Access Control Lists (ACLs) are a feature of the Unix operating system that controls which user IDs can read and write to files. Most directories used for web publishing on the www.ksu.edu server are controlled with ACLs.
Just as with other schemes of managing permissions, you must flag files as being readable by the web server before they are accessible on the web. In the past, most people used the Unix chmod command to make the change. Although some formats of the chmod command work fine with ACLs, it is simpler to use the setfacl command, i.e.,
setfacl -m mask:rwx filename
where filename is the name of the file. Wildcards can be used, so most people use "*" as the filename to change all their files:
setfacl -m mask:rwx *
Note that you can only use the setfacl command on files you own, i.e., files that were created by you.
Those used to other access control schemes, such as simple file ownership (as used on the www-personal.ksu.edu server) or Unix groups (previously used for the www.ksu.edu server), should notice few differences.
Move into the directory (using the cd command) and run the command
Using ACLs is a step towards people being able to control read/write access to their web directories. However, we have not yet built the web infrastructure to allow people to make changes in a secure, authenticated, and authorized manner. In the meantime, if you need changes, the web coordinator can mail them to firstname.lastname@example.org. We can generally make changes within a few days.
In theory, using the Unix setfacl directly would allow people to control access. In practice, setfacl has three limitations that hamper its use.
The setfacl command doesn't have an option to recursively apply to subdirectories. This means that people with files in separate directories will have to run the setfacl command in each directory.
The setfacl command has an intimidating syntax. To see the manual page, enter man setfacl from a Unix prompt.
To help work around these limitations, we recommend that you leave the details of the ACLs to us. We can make the changes needed when people are to be added or deleted. Also, periodically we reset the ACLs on all the files. This helps recover from the situation where one authorized author forgets to allow read/write access by others cooperating on the same web site.
If you would prefer to use the setfacl command directly, let us know so that we don't accidentally reset your ACLs with the last version we knew about.
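For those who have arranged to manage their own ACLs, one way around the missing recursive option is to let find walk the subdirectories. This is an added example, not part of the original page or the server's own tooling; it assumes a POSIX find and id, and the function names and the SETFACL variable are hypothetical.

```shell
#!/bin/sh
# Added example: apply the page's "setfacl -m mask:rwx" to every file and
# directory you own below a starting directory.
# SETFACL is a hypothetical override: set SETFACL=echo to preview the
# commands without changing any ACLs.
SETFACL=${SETFACL:-setfacl}

apply_mask_recursive() {
    top=${1:-.}
    if [ ! -d "$top" ]; then
        echo "apply_mask_recursive: $top is not a directory" >&2
        return 2
    fi
    uid=$(id -u) || return 1
    # -user:   setfacl only works on files you own, so others' files are skipped.
    # -type:   matches regular files and directories only; symbolic links are
    #          never followed or changed, so targets outside the tree stay untouched.
    # {} +:    names are passed as arguments, so spaces in names are safe.
    find "$top" -user "$uid" \( -type f -o -type d \) \
        -exec "$SETFACL" -m mask:rwx {} +
}

# Report files and directories under the tree that belong to someone else;
# their owners have to run setfacl on them.
list_not_owned() {
    top=${1:-.}
    uid=$(id -u) || return 1
    find "$top" ! -user "$uid" \( -type f -o -type d \) -print
}
```

Call apply_mask_recursive with the top of your web directory, then list_not_owned with the same path to see which files a co-author still has to fix.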