File and directory permissions needed for web access

On 19 December 2003, the main Department of Physics & Astronomy web server, running on the "kepler.pa.msu.edu" system, was switched over to the industry-standard Apache web server software, more robust and flexible than the old version of the Sun web server software previously used. This migration adds options and features for users, but also entails some necessary changes in what users must be aware of when publishing their web pages.

Most notably, the Apache web server appropriately checks for and obeys file and directory access permissions which the Sun web server ignored, for the most part. Because the Sun web server ignored them, permission settings were not critical, and the defaults for some other programs such as the ftp server were not always set to make sure that files created on or transferred to kepler had the "world-readable" permission set. The ftp server has for the past few months defaulted to setting this "world-readable" permission, but files transferred to kepler earlier may need some attention now.

Certain web page files which the Sun web server was willing to display will no longer be visible, as the Apache web server correctly notes that they are not set to be readable by just anyone. File and directory permissions in the main departmentally-managed web areas (including the courses area) have been updated to make sure they continue to be accessible. This leaves files and directories in the users' own areas to be checked and corrected, if necessary. The computing staff will not go into a user's personal file area and make changes without that user's explicit permission. Users, therefore, must check and correct the permissions settings themselves or explicitly request that the computing staff check and correct them.

The first thing to do is to use your web browser to look at your web pages. If your personal web pages still work, you must have the permissions set right already. You only need to follow the steps outlined below (or E-mail helpdesk@pa.msu.edu) if files do not show up.

In order to be seen by the web server process and displayed to the outside world, a file must

• be world-readable
• be in a directory whose entire path is no less than world-executable

Users' web-accessible files are in the 'www' subdirectory of their login directories. A file accessed on the web as http://www.pa.msu.edu/~username/file.name or http://www.pa.msu.edu/people/username/file.name is really the file at /home/username/www/file.name in the filesystem of the server ("kepler", in our case).

In this case, the file "file.name" must be world-readable, and both the login area /home/username and its /home/username/www subdirectory must be at least world-executable (i.e., world-read+execute will work, too).  To check permissions if a file is not being displayed by a web browser, use ssh (preferably) or telnet to log into www.pa.msu.edu, and do the following:

• check home directory permissions:
  >  ls -ld .
drwxr-xr-x  68 username users      14336 Dec 18 17:43 .
       ^^^
  if this is not "r-x" or "--x", issue the command "chmod o+x ." to fix the permissions.
   
• check www subdirectory permissions:
  >  ls -ld www
drwxr-xr-x   2 username users        512 Oct  1  1998 www
       ^^^
  if this is not "r-x" or "--x", issue the command "chmod o+x www" to fix the permissions.
   
• check file permissions:
  >  ls -l www/file.name
-rw-r--r--   1 username users        295 Oct 31  1999 www/file.name
       ^^^
  if this is not "r-x" or "r--", issue the command "chmod o+r www/file.name" to fix the permissions. (You may also "cd www" to change your current directory level to the www subdirectory, and then the commands would refer to "file.name" instead of "www/file.name" in this example.)
   

If you have a lot of files in your www subdirectory which need to be set "world-readable," log in and issue the commands:
> cd www
> chmod -R o+r .
and all files in your www directory and sub-directories below it will have the "world-readable" permission set. For each sub-directory (if any), issue the command:
> chmod o+x  sub-directory-name
to allow access to files in it. If you have a lot of sub-directories or a tree of nested sub-directories, there is a command which automates this process:
> find . -type d -exec chmod o+x {} \; 
(type this exactly as in the example; note that a backslash is paired with the semicolon, not a forward slash).
 

If you need assistance, send E-mail to helpdesk@pa.msu.edu with a request to get help in making sure your web-accessible files really are still web-accessible.