[LON-CAPA-admin] filesystem permissions question

Stuart Raeburn raeburn at msu.edu
Mon Sep 22 16:24:58 EDT 2008


The key thing here is to ensure that user www is a member of the  
groups created for each of the filesystem authenticated users.

What does the following report?
groups www

The default permissions for filesystem-authenticated users:
/home/$username drwx--x--- (with ownership: $username:$username)
/home/$username/public_html drwxrws---  (with ownership: $username:$username)

allow access to Construction Space for filesystem-authenticated users  
in a test instance of LON-CAPA which I run on CentOS 5.

I did get access forbidden if I changed permissions to:
/home/$username drwx------ (with ownership: $username:$username)

I don't see too much of a problem in changing permissions to:
/home/$username drwx--x--x (with ownership: $username:$username)

as the difference between this and drwx--x--- is that any user on the  
system (not just $username and members of the $username group) will  
now be able to list the contents of /home/$username.

As noted in a caveat included on the LON-CAPA hardware upgrade page  
(http://loncapa.org/hardwareupgrade.html) when transitioning from SuSE  
to Red Hat/Fedora/CentOS and vice versa it is recommended that  
filesystem-based users are created from the command line on the new  
system because the different distributions use different encryption  
algorithms, so transferring /etc/passwd etc. will be unsuccessful.

In order to preserve uids and gids between the old system and the new  
system, you'd need to use the -g and -u options with useradd when  
creating the new users to force use of the corresponding uids and gids  
from the old system.

Starting with LON-CAPA 2.5, the ability to add new filesystem  
authenticated users was eliminated except when using perl  
make_domain_coordinator.pl from the command line.  For the future,  
WebDAV access to user directories is being considered as a replacement  
for login to accounts on the server for filesystem-authenticated users  
who need to achieve tasks which are not easy to carry out using the  
current Construction Space GUI provided as part of LON-CAPA.

Stuart Raeburn

Quoting Todd Ruskell <truskell at mines.edu>:

> Hi,
> I just did a library server migration from Suse 9.3/LON-CAPA 2.6.3 to
> CentOS 5/LON-CAPA 2.7.  On the old server, we had a "dummy" user which
> contained a library of problems, and there was an actual username with a
> local login account on that server.
> I decided that the local login account was no longer needed on the new
> server, so didn't create it.  So when I copied files over via rsync,
> that directory tree is now owned by UID 2136, but that UID is no longer
> attached to a specific user.
> Now, when I log into LON-CAPA on the new system as either author or
> co-author, I could not enter construction space, due to a lack of
> permissions.  This actually happens even for users who have local
> accounts on the new system:
> "Forbidden
> You don't have permission to access /~username/ on this server."
> Further investigation revealed that a directory listing of the home
> directory on the filesystem of the new server reveals the following:
> # ls -al
> total 40
> drwx--x---  3 2136 2136 4096 Jul 20  2003 .
> drwxr-xr-x 54 root root 4096 Aug 15 11:19 ..
> -rw-------  1 2136 2136  123 Jul 20  2003 .bash_history
> -rw-r--r--  1 2136 2136   24 Jul 20  2003 .bash_logout
> -rw-r--r--  1 2136 2136  191 Jul 20  2003 .bash_profile
> -rw-r--r--  1 2136 2136  124 Jul 20  2003 .bashrc
> -rw-r--r--  1 2136 2136  854 Jul 20  2003 .emacs
> -rw-r--r--  1 2136 2136  118 Jul 20  2003 .gtkrc
> drwxrwsr-x 35 www  www  4096 Jan 23  2008 public_html
> Note that the home directory is *not* executable by all.  Doing a chmod
> a+x to the home directory seems to fix all access problems.  At one
> level this makes sense to me, but is it something I should be doing?  Or
> does access need to be granted in some other way?
> Thanks,
> Todd
> --
> Dr. Todd Ruskell
> Senior Lecturer, Department of Physics       Office:  Meyer Hall 326
> Colorado School of Mines                     Phone: 303-384-2080
> 1523 Illinois Street                         Fax: 303-273-3919
> Golden, CO 80401
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
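
An added example, not part of the original messages: a small sh model of the owner/group/other permission check, applied to the directory modes discussed in this thread. The uid/gid 500 for user www and the function names are assumptions made for illustration; ACLs, SELinux and root's bypass are ignored.

```shell
#!/bin/sh
# Added example (not from the thread). Models only the classic Unix
# owner/group/other check: no ACLs, no SELinux, no root bypass.

# perm_digit MODE OWNER GROUP UID "GID GID ..."
# Prints the rwx digit (0-7) that applies to the process. Exactly one class
# is used: owner if the uid matches, else group if any gid matches, else other.
perm_digit() {
    pd_mode=$1; pd_owner=$2; pd_group=$3; pd_uid=$4; pd_gids=$5
    if [ "$pd_uid" = "$pd_owner" ]; then
        echo $(( (0$pd_mode >> 6) & 7 )); return 0
    fi
    for pd_g in $pd_gids; do
        if [ "$pd_g" = "$pd_group" ]; then
            echo $(( (0$pd_mode >> 3) & 7 )); return 0
        fi
    done
    echo $(( 0$pd_mode & 7 ))
}

# web_access HOME_MODE HOME_OWNER HOME_GROUP PUB_MODE PUB_OWNER PUB_GROUP UID "GIDS"
# The server needs search (x) on the home directory to reach public_html;
# rwx on public_html itself is assumed here, matching the default drwxrws---.
web_access() {
    wa_home=$(perm_digit "$1" "$2" "$3" "$7" "$8")
    wa_pub=$(perm_digit "$4" "$5" "$6" "$7" "$8")
    if [ $(( wa_home & 1 )) -eq 0 ]; then
        echo "blocked-at-home"
    elif [ "$wa_pub" -ne 7 ]; then
        echo "blocked-at-public_html"
    else
        echo "ok"
    fi
}

WWW=500   # constructed uid/gid for user www (assumption)
U=2136    # uid/gid shown in the quoted directory listing

# Default modes, www is a member of the user's group.
echo "710/2770, www in group:      $(web_access 710 $U $U 2770 $U $U $WWW "$WWW $U")"
# Home tightened to drwx------.
echo "700/2770, www in group:      $(web_access 700 $U $U 2770 $U $U $WWW "$WWW $U")"
# Assumed state after the migration: www is not a member of gid 2136.
echo "710, www not in group:       $(web_access 710 $U $U 2775 $WWW $WWW $WWW "$WWW")"
# chmod a+x on the home directory, public_html owned www:www as in the listing.
echo "711, www not in group:       $(web_access 711 $U $U 2775 $WWW $WWW $WWW "$WWW")"
# chmod a+x alone with the default public_html ownership and mode.
echo "711/2770 user-owned, no grp: $(web_access 711 $U $U 2770 $U $U $WWW "$WWW")"
```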
