Forum OpenACS Q&A: How to set permissions for reading files

I want to read this file from a tcl/Aolserver file in ./www

./majordomo/lists
-rw-rw---1 majordom mail  911 Sep 26 10:12 teamlist

But I get a "permission denied" error. I presume that tcl/AOL server are logged in as "nsadmin" and therefore don't have permission to view this file in the "mail" group owned by "majordomo".

I was planning to read this file with:
set member_file [open /var/lib/majordomo/lists/member r]

Help Please
TIA-Bob

Your presumption is correct: unless nsadmin is in your mail group, as long as the file is not world-readable then AOLserver won't be able to open the file. You have three options: either make the file world readable (chmod o+r teamlist), add the nsadmin user to the mail group, or create or reassign the group ownership of the file to a different group that nsadmin is a member of.

I'd go with the first unless there is a compelling reason not to.

Posted by Bob OConnor on

I still haven't solved this one.

I've made the file -rw-rw-r-- and I've added nsadmin to the mail group and when I telnet in as the nsadmin user I can (even) edit the file. If I remove nsadmin from the mail group, I can't edit or read...correct as expected.

But, through aolserver which I assume is an NSADMIN user from ps:
...nsd76 -it .../nsd.tcl -u nsadmin -g nsadmin
I killed nsd76 so it would restart yet I get the same result in this tcl file:

if ** file owned /var/lib/majordomo/lists/teamlist **...
ns_log Notice "File IS NOT owned  (EXPECTED)

if **file readable /var/lib/majordomo/lists/teamlist **...
  ns_log Notice "File IS NOT readable (NOT EXPECTED)

set member_file **(open /var/lib/majordomo/lists/members RDONLY )**
  RESULT from Log:
Error: nsd.tcl: couldn't open "/var/lib/majordomo/lists/teamlist": permission denied
couldn't open "/var/lib/majordomo/lists/teamlist": permission denied
while executing
"open /var/lib/majordomo/lists/members RDONLY"

I even put nsadmin in the root group because the var & lib directories are root root and perhaps they couldn't be accessed. Yes I know this isn't safe but temporarily for testing....

So WHY the permission denied?

TIA -Bob

** square & curlies removed for this message

Posted by Janine Ohmer on
It has been my observation that only the AOLserver user's primary group is in effect.  For example, if you run AOLserver as nsadmin and that user's primary group is nsadmin, then AOLserver will only be able to read and write files which are available to that group.  Adding additional groups for the nsadmin user will not help.  I don't know why this is so, but I've run into it a few times now.  I'm not sure whether to call it a bug or a security feature! :)
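
One way to check the observation above on a Linux host, as an added example that is not part of the original thread: compare the groups the running nsd process actually holds (the Gid and Groups lines of /proc/<pid>/status) with the groups the account has in /etc/group. The sample text, the numeric ids and the function names are constructed for illustration.

```python
# Constructed sample of /proc/<pid>/status for an nsd started with
# "-u nsadmin -g nsadmin": primary gid only, no supplementary groups.
SAMPLE_STATUS = """Name:\tnsd76
Uid:\t501\t501\t501\t501
Gid:\t501\t501\t501\t501
Groups:\t501
"""

# Constructed sample of /etc/group after nsadmin was added to "mail".
SAMPLE_GROUP = """root:x:0:
mail:x:12:majordom,nsadmin
nsadmin:x:501:
"""


def process_gids(status_text):
    """Return the gids the process holds: effective gid plus Groups."""
    gids = set()
    for line in status_text.splitlines():
        key, _, rest = line.partition(":")
        fields = rest.split()
        if key == "Gid" and len(fields) >= 2:
            gids.add(int(fields[1]))  # second column is the effective gid
        elif key == "Groups":
            gids.update(int(g) for g in fields)
    return gids


def account_groups(group_text, user, primary_gid):
    """Return {gid: name} for the user's primary and supplementary groups."""
    groups = {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[2].isdigit():
            gid, members = int(parts[2]), parts[3].split(",")
            if gid == primary_gid or user in members:
                groups[gid] = parts[0]
    return groups


def missing_groups(status_text, group_text, user, primary_gid):
    """Names of groups the account has but the running process lacks."""
    held = process_gids(status_text)
    wanted = account_groups(group_text, user, primary_gid)
    return sorted(name for gid, name in wanted.items() if gid not in held)


if __name__ == "__main__":
    print(missing_groups(SAMPLE_STATUS, SAMPLE_GROUP, "nsadmin", 501))
```

On a live host, pass in the contents of /proc/<pid>/status for the nsd process and of /etc/group. A non-empty result means the process is running without those supplementary groups, so group permissions on a file such as teamlist will not apply to it.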