A web folder is a Unix directory on the www.udel.edu host machine. It is mounted on all the central Unix machines, copland and strauss, using the prefix /www/htdocs. This directory is where web content providers can put information on the central University of Delaware machine. They can log on to Unix and edit a file using an editor such as pico or nedit, they can copy files to this web directory from their home directory, or they can create the files on some other machine and transfer them to the web folder using ftp.
We are assuming, in this document, that the primary means of publishing information in a web folder is via ftp (or the more secure protocol sftp). Programs such as Netscape Composer, Macromedia Dreamweaver and Adobe Go Live can be configured to use ftp as the way they publish the web content. When a new file is transferred using ftp to the Unix directory holding the web folder it is automatically made "browsable" to the world. This means any user can see the information on the web and any University of Delaware user can read or download the file through their Unix account. This is normally what is wanted for web publishing.
Obviously, you do not want the entire world to be able to transfer files to your web folder on the central University web server. The ability to publish web content, i.e., transfer files to a web folder, is granted to the owner of the Unix directory holding the web folder. When a web folder is created it is assigned to one Unix account username. This user, called the owner, is the only user who can transfer files to this directory using their Unix account and password. This is called having write access to the directory, and you, as the owner, can assign write access to other users.
Here are detailed instructions with some discussion for five common scenarios:
| Scenario | You are the owner of the web folder which contains an html file with URL http://www.udel.edu/department/seminar/schedule.html. This file contains information which needs to be changed frequently, and you want to grant one other user exclusive write access so they can maintain this information. Your user name is jsmith and the username of the other user is mjane, i.e., her Unix email address is mjane@udel.edu. |
| Unix Commands |
cd /www/htdocs/department/seminar |
| Session Listing |
    <1>% cd /www/htdocs/department/seminar
    <2>% chmod a=r schedule.html
    <3>% setfacl -r -m user:mjane:rw- schedule.html
    <4>% ls -l schedule.html
    -r--r--r--+ 1 jsmith 1864 2575 Mar 1 14:05 schedule.html
    <5>% getfacl schedule.html
    # file: schedule.html
    # owner: jsmith
    # group: 1864
    user::r--
    user:mjane:rw- #effective:rw-
    group::r-- #effective:r--
    mask:rw-
    other:r--
|
| Discussion |
These three commands will normally be silent if they work properly. In the
above session listing we use two commands to check and make sure things
are set correctly. The ls -l will give
a long format listing, and the first few characters,
-r--r--r--+, show that there is only
read access granted, but there is additional information indicated by
the "+" sign.
To see this additional information use the getfacl
command. User mjane has read/write access to the
file, which is indicated by the codes rw-
appearing after the
word effective on the user:mjane line.
You only have read access since the codes r--
appear on the first user:: line. Since you
only have read access, user mjane has exclusive
write access. This is recommended since two users can not simultaneously
modify the same file.
Since you are the owner you can take back write access with the chmod command:
    chmod u+w schedule.html
You can also take away write access from user mjane with the setfacl command:
    setfacl -d user:mjane schedule.html
These two commands would put you back to the default settings, where only you as the owner have write access. The "+" sign will also no longer appear in the long format listing. |
| Scenario | You are the owner of a web folder, and want to create a web folder to give some other user a place to publish their web content. Your web folder is at the URL http://www.udel.edu/department/course101/. This is where you should put a new directory and you want to name it mjanepage. Your user name is jsmith and the username of the other user is mjane. As the owner of the course101 web folder you can give any other user a directory for use in your directory. |
| Unix Commands |
cd /www/htdocs/department/course101 |
| Session Listing |
    <1>% cd /www/htdocs/department/course101
    <2>% mkdir mjanepage
    <3>% chmod a=rx mjanepage
    <4>% setfacl -r -m user:mjane:rwx mjanepage
    <5>% ls -dl mjanepage
    dr-xr-xr-x+ 2 jsmith 1864 512 Mar 1 17:58 mjanepage
    <6>% getfacl mjanepage
    # file: mjanepage
    # owner: jsmith
    # group: 1864
    user::r-x
    user:mjane:rwx #effective:rwx
    group::r-- #effective:r-x
    mask:rwx
    other:r-x
|
| Discussion |
This is similar to the last example, but here you are opening access
to a directory instead of a file. When you are permitting
directories you must include search access, the "x" code, along with read and/or write.
These three commands will normally be silent if they work properly. In the above session listing we used two commands to check and make sure things are set correctly. The ls -dl will give a long format listing of the directory, and the first few characters dr-xr-xr-x+ show that there is no write access granted, but there is additional information indicated by the "+" sign. To see this additional information use the getfacl command. User mjane has full access to the directory, which is indicated by the codes rwx appearing after the word "effective" on the user:mjane line. You only have read and search access since the codes r-x appear on the first user:: line.
It is important to note you are granting write access to allow mjane to create new web content. She may put many files with many levels of sub-directories. She can even create a directory and grant write access to a third user, just as you just did for her. All of these files are owned by the user putting them there. You will lose the ability to fix problems, since you can not fix permission modes on files you do not own. You may even lose the ability to remove the mjane directory which you own. You must have write access to every sub-directory of files if you want to remove the entire directory.
Since you are the owner you can take back write access with the chmod command:
    chmod u+w mjanepage
You can also take away write access from user mjane with the setfacl command:
    setfacl -d user:mjane mjanepage
but this may not do what you expect. The user mjane will still have write access to all the files she has put in the directory and can continue to modify them. She can put new files in sub-directories she created while she had write access. The command
    setfacl -m user:mjane:r-- mjanepage
will remove write access and search access and thus prevent her from adding new files or modifying the files she owns. She can still read them from the web just as the whole world can. |
| Scenario | You are the owner of a web folder, and want to create a new web folder owned by some other user as a place to publish their web content. Your user name is jsmith, and your web folder is at the URL http://www.udel.edu/department/faculty/. This is where you want to put a new directory named mjane, to be owned by user mjane. As the owner of the faculty web folder you can give mjane temporary full access to the directory for the purpose of creating her new directory. |
| Unix Commands | Both users jsmith and mjane should be present for this session. Start by logging in as user jsmith
cd /www/htdocs/department/faculty |
| Session Listing |
    <1>% cd /www/htdocs/department/faculty
    <2>% setfacl -r -m user:mjane:rwx .
    <3>% su mjane
    Password: XXXXXXXX
    Using project 4000, U. OF D. E-MAIL
    You have $49.24 remaining in this account.
    <1>% mkdir -m 755 mjane
    <2>% exit
    exit
    <4>% setfacl -r -d user:mjane:rwx .
    <5>% getfacl mjane
    # file: mjane
    # owner: mjane
    # group: 4000
    user::rwx
    group::r-x #effective:r-x
    mask:r-x
    other:r-x
|
| Discussion |
The goal in this example is similar to the last example, but here you are
creating a directory owned by a different user instead of giving a different
user full access to a directory you own.
The ownership of a new directory is determined by the current user
and the current group. That is why we use the su
(Switch User) command.
The commands cd, setfacl and mkdir will normally be silent if they work properly. The command su starts a new shell as a new user and it reports the current project (group) and the money left in the account. The exit command exits the shell started by the su command and returns to the original shell. That is why the numbers continue with the number 4.
The setfacl command with the -m
option modifies the access control list for the current directory
to add mjane
as a user with full access. The su command will switch
the user to mjane. Make a note of the project, since this
will be the group associated with the new directory. In this session the group is
4000.
At the Password: prompt have user mjane
type her password. It will not be echoed.
The final getfacl command is just a check to make sure the new directory is properly permitted. Notice user::rwx, which shows the user mjane has full access, and other:r-x, which shows this can be used as a web folder.
It is important to note you are creating a directory owned by another user and not just granting write access to a directory you own. This is their directory and you can not fix things from your account if they get in trouble. Everything has to be done with their account. As the owner of the faculty directory there are still some things you can do.
|
| Scenario | You are the owner of the web folder which contains an html file with URL http://www.udel.edu/department/seminar/schedule.html. This file contains information which needs to be changed frequently, and you want to share write access with some other users so they all can maintain this information (one at a time). The three users consist of yourself, jsmith, and the two other users: mjane and jdoe. You are all aware that only one user at a time will be able to successfully modify the file. |
| Unix Commands |
cd /www/htdocs/department/seminar |
| Session Listing |
    <1>% cd /www/htdocs/department/seminar
    <2>% chmod og+r schedule.html
    <3>% setfacl -r -m user:mjane:rw- schedule.html
    <4>% setfacl -r -m user:jdoe:rw- schedule.html
    <5>% ls -l schedule.html
    -rw-r--r--+ 1 jsmith 1864 5206 Mar 4 09:58 schedule.html
    <6>% getfacl schedule.html
    # file: schedule.html
    # owner: jsmith
    # group: 1864
    user::rw-
    user:jdoe:rw- #effective:rw-
    user:mjane:rw- #effective:rw-
    group::r-- #effective:r--
    mask:rw-
    other:r--
|
| Discussion |
This is similar to the first example, but we are sharing the write
access with several users. If possible, it is better to have just one
user to avoid the possibility of two users trying to modify the
same file at the same time. You can add users to and remove users from the
access control list as needed.
These commands will normally be silent if they work. In the above session listing we used two commands to check and make sure things are set correctly. The ls -l will give a long listing, and the first few characters -rw-r--r--+ show that there is read access granted to all, write access granted to you as the owner, and there is additional information indicated by the "+" sign. To see this additional information use the getfacl command. Users jdoe and mjane also have write access to the file, which is indicated by the codes rw- appearing after the word effective on the lines with their username.
Since you are the owner, you control the access control list. You can add other users with a setfacl just like the ones above with a new username. You can also take away write access from a user. To take away write access for mjane type the command
    setfacl -d user:mjane schedule.html
Deleting all users will put you back to the initial state where only you as the owner have write access. The "+" sign will also no longer appear in the long format listing. |
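The getfacl checks used in the scenarios above can be automated. As an added example (not part of the original page), the hypothetical helper acl_writers below reads getfacl output and lists every principal that keeps write permission once the mask is applied; shared_acl, also a hypothetical name, replays the listing from the shared-write scenario as sample input.

```shell
#!/bin/sh
# Added example, not from the original page. acl_writers (a hypothetical
# helper name) reads getfacl output on stdin and prints every principal
# that still has write permission after the ACL mask is applied.
acl_writers() {
    awk '
    { sub(/[ \t]*#.*/, "") }            # drop "# file:" and "#effective:" comments
    $0 == "" || /^default:/ { next }    # defaults only apply to newly created files
    {
        n = split($0, f, ":"); tag = f[1]; who = f[2]; perm = f[n]
        if (tag == "mask") { mask = perm; next }
        if (tag == "other") { lab = "other" }
        else if (who == "") { lab = (tag == "user") ? "owner" : "owning-group" }
        else { lab = tag ":" who }
        label[++c] = lab; p[c] = perm
        masked[c] = (lab != "owner" && lab != "other")
    }
    END {
        for (i = 1; i <= c; i++) {
            w = (substr(p[i], 2, 1) == "w")
            # the mask caps named users, named groups and the owning group
            if (masked[i] && mask != "" && substr(mask, 2, 1) != "w") w = 0
            if (w) print label[i]
        }
    }'
}

# The getfacl listing from the shared-write scenario on this page.
shared_acl() {
    cat <<'EOF'
# file: schedule.html
# owner: jsmith
# group: 1864
user::rw-
user:jdoe:rw-           #effective:rw-
user:mjane:rw-          #effective:rw-
group::r--              #effective:r--
mask:rw-
other:r--
EOF
}

shared_acl | acl_writers    # prints owner, user:jdoe, user:mjane (one per line)
```

On a live system the input would come from `getfacl schedule.html | acl_writers`; any name in the output that should no longer be publishing is an entry to delete.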
You should be in a Unix group created for web development. See the document Unix Groups for a description of Unix groups. Once you have this set up you can use the next scenario to set up group sharing of your Web Folder.
| Scenario | You are the owner of an empty web folder and the member of a Unix group created for web development. You want all members of this group to have full and equal access to all web content in this web folder. Any member can create files, and modify files created by other members of the group. Conversely, anybody not in the group can see the files, but they can not create new content, delete files, or modify existing files. Your empty web folder is at the URL http://www.udel.edu/department/homepage/. This is where your group will be publishing web content. Your user name is jsmith and the unix group name is 0217. As the owner of the homepage web folder you can give your group full access to this directory. |
| Unix Commands |
cd /www/htdocs/department/homepage |
| Session Listing |
    <1>% cd /www/htdocs/department/homepage
    <2>% ls -l
    total 0
    <3>% chgrp 0217 .
    <4>% chmod g+rwxs,o+rx .
    <5>% setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x .
    <6>% ls -dl .
    drwxrwsr-x+ 2 jsmith 0217 512 Mar 4 14:50 .
    <7>% getfacl .
    # file: .
    # owner: jsmith
    # group: 0217
    user::rwx
    group::rwx #effective:rwx
    mask:rwx
    other:r-x
    default:user::rwx
    default:group::rwx
    default:mask:rwx
    default:other:r-x
|
| Discussion |
Notice that the commands in the above listing, <2> - <7>, all have a
trailing dot to indicate the current directory. For a discussion
of Unix groups see the document Unix Groups,
and for a more in depth discussion of these commands see
the document Group Sharing. In particular,
this Group Sharing document describes some options if the web directory is not
empty.
The three commands, chgrp, chmod and setfacl, will normally be silent if they work properly. In the above session listing we used two commands to check and make sure things are set correctly. The initial ls -l will list the contents to make sure the directory is empty. The command ls -dl gives a long listing of the directory, and the first few characters drwxrwsr-x+ show that this directory has group write access, and there is additional information indicated by the "+" sign. To see this additional information use the getfacl command. You, as the owner, have full access since the codes rwx appear on the first user:: line. Your group 0217 also has full access since the codes rwx appear on the first group:: line. Finally, check the defaults listed from the getfacl command. The defaults will be used to set permissions for all new web content. With these defaults all new web files and directories will be set correctly for group sharing.
It is important to note you are granting full access to any member of group 0217, which allows them to create new web content. They may put many files with many levels of sub-directories. All of these files are owned by the user putting them there. You will lose the ability to fix problems, since you can not fix permission modes on files you do not own, but with the correct defaults you will have write access to every sub-directory, which gives you (and other members of the group) the ability to remove or rename files, which can be used to fix problems on the homepage.
It is possible for members of your group to take away these default permissions on any files or directories they own. Cooperation is essential. Remember only one person at a time can modify a file. Members of your group should not change permission modes from the defaults. Also, removing and renaming files should be used with care, and only when the owner of the files is not available to fix the problem. |
| Changing Content | Say you notice there is an error in one of your group web pages. You should have the owner of the file fix the problem. They can edit the file on Unix using an editor such as pico or download the file to a PC, fix the problem, and then upload the corrected file back to the same location on the server. Since you have properly set up this Web folder, any member of your group can do the same thing. |
| Changing Permission |
Say you notice there is an access error in one of your group web pages;
then the permission modes are incorrect. This should not happen
with this set-up, but if it does the owner of the file will have
to log on to Unix and issue the following Unix commands (assume the
file with the access problem is index.html):
    cd /www/htdocs/department/homepage/
If you can not find the owner, any member of the group can fix the problem with the following commands:
    cd /www/htdocs/department/homepage/
You just moved the bad file to a safe location and named it index-bad.html. Then you made a copy which you will own with the original name. You own this file and can fix the permission modes with the chmod command. Later you should have the owner of the bad file remove it with the rm command. |