What is my Holding ID?

Every instance on a Cornell Stack VM is assigned its own Holding ID. You can find this Holding ID on the splash page of your instance, or by logging into the Hosting Dashboard and locating the VM the instance is running on (or finding the instance name under the Instances tab). Click Edit; about halfway down the page you'll see the Holding ID (runas) option.

By default the first instance is assigned lampuser1, and each subsequent instance increments by one (lampuser2, lampuser3, and so on).

This functionality exists so that one instance cannot access another instance's files: it creates a multi-tenant environment in which each instance runs as a different account (holding id). This provides more separation between instances, but it does not guarantee complete isolation. If you have security concerns about a particular instance, isolate it on its own VM. Typical reasons to use different ids are to separate dev/test/prod instances, or to support multiple developers while keeping them from reading each other's files.

The general approach:

  1. The lamp user still exists and should be treated as an administrative user with access to all files (useful if you want to use the PHP shell to browse the whole system)
  2. Keep instance permissions separate, and use ".wdaccess" files to limit individuals to their particular instance

There are two links to PHPShell on the splash page. The first link (blue arrow in the image below) logs you into PHPShell with the lamp user's permissions; the second link (red arrow) logs you into PHPShell with the permissions of that instance's holding id.

Known issues

  • It is possible to create a top-level directory that is not accessible to the webdav process. In that case, from the PHP shell (as lamp), run something like:
    chgrp -R lampgrp [problem directory]
    chmod -R g=u [problem directory]
  • The "fix-cgi" script does not work when running as a "lampuserXXX" id (use the PHP shell instead)
  • Changing the "runas" user on an instance resets all the group file permissions on that instance

Advanced configuration

It is possible to create a "locked down" configuration in which the web server process has only "read" permission on files uploaded via webdav (by default the web server has read/write).

To do this you need at least one "instance" running as "lamp".

  1. Using the "lamp" PHP shell, browse to the top-level directory of the instance you wish to restrict
    cd [target directory]
    
  2. Next, remove "write" permission for the group
    chmod -R g-w .
    
  3. (optional) Selectively enable "write" permission on specific directories
    chmod g+w uploads
    
  4. From the "lampuserXXX" PHP shell, verify that "write" access has been removed (for example, try to create a file in the directory; it should fail)
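The lockdown steps above, together with the group-ownership repair from the known-issues list, packaged as shell functions and exercised on a constructed directory tree. This is an added example, not a script from the Cornell Stack documentation or the hosting environment. It assumes the instance files are group-owned by the group the web server runs as (the page calls it lampgrp); the temp-dir layout, the file names and the group override argument are stand-ins for a real instance.

```shell
#!/bin/sh
# Added example (not part of the Cornell Stack documentation): the "locked down"
# procedure as functions, run against a constructed tree in a temp directory.
# Assumptions: files are group-owned by the web server's group ("lampgrp" on
# the page); the tree built in demo_lockdown is a stand-in for a real instance.

# Step 2: strip the group write bit from everything under the instance root,
# so the web server (group access) can read but not modify uploaded files.
lockdown_tree() {
    chmod -R g-w "$1"
}

# Step 3: hand write access back to the group on one chosen directory.
enable_group_write() {
    chmod g+w "$1"
}

# Known-issue repair: a top-level directory created with the wrong group is not
# accessible to the webdav process; re-group it and copy the owner bits to group.
repair_group_access() {
    dir="$1"
    group="${2:-lampgrp}"      # lampgrp is the page's group name; override for tests
    chgrp -R "$group" "$dir"
    chmod -R g=u "$dir"
}

# Exit 0 when the group write bit is set on a single path (column 6 of ls -ld).
group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# Step 4 check: succeed only if nothing under $1 is group-writable, apart from
# the paths passed as further arguments (the directories re-enabled in step 3).
verify_locked() {
    tree="$1"; shift
    find "$tree" -perm -g=w | while IFS= read -r path; do
        allowed=0
        for ok in "$@"; do
            [ "$path" = "$ok" ] && allowed=1
        done
        if [ "$allowed" = 0 ]; then
            echo "still group-writable: $path" >&2
            exit 1
        fi
    done
}

# Demo on a constructed tree: returns 0 when the lockdown behaves as described.
demo_lockdown() {
    root=$(mktemp -d)
    site="$root/site"
    mkdir -p "$site/uploads" "$site/includes"
    printf '<?php\n' > "$site/index.php"
    printf 'secret\n' > "$site/includes/config.php"
    chmod -R g+w "$site"                       # the page's default: group read/write

    lockdown_tree "$site"
    enable_group_write "$site/uploads"

    verify_locked "$site" "$site/uploads"      # only uploads may stay writable
    status=$?
    if [ "$status" -eq 0 ]; then
        echo "lockdown verified: only $site/uploads is group-writable"
    fi
    rm -rf "$root"
    return "$status"
}

demo_lockdown
```

On a real instance you would run lockdown_tree and enable_group_write from the "lamp" PHP shell against the instance's top-level directory, then run the verify_locked check (or simply try to create a file) from the "lampuserXXX" shell. repair_group_access is the same chgrp/chmod pair the known-issues list gives, with the group name parameterised so it can be tried outside the hosting environment.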