I am trying to understand the following commands:
mkdir /data 0770 root system
mkdir /data 0770 system system
mkdir /data 0770 system room
https://android.googlesource.com/platform/system/core/+/b4d65399fde02280b718e3b5b5cb1464a885c4b0/rootdir/init.rc
Line 58
mkdir is creating the directory,
/data is path,
0770 giving read write permissions to the directory,
root system I don't know.
The format is
mkdir <path> [mode] [user] [group]
The path defines which directory has to be created. The mode defines the permissions for the directory. The user and group define who is the owner of the directory. The permissions are relative to the user and the group owning the directory. For example, mkdir /data 0770 root system means the /data directory is owned by the user root and the group system. The root user has read/write/execute permissions (because of the first 7) and the same holds for every user that is a member of the system group (because of the second 7). Every other user has no permissions (because of the last 0). The leading 0 has no special meaning in this case, it just signifies the beginning of an octal number.
The commands that can be used in the init.rc are defined here.
You can also inspect the user and group that owns a directory from the command line, using ls -l:
# ls -l
...
drwxrwx--- 45 root system 920 1971-02-01 00:26 data
Since you mentioned security labels: These permissions are unrelated to SE Linux labels. The file permissions are considered Discretionary Access Control (DAC), whereas SE Linux labels are Mandatory Access Control (MAC).
You can inspect the SE Linux label with ls -lZ:
# ls -lZ
...
drwxrwx--x 45 root system u:object_r:system_data_file:s0 920 1971-02-01 00:26 data
So in this case the SE Linux label would be u:object_r:system_data_file:s0. In general, the SE Linux label of a file would not be set dynamically via the init.rc. Rather, the labels are defined statically via the file_contexts file in the SE Linux policy (reference). Newly created files by default inherit the SE Linux label of their parent directory. To apply the label from the policy to a newly created file, the restorecon command can be used, as can be seen e.g. here.
Related
I am trying to change the permission of a file to 444 (read-only).
This directory resides in a NTFS drive. All files in this drive seem to be owned by root.
This is the present permissions for the directory.
drwxrwxrwx 1 root root 0 Jul 23 11:41 xxx_directory
I've tried sudo bash and then execute chmod 444 xxx_directory to no avail.
The expected outcome was dr--r--r-- for xxx_directory.
Thoughts? Thank you.
The directories need at least R-X
First, create a mount point in a terminal using 'mkdir'. Then, type the following line to mount the partition with options 'permissions':
sudo mount /dev/sdXN -t ntfs-3g -o permissions [Mount point]
Example:
sudo mount /dev/sdb1 -t ntfs-3g -o permissions /media/Data/
Then, you will be able to edit the permissions of the files on the NTFS partition with 'chmod' and 'chown' !
Check thia reference LINUX - MOUNT NTFS PARTITION WITH PERMISSIONS
You should at least require the x permission for directories otherwise you won't be able to cd into it.
You can specify the permissions (via fmask and dmask) while mounting the partition ( or in fstab if an entry is there).
An example of an fstab entry :
#mounting by UUID
UUID=<partition UUID> /mount/point ntfs-3g user,uid=1000,gid=1000,dmask=0022,fmask=0033
This would give all directories in that partition drwxr-xr-x parmissions. Any file created will get .rw-r--r-- permissions. And the ownership would be by the user with uid 1000 so he can change permissions (without sudo)
We have a RHEL server where multiple users have access to it through application. Application RStudio running on these servers default the workspace to the users /home folder. Though there is separate space provided for individual users, users tend to store the files onto /home filling up the /home.
Is there any possibility to restrict users from storing data to their home folders either at server level or R Studio level which would force them to use the provided location?
Though there are options to change the default workspace for all the users, due to the large number of teams each having their sensitive data, it is not possible to have a shared folder as default location.
You could create a group without write permissions on home folder and start rstudio through the command sg, which allows you to start it with the group id with reduced permissions.
The ls -l command displays directory contents in long format. The long format contains both permissions and ownership.
# ls -l
With chown you can change owner and group associated to a file/directory (-R == recursive)
# sudo chown -R user01:groupA Directory
By setting the owner and the single group, the others will have restrictions (if set) in accessing files / folders.
