RhinoTrac
LassoSoft Ticket Tracking System
NOTE: If you are using Lasso Server 9.3 please Log your ticket directly via the LUX admin as this will give us more information about your issue.
Lasso 9 Issues
Ticket #7488: _lasso user's primary group shouldn't have to match web folder group
- Reported by:
- Eric Knibbe
- Date:
- 08 Jan, 2013
- Priority:
- minor
- Component:
- Lasso 9
- Version:
- 9.2
- Keywords:
- Platform:
I've found that for Lasso to be able to read files in an Apache-served folder which does '''not''' have world-execute permissions (e.g. 750), the primary group of the user that Lasso runs as (usually _lasso / _lasso) must match the folder's group.
While this is generally not a concern since most servers will have all folders set to 755 or 751 by default, with Plesk this can be a problem, since the httpdocs/ folders it creates are set to 750. Note that Apache itself does not have this limitation: on a CentOS / Plesk installation, on which the httpdocs/'s group is psaserv; the apache user's primary group is the apache group, and psaserv is one of its secondary groups. But if the _lasso user's primary group is _lasso and only has psaserv as a secondary group, it'll throw 404's every time. So, for Lasso to read a folder with permissions set to 750, the _lasso user must have its primary group set to the group psaserv with `usermod -g psaserv _lasso`.
Observed on Mac, CentOS, and Ubuntu.
Here's an exercise:
1. On a Mac, in a folder being served by Apache/Lasso, create a folder and put a .lasso file in it. By default, the folder should have permissions set to 755, owned by you, and inherit the group name of the parent folder (usually admin or staff). Ensure the .lasso file is readable via a web browser.
1. Remove all world permissions on the folder with `chmod 750 foldername`. This should cause Apache to give a "Forbidden" message.
1. Change the folder's group to one which contains the user that Apache runs as (_www), in this case, _www. Note how this causes Lasso 8 to serve the file without issue, while Lasso 9 throws a 404 error instead: `sudo chgrp _www foldername`
1. Add the _lasso user to the _www group, and see if that changes anything: `sudo dscl . append /Groups/_www GroupMembership _lasso` (hint: it doesn't, even after restarting Apache & Lasso)
1. Try the reverse: add the _www user to the _lasso group, then change the folder's group to _lasso (this will work): `sudo dscl . append /Groups/_lasso GroupMembership _www; sudo chgrp _lasso foldername`
1. Change the folder's group back to _www, but then change the _lasso user's primary group to _www and restart the Lasso instance—and it'll work: `sudo dscl . create /Users/_lasso PrimaryGroupID 70`
Please log in to your LassoSoft account to comment
While this is generally not a concern since most servers will have all folders set to 755 or 751 by default, with Plesk this can be a problem, since the httpdocs/ folders it creates are set to 750. Note that Apache itself does not have this limitation: on a CentOS / Plesk installation, on which the httpdocs/'s group is psaserv; the apache user's primary group is the apache group, and psaserv is one of its secondary groups. But if the _lasso user's primary group is _lasso and only has psaserv as a secondary group, it'll throw 404's every time. So, for Lasso to read a folder with permissions set to 750, the _lasso user must have its primary group set to the group psaserv with `usermod -g psaserv _lasso`.
Observed on Mac, CentOS, and Ubuntu.
Here's an exercise:
1. On a Mac, in a folder being served by Apache/Lasso, create a folder and put a .lasso file in it. By default, the folder should have permissions set to 755, owned by you, and inherit the group name of the parent folder (usually admin or staff). Ensure the .lasso file is readable via a web browser.
1. Remove all world permissions on the folder with `chmod 750 foldername`. This should cause Apache to give a "Forbidden" message.
1. Change the folder's group to one which contains the user that Apache runs as (_www), in this case, _www. Note how this causes Lasso 8 to serve the file without issue, while Lasso 9 throws a 404 error instead: `sudo chgrp _www foldername`
1. Add the _lasso user to the _www group, and see if that changes anything: `sudo dscl . append /Groups/_www GroupMembership _lasso` (hint: it doesn't, even after restarting Apache & Lasso)
1. Try the reverse: add the _www user to the _lasso group, then change the folder's group to _lasso (this will work): `sudo dscl . append /Groups/_lasso GroupMembership _www; sudo chgrp _lasso foldername`
1. Change the folder's group back to _www, but then change the _lasso user's primary group to _www and restart the Lasso instance—and it'll work: `sudo dscl . create /Users/_lasso PrimaryGroupID 70`
