Web Guide is no longer being maintained and the information on this page may be out of date. For assistance with managing course materials, please visit MIT's Stellar course management system.

Controlling Access to Athena Lockers
Note: The following information applies to Web sites that are world-readable
(i.e., whose contents can be viewed from any Web browser). Information on other
access options is covered in Restricting Access to Your Site.
Access to Browse Your Web Site
Standard Configuration: World-readable
New course lockers include a www directory with access permissions preconfigured
so that files placed inside www can be viewed from any Web browser. If you
inherited an older locker, or wish to house your Web site in a directory other
than www, you may need to adjust access permissions as described below.
Note that Section 7 of MIT's Student Information Policy stipulates that some
types of information on course Web pages must be restricted to use by the staff
and students of that class only; if this applies to any of your materials, see
the section on Restricting Access to Your Site.
To make Web pages accessible to all Web browsers, the files must be world-readable.
On Athena, this means two things:
- The group system:anyuser must have "read" access to the directory containing
the Web site. This lets anyone read the files in that directory.
- The group system:anyuser must have "list" access to every directory in
the locker above the Web site. Also called "pass-through" access, this is
necessary for Web browsers to descend to your Web site through directories
above it. It lets anyone list the files on those directories, but not read
their contents (you may hide such a directory listing if this concerns you,
by putting a "dummy" file named index.html in the directory).
Checking Access Settings (ACLs) on Directories
To check the access permissions on a directory, the command is fs la
(file server, list ACL). You can specify the path, as follows, or omit the path
for the current directory:
athena% fs la path
This displays the ACL (Access Control List) for the specified directory. For example,
a new course locker will look something like the following. On the top level,
system:anyuser has list access (l at the end of the line):
athena% fs la /mit/29.123
Access list for /mit/29.123 is
Normal rights:
system:expunge ld
system:29.123 rlidwka
system:facdev rlidwka
system:authuser rl
system:anyuser l
jqprof rlidwka
On the www directory, system:anyuser has read access (rl at the
end of the line):
athena% fs la /mit/29.123/www
Normal rights:
system:expunge ld
system:29.123 rlidwka
system:facdev rlidwka
system:authuser rl
system:anyuser rl
jqprof rlidwka
(The other entries are explained in the Default Access Settings
for Course Lockers section, below.)
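The two world-readable requirements above can be checked in one pass. The following script is an added example, not part of the original Web Guide: it reads the system:anyuser line from fs la output for the web directory and for each directory above it, and reports whether the rights are sufficient (ok), insufficient (missing), or broader than the page calls for (excess). The function names, the FS_LA variable, the sample_fs_la stand-in and the /mit/29.123/projects path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit system:anyuser rights on the path to a web directory.
# Assumption: FS_LA names the command that prints an ACL ("fs la" on Athena).
FS_LA=${FS_LA:-"fs la"}

# Constructed stand-in for `fs la`, modelled on this page's 29.123 listings,
# so the audit can be tried offline with FS_LA=sample_fs_la.
sample_fs_la() {
    echo "Access list for $1 is"; echo "Normal rights:"
    echo "  system:authuser rl"
    case $1 in
        /mit/29.123)          echo "  system:anyuser l" ;;
        /mit/29.123/www)      echo "  system:anyuser rl" ;;
        /mit/29.123/projects) echo "  system:anyuser rlidwk" ;;  # over-exposed
    esac                      # any other path: no system:anyuser entry
}

# Read `fs la` output on stdin, print the rights string for system:anyuser.
anyuser_rights() { awk '$1 == "system:anyuser" { print $2; exit }'; }

# classify RIGHTS ROLE -> ok | missing | excess
# site needs r and l; a parent needs only l; i/d/w/k/a are never expected.
classify() {
    case $1 in *[idwka]*) echo excess; return ;; esac
    case $2:$1 in
        site:rl | site:lr | parent:l) echo ok ;;
        parent:*r*)                   echo excess ;;
        *)                            echo missing ;;
    esac
}

# audit LOCKER_ROOT WEB_DIR: print "dir role result" for WEB_DIR (site) and
# each directory above it up to LOCKER_ROOT (parent); non-zero if any is not ok.
audit() {
    root=$1 dir=$2 role=site status=0
    while :; do
        result=$(classify "$($FS_LA "$dir" | anyuser_rights)" "$role")
        echo "$dir $role $result"
        [ "$result" = ok ] || status=1
        [ "$dir" = "$root" ] && break
        dir=$(dirname "$dir") role=parent
        case $dir in /|.) status=1; break ;; esac   # WEB_DIR not under root
    done
    return $status
}
```

On Athena, source the file and run audit /mit/29.123 /mit/29.123/www; for a site kept at the locker's top level, pass the same path for both arguments.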
Changing ACLs
To change the access permissions, the command is:
athena% fs sa path user-or-group access
where access specifies the access-level, such as rl
for read access, or l for list access. For example, to give system:anyuser
list access to the top-level of the 29.123 course locker:
athena% fs sa /mit/29.123 system:anyuser l
To give system:anyuser read access to the Web site (in the www directory):
athena% fs sa /mit/29.123/www system:anyuser rl
- If you wish to restrict access to some or all of your Web pages,
see the section on Restricting Access to Your Site.
- If you inherited a locker which does not yet contain Web pages, you can
set the standard access configuration as follows:
  - Create a www directory if it does not exist.
  - Check the access permissions on the locker's top level and www directory
  and modify them as necessary, following the directions above.
Similarly, if you wish to use a subdirectory with a name other than www
for your top Web page, set the access permissions as above (substituting
your directory name for www) and make sure any directories above it have
list access (system:anyuser l).
- If you are not using your course locker for purposes other than a Web site,
you may want to keep the site at the top level rather than in a www directory.
Set the ACL to make the top level world-readable. For example, use the command:
athena% fs sa /mit/29.123 system:anyuser rl
Put a file named index.html at the locker's top level and you can then use
the URL:
http://web.mit.edu/29.123/
- If you wish to move or rename an existing Web site, think carefully about
how your site is accessed and how existing links (both to your site and within
your site) will resolve after you make the change. For general information
on moving a Web site, see How do I automatically redirect people to my page?
from MIT's WCS group. WCS (formerly known as CWIS) and
the Faculty Liaisons can discuss
these considerations with you in further detail.
Access to Modify Your Site
Administrative Group for a Course Locker
By default, each course locker has associated with it an "administrative group"
which usually consists of the faculty and TAs for the class. The locker is set
up to give administrative privileges to this group, which means that each member
of the administrative group has full write access to the locker, as well as permissions
to modify the group membership. This makes it easy to change who has administrative
privileges on the locker: you simply add new teaching staff to the group, or remove
old staff from it, rather than modifying the ACL on each directory in the locker.
You can modify the membership of the administrative group either via
the web, or by logging onto Athena.
- The web interface is located at http://web.mit.edu/moira/.
- From Athena, you can use a command-line
utility called blanche, or a menu-driven program
called listmaint:
- Using blanche to modify group membership
- To view the current membership:
athena% blanche group
For example:
athena% blanche 29.123
jqprof
janeta
joeta
- To add a member to the group:
athena% blanche group -a username
For example:
athena% blanche 29.123 -a fredta
- To remove a member from the list:
athena% blanche group -d username
For example:
athena% blanche 29.123 -d fredta
- Using listmaint to modify group membership
athena% listmaint
-------------------------------------------------------------------
List Menu
1. (show) Display information about a list.
2. (add) Create new List.
3. (update) Update characteristics of a list.
4. (delete) Delete a List.
5. (query_remove) Interactively remove an item from all lists.
6. (members) Member Menu - Change/Show Members of a List..
7. (list_info) List Info Menu.
8. (quotas) Quota Menu.
9. (help) Print Help.
t. (toggle) Toggle logging on and off.
q. (quit) Quit.
Command:
--------------------------------------------------------------------
- From this menu, type 6 (for members), and press Enter.
- At the prompt Name of list: enter the name of the administrative
group (e.g. 29.123).
- You will get a menu from which you can view the current membership,
and add or remove members.
- When adding or removing a member, you will first get the prompt:
Type of member (KERBEROS, LIST, STRING, USER) [user]:
- Press the Enter key to accept the default type (user).
- You will see a prompt as follows, with your username as the default,
in brackets:
Name of USER to add [jqprof]:
- Type the Athena username of the person to add, and press Enter.
At any point in listmaint, you can type r to go back up
to the previous menu.
Default Access Settings for Course Lockers
Note that while MIT's Student Information Policy has specific language about
restricting Web pages, it may also be necessary to restrict other areas of your
locker if you have sensitive materials, to prevent unwanted access via Athena
or AFS more generally; feel free to contact us if you have questions.
When the course locker is created, it is set up with administrative
access for the locker's owner (usually the faculty member who requested
the locker), the locker's administrative group, and a group named facdev
(which consists of the Faculty Liaison staff). The other settings on the
default ACL give any user logged onto Athena read-only access to the
locker, give list-only access for other users (in particular, for Web
browsers) and give the Athena system access to remove old files marked
for deletion (the group expunge has delete access).
Here is an example of the default ACL on a course locker's top level:
athena% fs la /mit/29.123
Access list for /mit/29.123 is
Normal rights:
system:expunge ld | delete access for expunge process
system:29.123 rlidwka | admin access for 29.123 (locker's admin. group)
system:facdev rlidwka | admin access for facdev (group of Faculty Liaisons)
system:authuser rl | read access for Athena users
system:anyuser l | list access for all users
jqprof rlidwka | admin access for jqprof (locker owner)
A few basic facts about ACLs:
- When you create a new directory in the course locker, it inherits the ACL
of the directory above it.
- When you modify the ACL on a directory, it does not change the ACL on any
other existing directories.
- It is generally much easier to control access through group membership
than by adding users directly to a directory's ACL.
If you wish to set your access permissions differently from the default, or if
you inherited an old locker which needs different settings, feel free to contact
the Faculty Liaisons for help. For more information on how ACLs work and how to
modify them, see Access Control in the
Course Locker Maintenance Guide.
Student Project Space and Other Limited Write Access to a Course Locker
Some course instructors wish to give students write access to space in the course
locker for projects or other purposes. In general, it is best to do this by creating
student groups, and giving them write access to limited areas of the course locker.
This way you can easily add and remove access for each student by modifying the
group membership. This ensures that they don't have write access to all of the
files in the course locker. The Faculty Liaisons will help you set this up, and
can also advise you on disk space needs (for projects requiring extra space, we
can make a temporary extra allocation in addition to the course locker quota).