The chmod command is used to modify the various permissions/restrictions.
# sudo chmod -c ug=rwx,o= file1
going specifically
-c == report if the change is made
u == user
g == group
rwx == read, write, execute
o == others
=null == no permission
For create a new group you can use groupadd
# sudo groupadd rstudiogroup
You will have to set the new group created as the owner of the save destination folder and finally start the software through the command sg
# sudo sg rstudiogroup -c rstudio
I have a folder that has permissions set to 2760. The folder seems to be owned by www-data user and group.
drwxrwS--- 2 www-data www-data 196 Dec 5 19:52 folder
I added new user to www-data group, but it still cant access the folder without modifying permissions on the folder?
How can I modify the user to allow it to read that folder?
I tried re-logging in, but it still doesn't let the user view the folder.
I just need this user to be able to read / download the files from that folder.
UPDATE:
Added out put of:
getfacl folder
Output:
# file: folder
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rw-
other::---
With the mode 2760, resp. drwxrwS---, the group has permission to read and write the directory, but can not access anything inside the directory (because the executable bit is missing). You likely want to use 2770, resp. drwxrws--- instead.
The setgroup-id bit is not important when reading files as (in this case, i.e., when set on a directory), it affects the default group of newly created files within the directory. Instead of using the primary group of the current user, new files will be created with the group set to the group of the parent directory (if allowed)
With that being said, if you only want the owner to add files and members of the group to read files from the directory, you can simply use mode 0750, resp. rwxr-x--- on your directory.
How can I prevent changing the ownership of a file?
I have a file with permission as follows:
-rw-r-----. 1 netcool ncoadmin 1689 May 8 14:54 NCI_Constellation.proj
As part of RPM package installation, I am running a script which is supposed to write data into NCI_Constellation.proj file. Whereas the permission of the file is getting changed as follows during package installation and the writing to the file is not happening.
-rw-r-----. 1 root root 1689 May 8 14:54 NCI_Constellation.proj
Is there a way to not change the ownership of NCI_Constellation.proj file and keep it as it is as follows so that I will be able to write data to the file?
-rw-r-----. 1 netcool ncoadmin 1689 May 8 14:54 NCI_Constellation.proj
Please help.
The question is: what package does that file belong to and with what permissions?
rpm -qf /path/to/NCI_Constellation.proj
will give you the package owning this file (let's say NCI.rpm). Then
rpm -qlv NCI.rpm | grep NCI_Constellation.proj
will give you the owners and rights of this file as packaged by NCI.rpm. If you are the one packaging NCI.rpm; you should put something like this in your %files section:
%files
%attr(640,netcool,ncoadmin) /path/to/NCI_Constellation.proj
By the way make sure that you really can write to the file with those permissions; test that first... Who is running the script to change this file? As which user? then run it yourself manually as that user to make sure these file permissions will suffice.
you have two options in my opinion,
first : set netcool to root group by doing this:
$ sudo usermod -a -G root netcool
with this command you user is able to change and modify the file even after the permissions changed.
second : set netcool user a second root user by changing /etc/passwd file.
for this open the file with every file-editor you want then change UID and GID to 0. after doing this if you run $ grep netcool /etc/passwd you should see :
netcool:x:0:0: {the rest may change for anybody}.
We can prevent the changing of group of file by using setgid bit on directory. So if you add user netcool to ncoadmin and give write permission to ncoadmin then you can edit the file. Here is how you can set the SetGid bit on directory.
chmod g+s your_directory_containing_file(NCI_Constellation.proj)
Bit more about the setgid on directory:
setgid can be used on directories to make sure that all files inside the directory are owned
by the group owner of the directory. The setgid bit is displayed at the same location as the x
permission for group owner. The setgid bit is represented by an s (meaning x is also there)
or a S (when there is no x for the group owner). As this example shows, even though root
does not belong to the group proj55, the files created by root in /project55 will belong to
proj55 since the setgid is set.
root#RHELv4u4:~# groupadd proj55
root#RHELv4u4:~# chown root:proj55 /project55/
root#RHELv4u4:~# chmod 2775 /project55/
root#RHELv4u4:~# touch /project55/fromroot.txt
root#RHELv4u4:~# ls -ld /project55/
drwxrwsr-x 2 root proj55 4096 Feb 7 17:45 /project55/
root#RHELv4u4:~# ls -l /project55/
total 4
-rw-r--r-- 1 root proj55 0 Feb 7 17:45 fromroot.txt
I created a directory /share and gave chmod 2770 permission and chown root:stock /share.
