Dear Leo,
On Thu, 2014-08-21 at 05:24 +0200, CHAVAS Leonard wrote:
> Dear all
>
> I came across a disturbing feature and I would appreciate getting your thoughts on this.
>
> After rebuilding our data server, plenty of access rights have been
> changed and various folders have been ‘secured’ by restricting access
> to a few users and groups. The whole ccp4 suite has also been subjected
> to this new policy; no writing in the folders and in sensitive files
> can be done anymore by unknown users. Good to feel safe :D
This seems like a sensible policy, and most centralised installations of
software like CCP4 are best done in this way.
> Now, when running Refmac5, we came up with plenty of complaints about
> library files not readable, or more specifically some library files
> that ‘failed to open’. After a bit of juggling around, we understood what
> was wrong: all the involved library files needed to be ‘writable’ to
> be properly read.
The libraries should not need to be writable to be loadable.
> Here is therefore my disturbing piece: why would you need to be able
> to write in a file if you just want to be able to read / execute it? I
> don’t think that this is a bug, but rather a feature, and would like
> to understand the logic behind it.
I doubt very much that this is a feature of CCP4. Unfortunately, you
have not given nearly enough information for anyone to make concrete
suggestions. Having said that, I would speculate that the problem lies
in one or both of two areas:
(i) Some sort of system or kernel-level hardening. Assuming that you
are using Linux (and if so, which distribution/version?) you may find
that something like AppArmor or SELinux is enabled and is restricting
your access. You can check for SELinux with the command "getenforce"
(/usr/sbin/getenforce on RedHat/CentOS). If it returns "enforcing", try
'tail -f /var/log/audit/audit.log' in one window while you try to run
refmac in another window (with the libraries read-only), and see if any
audit violations appear. There are tools within the SELinux suite that
can convert violations reported in audit.log into SELinux commands
and/or configurations to permit the access that you need.
Alternatively, you could disable SELinux if the security policy of your
institution allows it.
(ii) You mentioned a "data server". Are you seeing this problem on the
server, on client machines, or both? If client machines are involved,
the configuration of the technology that you are using to serve the
CCP4 installation may also be responsible. [What is this technology?
NFS? (and if so, version 3 or version 4?) A clustering filesystem? (and
if so, which one?) Samba? Something else?]
(i) and (ii) can interact, for example the SELinux configuration can
mean that local and NFS file accesses have different characteristics,
even though the basic Unix permissions look the same from both points of
view.
Assuming once again that you are using Linux, the utility "strace" can
also be very useful for finding the exact errors returned when files
fail to be opened. Be warned, there will be lots of "-1 ENOENT (No such
file or directory)" errors as shared libraries are searched for and not
found in all sorts of different directories. The important diagnostics
are the ones associated with attempts to open shared libraries that do
exist.
> Please note that I did not check how other programs responded, nor
> other versions of the suite (I am on the latest CCP4 release). I
> haven’t deeply screened the bb either for a potential previous notice
> on this.
If I were you, I would take this whole question to a system
administration forum or mailing list, unless you have really compelling
evidence to show that this is specifically a CCP4 problem.
I hope that this is of some use,
Peter.
>
> Cheers, Leo
>
> -
> Leonard Chavas
> -
> Mailing address:
> Center for Free-Electron Laser Science (CFEL)
> Deutsches Elektronen-Synchrotron (DESY)
> Notkestrasse 85. Bldg 99
> 22607 Hamburg, Germany
> Room 03.051
> Phone : +49 (0)40 8998 6384
> Mobile: +49 (0)40 8998 96384
> -
--
Peter Keller Tel.: +44 (0)1223 353033
Global Phasing Ltd., Fax.: +44 (0)1223 366889
Sheraton House,
Castle Park,
Cambridge CB3 0AX
United Kingdom
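
Added example, not part of the message above and not CCP4 code: a small Python filter for the strace diagnosis Peter describes, dropping the expected ENOENT noise and reporting the opens that fail on files that do exist. The function name failed_opens and the sample trace (paths, PID) are constructed for illustration.

```python
import re

# One strace line per open()/openat() call, e.g. captured with
#   strace -f -e trace=open,openat -o trace.txt <program>
OPEN_RE = re.compile(
    r'\b(?P<call>open|openat)\((?:[^",]+, )?"(?P<path>[^"]*)", '
    r'(?P<flags>[A-Z_|0-9]+)(?:, [0-7]+)?\)\s*= (?P<ret>-?\d+)'
    r'(?: (?P<errno>E[A-Z]+))?'
)

def failed_opens(strace_text, ignore=("ENOENT",)):
    """Return failed open()/openat() calls, skipping the expected ENOENT
    noise from library search paths."""
    findings = []
    for line in strace_text.splitlines():
        m = OPEN_RE.search(line)
        if not m or int(m["ret"]) >= 0 or m["errno"] in ignore:
            continue
        flags = set(m["flags"].split("|"))
        findings.append({
            "path": m["path"],
            "errno": m["errno"],
            # True when the caller itself asked for write access
            "wants_write": bool(flags & {"O_WRONLY", "O_RDWR"}),
        })
    return findings

# Constructed sample trace; paths and PID are hypothetical.
SAMPLE = """\
open("/opt/example/lib/tls/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/opt/example/data/first.lib", O_RDWR) = -1 EACCES (Permission denied)
[pid 4242] open("/opt/example/data/second.lib", O_RDONLY) = -1 EACCES (Permission denied)
"""

if __name__ == "__main__":
    for f in failed_opens(SAMPLE):
        mode = "read-write" if f["wants_write"] else "read-only"
        print(f'{f["errno"]:8} {mode:10} {f["path"]}')
```

A finding with wants_write set means the program itself requested write access in the open call. An EACCES on a read-only open of a file whose Unix mode bits allow reading points instead toward areas (i) and (ii) in the message.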