Group Access to Web Folders

Introduction

A Web folder is a UNIX directory on the www.udel.edu host machine. It is mounted on the central UNIX machines, copland and strauss, using the prefix /www/htdocs. This directory is where Web content providers can put information on the central University of Delaware machine. You can log in to UNIX and edit a file using an editor such as pico, you can copy files to this Web directory from your home directory, or you can create the files on some other machine and transfer them to the Web folder using sftp.

We are assuming in this document that the primary means of publishing information in a Web folder is through sftp. Programs such as Adobe Dreamweaver and Mozilla KompoZer can be configured to use sftp to publish the Web content. When you use sftp to transfer a new file to the UNIX directory that holds the Web folder, it is automatically made "browsable" to the world. This means that any user can see the information on the Web, and any University of Delaware user can read or download the file through their UNIX account. This is normally what you want for Web publishing.

Obviously, you do not want the entire world to be able to transfer files to your Web folder on the central University Web server. The ability to publish Web content, i.e., transfer files to a Web folder, is granted to the owner of the UNIX directory that holds the Web folder. When a Web folder is created, it is assigned to one UNIX account. If you are the owner, you are the only one who can transfer files to this directory using your UDelNet ID and password. This is called having write access to the directory, and you, as the owner, can assign write access to other users.

Here are detailed instructions with some discussion for five common scenarios:

Granting exclusive write access to a file

Scenario

You are the owner of the Web folder which contains an HTML file with the URL http://www.udel.edu/department/seminar/schedule.html. This file contains information that needs to be changed frequently, and you want to grant one other user exclusive write access so they can maintain this information. Your UDelNet ID is jsmith and the UDelNet ID of the other user is mjane, i.e., her email address is mjane@udel.edu.

UNIX Commands
 cd /www/htdocs/department/seminar
 chmod a=r schedule.html
 setfacl -r -m user:mjane:rw- schedule.html      
Session Listing
<1>% cd /www/htdocs/department/seminar 
<2>% chmod a=r schedule.html 
<3>% setfacl -r -m user:mjane:rw- schedule.html 
<4>% ls -l schedule.html 
-r--r--r--+  1 jsmith   1864      2575 Mar  1 14:05 schedule.html 
<5>% getfacl  schedule.html  

# file: schedule.html 
# owner: jsmith 
# group: 1864 
user::r-- 
user:mjane:rw-         #effective:rw- 
group::r--             #effective:r-- 
mask:rw- 
other:r-- 
Discussion

These three commands will normally be silent if they work properly. In the session listing above, we use two commands to check that things are set correctly. The ls -l gives a long-format listing, and the first few characters, -r--r--r--+, show that the standard permission modes grant only read access. The "+" sign indicates that there is additional access control information. To see it, use the getfacl command. The listing shows that mjane has read/write access to the file (indicated by the codes rw- appearing after the word "effective" on the user:mjane line). You only have read access (indicated by the codes r-- appearing on the first user:: line). Since you only have read access, mjane has exclusive write access. This is recommended, since two users cannot simultaneously modify the same file. Note that the "effective" column is what actually applies: the permissions in a named user entry are limited by the mask entry, which is why the -r option is used to recalculate the mask whenever an entry is added.

Since you are the owner, you can take back write access with the chmod command:

     chmod u+w schedule.html

You can also take away write access from mjane with the setfacl command:

     setfacl -d user:mjane schedule.html 

These two commands would put you back to the default settings, where only you, as the owner, have write access. The "+" sign will also no longer appear in the long-format listing.


Granting exclusive write access to a Web folder

Scenario

You are the owner of a Web folder and want to create a new Web folder to give another user a place to publish their Web content. Your Web folder is at the URL http://www.udel.edu/department/course101/. This is where you want to put a new directory, and you want to name it mjanepage. Your UDelNet ID is jsmith and the UDelNet ID of the other user is mjane. As the owner of the course101 Web folder, you can give any other user a directory for use within your directory.

UNIX Commands
 cd /www/htdocs/department/course101
 mkdir mjanepage
 chmod a=rx mjanepage
 setfacl -r -m user:mjane:rwx mjanepage 
Session Listing
<1>% cd /www/htdocs/department/course101 
<2>% mkdir mjanepage 
<3>% chmod a=rx mjanepage 
<4>% setfacl -r -m user:mjane:rwx mjanepage 
<5>% ls -dl mjanepage 
dr-xr-xr-x+  2 jsmith   1864         512 Mar  1 17:58 mjanepage 
<6>% getfacl mjanepage  

# file: mjanepage 
# owner: jsmith 
# group: 1864 
user::r-x 
user:mjane:rwx          #effective:rwx 
group::r--              #effective:r-x 
mask:rwx 
other:r-x 
Discussion

This is similar to the last example, but here you are opening access to a directory instead of to a file. When you are permitting directories, you must include search access, the "x" code, along with read and/or write; without search access a user cannot reach the files inside the directory even if they have permission on the files themselves.

These three commands will normally be silent if they work properly. In the above session listing, we used two commands to check that things are set correctly. The ls -dl gives a long-format listing of the directory, with the first few characters dr-xr-xr-x+ showing that the standard permission modes grant no write access. The "+" sign indicates that there is additional access control information. To see it, use the getfacl command. mjane has full access to the directory (indicated by the codes rwx appearing after the word "effective" on the user:mjane line). You only have read and search access, since the codes r-x appear on the first user:: line.

Important Note: You are granting write access to allow mjane to create new Web content. She may add many files and many levels of sub-directories. She can even create a directory and grant write access to a third user, just as you did for her. All of these files are owned by the user who puts them there. You will lose the ability to fix problems, since you cannot fix permission modes on files you do not own. You may even lose the ability to remove the mjane directory, which you own: you must have write access to every sub-directory if you want to remove the entire directory tree.

Since you are the owner, you can take back write access with the chmod command:

      chmod u+w mjanepage 

You can also take away write access from mjane with the setfacl command:

     setfacl -d user:mjane mjanepage 

but this may not do what you expect. The user mjane will still have write access to all the files she has put in the directory and can continue to modify them. She can also put new files in sub-directories she created while she had write access. The command

     setfacl -r -m user:mjane:r-- mjanepage 

sets her entry on the directory to read only, removing write access and search access, and thus prevents her from adding new files or modifying the files she owns inside it. She can still read them on the Web, just as the whole world can.


Making a Web folder that will be owned by another user

Scenario

You are the owner of a Web folder and want to create a new Web folder that will be owned by another user as a place to publish their Web content. Your UDelNet ID is jsmith, and your Web folder is at the URL http://www.udel.edu/department/faculty/. This is where you want to put a new directory named mjane to be owned by mjane. As the owner of the faculty Web folder, you can give mjane temporary full access to the directory for the purpose of creating her new directory.

UNIX Commands

Both users jsmith and mjane should be present for this session. Start by logging in as jsmith.

 cd /www/htdocs/department/faculty 
 setfacl -r -m user:mjane:rwx .
 su mjane
 mkdir -m 755 mjane
 exit
 setfacl -d user:mjane . 
Session Listing
<1>% cd /www/htdocs/department/faculty 
<2>% setfacl -r -m user:mjane:rwx . 
<3>% su mjane 
Password: XXXXXXXX 
Using project 4000, U. OF D. E-MAIL 
You have $49.24 remaining in this account. 
<1>% mkdir -m 755 mjane 
<2>% exit 
exit 
<4>% setfacl -d user:mjane . 
<5>% getfacl mjane  

# file: mjane 
# owner: mjane 
# group: 4000 
user::rwx 
group::r-x              #effective:r-x 
mask:r-x 
other:r-x 
Discussion

The goal in this example is similar to the last example, but here you are creating a directory that will be owned by a different user instead of giving a different user full access to a directory you own. The ownership of a new directory is determined by the current user and the current group. That is why we use the su (Switch User) command.

The commands cd, setfacl, and mkdir will normally be silent if they work properly. The command su starts a new shell as a new user and it reports that person's current project (group) and the money left in the account. The exit command exits the shell started by the su command and returns to the original shell. That is why the numbers continue with the number 4.

The setfacl command with the -m option modifies the access control list for the current directory to add full access for mjane. The su command will switch the user to mjane. Make a note of the project, since this will be the group associated with the new directory. In this session, the group is 4000. At the Password: prompt, have mjane type her password. It will not be echoed. The mkdir -m 755 command will make a new directory owned by mjane with no write access for others, including those in group 4000. (The middle number determines the group access.) The exit command brings the session back to the original shell. The setfacl command with the -d option will delete the entry for mjane and thus remove full access to the faculty directory.

The final getfacl command is just a check to make sure the new directory is properly permitted. Notice user::rwx which shows that the user mjane has full access, and other:r-x which shows that this can be used as a Web folder.

UNIX directory

/www/htdocs/department/faculty/mjane

Web site URL

http://www.udel.edu/department/faculty/mjane

Important Note: You are creating a directory owned by another user and not just granting write access to a directory you own. This is their directory and you cannot fix things from your account if they get in trouble. Everything has to be done within their account. As the owner of the faculty directory, there are still some things you can do.

Remove the directory (if it is empty)

rmdir mjane

Rename the directory

mv mjane mjane-old

Remove access to the parent directory

setfacl -r -m user:mjane:--- . 
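The getfacl listings in the file scenario above and the "Remove access to the parent directory" command just given both depend on the same rule: which ACL entry applies to a given user, and how the mask limits it. The following is an added example, not part of this page or of any University tool, that evaluates that rule on a listing in the format getfacl prints. The function name acl_effective and the listings ACL_FACULTY and ACL_STALE_MASK are constructed for this example; ACL_SCHEDULE is the getfacl output shown in the first scenario. It assumes the standard evaluation order (owner entry, then the user's own entry, then matching group entries, then other, with named user and group entries limited by the mask), which is what the #effective column reflects.

```shell
#!/bin/sh
# Added example: compute the effective permissions one user has on a file or
# directory from its getfacl listing. acl_effective, ACL_FACULTY and
# ACL_STALE_MASK are constructed for this example.

# getfacl output from the "exclusive write access to a file" scenario.
ACL_SCHEDULE='# file: schedule.html
# owner: jsmith
# group: 1864
user::r--
user:mjane:rw-         #effective:rw-
group::r--             #effective:r--
mask:rw-
other:r--'

# Constructed: the faculty directory after "setfacl -r -m user:mjane:--- ."
ACL_FACULTY='# file: .
# owner: jsmith
# group: 1864
user::rwx
user:mjane:---         #effective:---
group::r-x             #effective:r-x
mask:r-x
other:r-x'

# Constructed: like ACL_SCHEDULE, but with the mask left at r--, which is
# what you get if the mjane entry is added without the -r option.
ACL_STALE_MASK='# file: schedule.html
# owner: jsmith
# group: 1864
user::r--
user:mjane:rw-         #effective:r--
group::r--             #effective:r--
mask:r--
other:r--'

# acl_effective USER "GROUP ..." < listing
# Prints the rwx string USER ends up with: the owner entry if USER owns the
# object; otherwise USER's own user: entry; otherwise the union of every
# group entry for a group USER belongs to; otherwise other. Named user and
# group entries are ANDed with the mask, exactly as the #effective column shows.
acl_effective() {
    awk -v user="$1" -v groups="$2" '
    function and3(a, b,   o, i, c) {          # a AND b, position by position
        o = ""
        for (i = 1; i <= 3; i++) {
            c = substr(a, i, 1)
            o = o ((c != "-" && substr(b, i, 1) == c) ? c : "-")
        }
        return o
    }
    function or3(a, b,   o, i, c) {           # a OR b, position by position
        o = ""
        for (i = 1; i <= 3; i++) {
            c = substr(a, i, 1)
            o = o ((c != "-") ? c : substr(b, i, 1))
        }
        return o
    }
    BEGIN {
        n = split(groups, g, " ")
        for (i = 1; i <= n; i++) ingroup[g[i]] = 1
        mask = "rwx"; gperm = "---"; gmatch = 0
    }
    $1 == "#" && $2 == "owner:" { owner = $3; next }
    $1 == "#" && $2 == "group:" { ogroup = $3; next }
    /^#/ || NF == 0 { next }
    {
        split($1, f, ":")                      # kind, name, permissions
        if (f[1] == "user" && f[2] == "")        uperm = f[3]
        else if (f[1] == "user" && f[2] == user) nperm = f[3]
        else if (f[1] == "group" && f[2] == "" && (ogroup in ingroup)) {
            gperm = or3(gperm, f[3]); gmatch = 1
        } else if (f[1] == "group" && f[2] != "" && (f[2] in ingroup)) {
            gperm = or3(gperm, f[3]); gmatch = 1
        } else if (f[1] == "mask")  mask = f[2]
        else if (f[1] == "other")   operm = f[2]
    }
    END {
        if (user == owner)      print uperm
        else if (nperm != "")   print and3(nperm, mask)
        else if (gmatch)        print and3(gperm, mask)
        else                    print operm
    }'
}

# Usage: what can each user do with these objects?
printf '%s\n' "$ACL_SCHEDULE"   | acl_effective jsmith 1864   # r--  (owner entry, not a named entry)
printf '%s\n' "$ACL_SCHEDULE"   | acl_effective mjane  4000   # rw-
printf '%s\n' "$ACL_FACULTY"    | acl_effective mjane  4000   # ---  (user:mjane:--- beats other:r-x)
printf '%s\n' "$ACL_STALE_MASK" | acl_effective mjane  4000   # r--  (the mask limits the entry)
```

On the real server, pipe the output of getfacl into the function, e.g. getfacl schedule.html | acl_effective mjane 4000. The third listing is the case to watch for: an entry that reads rw- but a mask of r-- gives the user no write access at all, which is why every setfacl -m on this page is run with -r.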


Sharing write access to a file

Scenario

You are the owner of a Web folder that contains an HTML file with the URL http://www.udel.edu/department/seminar/schedule.html. This file contains information that needs to be changed frequently, and you want to share write access with some other users so they all can maintain the information (one at a time). The three users consist of you, jsmith, and the two other users: mjane and jdoe. You are all aware that only one user at a time will be able to successfully modify the file.

UNIX Commands
 cd /www/htdocs/department/seminar
 chmod og+r schedule.html
 setfacl -r -m user:mjane:rw- schedule.html
 setfacl -r -m user:jdoe:rw- schedule.html
Session Listing
<1>% cd /www/htdocs/department/seminar 
<2>% chmod og+r schedule.html 
<3>% setfacl -r -m user:mjane:rw- schedule.html 
<4>% setfacl -r -m user:jdoe:rw- schedule.html 
<5>% ls -l schedule.html 
-rw-r--r--+  1 jsmith   1864        5206 Mar  4 09:58 schedule.html 
<6>% getfacl schedule.html  

# file: schedule.html 
# owner: jsmith 
# group: 1864 
user::rw- 
user:jdoe:rw-           #effective:rw- 
user:mjane:rw-          #effective:rw- 
group::r--              #effective:r--
mask:rw- 
other:r-- 
Discussion

This is similar to the first example, but we are sharing the write access with several users. If possible, it is better to have just one user to avoid the possibility that two users try to modify the same file at the same time. You can add users to the access control list or remove them as needed.

These commands will normally be silent if they work. In the session listing above, we used two commands to check that things are set correctly. ls -l will give a long listing, and the first few characters, -rw-r--r--+, show that there is read access granted to all and write access granted to you as the owner. There is additional information indicated by the "+" sign. To see this additional information, use the getfacl command. jdoe and mjane also have write access to the file, which is indicated by the codes rw- appearing after the word "effective" on the lines with their UDelNet IDs.

Since you are the owner, you control the access control list. You can add other users with a setfacl command, just like the ones above, with a new UDelNet ID. You can also take away write access from a user. To take away write access for mjane, type the command:

      setfacl -d user:mjane schedule.html 

Deleting all users will put you back to the initial state where only you, as the owner, have write access. The "+" sign will also no longer appear in the long format listing.


Sharing group write access to a Web folder

You should be in a UNIX group created for Web development. See the document UNIX Groups for a description of UNIX groups. Once you have a group set up, you can use the next scenario to share your Web folder with the group.

Scenario

You are the owner of an empty Web folder, and you belong to a UNIX group created for Web development. You want all members of this group to have full and equal access to all Web content in this Web folder so that any member can create files and modify files created by other members of the group. Conversely, anybody not in the group can see the files, but they can not create new content, delete files, or modify existing files. Your empty Web folder is at the URL http://www.udel.edu/department/homepage/. This is where your group will be publishing Web content. Your UDelNet ID is jsmith and the UNIX group name is 0217. As the owner of the homepage Web folder, you can give your group full access to this directory.

UNIX Commands
 cd /www/htdocs/department/homepage
 chgrp 0217 .
 chmod g+rwxs,o+rx .
 setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x . 
Session Listing
<1>% cd /www/htdocs/department/homepage 
<2>% ls -l 
total 0 
<3>% chgrp 0217 . 
<4>% chmod g+rwxs,o+rx . 
<5>% setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x . 
<6>% ls -dl . 
drwxrwsr-x+  2 jsmith   0217         512 Mar  4 14:50 . 
<7>% getfacl .  

# file: . 
# owner: jsmith 
# group: 0217 
user::rwx 
group::rwx              #effective:rwx 
mask:rwx 
other:r-x 
default:user::rwx 
default:group::rwx 
default:mask:rwx 
default:other:r-x 
Discussion

Notice that commands <3> to <7> in the listing above have a trailing dot to indicate the current directory. For a discussion of UNIX groups, see the document UNIX Groups, and for a more in-depth discussion of these commands, see the document Group Sharing. In particular, the Group Sharing document describes some options if the Web directory is not empty.

The three commands, chgrp, chmod, and setfacl, will normally be silent if they work properly. In the session listing above, we used three commands to check that things are set correctly. The initial ls -l lists the contents to make sure the directory is empty. The command ls -dl gives a long listing of the directory, and the first few characters drwxrwsr-x+ show that this directory has group write access and the set-group-ID bit ("s"), so new content takes the directory's group. The "+" sign indicates that there is additional access control information. To see it, use the getfacl command. You, as the owner, have full access since the codes rwx appear on the first user:: line. Your group, 0217, also has full access since the codes rwx appear on the first group:: line and the mask is rwx. Finally, check the defaults listed by the getfacl command. The defaults will be used to set permissions for all new Web content. With these defaults, all new Web files and directories will be set correctly for group sharing.

It is important to note that you are granting full access to any member of group 0217, which allows them to create new Web content. They may add many files with many levels of sub-directories. All of these files are owned by the user putting them there. You will lose the ability to fix problems, since you cannot fix permission modes on files you do not own, but with the correct defaults, you will have write access to every sub-directory. This gives you (and other members of the group) the ability to remove or rename files, which can be used to fix problems on the homepage. It is possible for members of your group to take away these default permissions for any files or directories they own.

Cooperation is essential. Remember, only one person at a time can modify a file. Members of your group should not change permission modes from the defaults. Also removing and renaming files should be used with care and only when the owner of the files is not available to fix the problem.
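Because the group setup depends on three separate things (the group on the directory, the set-group-ID bit, and the default ACL entries), it is worth checking all of them after the setup commands and again after the first file is uploaded. The following is an added example, not part of this page or of any University tool, that performs that check on the ls -dl and getfacl output. The names check_dir_mode, check_acl and check_group_share are chosen for this example; GOOD_LS and GOOD_ACL are copied from the session listing above, and BAD_LS and BAD_ACL are constructed to show a broken setup.

```shell
#!/bin/sh
# Added example: verify that a Web folder is set up for group sharing as
# described on this page. The function names are chosen for this example.

# ls -dl and getfacl output from the session listing on this page.
GOOD_LS='drwxrwsr-x+  2 jsmith   0217         512 Mar  4 14:50 .'
GOOD_ACL='# file: .
# owner: jsmith
# group: 0217
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x'

# Constructed: chmod was run without the "s", the mask was left at r-x (so
# the group entry reads rwx but is r-x in effect), and no defaults were set.
BAD_LS='drwxrwxr-x+  2 jsmith   0217         512 Mar  4 14:50 .'
BAD_ACL='# file: .
# owner: jsmith
# group: 0217
user::rwx
group::rwx              #effective:r-x
mask:r-x
other:r-x'

# check_dir_mode GROUP "<ls -dl line>": the group column must be GROUP and
# the group-execute position must be "s" (set-group-ID), so that new
# content takes the directory's group rather than the creator's project.
check_dir_mode() {
    _grp=$1
    set -- $2                 # split the ls line into its columns
    [ "$4" = "$_grp" ] || { echo "group is $4, expected $_grp"; return 1; }
    case "$1" in
        d?????s???*) return 0 ;;
        *) echo "set-group-ID bit not set on directory (mode $1)"; return 1 ;;
    esac
}

# check_acl GROUP < listing: every access and default entry must match the
# setup on this page, and nothing else may be present.
check_acl() {
    awk -v grp="$1" '
    BEGIN {
        want["user:"]  = "rwx"; want["default:user:"]  = "rwx"
        want["group:"] = "rwx"; want["default:group:"] = "rwx"
        want["mask"]   = "rwx"; want["default:mask"]   = "rwx"
        want["other"]  = "r-x"; want["default:other"]  = "r-x"
    }
    $1 == "#" && $2 == "group:" { hdrgroup = $3; next }
    /^#/ || NF == 0 { next }
    {
        n = split($1, f, ":")
        perm = f[n]                                   # last field is the permission
        key = substr($1, 1, length($1) - length(perm) - 1)
        got[key] = perm
    }
    END {
        bad = 0
        if (hdrgroup != grp) { print "group is " hdrgroup ", expected " grp; bad++ }
        for (k in want) {
            if (!(k in got)) { print "missing entry " k; bad++ }
            else if (got[k] != want[k]) { print k " is " got[k] ", expected " want[k]; bad++ }
        }
        for (k in got) if (!(k in want)) { print "unexpected entry " k ":" got[k]; bad++ }
        exit (bad > 0)
    }'
}

# check_group_share GROUP "<ls -dl line>" < listing: run both checks and
# report every problem found; returns 0 only if everything is right.
check_group_share() {
    _rc=0
    check_dir_mode "$1" "$2" || _rc=1
    check_acl "$1" || _rc=1
    return $_rc
}

# Usage on the real server:  getfacl . | check_group_share 0217 "$(ls -dl .)"
printf '%s\n' "$GOOD_ACL" | check_group_share 0217 "$GOOD_LS" && echo "homepage: OK"
printf '%s\n' "$BAD_ACL"  | check_group_share 0217 "$BAD_LS"  || echo "homepage: needs fixing"
```

Run the same check on a newly created sub-directory after the first upload: if its group is not 0217 or the group entry shows a smaller value after "effective" than rwx, the defaults did not carry over and the setup commands above need to be repeated on that sub-directory by its owner.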

Changing Content

If you notice there is an error in one of your group Web pages, you should have the owner of the file fix the problem. They can edit the file on UNIX using an editor such as pico or download the file to a PC, fix the problem, and then upload the corrected file back to the same location on the server. Since you have properly set up the Web folder, any member of your group can do the same thing.

Changing Permission

If you notice there is an access error in one of your group Web pages, this means that the permission modes are incorrect. This should not happen with this setup, but if it does, the owner of the file will have to log in to UNIX and issue the following UNIX commands (assume that the file with the access problem is index.html):

      cd /www/htdocs/department/homepage/
      chmod o+rX index.html 

If you can not find the owner, any member of the group can fix the problem with the following commands:

      cd /www/htdocs/department/homepage/
      mv index.html index-bad.html
      cp index-bad.html index.html
      chmod o+rX index.html 

You just moved the bad file to a safe location and named it index-bad.html. Then you made a copy which you will own with the original name. You own this file and can fix the permission modes with the chmod command. Later you should have the owner of the bad file remove it with the rm command.
