9 | | We recommend that you create a separate user and group for the BOINC server, and add the web-server user to this group. Details are [GroupPermissions here]. |
| 9 | BOINC server programs run as two different users: |
| 10 | * The scheduler and file upload handler are CGI programs, so they run as the same user as the web server (typically user 'apache', group 'apache'). |
| 11 | * BOINC daemons runs as whoever created the project (let's say user 'boincadm', group 'boinc'). |
| 12 | |
| 13 | By default, the directories created by user apache are not world-writeable. This causes problems: for example, when the file upload handler creates a directory in the [DirHierarchy upload hierarchy], it's owned by (apache, apache), and the [http://boinc.berkeley.edu/trac/wiki/FileDeleter file deleter] (which runs as boincadm) won't be able to delete the files there. |
| 14 | |
| 15 | == Recommended solution == |
| 16 | |
| 17 | Edit /etc/group so that apache belongs to group boinc, i.e. the line: |
| 18 | |
| 19 | {{{ |
| 20 | boinc:x:566: |
| 21 | }}} |
| 22 | becomes: |
| 23 | {{{ |
| 24 | boinc:x:566:apache |
| 25 | }}} |
| 26 | (Apache will need to be stopped/restarted for this to take effect.) |
| 27 | |
| 28 | When you create a BOINC project using [MakeProject make_project], the critical directories are owned by boincadm and have the set-GID bit set; this means that any directories or files created by apache in those directories will have group boinc (not group apache). The BOINC software makes all directories group read/write. Thus, both apache and boinc will have read/write access to all directories and files, but other users will have no access. |
| 29 | |
| 30 | On an existing project, do: |
| 31 | |
| 32 | {{{ |
| 33 | chmod 02770 upload |
| 34 | chmod 02770 html/cache |
| 35 | chmod 02770 html/inc |
| 36 | chmod 02770 html/languages |
| 37 | chmod 02770 html/languages/compiled |
| 38 | chmod 02770 html/user_profiles |
| 39 | }}} |
| 40 | |
| 41 | You may also need to change the ownership of these directories and all their subdirectories to boincadm/boinc. If you're running several projects on the same server and want to isolate them from each other, you can create a different user and group for each project, and add apache to all of the groups. |
| 42 | |
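Review bot: At new line 28, "both apache and boinc will have read/write access" names the group where it means the user; the accounts introduced at new lines 10-11 are apache and boincadm, so this should read "both apache and boincadm". At new line 11, "BOINC daemons runs" should be "BOINC daemons run". The chmod list at new lines 33-38 sets mode 02770 on html/inc, which, once apache is a member of group boinc (new line 24), gives the web-server user write access to that directory; either state why the web server needs to write there or give a read-only group mode for it. The chmod commands are also not recursive, while new line 41 speaks of changing ownership of "these directories and all their subdirectories", so the text should say whether existing subdirectories (for example those already created under upload as (apache, apache), per new line 13) need the same mode and set-GID bit applied.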