--------------------------------------------------------------------------
Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
contributed by Scott, sharrison@users.sourceforge.net
--------------------------------------------------------------------------

0. Synopsis
1. The 'users' group
2. The 'www' user and group (/home/httpd/html/res/)
3. /home/USERNAME/public_html/*
4. The Samba glitch

**************************************************************************
--------------------------------------------------------------------------
SECTION 0. Synopsis
--------------------------------------------------------------------------

(This file is only meant for those with experience administering a
Linux filesystem.)

* THERE SHOULD NEVER BE A GROUP CALLED 'users' holding LON-CAPA accounts
  (see SECTION 1: no account belongs in a shared group)
* /home/httpd/html/res/* should be -rw-r--r-- (0644) and owned by www:www
* For any filesystem user:
  /home/USERNAME/public_html/* should be -rw-rw-r-- (0664) and owned by
    USERNAME:USERNAME (www:USERNAME is also okay) for _all_ the files
  /home/USERNAME/public_html/* should be drwxrwsr-x (2775) and owned by
    USERNAME:USERNAME (www:USERNAME is also okay) for _all_ the
    subdirectories, including /home/USERNAME/public_html itself

--------------------------------------------------------------------------
SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
--------------------------------------------------------------------------

Early installations of LON-CAPA erroneously made use of the 'users' group.
The 'users' group is conventionally meant to indicate individual users
BELONGING to a group called 'users'. For example:

  A user named USER1 is a member of a group named 'users'.
  A user named USER2 is a member of a group named 'users'.
  A user named USER3 is a member of a group named 'users'.

However, on a LON-CAPA system it is seldom the case that USER1 should be
able to access and/or alter USER2's information directly through the
filesystem.
Therefore, the conventional notion of a 'users' group is INVALID for the
purposes of LON-CAPA: with every account in one shared group, the
group-write permission that the rules below require on a user's files
would open those files to every other user on the machine. What is
necessary on a LON-CAPA server system is a POWERFUL-USER that belongs to
one-member groups, i.e. each user gets a private group of the same name and
the POWERFUL-USER is added to every one of them. For example:
(This describes what we DO want)

  A user named POWERFUL-USER is a member of a group named 'USER1'.
  A user named POWERFUL-USER is a member of a group named 'USER2'.
  A user named POWERFUL-USER is a member of a group named 'USER3'.

Since LON-CAPA is essentially a world-wide web program, the POWERFUL-USER
exists by the name 'www'.

**************************************************************************
--------------------------------------------------------------------------
SECTION 2. The 'www' user and group (/home/httpd/html/res/)
--------------------------------------------------------------------------

'www' needs to run important LON-CAPA programs on a LON-CAPA server. No
other entities need to run or access most of the LON-CAPA programs via the
filesystem. Therefore most of the LON-CAPA *software* files (described in
loncapa/doc/loncapafiles/loncapafiles.lpml) should be owned by user=www and
group=www (www:www).

The LON-CAPA published files (/home/httpd/html/res) should also be owned by
user=www and group=www (www:www).

**************************************************************************
--------------------------------------------------------------------------
SECTION 3. /home/USERNAME/public_html/*
--------------------------------------------------------------------------

'www' also needs the power to ACCESS and ALTER user directories on a
LON-CAPA server, as described below.
/home/USERNAME/public_html/* should be -rw-rw-r-- (0664) and owned by
  USERNAME:USERNAME (www:USERNAME is also okay) for _all_ the files
/home/USERNAME/public_html/* should be drwxrwsr-x (2775) and owned by
  USERNAME:USERNAME (www:USERNAME is also okay) for _all_ the
  subdirectories, including /home/USERNAME/public_html/ itself

The group-write bit is what lets 'www' (a member of group USERNAME) modify
the user's files, and the setgid bit (the 's' in the group position of
drwxrwsr-x) makes every file and subdirectory created under public_html
belong to group USERNAME no matter which of the two accounts created it, so
files written by 'www' stay reachable by USERNAME and vice versa.

**************************************************************************
--------------------------------------------------------------------------
SECTION 4. The Samba glitch
--------------------------------------------------------------------------

Samba was changing the permissions of user files and directories to
-rw-r--r-- and drwxr-xr-x respectively (going from Windows to Linux). There
was no easy way to get Samba to produce a directory setting like
drwxrwsr-x. Therefore, Samba (smb.conf) should be configured with:

  create mode = 0664
  directory mode = 0775

This will violate the rules in SECTION 3 (directories created by Samba lack
the setgid bit), but will allow things to work. Note that 'create mode' and
'directory mode' are masks that are AND-ed with the permissions Samba
computes for a new entry: they cap what Samba may set, they do not force
bits on. Newer Samba releases also offer 'inherit permissions = yes', which
makes a new directory copy its parent's mode, setgid bit included, so a
public_html that already has drwxrwsr-x passes it down to what Samba
creates inside it.

Of course (sigh...), if a user generates a directory with Windows and then
logs into the Linux filesystem and creates a file under that directory, the
file will be of the mode 0644 (-rw-r--r--). That half of the problem is not
Samba's doing at all: the mode of a file created from a login shell comes
from the user's umask (the usual 022 yields 0644), and the directory's
setgid bit only fixes the group, not the mode, so these users need
umask 002 in their shell profile. So, for the Samba side, the real solution
would be to edit the samba source code and recompile samba.
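The following script is an added example (not part of the LON-CAPA distribution) that turns the rules of SECTIONS 2 and 3 into an audit and a repair step: check_tree lists every entry whose mode, owner or group breaks a rule, and fix_tree applies the expected modes (and, as root, the ownership) to a whole tree. It assumes GNU find (for -printf) and GNU stat, as on any Linux LON-CAPA host. The document gives no directory mode for /home/httpd/html/res, so the 755 used for those directories in the usage comment is an assumption. The demo at the bottom builds a throwaway tree with the modes Samba leaves behind, so the script also runs unprivileged.

```shell
#!/bin/sh
# Audit and repair of the ownership/mode rules from SECTIONS 2 and 3.
# Added example, not LON-CAPA code. Needs GNU find (-printf) and GNU stat;
# the chown in fix_tree needs root.
#
# The SECTION 1 group layout this relies on: each user has a private group
# of the same name, and 'www' is added to every one of them, e.g.
#   usermod -a -G USERNAME www

# check_tree ROOT FILE_MODE DIR_MODE OWNER GROUP [ALT_OWNER]
# Modes are octal strings as GNU find prints them (664, 2775, ...).
# Prints one line per entry that breaks a rule and returns 1 if any did,
# 0 if the tree is clean. Symlinks and other special entries are listed for
# manual review, since the rules only cover files and directories.
check_tree() {
    root=$1; want_file=$2; want_dir=$3; owner=$4; group=$5; alt_owner=${6:-$4}
    out=$(find "$root" -printf '%y %m %u %g %p\n' | while IFS=' ' read -r type mode u g path; do
        case $type in
            d) want=$want_dir ;;
            f) want=$want_file ;;
            *) echo "OTHER type=$type: $path"; continue ;;
        esac
        [ "$mode" = "$want" ] || echo "MODE  $mode, want $want: $path"
        [ "$u" = "$owner" ] || [ "$u" = "$alt_owner" ] || echo "OWNER $u, want $owner or $alt_owner: $path"
        [ "$g" = "$group" ] || echo "GROUP $g, want $group: $path"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# fix_tree ROOT FILE_MODE DIR_MODE [OWNER:GROUP]
# Applies the modes (and, when given, the ownership) to the whole tree.
fix_tree() {
    root=$1; file_mode=$2; dir_mode=$3; owner_group=$4
    find "$root" -type d -exec chmod "$dir_mode" {} +
    find "$root" -type f -exec chmod "$file_mode" {} +
    if [ -n "$owner_group" ]; then
        chown -R "$owner_group" "$root"
    fi
}

# Real use, as root, on the paths the document names (not executed here):
#   check_tree /home/httpd/html/res 644 755 www www        # 755 for res dirs is an assumption
#   check_tree /home/USERNAME/public_html 664 2775 USERNAME USERNAME www
#   fix_tree   /home/USERNAME/public_html 664 2775 USERNAME:USERNAME

# Self-contained demonstration on a throwaway tree constructed here (not a
# real home directory): the entries carry the modes Samba leaves behind
# (SECTION 4), are reported, then repaired.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/sub dir"
    : > "$tmp/public_html/sub dir/example.problem"
    chmod 755 "$tmp/public_html" "$tmp/public_html/sub dir"
    chmod 644 "$tmp/public_html/sub dir/example.problem"
    me=$(id -un); mygrp=$(id -gn)
    echo "--- before fix_tree ---"
    check_tree "$tmp/public_html" 664 2775 "$me" "$mygrp" www || true
    fix_tree "$tmp/public_html" 664 2775
    echo "--- after fix_tree ---"
    check_tree "$tmp/public_html" 664 2775 "$me" "$mygrp" www && echo "clean"
    rm -rf "$tmp"
}
demo
```

Run check_tree from cron or after every Samba session to catch drift; run fix_tree only after reviewing the report, because it also rewrites ownership of anything the user dropped into public_html.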
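The second half of the SECTION 4 glitch (files created from a Linux login coming out as 0644) can be reproduced in a few lines. This added example, not LON-CAPA code, creates a file and a subdirectory under a directory that already has the drwxrwsr-x setting of SECTION 3, once with the usual umask 022 and once with umask 002, and prints the resulting modes. It assumes GNU stat and a Linux kernel, where new subdirectories inherit the parent's setgid bit; the temporary directory stands in for /home/USERNAME/public_html.

```shell
#!/bin/sh
# Added example for SECTION 4: shows that the mode of an entry created from
# a login shell is decided by the umask, while only the group (and, for
# directories, the setgid bit) comes from the parent. Not LON-CAPA code.
# Needs GNU stat.

# mode_of_new_file DIR UMASK: create a file under DIR with the given umask
# and print its permission bits. Runs in a subshell so the caller's umask
# is left untouched.
mode_of_new_file() (
    umask "$2"
    f="$1/probe-file.$$"
    : > "$f"
    stat -c %a "$f"
    rm -f "$f"
)

# mode_of_new_dir DIR UMASK: same for a subdirectory; the setgid bit is
# inherited from DIR while the rwx bits still come from the umask.
mode_of_new_dir() (
    umask "$2"
    d="$1/probe-dir.$$"
    mkdir "$d"
    stat -c %a "$d"
    rmdir "$d"
)

demo() {
    top=$(mktemp -d)        # stands in for /home/USERNAME/public_html
    chmod 2775 "$top"       # exactly what SECTION 3 asks for
    echo "file, umask 022: $(mode_of_new_file "$top" 022)"   # 644, the SECTION 4 complaint
    echo "file, umask 002: $(mode_of_new_file "$top" 002)"   # 664, the SECTION 3 rule
    echo "dir,  umask 022: $(mode_of_new_dir "$top" 022)"    # 2755, setgid kept, group-write lost
    echo "dir,  umask 002: $(mode_of_new_dir "$top" 002)"    # 2775, the SECTION 3 rule
    rmdir "$top"
}
demo
```

The practical consequence: no Samba setting can change these numbers, because Samba is not involved when the user works from a shell; putting umask 002 in the login profile of the LON-CAPA authors is what makes shell-created files satisfy SECTION 3.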