File Permissions

Last Updated: October 2024

As NGINX is acting as the primary HTTP process, many of the files will need to be accessible by the NGINX user account. There are additional permissions that need to be granted if Security-Enhanced Linux (SELinux) is active on your server. This part of the production installation guide will show you how to manage the file permissions for your server.

1. Change Static and Workspace Ownership

Change the owner of the STATIC_ROOT and TETHYS_WORKSPACES_ROOT directories and contents to the NGINX_USER:

sudo chown -R <NGINX_USER|APACHE_USER>: <STATIC_ROOT>
sudo chown -R <NGINX_USER|APACHE_USER>: <TETHYS_WORKSPACES_ROOT>
sudo chown -R <NGINX_USER|APACHE_USER>: <MEDIA_ROOT>

Note

Replace <NGINX_USER|APACHE_USER> with the user noted in the NGINX Configuration step. Replace <STATIC_ROOT>, <TETHYS_WORKSPACES_ROOT>, and <MEDIA_ROOT> with the paths to the directories you set up in the Static and Workspaces Directories step.

2. Setup Shortcuts for Changing Permissions (Optional)

You will often need to change the ownership of the TETHYS_HOME, STATIC_ROOT, MEDIA_ROOT, and TETHYS_WORKSPACES_ROOT to your user and then back to the nginx user again. This needs to be done whenever you are making changes to files in one of these directories. For example, whenever you run tethys manage collectstatic, you will need to change the ownership of these directories to your user to allow the command to copy files into those directories. Then you will need to change it back to the nginx user to allow the server to have access to these files to serve them.

For convenience, you may consider setting up these or similar aliases in the activate script of your environment:

export ACTIVATE_SCRIPT="<CONDA_HOME>/envs/<CONDA_ENV_NAME>/etc/conda/activate.d/tethys-activate.sh"
export DEACTIVATE_SCRIPT="<CONDA_HOME>/envs/<CONDA_ENV_NAME>/etc/conda/deactivate.d/tethys-deactivate.sh"
export STATIC_ROOT="<STATIC_ROOT>"
export TETHYS_WORKSPACES_ROOT="<TETHYS_WORKSPACES_ROOT>"
export TETHYS_HOME="<TETHYS_HOME>"
export NGINX_USER="<NGINX_USER>"

# Add lines to the activate script that create aliases that change ownership of Tethys directories to the active user
echo "alias tethys_user_own='sudo chown -R \${USER} \"${STATIC_ROOT}\" \"${TETHYS_WORKSPACES_ROOT}\"'" >> "${ACTIVATE_SCRIPT}"
echo "alias tuo=tethys_user_own" >> "${ACTIVATE_SCRIPT}"

# Add lines to the activate script that create aliases that change ownership of Tethys directories to the NGINX user
echo "alias tethys_server_own='sudo chown -R ${NGINX_USER} \"${STATIC_ROOT}\" \"${TETHYS_WORKSPACES_ROOT}\"'" >> "${ACTIVATE_SCRIPT}"
echo "alias tso=tethys_server_own" >> "${ACTIVATE_SCRIPT}"

# Add lines that remove the aliases to the deactivate Script
echo "unalias tethys_user_own" >> "${DEACTIVATE_SCRIPT}"
echo "unalias tuo" >> "${DEACTIVATE_SCRIPT}"
echo "unalias tethys_server_own" >> "${DEACTIVATE_SCRIPT}"
echo "unalias tso" >> "${DEACTIVATE_SCRIPT}"
  1. Copy the lines above into a new shell script (e.g.: setup_aliases.sh) and then edit the file, replacing all of the variables in angle brackets (i.e. <CONDA_HOME>) with the appropriate values:

  • <CONDA_HOME>: Path to where you installed conda. The default is /home/<username>/miniconda3 or ~/miniconda3.

  • <CONDA_ENV_NAME>: Name of your Tethys environment. This is usually tethys unless you specifically changed it during the Install Tethys Platform step.

  • <STATIC_ROOT>: Path to the directory with the static files that you setup in the Static and Workspaces Directories step.

  • <TETHYS_WORKSPACES_ROOT>: Path to the directory with the app workspaces files that you setup in the Static and Workspaces Directories step.

  • <TETHYS_HOME>: Path to the Tethys home directory that you noted in the Portal Configuration step.

  • <NGINX_USER>: Name of the NGINX user that you noted in the NGINX Configuration step.

Important

Do not replaces the ${} variables in the script.

  1. Deactivate your environment and then run the shell script. For example:

    conda deactivate
    . setup_aliases.sh
    
  2. Activate your Tethys environment and test the commands and check permissions on the directories to verify they worked:

    conda activate tethys
    tethys_user_own
    
  3. Be sure to change ownership back to the NGINX user before moving on:

    tethys_server_own
    

3. Security-Enhanced Linux File Permissions (Rocky Linux, May not Apply)

If you are installing Tethys Portal on a Rocky Linux or RedHat system that has Security-Enhanced Linux (SELinux) enabled and set to enforcing mode, you may need to perform additional setup to allow the server processes to access files.

SELinux adds additional layers of security that define access controls for applications, processes, and files on a system. To learn more about SELinux see: Security-Enhanced Linux, What is SELinux, CentOS SELinux, RedHat SELinux.

Note

If you are using Rocky Linux for your deployment, it does not necessarily mean that you are using it with SELinux enforcing. You can check the SELINUX variable in /etc/selinux/config to see if SELinux is being enforced. Alternatively, you can check using the getenforce command.

For an example of SELinux configuration, see: Security-Enhanced Linux.