Difference between revisions of "Configuring Apache without changing User and Group"

From EPrints Documentation
Jump to: navigation, search
(Added instructions for installing EPrints without changing Apache's User or Group)
 
(Fixed typo and improved SPAG)
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
Instructions for installing EPrints on [[Installing_EPrints_on_RHEL/Fedora/CentOS|Red Hat based]] or [[Installing_EPrints_on_Debian/Ubuntu|Debian based]] Linux operating systems advises that you reconfigure Apache's configuration to set the Apache <tt>User</tt> and <tt>Group</tt> to <tt>eprints</tt> tather than <tt>apache</tt> (for Red Hat based Linux) or <tt>www-data</data> (for Debian based Linux, where these are defined as <tt>APACHE_RUN_USER</tt> and <tt>APACHE_RUN_GROUP</tt>).  It is not absolutely necessary to do this but if you choose not to change this the alternative configuration is more complex and may still lead to certain EPrints functionality not working as expected if at all if yor repository has certain plugins installed or uses particular bespoke configuration.
+
Instructions for installing EPrints on [[Installing_EPrints_on_RHEL/Fedora/CentOS|Red Hat based]] or [[Installing_EPrints_on_Debian/Ubuntu|Debian based]] Linux operating systems advises that you reconfigure Apache's configuration to set the Apache <tt>User</tt> and <tt>Group</tt> to <tt>eprints</tt> rather than <tt>apache</tt> (for Red Hat based Linux) or <tt>www-data</tt> (for Debian based Linux, where these settings are defined as <tt>APACHE_RUN_USER</tt> and <tt>APACHE_RUN_GROUP</tt>).  It is not absolutely necessary to set <tt>eprints</tt> as the Apache <tt>User</tt> and <tt>Group</tt> but if you choose not to do this, the alternative configuration is somewhat more complex and may still lead to certain EPrints functionality not working as expected.  Particularly functionality provided by Bazaar plugins or as a result of bespoke configuration.
  
If you choose to not configure <tt>eprints</tt> as the Apache <tt>User</tt> and <tt>Group</tt> you need to perform the following steps instead.  If you want to make these changes to an existing EPrints repository, it is sytrongly recommend that you do this on a pre-production test system first, so you can fix any snags.
+
If you choose to not configure <tt>eprints</tt> as the Apache <tt>User</tt> and <tt>Group</tt> you need to perform the following steps instead.  '''If you want to make these changes to an existing EPrints repository, it is strongly recommended that you do this on a pre-production or test system first.''' This will allow you to test and fix any snags before changing your production system.
  
1. Add the <tt>eprints</tt> user to the <tt>apache</tt> or <tt>www-data</tt> group, (depending on the Linux OS you are running).
+
1. As the root user, add the <tt>eprints</tt> user to the <tt>apache</tt> or <tt>www-data</tt> group, (depending on the Linux OS you are running).
 
  usermod -a -G apache eprints
 
  usermod -a -G apache eprints
 
  usermod -a -G www-data eprints
 
  usermod -a -G www-data eprints
  
2. Add the <tt>apache</tt> or <tt>www-data</tt> user, (depending on the Linux OS you are running), to the <tt>eprints</tt> group.
+
2. As the root user, add the <tt>apache</tt> or <tt>www-data</tt> user, (depending on the Linux OS you are running), to the <tt>eprints</tt> group.
 
  usermod -a -G eprints apache
 
  usermod -a -G eprints apache
 
  usermod -a -G eprints www-data
 
  usermod -a -G eprints www-data
  
3. Ensure that all the files and directories have the same permissions for the group as for the user.  If you are just starting you installation of EPrints this can be achieved with one of the following command depending on whether you want other users to have read access to EPrints code, configuration and dataChoose the former if you don't want other users to have read access
+
3. Ensure that all the files and directories have the same permissions for the group as for the user.  If you are just starting your EPrints installation this can be achieved by running one of the following commands as the root user.  (The former command is already in the main installation instructions.  Use the latter command if you do not want users other to be able to read EPrints code, configuration or uploaded files).
 +
  chmod 2775 /opt/eprints3
 
