3965
Comment: UNIX typo
|
7616
Protect Your Files!
|
Line 1: | Line 1: |
#pragma section-numbers off This page describes the minimal efforts you must take after creating an account in order to remain in good standing at HCoop. <<TableOfContents>> |
|
Line 5: | Line 11: |
You shouldn't read the above as an unreasonable requirement that you check Yet Another E-mail Account every day. Most members fall into one of the following categories: | Most members fall into one of the following categories: |
Line 7: | Line 13: |
* They choose to use HCoop as their primary e-mail provider. This often goes along with owning their own domains that they host with HCoop and use for their primary e-mail addresses. * They run `echo my.primary@email.address > ~/.forward` to set up forwarding of all HCoop messages to their preferred e-mail addresses. |
* They choose HCoop as their primary e-mail provider. In a case like this, the member usually has an Internet domain hosted at HCoop and uses it for a primary e-mail address. * They set up forwarding of all HCoop messages to their preferred e-mail addresses by running `echo my.primary@email.address > ~/.public/.forward`. |
Line 10: | Line 16: |
We want to have a simple recipe for how to reach any member. This is "e-mail `member_username@hcoop.net`", and we hold you responsible for configuring your e-mail settings so that this method for reaching you is effective. | We want to have a simple recipe for how to reach any member. That recipe is "e-mail `member_username@hcoop.net`", and we hold you responsible for configuring your e-mail settings so that this method for reaching you is effective. Big mail providers like Gmail have been known to filter important messages from us as "spam." However you set up your e-mail, it's a good idea to have the sender address `payment@hcoop.net` on a spam whitelist, so that you at least receive our notices that your account is about to be deleted because you owe us money. |
Line 25: | Line 33: |
= Setting Alternate Contact Information = It never hurts to give us even more ways to contact you, including in situations where e-mail to `hcoop.net` is down. Please take a moment to visit the [[https://members.hcoop.net/portal/contact|contact information page]] on the portal to tell us how we can reach you. |
|
Line 27: | Line 39: |
Many of our members are gung-ho about receiving many e-mails each day related to HCoop, and they '''do''' subscribe to the discussion lists without trouble. We encourage anyone interested to visit [https://members2.hcoop.net/portal/pref the portal preferences page] to subscribe to voluntary lists. Just remember that you can revisit that page to unsubscribe at any time. | Many of our members are gung-ho about receiving many e-mails each day related to HCoop, and they '''do''' subscribe to the discussion lists without trouble. We encourage anyone interested to visit [[https://members.hcoop.net/portal/pref|the portal preferences page]] to subscribe to voluntary lists. Just remember that you can revisit that page to unsubscribe at any time. If you send mail to one of our lists using a "from" address other than your member@hcoop.net address, an admin will need to review your message one time only to add your address to a whitelist. This is what is happening if you get an e-mail telling you that your message is being held for moderation. Expect that it might take a few days for the next regular perusal of the moderation queue to happen. If you think your message is time-critical and should be considered sooner, you can always [[https://bugzilla.hcoop.net/enter_bug.cgi|file a Bugzilla bug]] in the Mailman category to notify the moderator. = Other Preferences = You should also take a look at the other options on [[https://members.hcoop.net/portal/pref|the portal preferences page]]. You have the option of opting into [[http://hcoop.net/dyn/members/|our public member directory]], and you can set payment provider e-mail addresses to make it easier for us to process your payments. |
Line 31: | Line 49: |
We have members with a variety of financial situations. To help keep dues low, we allow members with more financial resources to pledge to pay higher dues than normal, thus lowering everyone else's dues. Visit [https://members2.hcoop.net/portal/pledge the portal's pledge page] to learn about this system or make a pledge yourself. | We have members with a variety of financial situations. To help keep dues low, we allow members with more financial resources to pledge to pay higher dues than normal, thus lowering everyone else's dues. Visit [[https://members.hcoop.net/portal/pledge|the portal's pledge page]] to learn about this system or make a pledge yourself. = Don't Forget to Change Your Password = ...by running `passwd` in an ssh session on `ssh.hcoop.net`, because we stored your initial password unencrypted during the application process. It was protected by proper Unix file modes, but it is still best if not even system administrators knew your password. = Protect Your Files = We use the AndrewFileSystem to store member home directories and other important data. This is very convenient, since it allows a consistent view of our file system to be mounted on all of our machines, and it even allows members to mount that filesystem locally, so that editing HCoop files is as easy as editing files on local disk. However, this adds security and privacy considerations beyond what is usual for UNIX systems. Anyone on the Internet can mount our filesystem as a guest user. Such people can then do anything with our files that has been allowed for system:anyuser. By default, system:anyuser is granted directory listing permissions, but no other permissions, on your home directory. Every time you create a subdirectory of your home directory or any other directory, the initial permissions for the new directory are copied from the parent directory. Thus, if you take no special action, anyone on the Internet will be able to list the full recursive contents of your home directory. 
The full details of AFS permissions are beyond the scope of this little blurb, but the most important thing to know is that, if you want to keep directory contents private, you should run this on each new subdirectory you create of your home directory: {{{ fs sa ~/SUBDIRECTORY system:anyuser none }}} It is important that you not run this command on your base home directory, since some utility processes need to be able to list the contents of your home directory to get to your ~/.public directory, which contains important contents like (possibly) a mail .forward file and Domtool configuration. |
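Review bot: the added "Protect Your Files" text tells members to run `fs sa ~/SUBDIRECTORY system:anyuser none` "on each new subdirectory you create", but it does not cover directories that already exist beneath the one being locked down. The same paragraph says permissions are copied from the parent when a directory is created, so anything nested under SUBDIRECTORY before the command was run keeps the listing right it was created with. Suggest adding a sentence telling members to repeat the command on existing children, or to set the permission before putting anything in the directory. Separately, the added password section says the initial password was stored unencrypted but not whether that stored copy is removed once the member runs `passwd`; it would help to state that either way.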
This page describes the minimal efforts you must take after creating an account in order to remain in good standing at HCoop.
The most important thing to remember is that if you don't read all e-mail sent to you@hcoop.net promptly, your account may be removed. Here "promptly" probably means "at least once a month," but we do tend to assume that most members check their e-mail daily, and that almost everyone checks it at least weekly. With an all-volunteer staff, we just don't have the means to contact members otherwise, and we sometimes need your help on short notice to keep your sites running.
E-mail forwarding
Most members fall into one of the following categories:
- They choose HCoop as their primary e-mail provider. In a case like this, the member usually has an Internet domain hosted at HCoop and uses it for a primary e-mail address.
- They set up forwarding of all HCoop messages to their preferred e-mail addresses by running echo my.primary@email.address > ~/.public/.forward.
We want to have a simple recipe for how to reach any member. That recipe is "e-mail member_username@hcoop.net", and we hold you responsible for configuring your e-mail settings so that this method for reaching you is effective.
Big mail providers like Gmail have been known to filter important messages from us as "spam." However you set up your e-mail, it's a good idea to have the sender address payment@hcoop.net on a spam whitelist, so that you at least receive our notices that your account is about to be deleted because you owe us money.
A Cautionary Tale
It happens fairly often that a new member stumbles down this unfortunate path:
- Bob joins and reads about our voluntary-subscription mailing lists, such as hcoop-discuss.
- Wanting to contribute to the HCoop community, Bob uses the portal to subscribe to the lists.
- N months later, Bob notices that the lists can get quite a lot of traffic.
- Bob concludes that "HCoop sends him too much e-mail," forgetting that he can unsubscribe from the voluntary lists at any time on his portal preferences page.
- Bob stops reading all HCoop mailing list messages, including the hcoop-announce list that we sometimes use for important time-sensitive announcements; or, even worse, Bob originally decided that he didn't need to forward HCoop mail to his main e-mail account since he would just check his HCoop mailbox regularly, but now he ends up not reading any HCoop e-mail at all, even hand-crafted personal messages from desperate admins, who will always assume that bob@hcoop.net goes somewhere that Bob reads regularly.
- Bob misses a message asking him well in advance if he'd like to object to an increase in member dues, or Bob misses a message telling him he must make a dues payment soon or be expelled from the co-op, or Bob misses a message telling him that he must modify how his web site is set up or it will be taken down, etc.
If Bob just unsubscribed from the voluntary lists, he would be down to less than a message a month on average from our announcements list, plus a low balance reminder once a month if he gets behind in payments. We don't consider this to meet any reasonable definition of "too much e-mail," so we'll hold you responsible for problems that arise from your not reading messages of either of these two remaining kinds promptly.
Setting Alternate Contact Information
It never hurts to give us even more ways to contact you, including in situations where e-mail to hcoop.net is down. Please take a moment to visit the contact information page on the portal to tell us how we can reach you.
Now, About Those Lists...
Many of our members are gung-ho about receiving many e-mails each day related to HCoop, and they do subscribe to the discussion lists without trouble. We encourage anyone interested to visit the portal preferences page to subscribe to voluntary lists. Just remember that you can revisit that page to unsubscribe at any time.
If you send mail to one of our lists using a "from" address other than your member@hcoop.net address, an admin will need to review your message one time only to add your address to a whitelist. This is what is happening if you get an e-mail telling you that your message is being held for moderation. Expect that it might take a few days for the next regular perusal of the moderation queue to happen. If you think your message is time-critical and should be considered sooner, you can always file a Bugzilla bug in the Mailman category to notify the moderator.
Other Preferences
You should also take a look at the other options on the portal preferences page. You have the option of opting into our public member directory, and you can set payment provider e-mail addresses to make it easier for us to process your payments.
Sliding-Scale Pledges
We have members with a variety of financial situations. To help keep dues low, we allow members with more financial resources to pledge to pay higher dues than normal, thus lowering everyone else's dues. Visit the portal's pledge page to learn about this system or make a pledge yourself.
Don't Forget to Change Your Password
...by running passwd in an ssh session on ssh.hcoop.net, because we stored your initial password unencrypted during the application process. It was protected by proper Unix file modes, but it is still best if not even system administrators know your password.
Protect Your Files
We use the AndrewFileSystem to store member home directories and other important data. This is very convenient, since it allows a consistent view of our file system to be mounted on all of our machines, and it even allows members to mount that filesystem locally, so that editing HCoop files is as easy as editing files on local disk.
However, this adds security and privacy considerations beyond what is usual for UNIX systems. Anyone on the Internet can mount our filesystem as a guest user. Such people can then do anything with our files that has been allowed for system:anyuser. By default, system:anyuser is granted directory listing permissions, but no other permissions, on your home directory. Every time you create a subdirectory of your home directory or any other directory, the initial permissions for the new directory are copied from the parent directory. Thus, if you take no special action, anyone on the Internet will be able to list the full recursive contents of your home directory.
The full details of AFS permissions are beyond the scope of this little blurb, but the most important thing to know is that, if you want to keep directory contents private, you should run this on each new subdirectory you create in your home directory:
fs sa ~/SUBDIRECTORY system:anyuser none
It is important that you not run this command on your base home directory, since some utility processes need to be able to list the contents of your home directory to get to your ~/.public directory, which contains important contents like (possibly) a mail .forward file and Domtool configuration.
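To check which of your directories system:anyuser can still list, the following added example (not HCoop's own tooling) filters the output of fs listacl. The function name, the sample paths under /afs/example.org and the choice to skip ~/.public as well as the base home directory are assumptions made for this illustration; the sample ACL listing is constructed.

```shell
#!/bin/sh
# Added example, not HCoop tooling. Reads `fs listacl` output on stdin and
# prints "DIR<TAB>RIGHTS" for every directory whose Normal rights still
# grant system:anyuser anything. $1 is the base home directory: it is
# skipped, as is $1/.public (assumption: utility processes must reach it).
anyuser_dirs() {
    awk -v home="$1" '
        /^Access list for / {
            dir = $0
            sub(/^Access list for /, "", dir)
            sub(/ is$/, "", dir)
            section = ""
            next
        }
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == "system:anyuser" && $2 != "" {
            if (dir != home && dir != (home "/.public"))
                print dir "\t" $2
        }
    '
}

# Constructed sample of `fs listacl` output for four directories.
sample_listacl() {
cat <<'EOF'
Access list for /afs/example.org/home/bob is
Normal rights:
  system:anyuser l
  bob rlidwka
Access list for /afs/example.org/home/bob/private is
Normal rights:
  bob rlidwka
Access list for /afs/example.org/home/bob/notes is
Normal rights:
  system:anyuser l
  bob rlidwka
Access list for /afs/example.org/home/bob/old is
Normal rights:
  bob rlidwka
Negative rights:
  system:anyuser l
EOF
}

# Only "notes" is reported: it was created before its parent was locked down.
sample_listacl | anyuser_dirs /afs/example.org/home/bob
```

On a real account the input would come from something like find "$HOME" -type d -exec fs listacl {} + (an assumed invocation), and each directory reported is a candidate for the fs sa command above.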
And All the Rest...
Our MemberManual should contain everything else you need to know to use your HCoop membership effectively.