[LON-CAPA-admin] filesystem permissions question
Todd Ruskell
truskell at mines.edu
Mon Sep 22 18:29:39 EDT 2008
Thanks Stuart,
Adding user www to all the new groups was the piece I was missing.
Todd
Stuart Raeburn wrote:
> Todd,
>
> The key thing here is to ensure that user www is a member of the groups
> created for each of the filesystem authenticated users.
>
> What does the following report?
> groups www
>
> The default permissions for filesystem-authenticated users:
> /home/$username drwx--x--- (with ownership: $username:$username)
> /home/$username/public_html drwxrws--- (with ownership:
> $username:$username)
>
> allow access to Construction Space for filesystem-authenticated users in
> a test instance of LON-CAPA which I run on Centos 5.
>
> I did get access forbidden if I changed permissions to:
> /home/$username drwx------ (with ownership: $username:$username)
>
> I don't see too much of a problem in changing permissions to:
> /home/$username drwx--x--x (with ownership: $username:$username)
>
> as the difference between this and drwx--x--- is that any user on the
> system (not just $username and members of the $username group) will now
> be able to list the contents of /home/$username.
>
> As noted in a caveat included on the LON-CAPA hardware upgrade page
> (http://loncapa.org/hardwareupgrade.html) when transitioning from SuSE
> to Red Hat/Fedora/CentOS and vice versa it is recommended that
> filesystem-based users are created from the command line on the new
> system because the different distributions use different encryption
> algorithms, so transferring /etc/passwd etc. will be unsuccessful.
>
> In order to preserve uids and gids between the old system and the new
> system, you'd need to use the -g and -u options with useradd when
> creating the new users to force use of the corresponding uids and gids
> from the old system.
>
> Starting with LON-CAPA 2.5, the ability to add new filesystem
> authenticated users was eliminated except when using perl
> make_domain_coordinator.pl from the command line. For the future,
> webDAV access to user directories is being considered as a replacement
> for login to accounts on the server for filesystem-authenticated users
> who need to achieve tasks which are not easy to carry out using the
> current Construction Space GUI provided as part of LON-CAPA.
>
> Stuart Raeburn
> MSU LON-CAPA group
>
> Quoting Todd Ruskell <truskell at mines.edu>:
>
>> Hi,
>>
>> I just did a library server migration from Suse 9.3/LON-CAPA 2.6.3 to
>> CentOS 5/LON-CAPA 2.7. On the old server, we had a "dummy" user which
>> contained a library of problems, and there was an actual username with a
>> local login account on that server.
>>
>> I decided that the local login account was no longer needed on the new
>> server, so didn't create it. So when I copied files over via rsync,
>> that directory tree is now owned by UID 2136, but that UID is no longer
>> attached to a specific user.
>>
>> Now, when I log into LON-CAPA on the new system as either author or
>> co-author, I cannot enter construction space, due to a lack of
>> permissions. This actually happens even for users who have local
>> accounts on the new system:
>>
>> "Forbidden
>> You don't have permission to access /~username/ on this server."
>>
>> Further investigation revealed that a directory listing of the home
>> directory on the filesystem of the new server reveals the following:
>>
>> # ls -al
>> total 40
>> drwx--x--- 3 2136 2136 4096 Jul 20 2003 .
>> drwxr-xr-x 54 root root 4096 Aug 15 11:19 ..
>> -rw------- 1 2136 2136 123 Jul 20 2003 .bash_history
>> -rw-r--r-- 1 2136 2136 24 Jul 20 2003 .bash_logout
>> -rw-r--r-- 1 2136 2136 191 Jul 20 2003 .bash_profile
>> -rw-r--r-- 1 2136 2136 124 Jul 20 2003 .bashrc
>> -rw-r--r-- 1 2136 2136 854 Jul 20 2003 .emacs
>> -rw-r--r-- 1 2136 2136 118 Jul 20 2003 .gtkrc
>> drwxrwsr-x 35 www www 4096 Jan 23 2008 public_html
>>
>> Note that the home directory is *not* executable by all. Doing a chmod
>> a+x to the home directory seems to fix all access problems. At one
>> level this makes sense to me, but is it something I should be doing? Or
>> does access need to be granted in some other way?
>>
>> Thanks,
>>
>> Todd
>>
>> --
>> Dr. Todd Ruskell
>> Senior Lecturer, Department of Physics Office: Meyer Hall 326
>> Colorado School of Mines Phone: 303-384-2080
>> 1523 Illinois Street Fax: 303-273-3919
>> Golden, CO 80401
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>>
>
>
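A small check script, added here as an illustration and not part of the thread or of LON-CAPA, that tests the three conditions the exchange above turns on for one home directory: the owning UID maps to an account, the web server user (www) is in the owning group, and the home directory carries the group execute bit that lets that group traverse it. It assumes a Linux host with ls -n, getent and id; the function name check_construction_space is made up for this example.

```shell
#!/bin/sh
# Usage: check_construction_space /home/$username [webuser]  (webuser defaults to www)
# Prints one tagged line per problem found; returns 0 only when nothing is wrong.
check_construction_space() {
    home="$1"; webuser="${2:-www}"; rc=0
    if [ ! -d "$home" ]; then
        echo "not-a-directory: $home"; return 1
    fi
    # ls -ldn prints numeric owner/group, e.g. "drwx--x--- 3 2136 2136 4096 ... /home/x"
    set -- $(ls -ldn "$home")
    mode="$1"; uid="$3"; gid="$4"
    # A UID carried over by rsync that no account on the new host maps to
    if ! getent passwd "$uid" >/dev/null 2>&1; then
        echo "unmapped-uid: $home is owned by UID $uid, which has no account here"; rc=1
    fi
    # Position 7 of the mode string is the group execute bit ('x', or 's' when
    # setgid is also set); without it, group members cannot enter the directory.
    gx=$(printf '%s' "$mode" | cut -c7)
    if [ "$gx" != "x" ] && [ "$gx" != "s" ]; then
        echo "no-group-exec: $home is $mode; chmod g+x $home would allow group traversal"; rc=1
    fi
    # The group bit only helps the web server if it is in that group (cf. 'groups www')
    gname=$(getent group "$gid" 2>/dev/null | cut -d: -f1)
    in_group=0
    for g in $(id -G "$webuser" 2>/dev/null); do
        if [ "$g" = "$gid" ]; then in_group=1; fi
    done
    if [ "$in_group" -eq 0 ]; then
        echo "not-in-group: $webuser is not in group ${gname:-$gid}; usermod -a -G ${gname:-$gid} $webuser"; rc=1
    fi
    # public_html is expected to be drwxrws--- (group-writable with setgid)
    if [ -d "$home/public_html" ]; then
        set -- $(ls -ldn "$home/public_html")
        case "$1" in
            drwxrws*) ;;
            *) echo "public-html-mode: $home/public_html is $1, expected drwxrws---" ;;
        esac
    fi
    return $rc
}
```

Run it for each filesystem-authenticated user's home directory before trusting a chmod a+x workaround; the drwx--x--- layout is sufficient once www is in the user's group.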