I tried accessing data with FileZilla and additionally downloading it. This worked. However, now I tried accessing the same file with the same user with nodeJS with "GET". Here I get the Error "Access Denied".
I looked into the permissions, and the owner and group of the file are able to read and write the file, but no public permissions. My user is part of the "Group". However, I am now wondering, if the file needs to have public permissions to read and write in order to access the file via nodeJs?
Quick Info: I access the file both with FileZilla and NodeJS via SFTP. All configs / user etc. are the same.
Code:
    let Client = require('ssh2-sftp-client');
    let sftp = new Client();
    sftp.connect({
        host: config.development.host,
        port: config.development.port,
        username: config.development.username,
        password: config.development.password
    }).then(() => {
        return sftp.get(`${config.development.pathToFile}/${filename}`);
    }).then(async (data) => {
        console.log('data', data);
        csv({
            noheader: true,
            output: "csv"
        })
Thanks!
Does NodeJs need public file permissions to access a file?
As long as the user that spawned the Node.js process has read permissions for the specific file, you shouldn't encounter any problems.
I would suggest learning how multi-user environments & permissions management works.
Recommended reading :
Learning the shell - Lesson 9: Permissions
Linux Tutorial - 8. Understand Permissions
Recommended further reading :
The default Linux security model is a bit inflexible. To give special
access (such as modification privileges) to a group of people, you
have to get your system administrator to create a group with those
people in it. Furthermore, if you would like to give a different set
of access privileges (such as read access) to another group of people,
you can’t do it because you can only assign one group owner per file
or directory. To solve this problem, you can use ACLs (Access Control
Lists). You can learn more about them from this link: ACLs
(Quote extracted from here)
After all, it will come in handy and it won't take you much effort to understand.
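The owner/group/other check that the answer above refers to, written out in Node.js as an added example (not code from the original post). The paths, modes, uids and gids are constructed, and root's bypass and ACLs are not modelled; note that every parent directory must also grant search (x) permission, which is a frequent cause of "Access Denied" on a file whose own bits look correct.

```javascript
const R = 4, X = 1; // read and search/execute bits within one class

// Select the one class that applies: owner, else group, else other.
// The classes are never merged, so the first match decides.
function classBits(node, uid, gids) {
  if (uid === node.uid) return (node.mode >> 6) & 7;
  if (gids.includes(node.gid)) return (node.mode >> 3) & 7;
  return node.mode & 7;
}

// chain: directories from the top down, with the file as the last element.
function canRead(chain, uid, gids) {
  const file = chain[chain.length - 1];
  for (const dir of chain.slice(0, -1)) {
    if (!(classBits(dir, uid, gids) & X)) {
      return { ok: false, reason: `no search (x) permission on ${dir.path}` };
    }
  }
  if (!(classBits(file, uid, gids) & R)) {
    return { ok: false, reason: `no read (r) permission on ${file.path}` };
  }
  return { ok: true, reason: 'read allowed' };
}

// Constructed sample: rw-rw---- file, caller is only a member of its group.
const FILE = { path: '/data/export/report.csv', mode: 0o660, uid: 1000, gid: 2000 };
const OPEN_DIR = { path: '/data/export', mode: 0o750, uid: 1000, gid: 2000 };
const CLOSED_DIR = { path: '/data/export', mode: 0o700, uid: 1000, gid: 2000 };
const CALLER = { uid: 1001, gids: [1001, 2000] };

// Group membership is enough; no public ("other") bits are required.
console.log(canRead([OPEN_DIR, FILE], CALLER.uid, CALLER.gids));
// Same file, but the parent directory is closed to the group.
console.log(canRead([CLOSED_DIR, FILE], CALLER.uid, CALLER.gids));
```

On a real host, `fs.statSync(path)` supplies `mode`, `uid` and `gid` for each path component.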
Related
I am trying to connect to a Realm instance from an aws lambda (node) with the following code:
    await Realm.Sync.User.login('https://server.realm.io', 'username', 'password')
        .then((user) => {
            let config = user.createConfiguration();
            config.schema = [Schema];
            Realm.open(config).then((realm) => {
                // Do some cool stuff
            });
        });
The problem is it tries to create a directory realm-object-server when it logs in. As we know, the Lambda's file system is read-only except for the tmp folder. Is there a way to tell Realm to write this realm-object-server to the tmp folder, or is there a way to log in that doesn't create a directory at all?
Thanks in advance for the help
I ran into the same issue using Realm from a Google Cloud Function. None of the Realm configuration options like path or inMemory seemed to have any effect. After much digging, the solution I found was to call process.chdir('/tmp') prior to opening the Realm. This changes the current NodeJS process's working directory as explained in the NodeJS documentation. This allowed me to open the realm successfully.
I'm using the framework Yii2 for the first time and I was wondering if it is secure to write my database's password in plain text in config\db.php? Or is there a more secure way to access the database?
It should be secure enough as long as you are not exposing this file to public users.
You can store it anywhere on the server basically (as long as it's not exposed to public users) but application should be able to get it fast and easy (to not provide additional delay for the database connection).
If you are using Git, I believe it is a bad idea to commit any file with a password in it. Personally I keep a separate file with a few crucial passwords outside of Git and load that file in to get the values, like this...
    // Load the credentials from a file that is kept outside of Git
    $ini = parse_ini_file('path/passwords.ini', true);
    return [
        'class' => 'yii\db\Connection',
        'dsn' => $ini['db']['dsn'],
        'username' => $ini['db']['username'],
        'password' => $ini['db']['password'],
        'charset' => 'utf8',
    ];
Where passwords.ini would look like...
    ; My password file
    [db]
    dsn="mysql:host=localhost;dbname=xxx"
    username="xxx"
    password="xxx"
You could leave db.php out of Git, but I find this more convenient, especially for other config files where many settings do not affect security.
I don't know why you created an extra file. In your common\config folder, you will get main-local.php. You can define your Connection credentials in there.
By default that file will be ignored by git.
I'm developing a Parse App and currently checking the backend security. I'm a bit lost regarding the Installation Class permissions. It is (by default) readable and writable by everyone. Thus, any user could delete every object of the class.
My question is: is it protected by default like the User class? Or should I add ACL for every new registration to push notifications? Or change the class level permissions?
Many thanks for your help,
Parse defaults to public read/write access for everything outside of User to streamline development.
Security measures will vary from one app to another depending on use-case, but assuming that you have associated each Installation to a User, I would highly recommend applying an ACL which gives public read and limits writes to the specific user.
In case you are not already associating each Installation to a User, here's a nice piece of cloud code to take care of it for you.
    Parse.Cloud.beforeSave(Parse.Installation, function(request, response) {
        Parse.Cloud.useMasterKey();
        if (request.user) {
            request.object.set('user', request.user);
        } else {
            request.object.unset('user');
        }
        response.success();
    });
It's a good place to start by creating ACLs which provide public read and user-specific write access. That one step alone will drastically improve security.
How do I create a directory with multiple groups owning it using Puppet?
I would like to have users in 'group1' and 'group2' to all have access to the directory.
I tried the code below and it only grants ownership to group1.
    file { [ "some/path1", "some/path2" ]:
      ensure => directory,
      owner  => 'root',
      group  => ['group1', 'group2'],
      mode   => '0770',
    }
As far as I know, the basic file type in Puppet only handles discretionary permissions that only allow for one group and one owner. It is a limitation of the underlying system.
Depending on your client's platform you can use ACLs to grant varied permissions to more than one group or user. To do this in Puppet you would have to use an Exec and invoke setfacl (if you were on Linux, for example) directly.
There are some third-party modules available in the PuppetForge ( puppet-acl I think ) that provide this functionality; however it is not in native puppet at this moment in time though I believe the feature request is under consideration.
Puppet's file{} resource type only implements the Unix permissions, sometimes known as User-Group-Other (UGO)... so only one group, since Puppet does the same as chown, chgrp, chmod:
    file { [ '/path/to/file' ]:
      owner  => 'root',
      group  => 'marketing',
      mode   => '0770',
      ensure => directory,
    }
There are many extra modules available to manage ACL with Puppet:
puppet-acl for POSIX, mentioned by Steve Shipway, which I use a lot.
fooacl for POSIX
puppetlabs-acl for Windows ACLs
I use the puppet-acl. Here is an example :
    acl {'/path/to/file' :
      action     => 'set',
      permission => ['user::rwx',
                     'group::rwx',
                     'group:sales:rwx',
                     'mask::rwx',
                     'other::---',
                     'default:user::rwx',
                     'default:group:sales:rwx',
                     'default:group:marketing:rwx',
                     'default:mask::rwx',
                     'default:other::---'],
      require    => File['/path/to/file']
    }
Side notes:
RTFM, there are many interesting options (recursive, action=strict|unset|purge)...
make sure the file{} and acl{} permissions for user: and group: and other: are consistent (otherwise the permission will balance at each puppet run).
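How the kernel would evaluate the entry list from the acl{} resource above, as an added example in JavaScript (not code from the answer or from puppet-acl). It follows the access-check order documented in acl(5); the user and group names passed in are constructed, and root's bypass is not modelled. `default:` entries are skipped because they only seed the ACL of newly created children, so here marketing gets access through `group::rwx` as the owning group set by file{}.

```javascript
// Entry list copied from the acl{} resource above.
const ACL_ENTRIES = [
  'user::rwx', 'group::rwx', 'group:sales:rwx', 'mask::rwx', 'other::---',
  'default:user::rwx', 'default:group:sales:rwx',
  'default:group:marketing:rwx', 'default:mask::rwx', 'default:other::---',
];

// Keep access entries only; 'default:' entries never grant access themselves.
function parseAccessEntries(entries) {
  return entries.filter((e) => !e.startsWith('default:')).map((e) => {
    const [tag, qualifier, perms] = e.split(':');
    return { tag, qualifier, perms };
  });
}

const grants = (perms, want) => [...want].every((c) => perms.includes(c));
const masked = (perms, mask) => [...perms].filter((c) => mask.includes(c)).join('');

// file: { owner, group }; who: { user, groups }; want: e.g. 'rw'
function aclAllows(entries, file, who, want) {
  const acl = parseAccessEntries(entries);
  const find = (tag, q) => acl.find((e) => e.tag === tag && e.qualifier === q);
  const maskEntry = find('mask', '');
  const mask = maskEntry ? maskEntry.perms : 'rwx';
  // 1. The file owner uses user:: and is not limited by the mask.
  if (who.user === file.owner) return grants(find('user', '').perms, want);
  // 2. A named user entry, limited by the mask.
  const namedUser = find('user', who.user);
  if (namedUser) return grants(masked(namedUser.perms, mask), want);
  // 3. Owning group and named groups, each limited by the mask.
  const groupEntries = acl.filter((e) => e.tag === 'group' &&
    who.groups.includes(e.qualifier === '' ? file.group : e.qualifier));
  if (groupEntries.length > 0) {
    return groupEntries.some((e) => grants(masked(e.perms, mask), want));
  }
  // 4. Everyone else falls through to other::.
  return grants(find('other', '').perms, want);
}

const DIR = { owner: 'root', group: 'marketing' }; // as set by file{} above
console.log(aclAllows(ACL_ENTRIES, DIR, { user: 'alice', groups: ['sales'] }, 'rw'));
console.log(aclAllows(ACL_ENTRIES, DIR, { user: 'carol', groups: ['staff'] }, 'r'));
```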
Our SVN administrator is on holidays, and I need to add a new user to subversion.
We're using Collabnet Subversion on a RedHat box.
I've found the CollabNet_Subversion/conf/ directory with all the configuration files, including an auth file that I can see contains all our users and the groups that they belong to.
All our users need to log in with their LDAP credentials, so I don't need to change any of that.
It looks something like this:
company_auth_production
    [groups]
    it-leads = jsmith, hsimpson, pgriffin
    it-all = ajolie, rwitherspoon, #it-leads
    [/]
    * =
    [prod:/]
    #it-all = rw
So I added the new user and restarted subversion. But that doesn't seem to have done the trick. Am I missing something else ? Thanks
a. You have mentioned that there is a "company_auth_production" file. Please check if there is some other authorization file, probably "authz". Can you please provide more information on this?
As per the structure in your file
    [prod:/]
    #it-all = rw
should have given the read write access to all the users of "it-all" till the path "prod".
b. If this is not working then please try using "VisualSVN Server". It has a very nice GUI to add users and give them privileges also.
Hope this helps.
In your Apache configuration there is usually a require directive (e.g. "require group" or "require user"). Often there is a specific group which the user has to belong to in order to access svn (e.g. svnusers, etc.).