNAME/public_html/*

4. The Samba glitch

**************************************************************************

--------------------------------------------------------------------------
SECTION 0. Synopsis
--------------------------------------------------------------------------
(This file is only meant for those with experience administering
a Linux filesystem.)

* THERE SHOULD NEVER BE A GROUP CALLED 'users'
* /home/httpd/html/res/* should be -rw-r--r--
  and owned by www:www
* For any filesystem user,
  /home/USERNAME/public_html/* should be -rw-rw-r--
  and owned by USERNAME:USERNAME
  (www:USERNAME is also okay)
  for _all_ the files
  /home/USERNAME/public_html/* should be drwxrwsr-x
  and owned by USERNAME:USERNAME
  (www:USERNAME is also okay)
  for _all_ the subdirectories
  including /home/USERNAME/public_html

--------------------------------------------------------------------------
SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
--------------------------------------------------------------------------
Early installations of LON-CAPA erroneously made use of the 'users' group.
The 'users' group is conventionally meant to indicate individual users
BELONGING to a group called 'users'.

For example:
  A user named USER1 is a member of a group named 'users'.
  A user named USER2 is a member of a group named 'users'.
  A user named USER3 is a member of a group named 'users'.

However, on a LON-CAPA system, it is seldom the case that
USER1 should be able to access and/or alter USER2's information
directly through the filesystem.

Therefore, the conventional notion of a 'users' group is INVALID
for the purposes of LON-CAPA.

What is necessary on a LON-CAPA server system is a POWERFUL-USER
that belongs to one-member groups.

For example: (This describes what we DO want)
  A user named POWERFUL-USER is a member of a group named 'USER1'.
  A user named POWERFUL-USER is a member of a group named 'USER2'.
  A user named POWERFUL-USER is a member of a group named 'USER3'.

Since LON-CAPA is essentially a world-wide web program, the
POWERFUL-USER exists by the name 'www'.

**************************************************************************

--------------------------------------------------------------------------
SECTION 2. The 'www' user and group (/home/httpd/html/res/)
--------------------------------------------------------------------------
'www' needs to run important LON-CAPA programs on a LON-CAPA server.
No other entities need to run or access most of the LON-CAPA programs
via the filesystem.

Therefore most of the LON-CAPA *software* files
(described in loncapa/doc/loncapafiles/loncapafiles.lpml)
should be owned by user=www and group=www (www:www).

The LON-CAPA published files (/home/httpd/html/res)
should also be owned by user=www and group=www (www:www).

**************************************************************************

--------------------------------------------------------------------------
SECTION 3. /home/USERNAME/public_html/*
--------------------------------------------------------------------------
'www' also needs the power to ACCESS and ALTER user directories on a
LON-CAPA server as described in the following section.

/home/USERNAME/public_html/* should be -rw-rw-r--
  and owned by USERNAME:USERNAME
  (www:USERNAME is also okay)
  for _all_ the files

/home/USERNAME/public_html/* should be drwxrwsr-x
  and owned by USERNAME:USERNAME
  (www:USERNAME is also okay)
  for _all_ the subdirectories
  including /home/USERNAME/public_html/
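
One way to check a user tree against the rules above (an added example, not part of the LON-CAPA distribution). The function names are hypothetical, GNU find's -printf is assumed, and the sample tree is constructed:

```shell
#!/bin/sh
# audit_public_html USERNAME [HOMEDIR]   (hypothetical helper, needs GNU find)
# Prints one line per deviation from the SECTION 3 rules:
#   files 664, directories 2775 (drwxrwsr-x),
#   owner USERNAME or www, group USERNAME.
audit_public_html() {
    user=$1
    top=${2:-/home/$user}/public_html
    # %m octal mode, %u owner, %g group, %y type (f/d), %p path
    # (path comes last so embedded spaces survive the read below)
    find "$top" \( -type f -o -type d \) -printf '%m %u %g %y %p\n' |
    while read -r mode owner group type path; do
        case $type in
            f) want=664 ;;
            d) want=2775 ;;
        esac
        [ "$mode" = "$want" ] || echo "MODE $mode (want $want) $path"
        case $owner in
            "$user"|www) ;;
            *) echo "OWNER $owner $path" ;;
        esac
        [ "$group" = "$user" ] || echo "GROUP $group $path"
    done
}

# Constructed sample tree: one correct file, one 0644 file, one 0755 directory.
build_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/public_html/sub"
    : > "$home/public_html/ok.html"
    : > "$home/public_html/sub/bad.html"
    chmod 2775 "$home/public_html"
    chmod 0755 "$home/public_html/sub"
    chmod 0664 "$home/public_html/ok.html"
    chmod 0644 "$home/public_html/sub/bad.html"
    echo "$home"
}

sample=$(build_sample_home)
audit_public_html "$(id -un)" "$sample"
rm -rf "$sample"
```

GROUP lines appear whenever the group is not named after the user, which is the one-member-group layout SECTION 1 asks for.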

**************************************************************************

--------------------------------------------------------------------------
SECTION 4. The Samba glitch
--------------------------------------------------------------------------
Samba was changing permissions of user files and directories
to be set like -rw-r--r-- and drwxr-xr-x respectively
(going from Windows to Linux).

There was no easy way to get Samba to produce a directory
setting like drwxrwsr-x.

Therefore, Samba (smb.conf) should be configured with:
  create mode = 0664
  directory mode = 0775

This will allow LON-CAPA to operate properly although
the rules in SECTION 3 are violated.

Difficulty could still emerge though, if a user
generates a directory with Windows and then logs
into the Linux filesystem and creates a file under
that directory (the file would, alas, be of the
mode 0644 (-rw-r--r--)).

Currently, for cases like this, we consider it to
be the responsibility of the user (who logs directly
into the Linux filesystem) to make proper use of the
'chmod' command.
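
The case described above, replayed on a constructed tree together with the chmod calls that restore the SECTION 3 modes (an added example, not part of the LON-CAPA distribution). The function names are hypothetical, GNU stat is assumed, and a login umask of 022 is assumed because it yields the 0644 mentioned above:

```shell
#!/bin/sh
# repair_public_html HOMEDIR   (hypothetical helper)
# Resets HOMEDIR/public_html to the SECTION 3 modes: files 0664,
# directories 2775 (drwxrwsr-x). Only entries whose mode differs are
# touched; ownership is left alone.
repair_public_html() {
    top=$1/public_html
    find "$top" -type d ! -perm 2775 -exec chmod 2775 {} +
    find "$top" -type f ! -perm 0664 -exec chmod 0664 {} +
}

# Constructed replay of the SECTION 4 case. Prints the modes as
# "<file> <dir> -> <file> <dir>", before and after the repair.
demo_samba_case() {
    home=$(mktemp -d)
    dir=$home/public_html/fromwindows
    mkdir -p "$dir"
    chmod 2775 "$home/public_html"
    chmod 0775 "$dir"                     # what "directory mode = 0775" yields
    ( umask 022; : > "$dir/new.html" )    # file created from a shell login (assumed umask)
    before="$(stat -c %a "$dir/new.html") $(stat -c %a "$dir")"
    repair_public_html "$home"
    after="$(stat -c %a "$dir/new.html") $(stat -c %a "$dir")"
    rm -rf "$home"
    echo "$before -> $after"
}

demo_samba_case
```

The setgid bit on a directory only passes the group on to new entries, so a umask of 022 still produces 0644 files even under drwxrwsr-x; a umask of 002 is what gives 0664 without a later chmod.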