File:  [LON-CAPA] / doc / permissions.txt
Revision 1.1
Sun Jul 28 04:05:11 2002 UTC (21 years, 8 months ago) by harris41
Branches: MAIN
CVS tags: HEAD
lon-capa servers should not have a 'users' group;
filename should have extension

--------------------------------------------------------------------------
Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
  contributed by Scott, sharrison@users.sourceforge.net
--------------------------------------------------------------------------

0. Synopsis

1. The 'users' group

2. The 'www' user and group (/home/httpd/html/res/)

3. /home/USERNAME/public_html/*

4. The Samba glitch

**************************************************************************

--------------------------------------------------------------------------
SECTION 0. Synopsis
--------------------------------------------------------------------------
(This file is only meant for those with experience administering
 a Linux filesystem.)

* THERE SHOULD NEVER BE A GROUP CALLED 'users'
* /home/httpd/html/res/* should be -rw-r--r--
                         and owned by www:www
* For any filesystem user,
  /home/USERNAME/public_html/* should be -rw-rw-r--
                               and owned by USERNAME:USERNAME
                               (www:USERNAME is also okay)
                               for _all_ the files
  /home/USERNAME/public_html/* should be drwxrwsr-x
                               and owned by USERNAME:USERNAME
                               (www:USERNAME is also okay)
                               for _all_ the subdirectories
                               including /home/USERNAME/public_html

--------------------------------------------------------------------------
SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
--------------------------------------------------------------------------
Early installations of LON-CAPA erroneously made use of the 'users' group.
The 'users' group is conventionally meant to indicate individual users
BELONGING to a group called 'users'.

For example:
  A user named USER1 is a member of a group named 'users'.
  A user named USER2 is a member of a group named 'users'.
  A user named USER3 is a member of a group named 'users'.

However, on a LON-CAPA system, it is seldom the case that
USER1 should be able to access and/or alter USER2's information
directly through the filesystem.

Therefore, the conventional notion of a 'users' group is INVALID
for the purposes of LON-CAPA.

What is necessary on a LON-CAPA server system is a POWERFUL-USER
that belongs to one-member groups.

For example: (This describes what we DO want)
  A user named POWERFUL-USER is a member of a group named 'USER1'.
  A user named POWERFUL-USER is a member of a group named 'USER2'.
  A user named POWERFUL-USER is a member of a group named 'USER3'.

Since LON-CAPA is essentially a world-wide web program, the
POWERFUL-USER goes by the name 'www'.

**************************************************************************

--------------------------------------------------------------------------
SECTION 2. The 'www' user and group (/home/httpd/html/res/)
--------------------------------------------------------------------------
'www' needs to run important LON-CAPA programs on a LON-CAPA server.
No other entities need to run or access most of the LON-CAPA programs
via the filesystem.

Therefore most of the LON-CAPA *software* files
(described in loncapa/doc/loncapafiles/loncapafiles.lpml)
should be owned by user=www and group=www (www:www).

The LON-CAPA published files (/home/httpd/html/res)
should also be owned by user=www and group=www (www:www).

**************************************************************************

--------------------------------------------------------------------------
SECTION 3. /home/USERNAME/public_html/*
--------------------------------------------------------------------------
'www' also needs the power to ACCESS and ALTER user directories on a
LON-CAPA server, as described below.

/home/USERNAME/public_html/* should be -rw-rw-r--
                             and owned by USERNAME:USERNAME
                             (www:USERNAME is also okay)
                             for _all_ the files

/home/USERNAME/public_html/* should be drwxrwsr-x
                             and owned by USERNAME:USERNAME
                             (www:USERNAME is also okay)
                             for _all_ the subdirectories
                             including /home/USERNAME/public_html/

**************************************************************************

--------------------------------------------------------------------------
SECTION 4. The Samba glitch
--------------------------------------------------------------------------
Samba was changing permissions of user files and directories
to be set like -rw-r--r-- and drwxr-xr-x respectively
(for files and directories created from Windows on the Linux filesystem).

There was no easy way to get Samba to produce a directory
setting like drwxrwsr-x.

Therefore, Samba (smb.conf) should be configured with:
   create mode = 0664
   directory mode = 0775

This will violate the rules in SECTION 3 (directories come out as 0775
rather than the required drwxrwsr-x, i.e. 2775), but will allow
things to work.

Of course (sigh...), if a user generates a directory with
Windows and then logs into the Linux filesystem and
creates a file under that directory, the file will
be of the mode 0644 (-rw-r--r--).

So, the real solution would be to edit the Samba source
code and recompile Samba.
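The shell functions below are an added example and not part of LON-CAPA: they audit a public_html tree against the SECTION 3 modes and ownership, and re-apply the modes after the drift SECTION 4 describes (a Samba-created 0775 directory and a 0644 file created beneath it). The function names, the sample tree and the user/group passed in are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not LON-CAPA's own code: audit a public_html tree against the
# SECTION 3 rules and repair the drift SECTION 4 describes (a Samba-created
# directory without setgid, and a 0644 file created beneath it afterwards).
# Needs POSIX find(1); ownership is checked but not changed (that needs root).

# audit_public_html DIR USERNAME [GROUP]
#   Prints one line per offending entry ("RULE path"); GROUP defaults to USERNAME.
#   Returns 0 when the tree is clean, 1 otherwise.
audit_public_html() {
    dir=$1 user=$2 grp=${3:-$2}
    out=$(
        # Files must be exactly -rw-rw-r-- (0664).
        find "$dir" -type f ! -perm 0664 | sed 's/^/FILE-MODE /'
        # Directories, public_html itself included, must be drwxrwsr-x (2775);
        # the setgid bit is what keeps new files in USERNAME's group.
        find "$dir" -type d ! -perm 2775 | sed 's/^/DIR-MODE /'
        # Group must be USERNAME; owner USERNAME, or www where that account exists.
        find "$dir" ! -group "$grp" | sed 's/^/GROUP /'
        if id www >/dev/null 2>&1; then
            find "$dir" ! -user "$user" ! -user www | sed 's/^/OWNER /'
        else
            find "$dir" ! -user "$user" | sed 's/^/OWNER /'
        fi
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# fix_public_html DIR
#   Re-applies the SECTION 3 modes. The setgid bit on directories is the part
#   "directory mode = 0775" in smb.conf cannot supply.
fix_public_html() {
    find "$1" -type d -exec chmod 2775 {} + &&
    find "$1" -type f -exec chmod 0664 {} +
}

# make_sample_tree
#   Constructed sample data: one correct directory and file beside a
#   "Samba-created" 0775 directory holding a 0644 file. Prints the tree root.
make_sample_tree() {
    t=$(mktemp -d)/public_html
    mkdir -p "$t/good" "$t/fromsamba"
    : > "$t/good/a.problem"; : > "$t/fromsamba/b.problem"
    chmod 2775 "$t" "$t/good"; chmod 0664 "$t/good/a.problem"
    chmod 0775 "$t/fromsamba"; chmod 0644 "$t/fromsamba/b.problem"
    echo "$t"
}
```

On a real server run `audit_public_html /home/USERNAME/public_html USERNAME` as root; the sample tree only exercises the mode checks, since its entries are owned by whoever runs it.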
