Information Technology Division
Computing & Communications Center

Groups

There is occasional confusion with the use of the word groups on UNIX systems.

The UNIX systems offer different ways that groups can work together.

Begin the Process

Group Account Access

As mentioned above, the group or project account does not exist on Windows.

Since the CCC web servers run on UNIX, and the group or project account is on UNIX, the accounts are accessible for display on the web. The subdirectory named public_html is the root of the web tree; that is, http://www.wpi.edu/~account-name accesses the public_html subdirectory. Since the web tree is rooted in this subdirectory, you are free to have other subdirectories in the account which are not exposed to the web. You would map that directory as \\filer\homes\account-name\public_html

If you are comfortable working with RedHat Linux, you can log in to a CCC UNIX system and work on the account directly. You can ssh to ccc and log in with the account-name and the account's password. The account's password is distinct from your personal password, and the account owner can set it at the group account page, http://www.wpi.edu/+groupaccount. Even if you choose to maintain the account's files mainly via Windows, you will occasionally need to access the account directly in UNIX to update permissions on the account.

Although the account exists on UNIX, the disk space for the account rests on the filer, and the disk space is accessible to a Windows user by mapping the account with \\filer.wpi.edu\homes\account-name. If you are more familiar with Windows, you should find this type of access convenient.

The problem with accessing the account from your personal login, whether in Windows or UNIX, is that your account is different from the account-name login. You can make the group or project account accessible from your account, and from the accounts of others who may have an interest, through the use of UNIX groups.

There is confusion here, since the word group crops up again. In one sense, the account represents a group of individuals, but a mechanism called a UNIX group lets a group of individuals' accounts access directories and files in the account.

There are three sets of permissions which control access to directories and files on UNIX. Those three sets are for the owner of the file, for the group of the file, and for others, who are neither owners nor in the group. A new file automatically has the owner set to be the account that created the file. If there were no other factor, the group of the file would be the owner's personal group. For example, if your account created a file in the group account, the file would belong to you. You want to arrange things so that others in the group can edit that file in the future. Also, if the file is part of the group's web space, you want the web to be able to display it.

When someone tries to access the file, if they are the file owner, the permission that applies is the owner permission of the file. If they are not the owner, but are in the same group as the file, the group permission applies. If they are neither the owner of the file, nor in the group of the file, the other permission applies.

If you have a group (club, fraternity, sorority, project) account and you, and maybe others, want to maintain the information in the account, you should add the individuals' accounts to the group account's UNIX group. The account owner can use the group edit page, http://www.wpi.edu/+gred, to add or remove individuals' accounts from the group account's UNIX group membership. You would not add everybody in the club to the account's group; you only need to add those who will be maintaining the information.

Now that the account's UNIX group has been expanded to include the individuals who will be maintaining the account, you should use the ssh access, as described above, to log in to a CCC UNIX system. Use this command to set up group access:

chmod g+rws ~ public_html

That chmod command adds to the group permissions (g+) of the home directory (~) and the web root directory (public_html), so that they are readable and writable by the group (r is readable, w is writable), and so that any files or directories which are created in those directories will be in the account's UNIX group, no matter which individual creates them. The s makes the group sticky for any files or directories which any of the group members create. As mentioned before, if an individual account creates a file, the file is normally in the individual's UNIX group, which would limit access by others who want to work on the account's files. The s option puts the file in the account's UNIX group, so that everyone in the UNIX group will have access.

You only need to do that chmod setup once, so that all future files and directories are in the group.

An account starts with a public_html directory and, of course, a home directory, so we list those two in the chmod command above. If an account is passed to you with other directories already in it, it would be a good idea to change the modes of those directories, too, so that the rest of the account's files are easier to maintain.
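
The following is an added example, not part of the original page: it runs the chmod above over every directory that already exists in an account and checks the result. The function names and the sandbox directory are hypothetical; the s in g+rws is the set-group-ID bit, which the script tests for.

```shell
#!/bin/sh
# Added example: apply the page's "chmod g+rws" to every directory in an
# account and verify the result. Function names are hypothetical.

# List directories under $1 that lack group read, group write, or the
# set-group-ID bit (octal 2060), i.e. what "chmod g+rws" is meant to set.
list_unshared_dirs() {
    find "$1" -type d ! -perm -2060
}

# Run the page's chmod on $1 and on every directory below it.
share_dirs_with_group() {
    find "$1" -type d -exec chmod g+rws {} +
}

# True if a file newly created in directory $1 lands in that directory's group.
new_files_join_group() {
    probe="$1/.group-probe.$$"
    : > "$probe" || return 1
    # -n prints numeric ids, so group names containing spaces cannot confuse awk.
    dir_group=$(ls -ldn "$1" | awk '{print $4}')
    file_group=$(ls -ln "$probe" | awk '{print $4}')
    rm -f "$probe"
    [ "$dir_group" = "$file_group" ]
}

# Demonstration on a constructed sandbox standing in for the account's home.
sandbox=$(mktemp -d)
mkdir -p "$sandbox/public_html/images" "$sandbox/minutes"
echo "Directories needing the chmod:"
list_unshared_dirs "$sandbox"
share_dirs_with_group "$sandbox"
echo "Left unshared afterwards: $(list_unshared_dirs "$sandbox" | grep -c .)"
new_files_join_group "$sandbox/minutes" && echo "new files inherit the group"
rm -rf "$sandbox"
```

Note that g+rws does not add group search (x) permission on a directory. A directory that shows a capital S in the group column of ls -ld has the set-group-ID bit but no group x, so group members cannot enter it.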

By the way, the web server runs in its own account. That account is not yours, and it is not in your group, so the permissions for others must be set on any file that the web must access, so that the web server can read and display your site. The server does not need to write anything in your account, or create any files, so you should only grant read access to others for files in your web site.
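
The following is an added example, not part of the original page: an audit of the permissions for others in a web tree, reporting anything writable by others and anything the web server's account could not read. The function names, finding labels and sample files are hypothetical. The directory search (x) check reflects standard UNIX behaviour and is not stated on the page.

```shell
#!/bin/sh
# Added example: audit the "other" permissions in a web tree.
# Function names and finding labels are hypothetical.

# Print one finding per line for the tree rooted at $1 (normally public_html).
audit_web_tree() {
    # Writable by others: any account on the system could alter the page.
    find "$1" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # Not readable by others: the web server's account cannot display it.
    find "$1" -type f ! -perm -0004 | sed 's/^/NOT-READABLE /'
    # Directories also need search (x) for others or the server cannot
    # reach the files inside; standard UNIX behaviour, not stated on the page.
    find "$1" -type d ! -perm -0001 | sed 's/^/NOT-SEARCHABLE /'
}

# Count findings of one kind ($2) in the tree at $1.
count_findings() {
    audit_web_tree "$1" | grep -c "^$2 " || true
}

# Remove write access for others throughout the tree; nothing else changes.
revoke_other_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Demonstration on a constructed tree standing in for public_html.
site=$(mktemp -d)
chmod 755 "$site"
mkdir "$site/images" "$site/drafts"
echo '<h1>Club</h1>' > "$site/index.html"; chmod 644 "$site/index.html"
echo 'old' > "$site/guestbook.txt";        chmod 666 "$site/guestbook.txt"
echo 'todo' > "$site/drafts/plan.txt";     chmod 640 "$site/drafts/plan.txt"
chmod 755 "$site/images"; chmod 750 "$site/drafts"
audit_web_tree "$site"
revoke_other_write "$site"
echo "World-writable after fix: $(count_findings "$site" WORLD-WRITABLE)"
rm -rf "$site"
```

A NOT-READABLE or NOT-SEARCHABLE finding is only a problem for content that is meant to be displayed; files kept deliberately private will also be listed.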

Maintained by itweb
Last modified: Aug 21, 2012, 14:27 EDT