Controlling Group Read/Write Access to a Directory

Question: Our official University organization has a directory on the www.udel.edu web server. Our group is currently working on a new version. We would like this new version to only be available to the members of our group. How should we set things up so our draft version is available over the Web to only members of our group to review and edit?
Answer: The easiest way to do what you want is to make a separate directory in your official www.udel.edu server directory. There are two ways you or any member of your group can potentially get to the pages in this directory: (1) over the web or (2) from a copland account. For example, if your group directory name is ourGroup and your private directory name is draft, then you can get to it using any web browser and the
URL = http://www.udel.edu/ourGroup/draft/
or from your copland account using the full directory name
directory = /www/htdocs/ourGroup/draft/
It is important to restrict access to this directory for both Web users and copland users. If you are using the edit/publish feature of Netscape Composer, then you need to set the publish URL to
URL = ftp://copland.udel.edu/www/htdocs/ourGroup/draft/
This is because ftp on copland can write to the files using the full directory name.

Once the directory is created, using the mkdir Unix command, you must do several things to safely restrict it to just your group.

  1. Set the group ownership of this directory so your group owns the pages in this directory.
  2. Set the permission modes so members of your group can get to the information but others can not.
  3. Put the www account name in the file access control list so the information will be available on the web to your group.
  4. Put a special file called .htaccess in this directory so that only members of your group can get to the pages in this directory.

Initial Commands to set the access on the directory

Here we assume you already have a directory named ourGroup and this directory is owned by your project - 0217. Any user with read/write access to this directory can execute the following commands.
[1]% cd /www/htdocs/ourGroup/
[2]% mkdir draft
[3]% chgrp 0217 draft
[4]% chmod g+rwxs draft
[5]% setfacl -r -m u:www:r-x draft
[6]% echo "AuthType Basic\
<limit GET>\
require group 0217\
</limit>" > draft/.htaccess
[7]% chmod o+r draft/.htaccess
Here is an explanation of these 7 commands:
[1]% cd /www/htdocs/ourGroup/
This changes to your group directory; you must have execute access to this directory.
[2]% mkdir draft
This will make a new directory in the group directory. You must have write access to the group directory to do this and the directory name must be new.
[3]% chgrp 0217 draft
This change group command will set the correct group ownership of the directory. This is necessary so members of your group can read and write to the files using Unix commands. It is also necessary if you want group members to be able to use the Netscape "publish" feature.
[4]% chmod g+rwxs draft
This change permission mode command will allow access for your group to read, write and use the directory. The "s" will also make it so all pages will automatically be set with the proper group ownership.
[5]% setfacl -r -m u:www:r-x draft
This set file access control command will set things so the www user can get to your pages. This is necessary so your members can use a local web browser on a PC or Mac to get to the files.
[6]% echo ... > draft/.htaccess
The echo command will write a file with four lines.
AuthType Basic
<limit GET>
require group 0217
</limit>
You can use an editor like pico to put these lines in the file if you prefer.
[7]% chmod o+r draft/.htaccess
Finally, the new .htaccess file must be readable to others so the www user can read it and decide whether or not a web browser can get to your information.

Start with the index.html file.

The index.html is the special name used for the main html file which your members will see when they enter your private web page. As the name implies, this usually has links to the various parts of your web page. It is probably a good idea to give every member of your group write access to this file. This will give them the ability to add links to their parts of the total web page as they are completed and tested.

Here are the commands to set up the index.html. Any member of the working group can issue these commands from inside the ourGroup directory. (Use the cd command to change to this directory if you are not already in it.)
[1]% touch draft/index.html
[2]% chmod a+r,g+w draft/index.html
Here is an explanation of these 2 commands:

[1]% touch draft/index.html
This touch command will create an empty file named index.html
[2]% chmod a+r,g+w draft/index.html
This is the change permission mode command on the index.html file to allow "all read" and "group write".

What can you do now?

New Files: This is all you need to get going. One member of your group should start by putting something interesting in the index.html file. This can point to graphics and other html files, which need to be added to the directory. This file may also contain a frameset if you are using frames. If you have one set of members in charge of the graphics, they can create the graphics anyplace they like, and then use ftp to transfer the graphics files to this location.

The graphics and new html files should be tested before they are added to the index.html file. You can test them by typing the full location name in the Netscape "location" window. Once they are tested they can be added to the common index.html file.

Whatever method you use to put files in the directory, check to make sure your files are readable to all and writable by the group. This way any member of your group can download them using Netscape, modify them and publish the modified pages. No other user can do this; in fact, they can not even see the files if they try to load them. If any file is incorrectly permitted, then the owner of the file can issue the command chmod a+r,g+w file name to correct the permission modes. This command only needs to be done on new files; Netscape publishing does not change the permission modes on existing files.

Changing Files: With this setup each user can create, rename and modify any file in the group directory. It is easy to destroy some other member's work, so be careful. If two members simultaneously download the same file to their PC for editing, then one will be surprised to see their modifications lost when the older modified version is loaded by the other member. This should not be too much of a problem if all changes to common files are kept short, and longer changes are put in separate files that only one member is working on. In the worst case, you may need to make your changes again.

New directories: If you want to add a subdirectory to organize your information even further, use the Unix mkdir command just as above. The directories should be executable and have the set-group-ID bit set. The Unix command for correct directory permission modes is: chmod a+rx,g+ws directory name
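
A check for the permission rules described on this page, as an added example that is not part of the original page: the script walks the draft directory and reports any directory without group rwx plus the setgid bit, any file that is not readable to all and writable by the group, and an .htaccess that is missing, unreadable to others or lacks the require group line. The function names are made up for this example; it reads modes and groups from ls -ld output and does not inspect the ACL entry for the www user.

```shell
#!/bin/sh
# Added example: audit a directory tree against the permission rules on this page.

# Print "MODE GROUP" for one path, e.g. "drwxrws--- 0217" (parsed from ls -ld).
# substr() drops the trailing "+" or "." that some systems append to the mode.
mode_group() { ls -ld "$1" | awk '{print substr($1, 1, 10), $4}'; }

# Print one line per deviation from the page's rules; nothing if all is well.
list_problems() {
    dir=$1 group=$2
    [ -f "$dir/.htaccess" ] || echo "$dir/.htaccess: missing, no web restriction"
    find "$dir" \( -type d -o -type f \) | while IFS= read -r p; do
        set -- $(mode_group "$p"); mode=$1
        [ "$2" = "$group" ] || echo "$p: group is $2, expected $group"
        case $p in
        */.htaccess)    # must be readable by others and name the group
            case $mode in ???????r??) ;; *) echo "$p: needs chmod o+r" ;; esac
            grep -Fq "require group $group" "$p" 2>/dev/null ||
                echo "$p: no 'require group $group' line" ;;
        *)  if [ -d "$p" ]; then    # directories: group rwx plus setgid
                case $mode in ????rws???) ;; *) echo "$p: needs chmod g+rwxs" ;; esac
            else                    # files: readable to all, writable by group
                case $mode in ?r??rw?r??) ;; *) echo "$p: needs chmod a+r,g+w" ;; esac
            fi ;;
        esac
    done
}

# Return 0 if the tree is clean, otherwise print the problems and return 1.
audit_draft() {
    problems=$(list_problems "$1" "$2")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Example call with the page's names: audit_draft /www/htdocs/ourGroup/draft 0217
```

Run it after publishing new files or creating subdirectories; each reported line names the chmod or chgrp fix from the sections above.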