Daniel Perván

Reputation: 1716

Setting Lasso 9 permissions

I'm attempting to configure an OSX Mavericks server running Apache and Lasso. For security and convenience I only want users belonging to a specific "web" group to be able to access the web root. I have succeeded in letting both permitted regular users and Apache (_www) access the files, but I cannot for the life of me manage to set the correct permissions for Lasso. I'm hoping someone here can point me in the right direction.

Basically, what I have done is the following:

sudo dseditgroup -o create web
sudo dseditgroup -o edit -a _www -t user web
sudo dseditgroup -o edit -a _lasso -t user web
sudo chgrp -R web webroot
sudo chmod -R 770 webroot

This apparently works for Apache, but any lasso files merely output a Lasso permission error:

An unhandled failure during a web request
Error Code: 13
Error Msg: Permission denied - While opening //Library/Server/Web/Data/Sites/...

I have also tried adding the _www and _lasso groups to the web group, as well as creating a new Lasso instance in the instance manager with the effective group set to "web".

Strangely, setting permissions to the _lasso user or group directly on the files (i.e. not through the web group) seems to work, which makes me believe there's something wrong with how I'm creating my ACLs.

A little more info:

ls -l@e example.lasso
-rwxrwx---+ 1 danielpervan  web  0 Feb 19 15:20 example.lasso
 0: user:_spotlight inherited allow read,execute

Upvotes: 0

Views: 131

Answers (1)

bfad

Reputation: 308

I've encountered problems similar to this when I have ACLs above and beyond the standard Unix permissions. From your post, it looks like there are some ACLs on the example.lasso file. I would run the following script on your web root to remove all ACLs from every folder / file:

sudo chmod -R -N /path/to/webroot/

If that doesn't work, verify that the _lasso user is part of the web group:

dscl . -read /groups/web | grep GroupMembership

Upvotes: 0
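
Because `chmod -R -N` removes every ACL under the web root, it helps to record which entries exist before running it. The following is an added example, not part of the original answer: two helpers that read `ls -le` and `dscl` output on stdin. The function names are hypothetical, and the sample listing is constructed apart from the `example.lasso` entry quoted in the question.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical helper names.
# On the server:  ls -leR /path/to/webroot | acl_entries
#                 dscl . -read /groups/web | group_has_member _lasso

# Print "path<TAB>entry" for every ACL entry in `ls -le` / `ls -leR` output.
# A file line shows '+' after the mode bits; its entries follow as " N: ..." lines.
acl_entries() {
    awk '
        /^ *[0-9]+: / {                        # ACL entry line
            if (name != "") { sub(/^ *[0-9]+: /, ""); printf "%s\t%s\n", name, $0 }
            next
        }
        NF >= 9 && $1 ~ /^[-dl]/ {             # file line: mode links owner group ...
            name = ""
            if (index($1, "+")) {              # only files that carry an ACL
                name = $9
                for (i = 10; i <= NF; i++) name = name " " $i
                name = dir name
            }
            next
        }
        /:$/ { dir = substr($0, 1, length($0) - 1) "/"; name = "" }  # "dir:" header from -R
    '
}

# Succeed only if USER is an exact member on the GroupMembership line.
# Whole-word comparison, so "_lasso" does not match "_lasso2".
group_has_member() {
    awk -v user="$1" '
        $1 == "GroupMembership:" { for (i = 2; i <= NF; i++) if ($i == user) found = 1 }
        END { exit !found }
    '
}

# Constructed sample listing (first file is the one shown in the question).
sample_listing() {
    cat <<'EOF'
total 0
-rwxrwx---+ 1 danielpervan  web  0 Feb 19 15:20 example.lasso
 0: user:_spotlight inherited allow read,execute
-rwxrwx---  1 danielpervan  web  0 Feb 19 15:20 index.html
-rwxrwx---+ 1 danielpervan  web  0 Feb 19 15:21 admin.lasso
 0: group:everyone deny read
 1: user:_spotlight inherited allow read,execute
EOF
}

sample_listing | acl_entries
```

A `deny` entry in the output is the kind that can override group access granted by the 770 mode bits, so those are the ones to look at first.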
