[LON-CAPA-admin] filesystem permissions question

Todd Ruskell truskell at mines.edu
Mon Sep 22 18:29:39 EDT 2008


Thanks Stuart,

Adding user www to all the new groups was the piece I was missing.

Todd

Stuart Raeburn wrote:
> Todd,
> 
> The key thing here is to ensure that user www is a member of the groups
> created for each of the filesystem authenticated users.
> 
> What does the following report?
> groups www
> 
> The default permissions for filesystem-authenticated users:
> /home/$username drwx--x--- (with ownership: $username:$username)
> /home/$username/public_html drwxrws---  (with ownership:
> $username:$username)
> 
> allow access to Construction Space for filesystem-authenticated users in
> a test instance of LON-CAPA which I run on Centos 5.
> 
> I did get access forbidden if I changed permissions to:
> /home/$username drwx------ (with ownership: $username:$username)
> 
> I don't see too much of a problem in changing permissions to:
> /home/$username drwx--x--x (with ownership: $username:$username)
> 
> as the difference between this and drwx--x--- is that any user on the
> system (not just $username and members of the $username group) will now
> be able to list the contents of /home/$username.
> 
> As noted in a caveat included on the LON-CAPA hardware upgrade page
> (http://loncapa.org/hardwareupgrade.html) when transitioning from SuSE
> to Red Hat/Fedora/CentOS and vice versa it is recommended that
> filesystem-based users are created from the command line on the new
> system because the different distributions use different encryption
> algorithms, so transferring /etc/passwd etc. will be unsuccessful.
> 
> In order to preserve uids and gids between the old system and the new
> system, you'd need to use the -g and -u options with useradd when
> creating the new users to force use of the corresponding uids and gids
> from the old system.
> 
> Starting with LON-CAPA 2.5, the ability to add new filesystem
> authenticated users was eliminated except when using perl
> make_domain_coordinator.pl from the command line.  For the future,
> webDAV access to user directories is being considered as a replacement
> for login to accounts on the server for filesystem-authenticated users
> who need to achieve tasks which are not easy to carry out using the
> current Construction Space GUI provided as part of LON-CAPA.
> 
> Stuart Raeburn
> MSU LON-CAPA group
> 
> Quoting Todd Ruskell <truskell at mines.edu>:
> 
>> Hi,
>>
>> I just did a library server migration from Suse 9.3/LON-CAPA 2.6.3 to
>> CentOS 5/LON-CAPA 2.7.  On the old server, we had a "dummy" user which
>> contained a library of problems, and there was an actual username with a
>> local login account on that server.
>>
>> I decided that the local login account was no longer needed on the new
>> server, so didn't create it.  So when I copied files over via rsync,
>> that directory tree is now owned by UID 2136, but that UID is no longer
>> attached to a specific user.
>>
>> Now, when I log into LON-CAPA on the new system as either author or
>> co-author, I could not enter construction space, due to a lack of
>> permissions.  This actually happens even for users who have local
>> accounts on the new system:
>>
>> "Forbidden
>> You don't have permission to access /~username/ on this server."
>>
>> Further investigation revealed that a directory listing of the home
>> directory on the filesystem of the new server reveals the following:
>>
>> # ls -al
>> total 40
>> drwx--x---  3 2136 2136 4096 Jul 20  2003 .
>> drwxr-xr-x 54 root root 4096 Aug 15 11:19 ..
>> -rw-------  1 2136 2136  123 Jul 20  2003 .bash_history
>> -rw-r--r--  1 2136 2136   24 Jul 20  2003 .bash_logout
>> -rw-r--r--  1 2136 2136  191 Jul 20  2003 .bash_profile
>> -rw-r--r--  1 2136 2136  124 Jul 20  2003 .bashrc
>> -rw-r--r--  1 2136 2136  854 Jul 20  2003 .emacs
>> -rw-r--r--  1 2136 2136  118 Jul 20  2003 .gtkrc
>> drwxrwsr-x 35 www  www  4096 Jan 23  2008 public_html
>>
>> Note that the home directory is *not* executable by all.  Doing a chmod
>> a+x to the home directory seems to fix all access problems.  At one
>> level this makes sense to me, but is it something I should be doing?  Or
>> does access need to be granted in some other way?
>>
>> Thanks,
>>
>> Todd
>>
>> -- 
>> Dr. Todd Ruskell
>> Senior Lecturer, Department of Physics       Office:  Meyer Hall 326
>> Colorado School of Mines                     Phone: 303-384-2080
>> 1523 Illinois Street                         Fax: 303-273-3919
>> Golden, CO 80401
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>>
> 
> 

-- 
Dr. Todd Ruskell
Senior Lecturer, Department of Physics       Office:  Meyer Hall 326
Colorado School of Mines                     Phone: 303-384-2080
1523 Illinois Street                         Fax: 303-273-3919
Golden, CO 80401
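The thread turns on the POSIX search-permission rule: to reach /home/$username/public_html, the Apache user www must hold the execute bit on every directory along the path, and only one permission class (owner, else group, else other) is consulted for each directory. The following is an added example, not code from the thread or from LON-CAPA, that models that rule for the listing Todd posted. The directory modes and the orphaned uid/gid 2136 come from the listing; the uid/gid of www (48) and the path name "username" are assumptions.

```python
"""Model the POSIX search-permission check Apache (user www) must pass
to reach /home/$username/public_html, using the listing from the thread.

Added example, not part of the LON-CAPA thread. Directory modes and the
orphaned uid/gid 2136 are taken from the `ls -al` output; www's uid/gid
(48) and the home directory name are assumptions.
"""
import stat
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class DirEntry:
    path: str
    mode: int   # permission bits, as stat.S_IMODE() would report them
    uid: int
    gid: int

def mode_from_ls(perm: str) -> int:
    """Convert an `ls -l` permission string such as 'drwxrwsr-x' into
    permission bits, including setuid/setgid/sticky."""
    if len(perm) != 10:
        raise ValueError("expected a 10-character ls permission string")
    classes = (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
    )
    bits = 0
    for i, (r, w, x, special, letter) in enumerate(classes):
        triple = perm[1 + 3 * i: 4 + 3 * i]
        if triple[0] == "r":
            bits |= r
        if triple[1] == "w":
            bits |= w
        if triple[2] == "x":
            bits |= x
        elif triple[2] == letter:          # 's'/'t': special bit plus exec
            bits |= x | special
        elif triple[2] == letter.upper():  # 'S'/'T': special bit, no exec
            bits |= special
    return bits

def can_search(entry: DirEntry, uid: int, gids: frozenset) -> bool:
    """POSIX DAC check for the search (execute) bit on one directory.
    Exactly one class applies: owner if the uid matches, otherwise group
    if any of the caller's groups match, otherwise other. Root bypasses."""
    if uid == 0:
        return True
    if uid == entry.uid:
        return bool(entry.mode & stat.S_IXUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IXGRP)
    return bool(entry.mode & stat.S_IXOTH)

def first_blocker(chain, uid, gids):
    """Path of the first directory the caller cannot search, else None."""
    for entry in chain:
        if not can_search(entry, uid, gids):
            return entry.path
    return None

# Constructed from the thread's listing; www's uid/gid 48 is assumed.
WWW_UID, WWW_GID = 48, 48
ORPHAN = 2136   # the uid/gid left over from the old server after rsync
CHAIN_AS_MIGRATED = (
    DirEntry("/home", mode_from_ls("drwxr-xr-x"), 0, 0),
    DirEntry("/home/username", mode_from_ls("drwx--x---"), ORPHAN, ORPHAN),
    DirEntry("/home/username/public_html", mode_from_ls("drwxrwsr-x"),
             WWW_UID, WWW_GID),
)

def blocker_as_migrated():
    """www is not in group 2136, so the 'other' class (---) applies."""
    return first_blocker(CHAIN_AS_MIGRATED, WWW_UID, frozenset({WWW_GID}))

def blocker_after_chmod_a_plus_x():
    """Todd's workaround: chmod a+x on the home directory (drwx--x--x)."""
    home = replace(CHAIN_AS_MIGRATED[1], mode=mode_from_ls("drwx--x--x"))
    chain = (CHAIN_AS_MIGRATED[0], home, CHAIN_AS_MIGRATED[2])
    return first_blocker(chain, WWW_UID, frozenset({WWW_GID}))

def blocker_after_group_fix():
    """Stuart's fix: keep drwx--x--- but make www a member of the group."""
    return first_blocker(CHAIN_AS_MIGRATED, WWW_UID,
                         frozenset({WWW_GID, ORPHAN}))

def blocker_with_700_home():
    """Stuart's 'access forbidden' case: drwx------ blocks even group members."""
    home = replace(CHAIN_AS_MIGRATED[1], mode=mode_from_ls("drwx------"))
    chain = (CHAIN_AS_MIGRATED[0], home, CHAIN_AS_MIGRATED[2])
    return first_blocker(chain, WWW_UID, frozenset({WWW_GID, ORPHAN}))

if __name__ == "__main__":
    for label, fn in (("as migrated", blocker_as_migrated),
                      ("chmod a+x", blocker_after_chmod_a_plus_x),
                      ("www in group", blocker_after_group_fix),
                      ("home 700", blocker_with_700_home)):
        print(f"{label:13s} -> blocked at {fn()}")
```

The group-membership fix keeps the home directory closed to every other local account, whereas chmod a+x lets any user on the system traverse (though not list, since the read bit stays off) /home/$username, which is the trade-off Stuart describes. On a live system the same question is answered by `id -nG www` and `stat -c '%A %U:%G' /home/$username`, with the caveat that a reassigned uid such as 2136 must be matched with `useradd -u`/`-g` or the orphaned ownership will persist.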


