We use open-shift, and the docker container only could be run as non-root user.
However, the cron failed start with error: seteuid: Operation not permitted
I have already done the following settings, the error is still there
chmod gu+rw /var/run
crontab -u my_user home/my_user/Base/cron.txt
usermod -a -G root,crontab my_user
How to avoid the error?
I use the following to solve the issue.
Hope could be the help to others
chmod gu+rw /var/run
chmod gu+s /usr/sbin/cron
# Optional
# chmod g+s, u-s /usr/bin/crontab
crontab -u my_user /home/my_user/cron.txt
Related
I need to launch a command with sudo rights out of a php file (user: www-data), explicitly as user www-data:
<?php
$command = 'sudo -u www-data /usr/bin/python3 /var/www/html/script.py';
shell_exec($command);
?>
to be able to use sudo for www-data I want to put the command in sudoers (sudo visudo), like:
www-data ALL=NOPASSWD: sudo -u www-data /usr/bin/python3 /var/www/html/script.py
or
www-data ALL=NOPASSWD: -u www-data /usr/bin/python3 /var/www/html/script.py
but the syntax is wrong (error message from visudo).
The following is working with sudoers (correct syntax)
www-data ALL=NOPASSWD: /usr/bin/python3 /var/www/html/script.py
but doesn't work for my script (apache error in log file):
Sorry, user www-data is not allowed to execute '/usr/bin/python3 /var/www/html/script.py' as www-data on raspberrypi.
it seems it needs sudo -u www-data. How can I solve this?
It makes no sense to use sudo to allow www-data to run commands as www-data, but you can easily do so:
www-data ALL=(www-data) NOPASSWD: /usr/bin/python3 /var/www/html/script.py
The problem with your approaches was that you tried to add the command sudo -u www-data .. to sudoers, which corresponds to double-sudo sudo sudo -u www-data ..
I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.
I would like the following command to run:
su user2 -C script.sh
but be able to run without password.
I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.
I've tried doing this with sudoers file and just got endlessly confused after hours of trying.
If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.
try running:
su -c "Your command right here" -s /bin/sh username
This will run the command as username given that you have permissions to sudo as that user.
Call visudo and add this:
user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh
The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.
`su -c "Your command right here" -s /bin/sh username`
The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example;
execl: couldn't exec /bin/sh
execl: Permission denied
I had to install setroubleshoot and setools and run the following to allow it:
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p
I want to create a new cronjob via Plesk. After submit the configuration i get the error from my topic.
I have tried chmod and chown to the crontabmng without success.
my crontabmng owner is
root:root and the permission is -rwxr-xr-x
Check for suid bit 's' on /usr/bin/crontab:
# ls -la /usr/bin/crontab
-rwsr-xr-x. 1 root root 57552 Mar 31 2016 /usr/bin/crontab
SOLVED i think with the following:
service psa stopall
chown root.psaadm /usr/local/psa/admin/sbin/wrapper
chmod 4110 /usr/local/psa/admin/sbin/wrapper
chown root.psaadm /usr/local/psa/admin/sbin/mod_wrapper
chmod 4110 /usr/local/psa/admin/sbin/mod_wrapper
and the last step takes some time
service psa start
for now its all running and i get no errors.
hope it helps.
I am trying to follow this documentation and install docker machine on my EC2 instance. However, the curl command:
curl -L https://github.com/docker/machine/releases/download/v0.8.2/docker-machine-`uname -s`-`uname -m` >/usr/local/bin/docker-machine
quits with the error:
-bash: /usr/local/bin/docker-machine: Permission denied
I tried to curl into the home directory, hoping that it would change the permissions on the directory and then copy it to destination, but it didn't work.
How can I by-pass this? Clearly, the ec2-user is lacking the root privileges on some directories.
-v When given the -v (validate) option, sudo will update the user's cached credentials, authenticating the user's password if necessary.
For the sudoers plugin, this extends the sudo timeout for another 5
minutes (or whatever the timeout is set to by the security policy) but
does not run a command. Not all security policies support cached
credentials.
ec2-user is in sudoers list by default.
[ec2-user ~]$ sudo -v
[ec2-user ~]$
Try this:
sudo bash -c "curl -L https://github.com/docker/machine/releases/download/v0.8.2/docker-machine-`uname -s`-`uname -m` >/usr/local/bin/docker-machine"
If you want to make the saved file an executable for all:
sudo chmod a+x /usr/local/bin/docker-machine
I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.
I would like the following command to run:
su user2 -C script.sh
but be able to run without password.
I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.
I've tried doing this with sudoers file and just got endlessly confused after hours of trying.
If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.
try running:
su -c "Your command right here" -s /bin/sh username
This will run the command as username given that you have permissions to sudo as that user.
Call visudo and add this:
user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh
The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.
`su -c "Your command right here" -s /bin/sh username`
The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example;
execl: couldn't exec /bin/sh
execl: Permission denied
I had to install setroubleshoot and setools and run the following to allow it:
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p