Setting up File Tag Permissions in Lasso Professional 8.1+ on Mac OS X and Linux
 
Introduction

This article contains instructions on how to set up file tag permissions in Lasso Professional 8.1+ on Mac OS X and Linux. Steps that are not specific to Mac OS X apply to other operating systems as well, and even the OS-specific steps can be adapted. In other words, the process for working with the file tags in Lasso is essentially the same regardless of the operating system; only the details of the OS-specific steps differ. For complete information, please consult the Lasso Professional Language Guide and Mac OS X Tips that are included in the directory:

~/Applications/Lasso Professional 8/Documentation/
Instructions
Lasso Server Administration

Visit:
http://localhost/ServerAdmin.LassoApp

Step 1

Navigate to:
Setup > Server > Tags
Enable the File tag category.

Step 2

For this step, you need to determine where you want to write the files. On Mac OS X, fully qualified paths begin with ///. For web root paths, begin the path with just /. Mounted Volumes begin with ///Volumes/.

Navigate to:
8.1: Setup > Sites > File Paths
8.5: Sites > Sites > File Paths
Add Path to the appropriate Site.

///Library/WebServer/Documents/webroot/pathname/
or
/webroot/pathname/
or
///Volumes/Library/WebServer/Documents/webroot/pathname/

Lasso Site Admin

Visit:
http://localhost/SiteAdmin.LassoApp

Step 3

Navigate to:
Setup > Site > File Extensions
Under File Tags Settings, use Add Extension to add the extension of the files that you want to manipulate. Click Refresh to make sure the settings take hold.

Step 4

Navigate to:
Setup > Security > Groups
Create or use an existing group that will have or already has permissions to work on files. If the group does not have status Enabled, click the group name, and enable it.

Step 5

Navigate to:
Setup > Security > Users
Add a user to the group that will work on files, or ensure that the group already has one. Give the user a username and password, enable the user, and add it to the group. Remember the username and password; you will need them later for the inline that writes files. Click Refresh to make sure the settings take hold.

Step 6

Navigate to:
Setup > Security > Files
Select the group, click the desired file path (the one you added in Lasso Server Admin), then assign the appropriate file permissions. Click Refresh to make sure the settings take hold.

Either this group or the AnyUser group must be assigned permissions to work in the temporary files directory '///var/tmp'.

Step 7

Navigate to:
Setup > Security > Tags
Select the group, then set its Group Permissions for the File tag to Allow.

Note: Some users have reported that occasionally the permissions, users and groups they have just set don't take hold. Usually clicking Refresh after changing a setting will make the settings take hold. If that fails, restart Lasso so that it will reload the permissions tables.

Mac OS X and Linux Permissions and Ownership

Step 8

You must set at least one of the owner, group or other user permissions on Mac OS X such that Lasso can perform file tag operations on the directory or file. You must set permissions on the file as well as its containing directory.

Note: The following discussion applies to Mac OS X, and begins with 10.4 then moves on to 10.5.

The user lasso is a member of the group staff. A common setup that will allow Lasso to work on files and directories is where the owner of the file is your username and the group is staff. There are other situations where this will not work, and we will cover those next.

Example:

stevepiercy$ ls -al
total 1080
drwxr-xr-x   71 stevepie  staff   2414 Feb 28 09:32 .
drwxr-xr-x    6 stevepie  staff    204 Jun  8  2005 ..
drwxrwxr-x   16 stevepie  staff    544 Feb 27 22:18 uploads

Here the owner is stevepie and the group is staff. Lasso can operate on the directory 'uploads' because the user lasso is a member of the group staff, and the group staff has Read, Write and eXecute permissions on 'uploads'.

Generally, Lasso requires Read, Write and eXecute permissions on directories and only Read and Write permissions on files.

The above example might not work in situations where your username is the owner, the web server (apache) is the group and lasso is... left out of the picture. Here the problem is that your username must be the owner of the directory in order to FTP files into the directory, and the group apache must be the group of the directory in order to process or serve files within the directory, yet the user lasso is neither the owner nor a member of the group.

To fix this dilemma, do the following. Mac OS X and Linux have slightly different group structures, but the process is essentially the same.

Edit the file /etc/group

The file consists of newline-separated ASCII records, one line per group, each containing four colon-separated fields. These fields are as follows:

group_name:password:group_id:members_separated_by_commas

Mac OS X

Add lasso to the apache group. The group name is typically apache or www. Look for a line in the file like so:

apache:*:48:

Change that line by appending the user lasso:

apache:*:48:lasso

For 10.5 (and 10.6?), there are a few differences. 10.5 introduced Access Control Lists (ACLs or ackels) and the above procedures must be modified as follows.

When you create a new file manually, check its group. On my system the group is 'admin' instead of 'staff'. Therefore you will need to add the user 'lasso' to the group 'admin'. The procedure to do so is different from 10.4 and earlier.

sudo dscl . -append /Groups/admin GroupMembership lasso

Linux

Add lasso to your group. Look for a line in the file like so:

myuser:x:500:

Change that line by appending the user lasso:

myuser:x:500:lasso

Note: If you have modified your operating system's groups then you must restart Lasso Server (just the Lasso service, not the entire server) in order for Lasso to recognize the new users in groups.

Set the permissions so Lasso can operate in a directory

Change the group of the directory to staff and grant Read, Write and eXecute permissions to the group. The following example modifies a directory named mydirectory in the Web server root. The -R (recursive) parameter ensures that all files in the directory and sub-directories can be accessed by Lasso.

For Mac OS X 10.4-:

cd /Library/WebServer/Documents
sudo chgrp -R staff mydirectory
sudo chmod -R g+rwx mydirectory

For Mac OS X 10.5+:

cd /Library/WebServer/Documents
sudo chgrp -R admin mydirectory
sudo chmod -R g+rwx mydirectory

Set the permissions so Lasso can operate on a file

Change the group of the file and the directory in which the file exists to staff and grant Read, Write and eXecute permissions to the group. The following example modifies a file named log.txt inside a directory named mydirectory in the Web server root.

For Mac OS X 10.4-:

cd /Library/WebServer/Documents
sudo chgrp staff mydirectory
sudo chmod g+rwx mydirectory
sudo chgrp staff mydirectory/log.txt
sudo chmod g+rwx mydirectory/log.txt

For Mac OS X 10.5+:

cd /Library/WebServer/Documents
sudo chgrp admin mydirectory
sudo chmod g+rwx mydirectory
sudo chgrp admin mydirectory/log.txt
sudo chmod g+rwx mydirectory/log.txt

See the Mac OS X Tips PDF in your Lasso Professional application folder, under Documentation, for more specific details and other examples.
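To verify both halves of Step 8 from the shell, here is an added check that is not part of this article or of Lasso: it reads the path's group from ls -ld, looks the lasso user up in the /etc/group record format described above, and applies the rule that directories need g+rwx while files need only g+rw. It assumes membership is recorded in /etc/group, as on 10.4 and Linux; on 10.5+ confirm membership with dsmemberutil instead.

```shell
#!/bin/sh
# Added example, not from the article or from Lasso: verify that the "lasso"
# user (assumed default) can reach a path through the group permission bits.

# group_has_member GROUPFILE GROUP USER -> 0 if USER is in GROUP's member field
# (a user's primary group from /etc/passwd is not listed there, by design)
group_has_member() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# group_mode_ok PATH -> 0 if the group bits on PATH are what Lasso needs
group_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10) || return 1
    case "$mode" in
        d???rw[xs]*) return 0 ;;   # directory: group needs Read, Write and eXecute
        -???rw?*)    return 0 ;;   # regular file: group needs Read and Write only
        *)           return 1 ;;
    esac
}

# lasso_can_use PATH [USER] [GROUPFILE] -> 0 when both checks pass, else prints why
lasso_can_use() {
    path=$1; user=${2:-lasso}; groupfile=${3:-/etc/group}
    grp=$(ls -ld "$path" | awk '{ print $4 }')
    if ! group_has_member "$groupfile" "$grp" "$user"; then
        echo "$path: group is '$grp' but '$user' is not a member of it in $groupfile"
        return 1
    fi
    if ! group_mode_ok "$path"; then
        echo "$path: group '$grp' lacks the bits Lasso needs ($(ls -ld "$path" | cut -c1-10))"
        return 1
    fi
    echo "$path: ok (group $grp, mode $(ls -ld "$path" | cut -c1-10))"
}
```

Run it as lasso_can_use /Library/WebServer/Documents/mydirectory and again on each file inside; a failing line tells you which of the two fixes above (group membership or chmod) is still missing.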

Lasso Code

Step 9

Finally, supply the username and password of the user in the group that is allowed to use the file tags in an inline, like so:

inline(-username='XXXXXX', -password='XXXXXX');
...file tag stuff...
/inline;

Code Samples

The following code samples may be used to test whether you have set up file permissions correctly. If you get an error, then restart Lasso and try again. If you still get an error, go through this guide from the top. I recommend printing it out and checking off each point so you don't skip something along the way.

The following sample code can be used to test for the existence of a file, and therefore test for correct file permissions as well. Put it in a file, modify the username and password in the inline as required, then load it in a web browser.

The following sample code can be used to create and write a file to test file permissions. Put it in a file, modify the username and password as required as well as the other variables, then load it in a web browser. If successful, you will see No error and a valid link.

The following sample code can be used to test whether a file uploads and whether you have followed the directions above correctly. Put it in a file, modify the username, password and destination as required, then load it in a web browser.

Notes

There was an error uploading your file: (-1) Unknown error 4294967295

This error message appears on CentOS when a file upload fails because the file cannot be copied from the tmp directory to the destination, due to an OS permissions mismatch between apache, lasso and the owner. See the discussion in Step 8 for details and a fix.

Uploaded file type cannot be determined

The file_uploads array's upload.type parameter relies upon the original filename extension to arbitrarily assign a file type. For example '.jpeg' is assigned a file type of 'jpeg'. However, if the user uploads a file with a file extension that does not match its file type, or omits the file extension, then this method returns undesirable results.

To compensate, on Mac OS X and CentOS, the command line utility 'file' can be used to reliably determine the file type.

file /path/to/file.jpg
=>
/path/to/file.jpg JPEG image data, JFIF standard 1.01

Use os_process, PassThru from Execuchoice, or os_process with shell to run the command line utility through Lasso.

The result can then be parsed to determine how to properly process the uploaded file.
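As an added example that is not from the article or from Lasso, the following shell functions do that parsing step: they ask file(1) for the content-derived MIME type, compare it with the type implied by the original filename, and flag the renamed or extension-less uploads described above. They assume file(1) accepts --mime-type, which the versions shipped with Mac OS X and CentOS do.

```shell
#!/bin/sh
# Added example, not from the article or from Lasso: classify an upload by
# its bytes rather than by the extension the uploader chose.

# ext_type NAME -> lowercase extension of NAME (basename only), or "none"
ext_type() {
    name=${1##*/}
    case "$name" in
        *.*) printf '%s\n' "${name##*.}" | tr '[:upper:]' '[:lower:]' ;;
        *)   echo none ;;
    esac
}

# content_type PATH -> MIME type derived from the file's content, not its name
content_type() {
    file -b --mime-type "$1"
}

# check_upload PATH ORIGINAL_NAME -> prints "ok MIME" and returns 0 only when the
# claimed extension agrees with the detected content; otherwise prints
# "mismatch EXT MIME" and returns 1 so the caller can reject or re-classify it.
check_upload() {
    ext=$(ext_type "$2")
    mime=$(content_type "$1")
    case "$ext:$mime" in
        jpg:image/jpeg|jpeg:image/jpeg|png:image/png|gif:image/gif|txt:text/plain)
            echo "ok $mime"; return 0 ;;
        *)
            echo "mismatch $ext $mime"; return 1 ;;
    esac
}
```

Call check_upload with the temporary path Lasso hands you and the original upload name; on a mismatch, use the reported MIME type rather than upload.type to decide how the file is processed.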

Mac OS X 10.5 and later

With all versions of Mac OS X previous to Leopard, it was relatively easy to use NetInfo to add the user 'lasso' to the group 'admin' in order to allow Lasso to operate on files on Mac OS X. With Leopard, NetInfo is gone. In its place are several command line utilities that allow you to work with its replacement Directory Services, all of which start with 'ds'.

(When typing the actual command, replace (foo) with the value foo, or press the named key.)

ds(tab)(tab)

A list of commands will appear. Use man (utility) to read details of what each does.

In Leopard use the commands dscl and dsmemberutil to perform the following tasks.

To check whether a given user is a member of a given group:

dsmemberutil checkmembership -U (user) -G (group)

To see who is in a given group:

dscl . -read /Groups/(group)

...and look for the attribute GroupMembership.

To add an existing user to an existing group:

dscl / -append /Groups/(group) GroupMembership (user)

To add the user 'lasso' to the group 'admin':

dscl / -append /Groups/admin GroupMembership lasso

Since moving to Leopard, I just wanted to get file stuff to work with Lasso and Mac OS X, so until now I always changed permissions on the parent directory to 777.

chmod 777 /path/to/webroot

That's fine in a development environment where there is no concern for file permissions, but it may be cause for concern in a shared hosting environment because other users may be able to access those files.

File permissions changes not working as expected

I recently spent several hours troubleshooting a problem where my ISP and I were using the exact same code samples above (except for username and password) on two different sites and every single setting enumerated above was identical. One site was able to write and upload files, but the other was not.

Both sites had file perms of 775 on the parent directory to start. When we toggled file perms to 777, then the non-working site worked, but the potential security issue was not acceptable. We at least required 775.

We tried a Lasso Site restart, but the settings would not take hold. Ultimately we had to resort to restarting Lasso Service in order for the settings changes to take hold. Yes, that is exceptionally lame, but it is what it is.

file_write fails

A common frustration comes from the fact that file_write works only on existing files. If you try to use file_write on a file that does not exist, the operation will fail. You must first create the file, either through the Terminal or using Lasso code, like so:

file_create: 'file.txt';

file path rules of precedence

There are some undocumented rules of precedence concerning filepaths in Lasso Site Admin. I searched throughout the Lasso Language Guide and the Setup Guide, and found only two references to security that come close, but lack specific information. Please see the chapter "Setting up Security", sections "How Lasso Checks User Security" and "File Permissions".

To provide some assistance to the reader, here is the situation:

There is this default files setting:

/ (Read Only) Allow: Read, Inspect

And you have set up two additional filepaths:

/
///absolute/path/to/uploads/

Under Setup > Security > Files:

/

has permissions 'None'

///absolute/path/to/uploads/

has permissions 'Inspect, Read, Create, Write, Move, Copy, Delete, Any Extension'.

File uploads will fail (or require superuser authentication). But change the former's file path permissions to match the latter's, and file uploads work.

 

Updates, suggestions and comments regarding this article may be sent to Steve Piercy, web@stevepiercy.com.