How can I prevent changing the ownership of a file?
I have a file with permission as follows:
-rw-r-----. 1 netcool ncoadmin 1689 May 8 14:54 NCI_Constellation.proj
As part of RPM package installation, I am running a script which is supposed to write data into NCI_Constellation.proj file. Whereas the permission of the file is getting changed as follows during package installation and the writing to the file is not happening.
-rw-r-----. 1 root root 1689 May 8 14:54 NCI_Constellation.proj
Is there a way to not change the ownership of NCI_Constellation.proj file and keep it as it is as follows so that I will be able to write data to the file?
-rw-r-----. 1 netcool ncoadmin 1689 May 8 14:54 NCI_Constellation.proj
Please help.
The question is: what package does that file belong to and with what permissions?
rpm -qf /path/to/NCI_Constellation.proj
will give you the package owning this file (let's say NCI.rpm). Then
rpm -qlv NCI.rpm | grep NCI_Constellation.proj
will give you the owners and rights of this file as packaged by NCI.rpm. If you are the one packaging NCI.rpm; you should put something like this in your %files section:
%files
%attr(640,netcool,ncoadmin) /path/to/NCI_Constellation.proj
By the way make sure that you really can write to the file with those permissions; test that first... Who is running the script to change this file? As which user? then run it yourself manually as that user to make sure these file permissions will suffice.
you have two options in my opinion,
first : set netcool to root group by doing this:
$ sudo usermod -a -G root netcool
with this command you user is able to change and modify the file even after the permissions changed.
second : set netcool user a second root user by changing /etc/passwd file.
for this open the file with every file-editor you want then change UID and GID to 0. after doing this if you run $ grep netcool /etc/passwd you should see :
netcool:x:0:0: {the rest may change for anybody}.
We can prevent the changing of group of file by using setgid bit on directory. So if you add user netcool to ncoadmin and give write permission to ncoadmin then you can edit the file. Here is how you can set the SetGid bit on directory.
chmod g+s your_directory_containing_file(NCI_Constellation.proj)
Bit more about the setgid on directory:
setgid can be used on directories to make sure that all files inside the directory are owned
by the group owner of the directory. The setgid bit is displayed at the same location as the x
permission for group owner. The setgid bit is represented by an s (meaning x is also there)
or a S (when there is no x for the group owner). As this example shows, even though root
does not belong to the group proj55, the files created by root in /project55 will belong to
proj55 since the setgid is set.
root#RHELv4u4:~# groupadd proj55
root#RHELv4u4:~# chown root:proj55 /project55/
root#RHELv4u4:~# chmod 2775 /project55/
root#RHELv4u4:~# touch /project55/fromroot.txt
root#RHELv4u4:~# ls -ld /project55/
drwxrwsr-x 2 root proj55 4096 Feb 7 17:45 /project55/
root#RHELv4u4:~# ls -l /project55/
total 4
-rw-r--r-- 1 root proj55 0 Feb 7 17:45 fromroot.txt
Related
In an Amazon Linux instance, after deployment using ElasticBeanstalk, all the files are owned by root user:
drwxr-xr-x 25 root root 4096 jan 01 00:00 var
But the current user is ec2-user so I don't have permissions to create/modify inside /var folder anything. What is the best approach to make it work? chown and modify owner to ec2-user? add user to a user group if exists which I don't know... any other idea?
I don't have permissions to create/modify inside /var folder anything.
you can use following ways to achieve this.
Try sudo [your command]
sudo chown user directory
sudo bash //this will make your root directly
But beware for 2 and 3 way, it can break your system if you do something wrong.There is a famous saying hope you know what you will do
I would like to edit a file with a shell script which is in the same group but not the "caller" user.
-rwsr-xr-x 1 root root 4896 Oct 21 00:59 /usr/bin/luxus
-rw-rw-r-- 1 root root 4096 Oct 20 23:01 <path>/file1
lrwxrwxrwx 1 root root 0 Oct 20 23:00 <path>/dir1
/usr/bin/luxus: the shell script
file1: the file to edit
dir1: file1's parent directory (symlink)
In the shell script, this is the line where the permission issue is:
echo "string" > /usr/bin/tee <path>/file1
Output:
/usr/bin/tee: <path>/file1: Permission denied
I am trying to create an AUR package for the shell script. The latter is meant to be install on the system from a PKGBUILD. In vain, I attempted to give enough permissions to the script to edit the targeted file.
This is a PKGBUILD's sample:
install -Dm755 src/${pkgname} "${pkgdir}/usr/bin/${pkgname}"
chown root.root "${pkgdir}/usr/bin/${pkgname}"
chmod 4755 "${pkgdir}/usr/bin/${pkgname}"
After investigating, I think it is quite simply impossible because of security or because of the parent dir's rights.
Nevertheless I am asking you for a solution.
As you said "you can't do anything".
The following post quite simply explains why it won't work:
https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts
I am logged in as root in Linux. I have a file with 777 permissions. I copied the file in the same directory with cp.
cp settings.php settings_copy.php
However, the copied file has different file permissions.
[root#localhost default]# ls -l setting*
-rwxr-xr-x. 1 root root 29105 Apr 26 11:48 settings_copy.php
-rwxrwxrwx. 1 root root 29105 Apr 26 09:48 settings.php
Is this normal? How can I ensure that the copied file gets the same permissions? I believe that it is the default behaviour for the copy command in any OS.
