Annotation of doc/permissions.txt, revision 1.2

1.1       harris41    1: --------------------------------------------------------------------------
                      2: Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
                      3:   contributed by Scott, sharrison@users.sourceforge.net
                      4: --------------------------------------------------------------------------
                      5: 
                      6: 0. Synopsis
                      7: 
                      8: 1. The 'users' group
                      9: 
                     10: 2. The 'www' user and group (/home/httpd/html/res/)
                     11: 
                     12: 3. /home/USERNAME/public_html/*
                     13: 
                     14: 4. The Samba glitch
                     15: 
                     16: **************************************************************************
                     17: 
                     18: --------------------------------------------------------------------------
                     19: SECTION 0. Synopsis
                     20: --------------------------------------------------------------------------
                     21: (This file is only meant for those with experience administering
                     22:  a Linux filesystem.)
                     23: 
                     24: * THERE SHOULD NEVER BE A GROUP CALLED 'users'
                     25: * /home/httpd/html/res/* should be -rw-r--r--
                     26:                          and owned by www:www
                     27: * For any filesystem user,
                     28:   /home/USERNAME/public_html/* should be -rw-rw-r--
                     29:                                and owned by USERNAME:USERNAME
                     30:                                (www:USERNAME is also okay)
                     31:                                for _all_ the files
                     32:   /home/USERNAME/public_html/* should be drwxrwsr-x
                     33:                                and owned by USERNAME:USERNAME
                     34:                                (www:USERNAME is also okay)
                     35:                                for _all_ the subdirectories
                     36:                                including /home/USERNAME/public_html
                     37: 
                     38: --------------------------------------------------------------------------
                     39: SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
                     40: --------------------------------------------------------------------------
                     41: Early installations of LON-CAPA erroneously made use of the 'users' group.
                     42: The 'users' group is conventionally meant to indicate individual users
                     43: BELONGING to a group called 'users'.
                     44: 
                     45: For example:
                     46:   A user named USER1 is a member of a group named 'users'.
                     47:   A user named USER2 is a member of a group named 'users'.
                     48:   A user named USER3 is a member of a group named 'users'.
                     49: 
                     50: However, on a LON-CAPA system, it is seldom the case that
                     51: USER1 should be able to access and/or alter USER2's information
                     52: directly through the filesystem.
                     53: 
                     54: Therefore, the conventional notion of a 'users' group is INVALID
                     55: for the purposes of LON-CAPA.
                     56: 
                     57: What is necessary on a LON-CAPA server system is a POWERFUL-USER
                     58: that belongs to one-member groups.
                     59: 
                     60: For example: (This describes what we DO want)
                     61:   A user named POWERFUL-USER is a member of a group named 'USER1'.
                     62:   A user named POWERFUL-USER is a member of a group named 'USER2'.
                     63:   A user named POWERFUL-USER is a member of a group named 'USER3'.
                     64: 
                     65: Since LON-CAPA is essentially a world-wide web program, the
                     66: POWERFUL-USER exists by the name 'www'.
                     67: 
                     68: **************************************************************************
                     69: 
                     70: --------------------------------------------------------------------------
                     71: SECTION 2. The 'www' user and group (/home/httpd/html/res/)
                     72: --------------------------------------------------------------------------
                     73: 'www' needs to run important LON-CAPA programs on a LON-CAPA server.
                     74: No other entities need to run or access most of the LON-CAPA programs
                     75: via the filesystem.
                     76: 
                     77: Therefore most of the LON-CAPA *software* files
                     78: (described in loncapa/doc/loncapafiles/loncapafiles.lpml)
                     79: should be owned by user=www and group=www (www:www).
                     80: 
                     81: The LON-CAPA published files (/home/httpd/html/res)
                     82: should also be owned by user=www and group=www (www:www).
                     83: 
                     84: **************************************************************************
                     85: 
                     86: --------------------------------------------------------------------------
                     87: SECTION 3. /home/USERNAME/public_html/*
                     88: --------------------------------------------------------------------------
                     89: 'www' also needs the power to ACCESS and ALTER user directories on a
                     90: LON-CAPA server as described in the following section.
                     91: 
                     92: /home/USERNAME/public_html/* should be -rw-rw-r--
                     93:                              and owned by USERNAME:USERNAME
                     94:                              (www:USERNAME is also okay)
                     95:                              for _all_ the files
                     96: 
                     97: /home/USERNAME/public_html/* should be drwxrwsr-x
                     98:                              and owned by USERNAME:USERNAME
                     99:                              (www:USERNAME is also okay)
                    100:                              for _all_ the subdirectories
                    101:                              including /home/USERNAME/public_html/
                    102: 
                    103: **************************************************************************
                    104: 
                    105: --------------------------------------------------------------------------
                    106: SECTION 4. The Samba glitch
                    107: --------------------------------------------------------------------------
                    108: Samba was changing permissions of user files and directories
                    109: to be set like -rw-r--r-- and drwxr-xr-x respectively
                    110: (going from Windows to Linux).
                    111: 
                    112: There was no easy way to get Samba to produce a directory
                    113: setting like drwxrwsr-x.
                    114: 
                    115: Therefore, Samba (smb.conf) should be configured with:
                    116:    create mode = 0664
                    117:    directory mode = 0775
                    118: 
1.2     ! harris41  119: This will allow LON-CAPA to operate properly although
        !           120: the rules in SECTION 3 are violated.
1.1       harris41  121: 
1.2     ! harris41  122: Difficulty could still emerge though, if a user
        !           123: generates a directory with Windows and then logs
        !           124: into the Linux filesystem and creates a file under
        !           125: that directory (the file would, alas, be of the
        !           126: mode 0644 (-rw-r--r--)).
1.1       harris41  127: 
1.2     ! harris41  128: Currently, for cases like this, we consider it to
        !           129: be the responsibility of the user (who logs directly
        !           130: into the Linux filesystem) to make proper use of the
        !           131: 'chmod' command.
