Security recommendations for course directories

Some faculty like to use their course directories and courses.csail.mit.edu Web sites as collaboration tools to aid fellow faculty, teaching assistants, and graders in their work on the course. Some courses even allow students to submit assignments and papers online. This is a good thing, and we’re glad to see people making good use of the resource. However, there are some security issues which need to be addressed when setting up for your course.

For most courses, there is an AFS protection group with the same name as the course directory; e.g., for 6.XXX there will be a protection group 6.XXX. In the past, we have created two such groups, 6.XXX and 6.XXX-admin, with the -admin group self-administered and the main group owned by -admin. Going forward, we’re creating a single self-administered group. There are two ways you can make use of this:

1. You can put all of the course staff in that one group, and only use it.
2. You can use that group only for the course administrators (typically a faculty member and/or AA) and create dependent groups containing the rest of the course staff. For example:

     $ pts createg 6.xxx:staff -owner 6.xxx
     $ pts add -user john paul george ringo -group 6.xxx:staff

(The pts command is available on all TIG supported platforms when OpenAFS is installed.)

You can add users’ Athena accounts to your protection groups if you wish, provided that each user has first run aklog -cell csail.mit.edu while logged in to an Athena system. (This initializes the cross-cell user ID for a user.) They can then be identified as username@athena.mit.edu in your ACLs and group memberships.

As you probably know, Federal law and MIT policies place requirements on how students’ educational records are handled. The term “educational records” is defined very broadly, and includes not only grades, ID and phone numbers, and other “ordinary” private information, but also any assignments or other coursework submitted by the student (with a few exceptions). If you use your CSAIL course directory for instructor and TA collaboration, you are responsible for setting appropriate access-control lists to prevent disclosure of this information.

If you store student educational records in your course directory, it is essential that you make certain it is only accessible to the course staff. By default, directories inherit the permissions of their parent, which in the case of your Web directory allows all CSAIL Web servers (including any user-written CGI or PHP scripts) to read all files. You should make sure that special groups such as www, system:anyuser, and system:authuser do not have access to these directories. (The best course of action is to keep this information in the non-Web portion of your course directory.) If you wish to create a drop-box where students can submit their assignments via the Web, create a separate directory with the ACL entry www lik (lookup, insert, and lock only); this allows the Web server to create new files, but not read or write existing ones.
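As an added check (example code, not a TIG tool), the script below parses the text that fs listacl prints for a directory and flags the entries this section warns about: any access for www, system:anyuser or system:authuser on a directory holding educational records, and anything other than exactly lik for www on a drop-box. The paths and listings in it are constructed samples.

```python
"""Audit a course directory's AFS ACL against the recommendations above.
Added example; not a TIG tool. Parses the text `fs listacl <dir>` prints."""
import re

# Principals this page says must not have access to educational records.
WEB_PRINCIPALS = {"www", "system:anyuser", "system:authuser"}
DROPBOX_WWW = set("lik")  # lookup, insert, lock: create new files, not read/write

def parse_listacl(text):
    """Return {principal: set(rights)} from the 'Normal rights:' section."""
    acl, in_normal = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Normal rights:":
            in_normal = True
        elif line == "Negative rights:":
            in_normal = False  # negative entries are not part of this check
        elif in_normal:
            m = re.fullmatch(r"(\S+)\s+([rlidwka]+)", line)
            if m:
                acl[m.group(1)] = set(m.group(2))
    return acl

def audit(acl, dropbox=False):
    """Return findings (strings); an empty list means the ACL is as recommended.
    dropbox=True applies the 'www lik' rule for a Web submission directory."""
    findings = []
    for who in sorted(WEB_PRINCIPALS & set(acl)):
        rights = "".join(sorted(acl[who]))
        if dropbox and who == "www":
            if acl[who] != DROPBOX_WWW:
                findings.append(f"www has '{rights}'; a drop-box needs exactly 'lik'")
        else:
            findings.append(f"{who} has '{rights}'; remove with: fs setacl <dir> {who} none")
    return findings

# Constructed sample listings in the shape fs listacl prints (not real data).
GRADES_ACL = """Access list for /afs/csail.mit.edu/group/6.xxx/grades is
Normal rights:
  6.xxx rlidwka
  system:anyuser rl
  www rl
"""
DROPBOX_ACL = """Access list for /afs/csail.mit.edu/group/6.xxx/www/dropbox is
Normal rights:
  6.xxx rlidwka
  www lik
"""
```

Run it against the real output of fs listacl on each directory under your course directory; an empty result for the record directories and for the drop-box (with dropbox=True) means the ACLs match this page's advice.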

P.S.: It will be a boon to future students and instructors if you take care to create a new subdirectory for each term in which the course is taught, so that old URLs are both preserved and clearly distinguished – particularly when subject numbers are reassigned to a new course. See Sending redirects for more information.