Use the -p option to preserve the permissions:
cp -p settings.php settings_copy.php
When you copy a file, you are creating a new file. So, its (new file) permissions depends on the current file creation mask, which you change via umask command. Read man umask for more information.
have you looked at man cp
This is the relevant section:
-p same as --preserve=mode,ownership,timestamps
--preserve[=ATTR_LIST]
preserve the specified attributes (default: mode,ownership,timestamps), if possible additional attributes: context, links, xattr, all
So to keep the same ownership and mode you would run the command:
cp --preserve=mode,ownership
If you know that's always what you want and don't want to remember it, you can add it as an alias to your .bashrc;
alias cp='cp --preserve=mode,ownership'
I have application running on ubuntu 12.04 and when user submit file using submit form I got permission denied error. So it seems that user don't have permission to write. when I'm logged in as root and use ls -l folder_name it write
drwxrwxr-x 2 root root 4096 Dec 5 01:17 folder1
drwxrwxr-x 2 root root 4096 Dec 5 01:17 folder2
when I use chown myuser folder_name and repeat ls -l folder_name it gives me the same output so myuser is still not owner of the folders. How can I add myuser as owner of existing folders and all newly created folders inside existing folders.
`
Several things to consider-
owner is root so either 'sudo chown' or become root to do the change
chown myuser:mygroup to change both the owner and group (or chgrp)
from your question it sounds like this is from a web page, so it will probably need to be owned by apache:apache or whatever your webserver runs as
you can't specify the owner of all newly (future) created folders inside these, just who has permissions (chmod) to create folders and then depends on what user is trying to do the creates.
the command is:
sudo chown -R apache:apache folder1
I want to create a file in a directory owned by the staff group which I am a member of. Why can I not do this?
bmccann#bmccann-htpc:~$ ls -l /usr/local/lib/R/
total 4
drwxrwsr-x 2 root staff 4096 2010-07-31 16:21 site-library
bmccann#bmccann-htpc:~$ id -nG bmccann
bmccann adm dialout cdrom plugdev staff lpadmin admin sambashare
bmccann#bmccann-htpc:~$ touch /usr/local/lib/R/site-library/tmp
touch: cannot touch `/usr/local/lib/R/site-library/tmp': Permission denied
Did you logout and log back in after making the group changes? See:
Super User answer involving touch permissions failure
I had the same issue, check if the folder has any more ACL rules or not!
If you can see + (plus sign) when you list folder, that means it has special access rules. For example:
[user_in_apache_group#web02 html]$ ls -l
total 16
drwxrwxr-x 16 apache apache 4096 Sep 4 13:46 ilias
drwxrwxr-x+ 15 apache apache 4096 Sep 4 13:46 ilias5
View the permission:
[user_in_apache_group#web02 html] getfacl ilias5
# file: ilias5
# owner: apache
# group: apache
user::rwx
user:user_in_apache_group:r-x
group::rwx
mask::rwx
other::r-x
So that means my user (user_in_apache_group) has no write permission for that folder.
The solution is what #techtonik said, add write permission for user:
[user_in_apache_group#web02 html]$ sudo setfacl -m u:user_in_apache_group:rwx ./ilias5
Check permission again:
[user_in_apache_group#web02 html] getfacl ilias5
...
user:user_in_apache_group:rwx
...
Hope it helps. ;)
Why can't Linux user edit files in group he is a part of?
I am using Ubuntu 12.04 and had the same problem where a user cannot write to a file to whom he is allowed group access to. For example:
whoami //I am user el
el
touch /foobar/test_file //make a new file
sudo chown root:www-data /foobar/test_file //User=root group=www-data
sudo chmod 474 /foobar/test_file //owner and others get only read,
//group gets rwx
sudo groupadd www-data //create group called www-data
groups //take a look at the groups and see
www-data //www-data exists.
groups el //see that el is part of www-data
el : www-data
Restart the terminal now to ensure the users
and groups have taken effect. Login as el.
vi /foobar/test_file //try to edit the file.
Produces the Warning:
Warning: W10: Warning: Changing a readonly file"
What? I've done everything right why doesn't it work?
Answer:
Do a full reboot of the computer. Stopping the terminal isn't enough to fix these problems.
I think what happens is apache2 also uses the www-data group, so the task was somehow preventing the users and groups from being enforced correctly. Not only do you have to logout, but you have to stop and restart any services that use your group. If a reboot doesn't get it, you've got bigger problems.
Use Linux ACL (access control lists) - it is more fine-grained version of permission system,
setfacl -R -m 'group:staff:rwx' -m 'd:group:staff:rwx' /usr/local/lib/R/
This sets both active rights for directory and default rights for anything created within.
This fails to work without relogin if you've just added yourself to the staff group, but you may set the permission only for yourself for the current session.
I had an issue when a user could not access the /foo/bar/baz directory even when he had permissions because he did not have an access to the bar directory.
Maybe your hard disk is full. use this command to check out the "/dev/..." rows.
df -h
Check if your parent directory have permission before you add content to that file
sudo chmod -R 777 /yourDir/file.log