1) When I create touch a file inside /share, I see the file has rw-rw-r-- and I don't see rwxrws---
2) When I create a directory in /share/data I see the permission as drwxrwsr-x where are the parent directory is drwxrws---
How can I get parent child files and child directories to inherent parent permissions exactly the same.
The setgid bit on a directory makes new files inherit the group from the directory, not its permissions.
The standard way of controlling the bits that get set on the creation of a file is to control the umask (askubuntu) of the creating process, not the file system.
When you create a file or directory
The owner of the new file or directory will be your effective user id (euid). You can change user id beforehand with the su other_user command (which will prompt you for the password of other_user), or sudo su other_user (which will allow you or not, possibly asking for your password, according to the settings in /etc/sudoers*). After creating the file or directory, you can change its owner with sudo chown other_user file_name.
The group of the new file or directory will be your effective group id. You can change your group id with the newgrp other_group command beforehand. If your current directory has other_group as group and its setgid bit is set, your effective group id will be other_group. After creating the file or directory, you can change its group with chgrp other_group file_name. newgrp, chgrp and setgid will work if you are a member of other_group. If you are not, they won’t: a group password mechanism is theoretically still in place, but it was deprecated decades ago and I’ve never seen anybody using it. Of course, you can always sudo chgrp other_group file_name, or even sudo chown other_user:other_group file_name if you want to change both.
The read and write permissions of the new file or directory will depend on your umask, which is normally set by your configuration files at login. The most used umask values are 022 which, for files, will give you -rw-r--r-- and 002 which will give you -rw-rw-r--. The command umask will give you your current value. You can set another value with umask new_value and it will be effective till you change it or exit your shell. Directories will have also all execution permissions set by default, unless you have odd values in umask, which will block the corresponding execution bit. E.g. a umask value of 027 will create files with -rw-r----- and directories with drwxrwx---. Please refer to documentation for a complete explanation. Also, if the parent directory has the setgid bit, the new directory will have it too. There is no way of setting the setuid and sticky bits by default, nor the setgid bit for files.
After the fact, you can always set the permissions you want with the command chmod.
That said, there is no standard command which will do what you want. However, you can easily write bash functions like the following and use them (write them in a file mycreat_functions and source mycreat_functions when needed). This will do for manually created files and directories. For file created by programs, shell redirections and the like, you will still have to correct the permissions manually.
function mymkdir () {
local parentperms
for a in "$#"; do
mkdir "$a"
# This copies all permissions of the parent,
# exactly as they are
parentperms="$(stat -c%a $(dirname "$a"))"
chmod "$parentperms" "$a"
# if I’m root...
if [ $(id -u) = 0 ]; then
chown "$(stat -c%u:%g "$a")" "$a"
fi
done
}
function mytouch () {
local parentperms newperms
for a in "$#"; do
touch "$a"
# This inherits all permissions of the parent,
# but removes the excution and setgid bits, as is
# appropriate for files.
parentperms="$(stat -c%a $(dirname "$a"))"
newperms="$(printf %o $((8#$parentperms & 8#5666)))"
chmod "$newperms" "$a"
# if I’m root...
if [ $(id -u) = 0 ]; then
chown "$(stat -c%u:%g "$a")" "$a"
fi
done
}
Note: Owner, group and permissions are stored in an inode, where there is also other information on how to retrieve the file contents; the directory entry associates the inode with the file name, and ls -i shows the inode numbers of the listed files. When you copy a file, you create a new directory entry and allocate a new inode, so everything mentioned here applies. When you move a file, you create a new directory entry in the new location, but have it point to the old inode, so that owner, group and permissions are effectively untouched. If you want them to change according to the new directory entry’s parent, you have to create a mymv function along the lines of mytouch and mymkdir above.