Permissions on TCM's web server

The intention is that members of the web group can edit any content (except users' personal pages), and that it is easy to give editing rights to individuals for certain pages.

Every effort is made to ensure that files under ~web/htdocs are in the web group and group writable. This is done with a mixture of setgid directories and ACLs.

Generally only the owner of a file (or directory) can modify its ACL. However, the web_setfacl command (on pc52) allows anyone in the web group to alter the ACL of any file in the web group whose path starts /u/fs1. The syntax of web_setfacl is a subset of those of setfacl, and it will not operate on multiple files at once. In the examples below, setfacl can be replaced by web_setfacl.

To give a user write access to a file or directory:

setfacl -m u:spqr:rwx filename

To give a user write access to all files created in a directory in the future:

setfacl -m d:u:spqr:rwx dirname

To remove a user's permissions:

setfacl -x u:spqr

And to display permissions for a file:

getfacl filename