WeBWorK Main Forum

WeBWorK File Permissions

by Andrew Parker -
Number of replies: 9
Okay, I'm clearly not grasping something when it comes to coherent file permissions and WeBWorK.

SETUP:

1) I have designated a folder in /opt/webwork/libraries named for my university, in an attempt to recreate a local library for problems we create at my institution.

2) All sections of the same course have /templates/local as a symbolic link to a subdirectory of /opt/webwork/libraries/our-institution/

3) in site.conf, I have designated wwadmin and wwdata as the userID and groupID respectively.

4) all folders and problem files in /opt/webwork/libraries/our-institution are set "chmod 775" "chown wwadmin" and "chgrp wwdata". (The sym-links are 777, wwadmin and wwdata.)

5) wwadmin is a member of wwdata in /etc/group

PROBLEM:

1) Whenever I add a blank problem to a set, a folder and problem file are automatically created: [TMPL]/local/setProblemSetName/blankProblem.pg

2) This folder and the file are both created with permissions 755, owner: www-data, group: www-data

3) Similarly for any newly created (and saved) problem within that file structure.

4) If I login through a different section of the same course and attempt to edit the newly created problem, I do not have the option to save it with the same path and filename. I must save it as a new file, despite the fact that both courses follow sym-links to the same directory.

====================================================

So, how can I coherently define my file permissions so that newly created content has the appropriate permissions, owners, groups so that instructors may edit our local problems regardless of who created them?

Thanks
-Andrew
In reply to Andrew Parker

Re: WeBWorK File Permissions

by Gavin LaRose -
Hi Andrew,

My first guess is that you need the sticky bit set for your local library directory tree, so that the permissions are inherited as expected:

  # cd /opt/webwork/libraries/our-institution
  # find . -type d -exec chmod g+s {} \;

That said, this doesn't seem directly to address the symptoms that you're reporting. It might be useful to see what the files created in one course are and what their file permissions are.

Gavin

In reply to Gavin LaRose

Re: WeBWorK File Permissions

by Andrew Parker -
Right, that fixes the problem _after_ the new content is created. But I'd prefer not to have to keep logging into the server to set file permissions.

I'm not clear on what you'd like to see...

user@server:/opt/webwork/libraries/NYCCT/0630$ ls -la
total 48
drwxrwxr-x 12 wwadmin  wwdata   4096 Oct  9 14:38 .
drwxrwxr-x  6 wwadmin  wwdata   4096 Jul 22 17:03 ..
drwxrwxr-x  2 wwadmin  wwdata   4096 Aug  8 16:11 chapter10
drwxrwxr-x  2 www-data www-data 4096 Sep 15 20:43 chapter2-Fractions
drwxrwxr-x  2 www-data www-data 4096 Sep 15 20:32 chapter4-DecimalNumbers
drwxrwxr-x  5 wwadmin  wwdata   4096 Aug  6 14:54 Library
drwxrwxr-x 16 wwadmin  wwdata   4096 Oct  9 14:38 oldFolders
drwxrwxr-x  3 wwadmin  wwdata   4096 Aug  6 13:08 opt
drwxrwxr-x  2 wwadmin  wwdata   4096 Aug  6 14:37 setchapter10-SimplifyingPolynomialExpressions
drwxr-xr-x  2 www-data www-data 4096 Oct  8 12:59 setchapter11-DividingPolynomials
drwxrwxr-x  2 www-data www-data 4096 Aug 29 20:23 setchapter1-realnumbers
drwxrwxr-x  2 www-data www-data 4096 Oct  7 14:11 setchapter1-RealNumbers
user@server:/opt/webwork/libraries/NYCCT/0630$ 

As you can see, any new content created after Aug 8 has different owner, group and permissions - since they were created in WeBWorK after I had recursively set the permissions during the WeBWorK server upgrade.

(the group-write permissions have been changed since Aug 8th in order that instructors in different sections can edit content. setchapter11-DividingPolynomials was the most recent content added, and as usual, was not created with group-write permissions...)


In reply to Andrew Parker

Re: WeBWorK File Permissions

by Davide Cervone -
I don't see how this can be a permission issue, since the WeBWorK logins have nothing to do with the unix accounts that underlie WeBWorK. All the instructors are using the same server, which (apparently) is logged in as www-data, based on the output above. Since www-data has write access as the owner of the directory (and files in the directories, I presume).

So there should be no problem with the server viewing or overwriting any of these files.

You say that you have set site.conf to use wwadmin and wwdata as the userID and groupID, but it looks like the apache server is running as www-data as both user and group ID. You might want to check the apache configuration file to see what user and group is set there, since those are the ones that actually control the settings for the server (I'm not sure what the WeBWorK versions are used for).

Files that have the name of the blank problem (like the one listed in your original message) are treated specially, and you cannot save them under that name. They must be saved under a different name. But once you use a different name, you SHOULD be able to edit them and save them (with that new name) from both courses.

If that's not the case, there should be a warning message at the top of the page indicating that the file is protected. Are you getting that? If so, can you give the complete message you see?
In reply to Davide Cervone

Re: WeBWorK File Permissions

by Michael Gage -
The webwork settings for site-url, server user name and server group should be set to agree with the actual values (which are set in the apache configuration files).  

At least when I set these up it was surprisingly hard to obtain these three values automatically at run time so the easiest workaround was to simply define them in site.conf.  They need to be defined correctly.

They are used for a few things -- such as callbacks when doing relative urls won't work, and I expect that the command line script that sets permissions gets its data from the .conf files in webwork2/conf.


In reply to Michael Gage

Re: WeBWorK File Permissions

by Hedley Pinsent -
I tried it and it seems to have happened more smoothly. My ownership looks different. Image attached.
Attachment DuelAccounts.png
In reply to Hedley Pinsent

Re: WeBWorK File Permissions

by Hedley Pinsent -
Perhaps I am being a bit of an amateur here but the contents of my site.conf (working system) adds weight to a comment above.
Attachment site.png
In reply to Hedley Pinsent

Re: WeBWorK File Permissions

by Davide Cervone -
What does your apache's configuration file say?

I'm still convinced this is not a permission or ownership issue. I only mentioned the owner and group because it seemed inconsistent with the results, and might mean that you had them set differently in site.conf and apache configuration files. I note that your site.conf isn't actually what you originally said it was (you indicated that the userID was wwadmin when it is actually www-data), unless you have changed it since then.

From the unix side, all professors will appear as the user www-data, since that is what the server is running. Since this account owns the directories and files, the group permission won't matter, and owner permission gives the server write access, so there is no reason from a unix permission standpoint that all faculty logged into WeBWorK should not be allowed to save the file.

So it has to be something within WeBWorK itself. I've looked at the code, and the only reasons that the save button is not included are if the file is not writable to the server (which it is, and that is true regardless of the WeBWorK login name), or if the problem name is the blank problem name.

The filename from your original post IS the blank problem, so my expectation is that the difficulty you are having is from the problem name, not the file permissions. Your faculty need to rename the problem (i.e., save it under a new name). It would be best to delete the blankProblem.pg file (though that would require using the file manager). I suspect that if the name is changed, all the faculty will be able to edit it.
In reply to Davide Cervone

Re: WeBWorK File Permissions

by Andrew Parker -
Okay. I'm changing our local library back to www-data as owner, and setting that in site.conf as well. New "new" problems can be edited across courses, but older "new" problems could not - due to the fact that they'd been set to "wwadmin" and "wwdata".

I'm not sure why the comments in site.conf would suggest the use of wwdata and wwadmin, when apache is installed by default to use www-data for both...
In reply to Andrew Parker

Re: WeBWorK File Permissions

by Arnold Pizer -
Hi,

Not sure what you are referring to. In site.conf, I see:

# The following two variables must match the user ID and group ID respectively
# under which apache is running.
# In the apache configuration file (often called httpd.conf) you will find
# User www-data   --- this is the $server_userID -- of course it may be wwhttpd or some other name
# Group wwdata   --- this is the $server_groupID -- this will have different names also

Arnie
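
A read-only audit of the kind of mismatch discussed in this thread, added here as an example and not posted by any participant: it lists entries in a shared library tree whose owner or group differs from the account the web server runs as, entries the group cannot write, and directories without the setgid bit. The function names `audit_tree` and `count_findings` are hypothetical; the path and account names in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shared problem-library tree
# against the account the web server actually runs as. Read-only.
# Usage (values taken from the thread, adjust to your server):
#   sh audit.sh /opt/webwork/libraries/our-institution www-data www-data

# audit_tree DIR USER GROUP
# Prints one line per finding: "<reason> <path>". Symlinks are skipped
# because their own mode bits are not what controls access.
audit_tree() {
    dir=$1 user=$2 group=$3
    # Owner or group differs from the server account.
    find "$dir" ! -type l \( ! -user "$user" -o ! -group "$group" \) \
        -exec printf 'owner-mismatch %s\n' {} \;
    # Group write bit (020) missing, e.g. entries created under umask 022.
    find "$dir" ! -type l ! -perm -020 \
        -exec printf 'no-group-write %s\n' {} \;
    # Directory lacks setgid (02000): new entries take the creating
    # process's group instead of the directory's group.
    find "$dir" -type d ! -perm -2000 \
        -exec printf 'no-setgid %s\n' {} \;
}

# count_findings DIR USER GROUP REASON
# Prints how many findings of the given kind audit_tree reports.
count_findings() {
    audit_tree "$1" "$2" "$3" | grep -c "^$4 " || true
}

# Run the audit when called with the three arguments.
if [ "$#" -eq 3 ]; then
    audit_tree "$@"
fi
```
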