  chmod 2770 /opt/eprints3
 
  chmod 2770 /opt/eprints3
chmod 2775 /opt/eprints3
+
If you already have an EPrints repository, changing permissions is slightly more difficult.  In theory, it should suffice to just run (as the root user) the following command to add group write permissions to all files and directories.  (This may take some time if you have a lot of items in your archive).   
If you already have an EPrints repository changing the permission is slightly trickier.  In theory, it should suffice to add just group write permissions to all files and directories.  (This may take some time if you have a lot of items in your archive).   
 
 
  chmod -R g+w /opt/eprints3
 
  chmod -R g+w /opt/eprints3
However, depending on how your permissions are current set, this may not be sufficient and therefore is not recommended to follow these instructions allowing you to retain the original Apache <tt>User</tt> and <tt>Group</tt>, unless you have a good understanding of Linux filesystem permissions and how to use Apache's error logs to debug any issues that may result from the change.
+
However, depending on how your permissions are currently set, this may not be sufficient and therefore is not recommended to follow the instructions on this page unless you have a good understanding of Linux filesystem permissions and how to use Apache's error logs to debug any issues that may result of following these instructions.
  
4. If you previously configured to use <tt>eprints</tt> as the Apache <tt>User</tt> and <tt>Group</tt>, change these back to their original values (e.g. <tt>apache</tt> in ,tt> /etc/httpd/conf/httpd.conf</tt> for Red Hat based Linux and <tt>www-data</tt> in <tt>/etc/apache2/envvars</tt> for Debian based Linux).
+
4. If you previously configured to use <tt>eprints</tt> as the Apache <tt>User</tt> and <tt>Group</tt>, change these back to their original values (e.g. <tt>apache</tt> in <tt>/etc/httpd/conf/httpd.conf</tt> for Red Hat based Linux and <tt>www-data</tt> in <tt>/etc/apache2/envvars</tt> for Debian based Linux).
  
5. Check you Apache configuration is still valid and then restart Apache. (Use <tt>apache2ctl</tt> rather than <tt>apachectl</tt> for Debian based Linux).
+
5. As the root user, check your Apache configuration is still valid and then restart Apache. (Use <tt>apache2ctl</tt> rather than <tt>apachectl</tt> for Debian based Linux).
 
  apachectl configtest
 
  apachectl configtest
 
  apachectl restart
 
  apachectl restart
  
6. Particularly if you are changing an existing EPrints repository rather than creating a new one, thoroughly test all functionality for your repository.  In particular any functionality that interacts with other applications or services.  E.g.  
+
6. Particularly if you are changing an pre-existing EPrints repository, thoroughly test all your repository's functionality.  In particular, any functionality that interacts with other applications or services.  E.g.  
* Logging into your repository, particularly if you don't use local authentication (e.g. you use LDAP, Shibboleth, etc.)
+
* Logging into your repository, particularly if you don't generally use local authentication (e.g. you use LDAP, Shibboleth, etc.)
 
* Creating new eprint records.
 
* Creating new eprint records.
 
* Uploading and downloading documents.
 
* Uploading and downloading documents.
* Check that abstract pages update are changing eprint records.
+
* Check that abstract pages update after changing eprint records.
 
* Check browse view menus update after running <tt>epadmin refresh_views</tt>
 
* Check browse view menus update after running <tt>epadmin refresh_views</tt>
 
* Searching for items.  Particularly those newly added since following these instructions.
 
* Searching for items.  Particularly those newly added since following these instructions.
Line 34: Line 34:
 
* Starting and stopping the EPrints Indexer.
 
* Starting and stopping the EPrints Indexer.
 
* Sending a test email.
 
* Sending a test email.
* Any bespoke plugins/functionality you have added to your EPrints repository.
+
* Any Bazaar plugins or bespoke functionality you have added to your EPrints repository.
  
