Annotation of doc/permissions.txt, revision 1.1 (every line last changed in revision 1.1, committed by harris41)

--------------------------------------------------------------------------
Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
  contributed by Scott, sharrison@users.sourceforge.net
--------------------------------------------------------------------------

0. Synopsis

1. The 'users' group

2. The 'www' user and group (/home/httpd/html/res/)

3. /home/USERNAME/public_html/*

4. The Samba glitch

**************************************************************************

--------------------------------------------------------------------------
SECTION 0. Synopsis
--------------------------------------------------------------------------
(This file is only meant for those with experience administering
 a Linux filesystem.)

* LON-CAPA SHOULD NEVER RELY ON A SHARED GROUP CALLED 'users'
* /home/httpd/html/res/* should be -rw-r--r-- (0644)
                         and owned by www:www
* For any filesystem user,
  /home/USERNAME/public_html/* should be -rw-rw-r-- (0664)
                               and owned by USERNAME:USERNAME
                               (www:USERNAME is also okay)
                               for _all_ the files
  /home/USERNAME/public_html/* should be drwxrwsr-x (2775)
                               and owned by USERNAME:USERNAME
                               (www:USERNAME is also okay)
                               for _all_ the subdirectories
                               including /home/USERNAME/public_html itself

--------------------------------------------------------------------------
SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
--------------------------------------------------------------------------
Early installations of LON-CAPA erroneously made use of the 'users' group.
A group called 'users' conventionally holds ALL the individual users of
the system as its members.

For example:
  A user named USER1 is a member of a group named 'users'.
  A user named USER2 is a member of a group named 'users'.
  A user named USER3 is a member of a group named 'users'.

With that layout, any file that is group-writable (or group-readable)
by 'users' can be altered (or read) by every other member of 'users'.
On a LON-CAPA system, however, it is seldom the case that USER1 should
be able to access and/or alter USER2's information directly through
the filesystem.

Therefore, the conventional notion of a 'users' group is INVALID
for the purposes of LON-CAPA.

What a LON-CAPA server needs instead is a private group per user (a
group named USER1 whose only ordinary member is USER1, and so on), plus
one POWERFUL-USER that is added as a supplementary member of every one
of those private groups. Group permissions then grant access to exactly
two accounts: the owner and the POWERFUL-USER.

For example: (This describes what we DO want)
  A user named POWERFUL-USER is a member of a group named 'USER1'.
  A user named POWERFUL-USER is a member of a group named 'USER2'.
  A user named POWERFUL-USER is a member of a group named 'USER3'.

Since LON-CAPA is essentially a world-wide web program, the
POWERFUL-USER exists by the name 'www'.

**************************************************************************

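A check for the group layout this section describes, added here as an example (it is not LON-CAPA code): it reads a file in /etc/group format and reports which users' private groups do not list www as a member, and whether a shared 'users' group with members is still present. The group file is a constructed sample so the check runs offline; on a live server pass /etc/group instead. The user names user1..user3 and the gids are assumptions made for the sample only.

```shell
#!/bin/sh
# Audit the SECTION 1 group layout against an /etc/group-format file.
# Added example; not part of LON-CAPA. Each line of the file has the form
#   name:password:gid:member1,member2,...
# The file path is a parameter so a constructed copy can be checked here.

set -eu

# Constructed sample group file (not copied from any real server).
SAMPLE_GROUP='root:x:0:
www:x:500:
user1:x:1001:www
user2:x:1002:
user3:x:1003:www,backup
users:x:100:user1,user2,user3'

# write_sample_group FILE : writes SAMPLE_GROUP to FILE
write_sample_group() { printf '%s\n' "$SAMPLE_GROUP" > "$1"; }

# users_missing_www GROUPFILE USER...
# For each USER, require that a group named USER exists in GROUPFILE and
# that 'www' is listed among its supplementary members. Prints every USER
# that fails; returns 1 if any did, 0 otherwise.
users_missing_www() {
    groupfile=$1; shift
    rc=0
    for u in "$@"; do
        if ! awk -F: -v g="$u" '
            $1 == g {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] == "www") found = 1
            }
            END { exit found ? 0 : 1 }' "$groupfile"; then
            echo "$u"
            rc=1
        fi
    done
    return $rc
}

# shared_users_group GROUPFILE
# Prints the member list of a group literally named 'users' if it exists
# and has members (the layout this section says not to rely on); prints
# nothing when there is no such group or it is empty.
shared_users_group() {
    awk -F: '$1 == "users" && $4 != "" { print $4 }' "$1"
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp)
write_sample_group "$demo"
echo "private groups missing www:"
users_missing_www "$demo" user1 user2 user3 || true
echo "members of a shared 'users' group (should print nothing): $(shared_users_group "$demo")"
rm -f "$demo"
```

On a real server the fix for a reported user is to add www to that user's private group (usermod -aG USER1 www) and to stop granting anything through the 'users' group; the second function prints something whenever files could still be reached that way.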
--------------------------------------------------------------------------
SECTION 2. The 'www' user and group (/home/httpd/html/res/)
--------------------------------------------------------------------------
'www' needs to run important LON-CAPA programs on a LON-CAPA server.
No other entities need to run or access most of the LON-CAPA programs
via the filesystem.

Therefore most of the LON-CAPA *software* files
(described in loncapa/doc/loncapafiles/loncapafiles.lpml)
should be owned by user=www and group=www (www:www).

The LON-CAPA published files (/home/httpd/html/res)
should also be owned by user=www and group=www (www:www),
with mode -rw-r--r-- (0644) as listed in the Synopsis: only 'www'
writes them, everyone else may read them.

**************************************************************************

--------------------------------------------------------------------------
SECTION 3. /home/USERNAME/public_html/*
--------------------------------------------------------------------------
'www' also needs the power to ACCESS and ALTER user directories on a
LON-CAPA server. It gets that power through the group permissions
described in this section, because 'www' is a member of every user's
private group (SECTION 1).

/home/USERNAME/public_html/* should be -rw-rw-r-- (0664)
                             and owned by USERNAME:USERNAME
                             (www:USERNAME is also okay)
                             for _all_ the files

/home/USERNAME/public_html/* should be drwxrwsr-x (2775)
                             and owned by USERNAME:USERNAME
                             (www:USERNAME is also okay)
                             for _all_ the subdirectories
                             including /home/USERNAME/public_html/ itself

The group-write bit is what lets 'www' alter the user's files, and the
setgid bit (the 's' in drwxrwsr-x) on every directory makes new files
and subdirectories inherit the group USERNAME no matter which account
creates them. A file created by 'www' therefore ends up as www:USERNAME,
which is why that ownership is also acceptable. Without the setgid bit
a file created by 'www' would get the group 'www', and USERNAME could
only read it.

**************************************************************************

--------------------------------------------------------------------------
SECTION 4. The Samba glitch
--------------------------------------------------------------------------
Samba was changing the permissions of user files and directories
to -rw-r--r-- (0644) and drwxr-xr-x (0755) respectively
(going from Windows to Linux), which removes the group-write bit
that 'www' depends on.

There was no easy way to get Samba to produce a directory
setting like drwxrwsr-x (2775).

Therefore, Samba (smb.conf) should be configured with:
   create mode = 0664
   directory mode = 0775

This violates the rules in SECTION 3 (0775 lacks the setgid bit), but
it keeps the group-write bit, so things will work.

Of course (sigh...), if a user generates a directory with
Windows and then logs into the Linux filesystem and
creates a file under that directory, the file will
be of the mode 0644 (-rw-r--r--). Note that the directory's own mode
plays no part in this: a new file's mode is 0666 masked by the user's
umask, and the usual umask of 022 yields 0644 even under a correct
2775 directory, so a login umask of 002 is needed for files created
from the shell to come out as 0664.

So, the real solution would be to edit the samba source
code and recompile samba.
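An audit and clean-up for the SECTION 3 rules, covering the 0755 directories and 0644 files that the Samba settings above (or a login umask of 022) leave behind, added here as an example and not a LON-CAPA script. It assumes GNU find and stat (Linux). count_violations lists every entry whose mode or group deviates from the rules; fix_public_html re-applies them. The tree it operates on is constructed by make_sample_tree so the example runs as an ordinary user with that user's own primary group standing in for USERNAME's private group.

```shell
#!/bin/sh
# Re-apply and audit the public_html rules from SECTION 3, undoing what the
# Samba settings from SECTION 4 (or a login shell with umask 022) leave
# behind. Added example for this page; it is not a LON-CAPA script.
# Assumes GNU find/stat. Run as root on a real server; here it is exercised
# on a constructed temporary tree so it runs as any user.

set -eu

# count_violations DIR GROUP
# Prints the number of entries under DIR that break the SECTION 3 rules:
# directories must be exactly 2775 (drwxrwsr-x), files exactly 0664
# (-rw-rw-r--), and both must carry group GROUP. The owning *user* is not
# checked because USERNAME:GROUP and www:GROUP are both acceptable.
# Symlinks never match -type d / -type f, so nothing outside the tree is
# counted or touched.
count_violations() {
    dir=$1; group=$2
    {
        find "$dir" -type d \( ! -perm 2775 -o ! -group "$group" \)
        find "$dir" -type f \( ! -perm 0664 -o ! -group "$group" \)
    } | wc -l | tr -d ' '
}

# fix_public_html DIR GROUP
# Forces group GROUP, 2775 on every directory (DIR itself included) and
# 0664 on every regular file. Returns non-zero if any chgrp/chmod failed.
fix_public_html() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -type d -exec chgrp "$group" {} + -exec chmod 2775 {} +
    find "$dir" -type f -exec chgrp "$group" {} + -exec chmod 0664 {} +
}

# make_sample_tree DIR GROUP
# Builds a constructed public_html under DIR reproducing the SECTION 4
# glitch: a directory created through Samba (0755) holding a file created
# from a Linux login with umask 022 (0644), next to a correct 2775
# directory with a correct 0664 file. Everything is owned by the caller
# and carries group GROUP.
make_sample_tree() {
    dir=$1; group=$2
    mkdir -p "$dir/samba_dir" "$dir/good_dir"
    : > "$dir/samba_dir/problem.xml"
    : > "$dir/good_dir/problem.xml"
    chgrp -R "$group" "$dir"
    chmod 2775 "$dir" "$dir/good_dir"
    chmod 0664 "$dir/good_dir/problem.xml"
    chmod 0755 "$dir/samba_dir"
    chmod 0644 "$dir/samba_dir/problem.xml"
}

# Stand-alone demo on a throwaway tree, using the caller's primary group
# in place of USERNAME's private group.
tmp=$(mktemp -d)
grp=$(id -gn)
make_sample_tree "$tmp/public_html" "$grp"
echo "violations before fix: $(count_violations "$tmp/public_html" "$grp")"
fix_public_html "$tmp/public_html" "$grp"
echo "violations after fix:  $(count_violations "$tmp/public_html" "$grp")"
rm -rf "$tmp"
```

On a live server this is run as root with the private group name as GROUP (fix_public_html /home/USERNAME/public_html USERNAME), and can be scheduled from cron if Samba keeps undoing the modes; because only -type d and -type f are matched, symlinks inside public_html are neither followed nor changed.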
