22 | | * The scheduler and file upload handler are CGI programs, so they run as the same user as the web server (on Fedora this is user 'apache'; on Debian it's 'www-data'). |
23 | | * BOINC daemons runs as whoever created the project (let's say user 'boincadm', group 'boinc'). |
24 | | |
25 | | By default, the directories created by user apache are not world-writeable. This causes problems: for example, when the file upload handler creates a directory in the [DirHierarchy upload hierarchy], it's owned by (apache, apache), and the [http://boinc.berkeley.edu/trac/wiki/FileDeleter file deleter] (which runs as boincadm) won't be able to delete the files there. |
26 | | |
27 | | To solve this problem, edit /etc/group so that apache belongs to group boinc, i.e. the line: |
| 22 | * The scheduler and file upload handler are CGI programs, so they run as the same user as the web server (on Fedora this is user '`apache`'; on Debian it's '`www-data`'). |
| 23 | * BOINC daemons runs as whoever created the project (let's say user '`boincadm`', group '`boinc`'). |
| 24 | |
| 25 | By default, the directories created by user apache are not world-writeable. This causes problems: for example, when the file upload handler creates a directory in the [DirHierarchy upload hierarchy], it's owned by (apache, apache), and the [http://boinc.berkeley.edu/trac/wiki/FileDeleter file deleter] (which runs as `boincadm`) won't be able to delete the files there. |
| 26 | |
| 27 | To solve this problem, edit `/etc/group` so that `apache` belongs to group `boinc`, i.e. the line: |
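Review bot: new line 27 tells the reader to add only `apache` to group `boinc`, but line 22 says the web server runs as `www-data` on Debian, so a Debian admin following this literally would add the wrong account. Suggest wording it as the web server user (`apache` or `www-data`). The monospace markup is also applied unevenly in line 25, where "user apache" and "(apache, apache)" are left plain while `boincadm` is marked. Line 23 still reads "BOINC daemons runs", which should be "run".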
38 | | Both boincadm and apache should have umasks that allow group read and write. |
39 | | |
40 | | When you create a BOINC project using [MakeProject make_project], the critical directories are owned by boincadm and have the set-GID bit set; this means that any directories or files created by apache in those directories will have group boinc (not group apache). The BOINC software makes all directories group read/write. Thus, both apache and boinc will have read/write access to all directories and files, but other users will have no access. |
| 38 | Both `boincadm` and `apache` should have umasks that allow group read and write. |
| 39 | |
| 40 | When you create a BOINC project using [MakeProject make_project], the critical directories are owned by `boincadm` and have the set-GID bit set; this means that any directories or files created by apache in those directories will have group `boinc` (not group `apache`). The BOINC software makes all directories group read/write. Thus, both `apache` and `boinc` will have read/write access to all directories and files, but other users will have no access. |
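Review bot: the last sentence of new line 40 still says "both `apache` and `boinc` will have read/write access", which pairs a user with a group. From lines 38 and 40 the two accounts are `apache` and `boincadm`, sharing group `boinc`, so this should read `boincadm`. Formatting `boinc` as an identifier makes the slip look intentional. In the same line "created by apache" is left unmarked while the other account names are marked.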
53 | | You may also need to change the ownership of these directories and all their subdirectories to boincadm/boinc. If you're running several projects on the same server and want to isolate them from each other, you can create a different user and group for each project, and add apache to all of the groups. |
54 | | |
55 | | When serving your project files from apache, note that all directories up to and including the html directory must have execute permissions. For example, if you use make_project to create the project template in your home directory, your home directory must have 711 permissions as opposed to the default of 700. If this is not corrected, you will receive a 403 Permission Denied error when attempted to browse to your project page. More information on dealing with apache permissions problems can be found [http://httpd.apache.org/docs/1.3/misc/FAQ.html#forbidden here]. |
56 | | |
| 53 | You may also need to change the ownership of these directories and all their subdirectories to `boincadm/boinc`. If you're running several projects on the same server and want to isolate them from each other, you can create a different user and group for each project, and add `apache` to all of the groups. |
| 54 | |
| 55 | When serving your project files from Apache, note that all directories up to and including the html directory must have execute permissions. For example, if you use make_project to create the project template in your home directory, your home directory must have 711 permissions as opposed to the default of 700. If this is not corrected, you will receive a '''403 Forbidden''' error when attempted to browse to your project page. See [http://httpd.apache.org/docs/1.3/misc/FAQ.html#forbidden more information] on dealing with Apache permissions problems]. |
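Review bot: the rewritten link at the end of new line 55 leaves a stray closing bracket: "[http://httpd.apache.org/docs/1.3/misc/FAQ.html#forbidden more information] on dealing with Apache permissions problems]." Drop the final "]" or move the whole phrase inside the link text. The same line keeps "when attempted to browse", which should be "when attempting to browse", and `make_project` is not marked as an identifier here although account names are. In line 53, `boincadm/boinc` is marked as one token; `boincadm`:`boinc` or separate user and group names would make the owner and group easier to tell apart.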