SID-00282: Action "Change" not allowed; Action "Change" not requested
| Status: | Answered | TWiki version: | 4.3.0 | Perl version: | Perl 5.8.9 |
| Category: | CategoryAccessControl | Server OS: | Mac OS X 10.5 | Last update: | 16 years ago |
I have very recently installed TWiki and would like to keep the fine-grained access control. I am still in the testing and learning stage, so I registered myself via another external network to test some things, and on installing LatexModePlugin I found I could not read the documentation on my TWiki web as that user. The result on selecting was
"Access check on LatexModePlugin failed. Action "CHANGE": access not allowed on web."
There was no "changing" going on as far as I can tell. This was with access settings at
#Set ALLOWWEBCHANGE = TWikiAdminGroup
#Set ALLOWWEBRENAME = TWikiAdminGroup
I had to set it to
#Set ALLOWWEBCHANGE =
#Set ALLOWWEBRENAME = TWikiAdminGroup
before I could read it as that user. I would rather keep some things as readable but read only if possible. I don't think it is a plugin problem as I could read LatexIntro.
I'm not asking about reading the MathModePlugin yet as doing that actually changed ownership of the file to something I did not recognise and the *,v file to "root:_www". This is scary.
-- JanPompe - 2009-04-25
Discussion and Answer
I have worked out what was going on, I think. For some unknown reason some files were not owned by "_www:_www" but by 48:48, and apparently with the SUID bit set, even though I had run "sudo chown -R www:www *" from the twiki root. Some of the files to be read also weren't there until they had been read by the SuperAdminUser; this I think is a bit weird.
It's working now.
However, I am curious and must ask before I go through and change all the permissions: most of the files read "-rw-rw----@" and directories likewise have that '@'. I don't know what that '@' is, but it goes when I set permissions to '660'. Whatever it is, I don't think anything here should be running SUID.
-- JanPompe - 2009-04-25
The @-symbol in ls indicates extended attributes for a file or directory in OS-X, see http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man1/ls.1.html, http://developer.apple.com/documentation/Darwin/Reference/ManPages/man2/listxattr.2.html
As you found out, you need to set the file ownership of all files below twiki/data and twiki/pub to be owned by the webserver user. Also, .txt and attachment files should be -rw-r--r--, and the ,v RCS files -r--r--r--. See details in TWikiInstallationGuide.
TWiki internal access control is different. A * #Set bullet is a commented out setting, remove the # to activate the setting. Details in TWikiAccessControl.
-- PeterThoeny - 2009-04-25
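
One way to check a tree against the ownership and modes given in the answer above, and to catch stray setuid bits like the ones described in the follow-up. This is an added example, not part of the original thread or of TWiki's own tooling; `audit_twiki_perms` is a hypothetical helper, and the script name and `_www` user in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a TWiki tree for ownership, mode and setuid problems.
# Usage (assumed names): sh audit_twiki.sh /path/to/twiki _www

audit_twiki_perms() {
    root=$1      # TWiki root directory, containing data/ and pub/
    webuser=$2   # user name or numeric id the web server runs as
    findings=$(
        # Everything below data/ and pub/ must belong to the web server user.
        find "$root/data" "$root/pub" ! -user "$webuser" \
            -exec printf 'owner  %s\n' {} \;
        # No regular file in these trees should carry setuid or setgid.
        find "$root/data" "$root/pub" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'setid  %s\n' {} \;
        # ,v RCS history files: exactly -r--r--r--
        find "$root/data" "$root/pub" -type f -name '*,v' ! -perm 444 \
            -exec printf 'mode   %s (want 444)\n' {} \;
        # Topic text files: exactly -rw-r--r--
        find "$root/data" -type f -name '*.txt' ! -perm 644 \
            -exec printf 'mode   %s (want 644)\n' {} \;
        # Attachments (anything in pub/ that is not RCS history): -rw-r--r--
        find "$root/pub" -type f ! -name '*,v' ! -perm 644 \
            -exec printf 'mode   %s (want 644)\n' {} \;
    )
    # Exit status 0 means clean; 1 means at least one finding was printed.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    audit_twiki_perms "$1" "$2"
fi
```

The script only reports; it changes nothing. A file with the setuid bit set appears twice, once under `setid` and once under `mode`, because its mode no longer matches exactly.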