--------------------------------------------------------------------------
Filesystem Permissions for 'www' and User Directories on a LON-CAPA system
contributed by Scott, sharrison@users.sourceforge.net
--------------------------------------------------------------------------

0. Synopsis
1. The 'users' group
2. The 'www' user and group (/home/httpd/html/res/)
3. /home/USERNAME/public_html/*
4. The Samba glitch

**************************************************************************

--------------------------------------------------------------------------
SECTION 0. Synopsis
--------------------------------------------------------------------------

(This file is only meant for those with experience administering a Linux
filesystem.)

* THERE SHOULD NEVER BE A GROUP CALLED 'users'

* /home/httpd/html/res/* should be -rw-r--r-- and owned by www:www

* For any filesystem user,

  /home/USERNAME/public_html/* should be -rw-rw-r-- and
  owned by USERNAME:USERNAME (www:USERNAME is also okay)
  for _all_ the files

  /home/USERNAME/public_html/* should be drwxrwsr-x and
  owned by USERNAME:USERNAME (www:USERNAME is also okay)
  for _all_ the subdirectories including /home/USERNAME/public_html

--------------------------------------------------------------------------
SECTION 1. The 'users' group (IT IS NOT NEEDED OR WANTED)
--------------------------------------------------------------------------

Early installations of LON-CAPA erroneously made use of the 'users' group.

The 'users' group is conventionally meant to indicate individual users
BELONGING to a group called 'users'.

For example:
  A user named USER1 is a member of a group named 'users'.
  A user named USER2 is a member of a group named 'users'.
  A user named USER3 is a member of a group named 'users'.

However, on a LON-CAPA system, it is seldom the case that USER1 should be
able to access and/or alter USER2's information directly through the
filesystem.
Therefore, the conventional notion of a 'users' group is INVALID for the
purposes of LON-CAPA.

What is necessary on a LON-CAPA server system is a POWERFUL-USER that
belongs to one-member groups.

For example: (This describes what we DO want)
  A user named POWERFUL-USER is a member of a group named 'USER1'.
  A user named POWERFUL-USER is a member of a group named 'USER2'.
  A user named POWERFUL-USER is a member of a group named 'USER3'.

Since LON-CAPA is essentially a world-wide web program, the POWERFUL-USER
exists by the name 'www'.

**************************************************************************

--------------------------------------------------------------------------
SECTION 2. The 'www' user and group (/home/httpd/html/res/)
--------------------------------------------------------------------------

'www' needs to run important LON-CAPA programs on a LON-CAPA server.
No other entities need to run or access most of the LON-CAPA programs
via the filesystem.

Therefore most of the LON-CAPA *software* files (described in
loncapa/doc/loncapafiles/loncapafiles.lpml) should be owned by user=www
and group=www (www:www).

The LON-CAPA published files (/home/httpd/html/res) should also be owned
by user=www and group=www (www:www).

**************************************************************************

--------------------------------------------------------------------------
SECTION 3. /home/USERNAME/public_html/*
--------------------------------------------------------------------------

'www' also needs the power to ACCESS and ALTER user directories on a
LON-CAPA server as described in the following section.

  /home/USERNAME/public_html/* should be -rw-rw-r-- and
  owned by USERNAME:USERNAME (www:USERNAME is also okay)
  for _all_ the files

  /home/USERNAME/public_html/* should be drwxrwsr-x and
  owned by USERNAME:USERNAME (www:USERNAME is also okay)
  for _all_ the subdirectories including /home/USERNAME/public_html/

**************************************************************************

--------------------------------------------------------------------------
SECTION 4. The Samba glitch
--------------------------------------------------------------------------

Samba was changing permissions of user files and directories to be set
like -rw-r--r-- and drwxr-xr-x respectively (going from Windows to Linux).

There was no easy way to get Samba to produce a directory setting like
drwxrwsr-x.

Therefore, Samba (smb.conf) should be configured with:

  create mode = 0664
  directory mode = 0775

This will allow LON-CAPA to operate properly although the rules in
SECTION 3 are violated.

Difficulty could still emerge, though, if a user generates a directory
with Windows and then logs into the Linux filesystem and creates a file
under that directory (the file would, alas, be of the mode 0644
(-rw-r--r--)).

Currently, for cases like this, we consider it to be the responsibility
of the user (who logs directly into the Linux filesystem) to make proper
use of the 'chmod' command.
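
Added example (not part of the original document or of LON-CAPA): a shell
audit of one user's public_html tree against the SECTION 3 modes and group,
run on a constructed tree that reproduces the SECTION 4 case. The function
names are hypothetical, and the caller's primary gid stands in for the
USERNAME group.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not LON-CAPA tooling).

# audit_public_html DIR GROUP
# Prints one line per SECTION 3 violation; returns 0 if clean, 1 otherwise.
audit_public_html() {
    dir=$1
    group=$2
    report=$(
        # Regular files must be exactly 0664 (-rw-rw-r--).
        find "$dir" -type f ! -perm 0664 -exec echo BAD-FILE-MODE {} \;
        # Directories must be exactly 2775 (drwxrwsr-x), setgid included.
        find "$dir" -type d ! -perm 2775 -exec echo BAD-DIR-MODE {} \;
        # Everything must carry the user's own group, which 'www' belongs to.
        find "$dir" ! -group "$group" -exec echo BAD-GROUP {} \;
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# fix_public_html DIR
# Resets modes only; ownership changes (chown/chgrp) are left to root.
fix_public_html() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# make_samba_tree: constructed sample reproducing SECTION 4: a directory
# created through Samba (0775, no setgid) holding a file created from a
# Linux login (0644). The caller's primary gid stands in for USERNAME.
make_samba_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/public_html/fromwin"
    : > "$t/public_html/fromwin/notes.txt"
    chgrp -R "$(id -g)" "$t"
    chmod 2775 "$t/public_html"
    chmod g-s,ug=rwx,o=rx "$t/public_html/fromwin"
    chmod 0644 "$t/public_html/fromwin/notes.txt"
    echo "$t/public_html"
}

# Demo: audit the constructed tree, repair it, audit again.
tree=$(make_samba_tree)
audit_public_html "$tree" "$(id -g)" || true
fix_public_html "$tree"
audit_public_html "$tree" "$(id -g)" && echo "clean: $tree"
rm -rf "${tree%/public_html}"
```

On a real server the call would be
audit_public_html /home/USERNAME/public_html USERNAME.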
