Cal Poly Pomona

Accessing web pages

Introduction

Just because your web page is on the Intranet, that doesn't mean that the whole world can see it. Web pages, like any other files on the Intranet, have "access controls" that tell the web server who gets to see them.

This tutorial will present the basic principles of access control, and a simple approach for managing access controls for both a user directory and a group directory. It will also provide some tips for experienced users.

Basic Principles

Users and Groups

Each person with an Intranet account is a user. Each user can be a member of one or more groups. For example, almost all users are members of the group csupomona, which is the group of campus intranet users. Some groups are automatically created and others have users added manually. If you have an Intranet user name and password, you can view all the groups.

There is a special "group", Internet, which indicates that a file is accessible to everyone in the world with internet access.

Directories

Files on the Intranet are contained in directories (also called "folders" on Windows and Mac). There are three things you can do to a directory:

  1. Read it (get a listing of its files and included directories).
  2. Insert new files or directories into it.
  3. Delete files and directories from it.

Each of these privileges can be given to users or groups.

For viewing web pages, none of these are technically necessary (the web server can find any page with "search" permitted—the default—even if it can't read the directory), but the method outlined below allows users to see listings of directories that contain web pages.

For creating or editing web pages, all three privileges are necessary.

Files

There are three things you can do with a file:

  1. You can execute it, if it is a program (we won't deal with that here).
  2. You can read it.
  3. You can write changes to it.

Again, all these privileges can be given to users and groups.

For viewing web pages, only "read" access is necessary. You might think that "write" access would be necessary to edit an existing web page, but this isn't always true—some web page editors delete the old file and insert the new edited file, which requires insert and delete access to the directory, but not write access to the file.

Authentication

When a file is read-permitted to the Internet, anyone can go to it in a web browser and view it. If it is not permitted to the Internet, anyone attempting to view it will get a dialog box asking for his/her BroncoName and BroncoPassword. When a person's BroncoName and BroncoPassword are submitted, one of three things will happen:

  1. If the Intranet does not recognize the user, it will ask him/her for his/her BroncoName and BroncoPassword again three more times (in case it was mis-typed), and then it will give the "authorization required" message.
  2. If the Intranet recognizes the user, and the user or a group that the user belongs to has permission to read the page, the page will display.
  3. If the Intranet recognizes the user, but neither the user nor a group the user belongs to has permission to read the page, the user will receive the "access denied" message.

As you can see, web pages should ordinarily be set so that the Internet can read them, unless you specifically need to restrict access to certain users or groups.
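The read check and the three authentication outcomes above, together with the earlier point that some editors replace a file rather than write to it, as a small model. This is an added example, not the Intranet's own code; the `Acl` class, the function names and the sample accounts are all hypothetical.

```python
import hmac
from dataclasses import dataclass, field

INTERNET = "Internet"  # the special "group": everyone with internet access

@dataclass
class Acl:
    # privilege name -> principals holding it (user names, group names, INTERNET)
    grants: dict = field(default_factory=dict)

    def allows(self, priv, user=None, groups=()):
        holders = self.grants.get(priv, set())
        if INTERNET in holders:
            return True
        return user is not None and (user in holders or bool(holders & set(groups)))

# Constructed sample accounts (assumption: not real users or passwords).
ACCOUNTS = {"alice": {"password": "constructed-pw", "groups": {"csupomona", "staff"}},
            "bob": {"password": "constructed-pw2", "groups": {"csupomona"}}}

def view_page(file_acl, name=None, password=None):
    """Outcome of a page request; the repeated password prompts are collapsed."""
    if file_acl.allows("read"):              # read-permitted to the Internet
        return "page displayed"
    acct = ACCOUNTS.get(name)
    if acct is None or not hmac.compare_digest(acct["password"], password or ""):
        return "authorization required"      # user not recognized
    if file_acl.allows("read", name, acct["groups"]):
        return "page displayed"              # user or one of their groups may read
    return "access denied"                   # recognized, but not permitted

def save_by_replace(dir_acl, name):
    """Editor that deletes the old file and inserts the new one."""
    groups = ACCOUNTS[name]["groups"]
    return (dir_acl.allows("delete", name, groups)
            and dir_acl.allows("insert", name, groups))

def save_in_place(file_acl, name):
    """Editor that writes changes into the existing file."""
    return file_acl.allows("write", name, ACCOUNTS[name]["groups"])
```

In this model a file with no write grant can still be replaced by anyone holding insert and delete on its directory, so the directory's privileges decide who can change a page.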

New Users

By default, all files and directories in a user directory will be accessible only to the user. The steps below will set up your user directory to hold web pages accessible to the world, and leave the possibility of restricting some of them later on.

  1. Go to Intranet Services > select "Control Access to Files and Directories".
    1. You will be asked to select either your home directory, another user directory or a group directory.
  2. Choose the button for your home directory.
    1. You will then be prompted for your BroncoName and BroncoPassword.
  3. You will see a button labeled "Modify Access throughout directory" and below that a table with four columns: "type", "name", "read" and "write".

    Note: The top row will have a type of "other" and name of "Internet". By default, both read and write access are turned off.

  4. Check the box under "read" in the "Internet" row.
    1. Then click the "Modify Access" button.
  5. Every existing file and all new files in your user directory will now be viewable to the entire world.
  6. There may be files you want to restrict. Place them in separate directories inside your user directory. Once the new directories exist, they will appear in the list below the table.
    1. You can click on one of them.
    2. Click the Internet read option "off".
    3. Hit the "Modify Access" button. Now all existing and new files and directories inside that directory will have the new restrictive permissions.
  7. If you want to give access to specific users or groups:
    1. Select "user" or "group" from a drop-down in the left ("type") column.
    2. Enter the BroncoName or group name in the "name" column.
    3. Click the "Modify Access" button.

Continuing Users

If you have already set permissions in your user directory using a method other than the one above, switching to the method above could cause some of your settings to break. One approach is to use the "long form" (see below; also view the detailed User Directory Configuration instructions):

  1. Identify any directories or files that need to be restricted.
  2. Identify any CGI scripts that need special permissions, and what those permissions are.
  3. Follow the method for new users above.
  4. Go back and restore the restrictions to files that need restricting.
  5. Go back and restore correct permissions to CGI programs, as detailed in the User Directory Configuration documentation.

Groups

By default, files and directories in a group directory can be read by anyone on the internet, and can be modified by any member of the group.

To restrict access to specific files or directories:

  1. Go to Intranet Services > select "Control Access to Files and Directories".
    1. You will be asked to select either your home directory, another user directory or a group directory.
  2. Enter the name of a group directory and click its button.
    1. You will then be prompted for your BroncoName and BroncoPassword.

      Note: You must be a member of the group to pass this point.

  3. You will see a button labeled "Modify Access throughout directory" and below that a table with four columns: "type", "name", "read", and "write".

    Note: The top row will have a type of "other" and name of "Internet". By default, read access is turned on and write access is turned off.

  4. Below the table is a list of files and directories inside the group directory. Select the file you wish to restrict.

    Note: Ideally, all files to be restricted will be placed in a single restricted directory — new files in that directory will take on the same restrictions, so that you won't have to go through this again and again.

  5. You will see a new table for that file or directory. The group will have both read and write access, and the Internet will have read access.
    1. Click the "Internet read" option off.
    2. Click the "Modify Access" button.
  6. If you want to give access to specific users or groups:
    1. Select "user" or "group" from a drop-down in the left ("type") column.
    2. Enter the BroncoName or group name in the "name" column.
    3. Click the "Modify Access" button.

Tips for Experienced Users

Use the "long form"

The interface described above is for setting basic permissions; it is often called the "short form". By clicking on the downward-pointing triangle below the right edge of the table, you can open the "long form", which lets you change more settings, including the ability to permit others to control the access to files and directories, and in the case of individual files, to control their ability to execute. Use of the "long form" is beyond the scope of this tutorial, but there are detailed User Directory Configuration instructions available through Intranet Services.

Be careful of cgi-bin

Scripts in your cgi-bin may require specific permissions to run correctly, and setting permissions globally using the "short form" may reset them, causing them to break. For example, some CGI scripts require that users have insert and delete access to a directory, or write access to a file, and both of these are turned off in the default configurations explained above.

Don't use chmod

If you are used to using chmod in the Unix shell to control file access, please instead use aclmod on the Intranet; it gives full control over file access. Enter aclmod -h at the shell prompt for help.
