Annotation of doc/permissions.txt, revision 1.1
--------------------------------------------------------------------------
Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
contributed by Scott, sharrison@users.sourceforge.net
--------------------------------------------------------------------------

0. Synopsis

1. The 'users' group

2. The 'www' user and group (/home/httpd/html/res/)

3. /home/USERNAME/public_html/*

4. The Samba glitch

**************************************************************************

--------------------------------------------------------------------------
SECTION 0. Synopsis
--------------------------------------------------------------------------
(This file is only meant for those with experience administering
a Linux filesystem.)

* THERE SHOULD NEVER BE A GROUP CALLED 'users'
* /home/httpd/html/res/* should be -rw-r--r--
  and owned by www:www
* For any filesystem user,
  /home/USERNAME/public_html/* should be -rw-rw-r--
    and owned by USERNAME:USERNAME
    (www:USERNAME is also okay)
    for _all_ the files
  /home/USERNAME/public_html/* should be drwxrwsr-x
    and owned by USERNAME:USERNAME
    (www:USERNAME is also okay)
    for _all_ the subdirectories
    including /home/USERNAME/public_html
--------------------------------------------------------------------------
SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
--------------------------------------------------------------------------
Early installations of LON-CAPA erroneously made use of the 'users' group.
The 'users' group is conventionally meant to indicate individual users
BELONGING to a group called 'users'.

For example:
  A user named USER1 is a member of a group named 'users'.
  A user named USER2 is a member of a group named 'users'.
  A user named USER3 is a member of a group named 'users'.

However, on a LON-CAPA system, it is seldom the case that
USER1 should be able to access and/or alter USER2's information
directly through the filesystem.

Therefore, the conventional notion of a 'users' group is INVALID
for the purposes of LON-CAPA.

What is necessary on a LON-CAPA server system is a POWERFUL-USER
that belongs to one-member groups.

For example: (This describes what we DO want)
  A user named POWERFUL-USER is a member of a group named 'USER1'.
  A user named POWERFUL-USER is a member of a group named 'USER2'.
  A user named POWERFUL-USER is a member of a group named 'USER3'.

Since LON-CAPA is essentially a world-wide web program, the
POWERFUL-USER exists under the name 'www'.

**************************************************************************

--------------------------------------------------------------------------
SECTION 2. The 'www' user and group (/home/httpd/html/res/)
--------------------------------------------------------------------------
'www' needs to run important LON-CAPA programs on a LON-CAPA server.
No other entities need to run or access most of the LON-CAPA programs
via the filesystem.

Therefore most of the LON-CAPA *software* files
(described in loncapa/doc/loncapafiles/loncapafiles.lpml)
should be owned by user=www and group=www (www:www).

The LON-CAPA published files (/home/httpd/html/res)
should also be owned by user=www and group=www (www:www).

**************************************************************************

--------------------------------------------------------------------------
SECTION 3. /home/USERNAME/public_html/*
--------------------------------------------------------------------------
'www' also needs the power to ACCESS and ALTER user directories on a
LON-CAPA server, as described in this section.

/home/USERNAME/public_html/* should be -rw-rw-r--
  and owned by USERNAME:USERNAME
  (www:USERNAME is also okay)
  for _all_ the files

/home/USERNAME/public_html/* should be drwxrwsr-x
  and owned by USERNAME:USERNAME
  (www:USERNAME is also okay)
  for _all_ the subdirectories
  including /home/USERNAME/public_html/

**************************************************************************

--------------------------------------------------------------------------
SECTION 4. The Samba glitch
--------------------------------------------------------------------------
Samba was changing permissions of user files and directories
to be set like -rw-r--r-- and drwxr-xr-x respectively
(going from Windows to Linux).

There was no easy way to get Samba to produce a directory
setting like drwxrwsr-x.

Therefore, Samba (smb.conf) should be configured with:
  create mode = 0664
  directory mode = 0775

This will violate the rules in SECTION 3, but will allow
things to work.

Of course (sigh...), if a user generates a directory with
Windows and then logs into the Linux filesystem and
creates a file under that directory, the file will
be of the mode 0644 (-rw-r--r--).

So, the real solution would be to edit the Samba source
code and recompile Samba.
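The following is an added example, not part of this document or of LON-CAPA itself: a POSIX shell audit of one user's public_html tree against the SECTION 3 rules (modes, owner USERNAME or www, group USERNAME, the directory itself included), plus a repair step that re-applies 2775/664 to a tree Samba has left at 0755/0644 as described in SECTION 4. It assumes GNU coreutils (stat -c); the function names, the optional GROUP argument and the ROOT override are conveniences introduced here.

```shell
#!/bin/sh
# Audit one user's public_html tree against the Section 3 rules and repair
# trees that Samba (Section 4) has left at 0644/0755.
#   files:        -rw-rw-r-- (664),  owner USERNAME or www, group USERNAME
#   directories:  drwxrwsr-x (2775), same ownership, including the root
# Assumes GNU coreutils (stat -c) and find.

# audit_public_html USERNAME [ROOT] [GROUP]
# ROOT defaults to /home/USERNAME/public_html; GROUP defaults to USERNAME
# (kept separate so the check can run where the primary group differs).
# Prints one line per deviation; returns 0 only if the tree is compliant.
audit_public_html() {
  user="$1"
  root="${2:-/home/$user/public_html}"
  group="${3:-$user}"
  violations=$(
    find "$root" -print | while IFS= read -r path; do
      # octal mode without leading zero, owner name, group name
      set -- $(stat -c '%a %U %G' "$path")
      mode=$1; owner=$2; grp=$3
      if [ -d "$path" ]; then want=2775; else want=664; fi
      case "$owner" in
        "$user"|www) ;;
        *) echo "$path: owner $owner, want $user (or www)" ;;
      esac
      [ "$grp" = "$group" ] || echo "$path: group $grp, want $group"
      [ "$mode" = "$want" ] || echo "$path: mode $mode, want $want"
    done
  )
  [ -z "$violations" ] && return 0
  printf '%s\n' "$violations"
  return 1
}

# fix_public_html ROOT
# Re-applies the Section 3 modes to every directory (2775) and file (664)
# under ROOT, including ROOT itself. Ownership is left untouched: chown
# needs root, and the audit above already reports it separately.
fix_public_html() {
  root="$1"
  find "$root" -type d -exec chmod 2775 {} +
  find "$root" -type f -exec chmod 664 {} +
}
```

Run the audit from cron or after each Samba session; a non-zero exit with output is the signal that the SECTION 4 drift has happened again and the fix should be applied.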