File:  [LON-CAPA] / doc / permissions.txt
Revision 1.2
Sun Jul 28 17:36:24 2002 UTC (21 years, 8 months ago) by harris41
Branches: MAIN
fixing samba glitch description

--------------------------------------------------------------------------
Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
  contributed by Scott, sharrison@users.sourceforge.net
--------------------------------------------------------------------------

0. Synopsis

1. The 'users' group

2. The 'www' user and group (/home/httpd/html/res/)

3. /home/USERNAME/public_html/*

4. The Samba glitch

**************************************************************************

--------------------------------------------------------------------------
SECTION 0. Synopsis
--------------------------------------------------------------------------
(This file is only meant for those with experience administering
 a Linux filesystem.)

* THERE SHOULD NEVER BE A GROUP CALLED 'users'
* /home/httpd/html/res/* should be -rw-r--r--
                         and owned by www:www
* For any filesystem user,
  /home/USERNAME/public_html/* should be -rw-rw-r--
                               and owned by USERNAME:USERNAME
                               (www:USERNAME is also okay)
                               for _all_ the files
  /home/USERNAME/public_html/* should be drwxrwsr-x
                               and owned by USERNAME:USERNAME
                               (www:USERNAME is also okay)
                               for _all_ the subdirectories
                               including /home/USERNAME/public_html

--------------------------------------------------------------------------
SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
--------------------------------------------------------------------------
Early installations of LON-CAPA erroneously made use of the 'users' group.
The 'users' group is conventionally meant to indicate individual users
BELONGING to a group called 'users'.

For example:
  A user named USER1 is a member of a group named 'users'.
  A user named USER2 is a member of a group named 'users'.
  A user named USER3 is a member of a group named 'users'.

However, on a LON-CAPA system, it is seldom the case that
USER1 should be able to access and/or alter USER2's information
directly through the filesystem.

Therefore, the conventional notion of a 'users' group is INVALID
for the purposes of LON-CAPA.

What is necessary on a LON-CAPA server system is a POWERFUL-USER
that belongs to one-member groups.

For example: (This describes what we DO want)
  A user named POWERFUL-USER is a member of a group named 'USER1'.
  A user named POWERFUL-USER is a member of a group named 'USER2'.
  A user named POWERFUL-USER is a member of a group named 'USER3'.

Since LON-CAPA is essentially a world-wide web program, the
POWERFUL-USER exists by the name 'www'.

**************************************************************************

--------------------------------------------------------------------------
SECTION 2. The 'www' user and group (/home/httpd/html/res/)
--------------------------------------------------------------------------
'www' needs to run important LON-CAPA programs on a LON-CAPA server.
No other entities need to run or access most of the LON-CAPA programs
via the filesystem.

Therefore most of the LON-CAPA *software* files
(described in loncapa/doc/loncapafiles/loncapafiles.lpml)
should be owned by user=www and group=www (www:www).

The LON-CAPA published files (/home/httpd/html/res)
should also be owned by user=www and group=www (www:www).

**************************************************************************

--------------------------------------------------------------------------
SECTION 3. /home/USERNAME/public_html/*
--------------------------------------------------------------------------
'www' also needs the power to ACCESS and ALTER user directories on a
LON-CAPA server as described in this section.

/home/USERNAME/public_html/* should be -rw-rw-r--
                             and owned by USERNAME:USERNAME
                             (www:USERNAME is also okay)
                             for _all_ the files

/home/USERNAME/public_html/* should be drwxrwsr-x
                             and owned by USERNAME:USERNAME
                             (www:USERNAME is also okay)
                             for _all_ the subdirectories
                             including /home/USERNAME/public_html/

**************************************************************************

--------------------------------------------------------------------------
SECTION 4. The Samba glitch
--------------------------------------------------------------------------
Samba was changing permissions of user files and directories
to be set like -rw-r--r-- and drwxr-xr-x respectively
(going from Windows to Linux).

There was no easy way to get Samba to produce a directory
setting like drwxrwsr-x.

Therefore, Samba (smb.conf) should be configured with:
   create mode = 0664
   directory mode = 0775

This will allow LON-CAPA to operate properly although
the rules in SECTION 3 are violated.

Difficulty could still emerge though, if a user
generates a directory with Windows and then logs
into the Linux filesystem and creates a file under
that directory (the file would, alas, be of the
mode 0644 (-rw-r--r--)).

Currently, for cases like this, we consider it to
be the responsibility of the user (who logs directly
into the Linux filesystem) to make proper use of the
'chmod' command.
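
Added example (not part of the original LON-CAPA document or code):
a Python audit of one user's public_html tree against the SECTION 3
rules, which reports the SECTION 4 Samba case (a 0775 directory without
setgid) as a warning and the 0644 file case as a failure. The function
names and the WARN/FAIL labels are assumptions of this example.

```python
import grp
import os
import pwd
import stat

FILE_MODE = 0o664       # -rw-rw-r--, SECTION 3 rule for files
DIR_MODE = 0o2775       # drwxrwsr-x, SECTION 3 rule for directories
SAMBA_DIR_MODE = 0o775  # drwxrwxr-x, what "directory mode = 0775" yields


def check_entry(mode, is_dir, owner, group, username):
    """Return (severity, message) findings; the labels are this example's own."""
    findings = []
    perms = stat.S_IMODE(mode)
    if owner not in (username, "www"):
        findings.append(("FAIL", f"owner {owner}, expected {username} or www"))
    if group != username:
        findings.append(("FAIL", f"group {group}, expected {username}"))
    if is_dir and perms == SAMBA_DIR_MODE:
        # Tolerated per SECTION 4; files later created under it from a
        # Linux login can still end up 0644 and are reported on their own.
        findings.append(("WARN", "mode 0775, setgid bit missing"))
    elif perms != (DIR_MODE if is_dir else FILE_MODE):
        want = "2775" if is_dir else "0664"
        findings.append(("FAIL", f"mode {perms:04o}, expected {want}"))
    return findings


def _name(getter, ident):
    try:
        return getter(ident)[0]   # pw_name / gr_name
    except KeyError:
        return str(ident)         # uid/gid with no passwd/group entry


def audit_tree(root, username):
    """Check root itself and everything below it; symlinks are skipped."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            owner = _name(pwd.getpwuid, st.st_uid)
            group = _name(grp.getgrgid, st.st_gid)
            for sev, msg in check_entry(st.st_mode, stat.S_ISDIR(st.st_mode),
                                        owner, group, username):
                report.append((sev, path, msg))
    return report
```

Call audit_tree('/home/USER1/public_html', 'USER1') and print each
(severity, path, message) tuple; an empty list means the tree is compliant.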