  
If everything is working as expected, then you are done.  If you hit an problems, trying using Apache's error logs to debug and fix the files with incorrect permissions.  If some functionality is still broken, then you may want to revert.  It should be sufficient to just change the Apache <tt>User</tt> and <tt>Group</tt> and group back to <tt>eprints</tt> and restart Apache.
+
If everything is working as expected, then you are done.  If you encounter any problems, try using Apache's error logs to debug and update the files with incorrect permissions.  If some functionality is still broken, then you may want to revert.  It should be sufficient to just change the Apache <tt>User</tt> and <tt>Group</tt> back to <tt>eprints</tt> and restart Apache.

Latest revision as of 11:33, 23 February 2024

Instructions for installing EPrints on Red Hat based or Debian based Linux operating systems advises that you reconfigure Apache's configuration to set the Apache User and Group to eprints rather than apache (for Red Hat based Linux) or www-data (for Debian based Linux, where these settings are defined as APACHE_RUN_USER and APACHE_RUN_GROUP). It is not absolutely necessary to set eprints as the Apache User and Group but if you choose not to do this, the alternative configuration is somewhat more complex and may still lead to certain EPrints functionality not working as expected. Particularly functionality provided by Bazaar plugins or as a result of bespoke configuration.

If you choose to not configure eprints as the Apache User and Group you need to perform the following steps instead. If you want to make these changes to an existing EPrints repository, it is strongly recommended that you do this on a pre-production or test system first. This will allow you to test and fix any snags before changing your production system.

1. As the root user, add the eprints user to the apache or www-data group, (depending on the Linux OS you are running).

usermod -a -G apache eprints
usermod -a -G www-data eprints

2. As the root user, add the apache or www-data user, (depending on the Linux OS you are running), to the eprints group.

usermod -a -G eprints apache
usermod -a -G eprints www-data

3. Ensure that all the files and directories have the same permissions for the group as for the user. If you are just starting your EPrints installation this can be achieved by running one of the following commands as the root user. (The former command is already in the main installation instructions. Use the latter command if you do not want users other to be able to read EPrints code, configuration or uploaded files).

chmod 2775 /opt/eprints3
chmod 2770 /opt/eprints3

If you already have an EPrints repository, changing permissions is slightly more difficult. In theory, it should suffice to just run (as the root user) the following command to add group write permissions to all files and directories. (This may take some time if you have a lot of items in your archive).

chmod -R g+w /opt/eprints3

However, depending on how your permissions are currently set, this may not be sufficient and therefore is not recommended to follow the instructions on this page unless you have a good understanding of Linux filesystem permissions and how to use Apache's error logs to debug any issues that may result of following these instructions.

4. If you previously configured to use eprints as the Apache User and Group, change these back to their original values (e.g. apache in /etc/httpd/conf/httpd.conf for Red Hat based Linux and www-data in /etc/apache2/envvars for Debian based Linux).

5. As the root user, check your Apache configuration is still valid and then restart Apache. (Use apache2ctl rather than apachectl for Debian based Linux).

apachectl configtest
apachectl restart

6. Particularly if you are changing an pre-existing EPrints repository, thoroughly test all your repository's functionality. In particular, any functionality that interacts with other applications or services. E.g.

  • Logging into your repository, particularly if you don't generally use local authentication (e.g. you use LDAP, Shibboleth, etc.)
  • Creating new eprint records.
  • Uploading and downloading documents.
  • Check that abstract pages update after changing eprint records.
  • Check browse view menus update after running epadmin refresh_views
  • Searching for items. Particularly those newly added since following these instructions.
  • Adding/editing phrases in the phrase editor.
  • Starting and stopping the EPrints Indexer.
  • Sending a test email.
  • Any Bazaar plugins or bespoke functionality you have added to your EPrints repository.


If everything is working as expected, then you are done. If you encounter any problems, try using Apache's error logs to debug and update the files with incorrect permissions. If some functionality is still broken, then you may want to revert. It should be sufficient to just change the Apache User and Group back to eprints and restart Apache.