Web Access Management
Managing Access to Web Content

One of the responsibilities of the webmaster is determining who has read and/or write access to the departmental web content. This generally splits into two distinct categories: controlling who can put up or edit web content, and controlling who can view web content.

The departmental web pages reside on an AFS fileserver, and have available the robust access control of AFS Access Control Lists (ACLs). These ACLs can be used quite effectively to control who has the ability to create, delete, or modify web content.

The nature of the web, however, is such that most content is expected to be viewable by anyone through the web server. However, there are times when access to content should be more restricted. ACLs are basically useless for this purpose, as the web server must have access through the ACLs to see the page if it is to be presented to anyone over the web, and the AFS filesystem does not know for whom the web server wants the page. Any access control of pages presented as web pages requires use of access control mechanisms inside the web server. These, too, can be configured on a per directory basis through .htaccess files.

Restricting Write Access via Unix/Ftp/etc

The AFS ACLs restrict who can access files in a directory once they are logged into a PNCE-Unix/Glue system. This login can be from a telnet or similar session, or an ftp session (e.g. uploading web pages from a web design program via ftp). People who have the right to control access rights (e.g. members of the phys:phys-www group) can grant or deny access to certain groups of users using the fs command.

AFS ACLs act on directories, and all files/web pages within the directory get the same access rights.

Listing ACLs for a directory

You can list the access rights for a directory with the fs listacl command. To use it, just type
fs listacl directory_name
where directory_name is the name of a file or directory. (Note: AFS ACLs apply to directories only, so if you give a non-directory file name, the ACLs listed are for the containing directory.) You can abbreviate listacl to la if desired.

If you have permission to read the access rights on the directory, the command will list a set of Normal rights. Each line consists of a user or group name (group names contain a colon), followed by a list of letters which give the access rights. The letter codes are the standard AFS rights: r (read), l (lookup, i.e. list the directory), i (insert, i.e. create files), d (delete), w (write), k (lock), and a (administer, i.e. change the ACL).

The codes generally occur in a rather small set of combinations, as follows:
None
No access codes. This user or group does not get any access. Note that this does not show up in the output of the fs listacl command; any user or group that doesn't show up has no access.
List access
l only: The user can issue the ls command, but really nothing else. Useful, however, if you want to give them greater access to some directory below this one (otherwise, they probably cannot see the directory you wanted to give them rights to).
Read access
rl only: The user can read the file, but cannot change anything.
Write access
rlidwk: The user can read and write to files, create new files, delete files, etc.
All access
rlidwka: The user has all the access of write access, plus can give anyone else any access level (or restrict access to other people).
Other combinations can occur, but are usually only found in odd situations where a very tailored ACL list is required.

ACLs are additive, so if group phys:a has rl rights and group phys:b has wk rights, a user who is a member of both groups gets rlwk rights.

The other part of working out what access a directory grants is working out who is in the groups. Group names try to be descriptive of the group, but this is not always possible. Groups whose names start with system: are special groups which generally should not be touched.

system:httpd
This is the web server. It should have read (rl) access to all pages. For security reasons, it should almost never get anything more (contact PCS before giving it more).
system:phys-managers
This is PCS staff. It should always have at least the access control (a) right.
system:administrator
This is Glue staff. It should always have at least the access control (a) right.
system:authuser
This gives access to anyone logged onto the system. It should never have more than read access, and even that should usually be restricted (for web pages, usually it is sufficient to just give read access to system:httpd).
system:anyuser
This gives access to anyone in the world, whether they have an account on the system or not. This should not be used, and certainly never have more than read access. Use system:authuser, or preferably, system:httpd instead.
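The listing format, the additive rule, and the system: group rules above can be checked mechanically. The script below is an added example, not part of the PCS page or its tooling: it works over a constructed fs listacl output (the path and phys: group names are hypothetical), computes the effective rights a member of several groups would get, and flags entries that break the rules just given.

```shell
#!/bin/sh
# Constructed sample in the format `fs listacl` prints (not captured from a real
# system); the path and the phys: group names are hypothetical.
SAMPLE_ACL='Access list for /afs/example/phys/www/demo is
Normal rights:
  system:httpd rlw
  system:anyuser rl
  system:phys-managers rlidwka
  phys:phys-www rlidwka
  phys:phys-demo rl
  phys:phys-demo-mgr idwk'

# effective_rights ACL_TEXT GROUP... : union of the rights granted to any of the
# listed groups (positive AFS ACL entries are additive), in canonical rlidwka order.
# Standard AFS meanings: r read, l lookup, i insert, d delete, w write, k lock, a administer.
effective_rights() {
  acl=$1; shift
  letters=""
  for g in "$@"; do
    letters="$letters$(printf '%s\n' "$acl" | awk -v g="$g" '$1 == g { print $2 }')"
  done
  out=""
  for c in r l i d w k a; do
    case "$letters" in *"$c"*) out="$out$c" ;; esac
  done
  printf '%s\n' "$out"
}

# audit_acl ACL_TEXT : one line per entry that breaks the rules given above:
# system:httpd gets only rl, system:anyuser is not used, and the webmaster and
# PCS groups keep the a right so they can still change the ACL.
audit_acl() {
  printf '%s\n' "$1" | awk '
    /^Normal rights:/   { inlist = 1; next }
    /^Negative rights:/ { inlist = 0 }
    !inlist || NF < 2   { next }
    $1 == "system:httpd" && $2 != "rl" { print "system:httpd has " $2 ", expected rl" }
    $1 == "system:anyuser" { print "system:anyuser present (" $2 "); use system:httpd" }
    $1 == "phys:phys-www" { seen = 1; if ($2 !~ /a/) print "phys:phys-www lacks a" }
    $1 == "system:phys-managers" && $2 !~ /a/ { print "system:phys-managers lacks a" }
    END { if (!seen) print "phys:phys-www missing from ACL" }
  '
}

audit_acl "$SAMPLE_ACL"
```

On a real system replace the sample with `fs listacl directory_name` output; the sample deliberately contains two findings (system:httpd with w, and a system:anyuser entry).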

All other groups should start with phys:, usually followed by phys-. You can often see who is in a particular group by using the pts members command, as in
pts members group_name
where group_name is the name of a group, e.g. phys:phys-www. Some common groups are:

phys:phys-www
webmaster's group
phys:phys-pcs-mgr
This is another group for PCS staff. It should always have at least the access control (a) right.
phys:phys-RGRP-mgr
The computer managers for the RGRP research group.
phys:phys-RGRP
All members of the RGRP research group.
phys:physCRS-mgr
The professors teaching the course PhysCRS.
phys:physCRS-tas
The teaching assistants for the course PhysCRS.
phys:physCRS
The students for the course PhysCRS.

Setting ACLs for a directory or directory tree

If you have the access control (a) right on a directory, you can change the ACL for that directory. For a single directory, this can be done using the fs setacl command, as follows:
fs setacl -dir directory -acl group ACLstring
where directory is a file or directory name (Note: ACLs only apply to directories, so if you give a file name here, it will change the ACL on the directory containing the file, which means that every other file in that directory gets the same ACL). group is the name of a group or user, although PCS strongly recommends that only group names be given ACLs in the web tree. See below for information on how to create your own groups. ACLstring is a string of the letters r, l, i, d, w, k, or a, listing which rights the group should get. You can also give the strings all, write, read, or none for the common access levels discussed previously; none removes a user or group from the ACL. You can give multiple group and ACLstring pairs in the above command, as long as every group is followed by its ACLstring. The word setacl may be abbreviated to sa if desired.

Note that the above command only changes the ACLs on a single directory; in particular, it will not change the access on subdirectories of that directory. For newly created directories, this is not generally a problem, as they will inherit their initial ACL from their parent directory (until someone manually changes it). For existing directories, you can use the setacl_tree command. This is run as:
setacl_tree directory group ACLstring
where directory, group, and ACLstring are the same as above. However, any subdirectories beneath directory will also get their ACLs changed.

Creating and Managing Groups for Web Access

PCS strongly recommends that only group names, not user names, be used in ACLs in the departmental web pages. If user names are used, then whenever someone leaves the department or changes positions within the department, someone must go through every directory checking whether that username is in the ACL and changing it. With groups, one just has to remove the username from the appropriate groups.

A strong feature of AFS is that anyone can create groups and manage the membership of groups they created. Thus, it really shouldn't be necessary to use usernames instead of groups in ACLs.

To create a new group for web access, anyone in the webmaster's group can issue the command:
pts creategroup -name phys:name -owner phys:phys-www
where phys:name is the name of the new group. E.g, to create a group called phys:webpeople, you would issue the command
pts creategroup -name phys:webpeople -owner phys:phys-www
Note that all groups for web page access should be owned by phys:phys-www, and all groups owned by phys:phys-www must start with phys:.

Once a group is created, the owners of the group (for web access groups these are the webmasters) can list who is in the group, add people to the group, remove people from the group, or delete the entire group with the commands:
pts members group
pts adduser -user username -group group
pts removeuser -user username -group group
pts delete group
respectively. group is the name of the group (include the leading phys:), and username is the login name of the user to add or remove.

To list all the web access groups that have been created, just issue the command:
pts listowned phys:phys-www

After creating a group, you need to use the fs setacl or setacl_tree command to grant members of that group rights to certain directories, as described above.
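The group creation and fs setacl steps above are easy to get wrong in ways the ACL itself will not complain about (a user name instead of a group, a typo in the rights string, too much access for system:httpd). The wrapper below is an added example, not PCS's own tooling: it applies the recommendations on this page before invoking the fs and pts commands, and runs them through $RUN so that RUN=echo gives a dry run on a machine without AFS (the assumption is that fs and pts are on PATH on the real system).

```shell
#!/bin/sh
# RUN=echo prints the fs/pts invocation instead of executing it (dry run);
# leave RUN empty on a real AFS client. The wrapper is an added example.
: "${RUN:=}"

# valid_acl STRING : succeeds if STRING is a keyword or made only of rlidwka letters
valid_acl() {
  case "$1" in
    all|write|read|none) return 0 ;;
    "") return 1 ;;
  esac
  case "$1" in *[!rlidwka]*) return 1 ;; esac
  return 0
}

# web_setacl DIR GROUP ACL : enforce the page's rules, then run fs setacl:
#  - only groups (names contain a colon), never individual users
#  - web groups live in phys:, apart from the system: groups listed on the page
#  - system:httpd never gets more than rl
web_setacl() {
  dir=$1 group=$2 acl=$3
  case "$group" in
    *:*) ;;
    *) echo "refusing $group: use a group, not a user name" >&2; return 1 ;;
  esac
  case "$group" in
    phys:*|system:httpd|system:phys-managers|system:administrator|system:authuser) ;;
    *) echo "refusing $group: not a phys: or recognised system: group" >&2; return 1 ;;
  esac
  valid_acl "$acl" || { echo "bad ACL string: $acl" >&2; return 1; }
  if [ "$group" = system:httpd ]; then
    case "$acl" in
      rl|read|none|l) ;;
      *) echo "refusing to give system:httpd $acl (at most rl; contact PCS)" >&2; return 1 ;;
    esac
  fi
  $RUN fs setacl -dir "$dir" -acl "$group" "$acl"
}

# web_creategroup NAME USER... : create phys:NAME owned by phys:phys-www and add members
web_creategroup() {
  name=$1; shift
  case "$name" in phys:*) ;; *) name="phys:$name" ;; esac
  $RUN pts creategroup -name "$name" -owner phys:phys-www || return 1
  for u in "$@"; do
    $RUN pts adduser -user "$u" -group "$name" || return 1
  done
}
```

Used as `RUN=echo sh wrapper.sh` style dry run first, then with RUN unset on the AFS client, followed by setacl_tree where a whole subtree needs the change.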

Restricting Read Access through the Web Server

Restricting access through .htaccess files is fairly standard, and no PCS write-up exists at this time. Be sure that the AFS ACL on the directory you wish to exist gives:

This page is maintained by the Physics Web Managers:
For Content Questions contact the WebEditor.
For Technical Questions contact the WebTech.