Annotation of doc/permissions.txt, revision 1.2
1.1 harris41 1: --------------------------------------------------------------------------
2: Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
3: contributed by Scott, sharrison@users.sourceforge.net
4: --------------------------------------------------------------------------
5:
6: 0. Synopsis
7:
8: 1. The 'users' group
9:
10: 2. The 'www' user and group (/home/httpd/html/res/)
11:
12: 3. /home/USERNAME/public_html/*
13:
14: 4. The Samba glitch
15:
16: **************************************************************************
17:
18: --------------------------------------------------------------------------
19: SECTION 0. Synopsis
20: --------------------------------------------------------------------------
21: (This file is only meant for those with experience administering
22: a Linux filesystem.)
23:
24: * THERE SHOULD NEVER BE A GROUP CALLED 'users'
25: * /home/httpd/html/res/* should be -rw-r-r--
26: and owned by www:www
27: * For any filesystem user,
28: /home/USERNAME/public_html/* should be -rw-rw-r--
29: and owned by USERNAME:USERNAME
30: (www:USERNAME is also okay)
31: for _all_ the files
32: /home/USERNAME/public_html/* should be drwxrwsr-x
33: and owned by USERNAME:USERNAME
34: (www:USERNAME is also okay)
35: for _all_ the subdirectories
36: including /home/USERNAME/public_html
37:
38: --------------------------------------------------------------------------
39: SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
40: --------------------------------------------------------------------------
41: Early installations of LON-CAPA erroneously made use of the 'users' group.
42: The 'users' group is conventionally meant to indicate individual users
43: BELONGING to a group called 'users'.
44:
45: For example:
46: A user named USER1 is a member of a group named 'users'.
47: A user named USER2 is a member of a group named 'users'.
48: A user named USER3 is a member of a group named 'users'.
49:
50: However, on a LON-CAPA system, it is seldom the case where
51: USER1 should be able to access and/or alter USER2's information
52: directly through the filesystem.
53:
54: Therefore, the conventional notion of a 'users' group is INVALID
55: for the purposes of LON-CAPA.
56:
57: What is necessary on a LON-CAPA server system is a POWERFUL-USER
58: that belongs to one-member groups.
59:
60: For example: (This describes what we DO want)
61: A user named POWERFUL-USER is a member of a group named 'USER1'.
62: A user named POWERFUL-USER is a member of a group named 'USER2'.
63: A user named POWERFUL-USER is a member of a group named 'USER3'.
64:
65: Since LON-CAPA is essentially a world-wide web program, the
66: POWERFUL-USER exists by the name 'www'.
67:
68: **************************************************************************
69:
70: --------------------------------------------------------------------------
71: SECTION 2. The 'www' user and group (/home/httpd/html/res/)
72: --------------------------------------------------------------------------
73: 'www' needs to run important LON-CAPA programs on a LON-CAPA server.
74: No other entities need to run or access most of the LON-CAPA programs
75: via the filesystem.
76:
77: Therefore most of the LON-CAPA *software* files
78: (described in loncapa/doc/loncapafiles/loncapafiles.lpml)
79: should be owned by user=www and group=www (www:www).
80:
81: The LON-CAPA published files (/home/httpd/html/res)
82: should also be owned by user=www and group=www (www:www).
83:
84: **************************************************************************
85:
86: --------------------------------------------------------------------------
87: SECTION 3. /home/USERNAME/public_html/*
88: --------------------------------------------------------------------------
89: 'www' also needs the power to ACCESS and ALTER user directories on a
90: LON-CAPA server as described in the following section.
91:
92: /home/USERNAME/public_html/* should be -rw-rw-r--
93: and owned by USERNAME:USERNAME
94: (www:USERNAME is also okay)
95: for _all_ the files
96:
97: /home/USERNAME/public_html/* should be drwxrwsr-x
98: and owned by USERNAME:USERNAME
99: (www:USERNAME is also okay)
100: for _all_ the subdirectories
101: including /home/USERNAME/public_html/
102:
103: **************************************************************************
104:
105: --------------------------------------------------------------------------
106: SECTION 4. The Samba glitch
107: --------------------------------------------------------------------------
108: Samba was changing permissions of user files and directories
109: to be set like -rw-r-r- and drwxr-xr-x respectively
110: (going from Windows to Linux).
111:
112: There was no easy way to get Samba to produce a directory
113: setting like drwxrwsr-x.
114:
115: Therefore, Samba (smb.conf) should be configured with:
116: create mode = 0664
117: directory mode = 0775
118:
1.2 ! harris41 119: This will allow LON-CAPA to operate properly although
! 120: the rules in SECTION 3 are violated.
1.1 harris41 121:
1.2 ! harris41 122: Difficulty could still emerge though, if a user
! 123: generates a directory with Windows and then logs
! 124: into the Linux filesystem and creates a file under
! 125: that directory (the file would, alas, be of the
! 126: mode 0644 (-rw-r--r--)).
1.1 harris41 127:
1.2 ! harris41 128: Currently, for cases like this, we consider it to
! 129: be the responsibility of the user (who logs directly
! 130: into the Linux filesystem) to make proper use of the
! 131: 'chmod' command.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to permissions.txt CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / doc