I can use any PORT above 1023 with server.listen(PORT) in an nvm-installed node. How can I use system ports (e.g. below 1024) with a non-privileged user?
On our Ubuntu 16.04 servers I used to do this:
sudo setcap CAP_NET_BIND_SERVICE=+eip `readlink -f \`which node\``
However, we've upgraded to Ubuntu 18.04 and it doesn't seem to work anymore. I'm seeing the following error:
Error listen EACCES 0.0.0.0:925
This happens with all ports below 1024, so it's not just a one-off case of port being already in use.
Why wouldn't this work (anymore)? I must be missing something, or things have changed since Ubuntu 18.04.
Check that the partition from which the executable is started is not mounted with nosuid.
getcap will not help with the troubleshooting, as it will show the attributes as set on the filesystem and not the actual capabilities available at run time.
You can check the run-time capabilities in /proc/PID/status.
They should look like
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000003fffffffff
On my nosuid partition, they were like this.
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
Hope it helps.
I was only able to find this out after consulting with a friend :)
#AdiRoiban's answer might be correct about why setcap doesn't work. Check the filesystem that node is installed on. In case of nvm, node might be installed in your home directory. You home directory might be encrypted. And your encrypted home might be mounted as nosuid.
This is the workaround I ended up using.
First, install authbind. Then create the ports you want to be able to access as empty files in /etc/authbind/byport/. Give them read permissions for your user or group. For testing purposes, you can go all in with user root:root and permission 777.
Next, start your node application like this:
authbind node index.js
If the application spawns a node process that needs access (e.g. nodemon) you need to give the process permission to give the child process permission, using the --deep command line switch.
E.g.:
authbind --deep nodemon --inspect index.js
Related
I got two network interfaces (ethernet and wlan). Now I found a little script on github (https://github.com/Intika-Linux-Firewall/App-Route-Jail) which seems to allow me to route specific applications through the none default gateway to loadbalance the traffic a little bit.
The script is using the following call:
setsockopt(sd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark));
As I found out via an strace I got: '-1 EPERM Permission denied' (as show on http://man7.org/linux/man-pages/man7/capabilities.7.html this command needs cap_net_admin rights)
The tool works when I use "sudo" infront of the command the socket is created with the none default gateway and works like intended (e.g. wget a file)
Example:
MARK=10 LD_PRELOAD=./mark.so wget -qO- ifconfig.me uses the default gateway (so not what I wanted)
sudo MARK=10 LD_PRELOAD=./mark.so wget -qO- ifconfig.me returns the IP of the none default gateway (what I want but without using sudo)
Some things I found on the internet and tried:
Setting File Capabilities (setcap cap_net_admin+eip) (still requires root somehow)
Using SUID Bit (chmod u+s) (no change at all)
I expect the command to run without root privileges, so every application can use the none default gateway, but currently I need to use sudo to gain enough permissions to run the command on the correct interface.
What am I missing to archive my goals?
You are looking to your problem from the wrong angle. Instead of marking the packets, you should try to force the application to bind to the correct interface in the first place.
You could try the retro-solution explained here, which overrides bind() and connect() instead of socket().
But more modern solution would be to create a separate network namespace and then run applications in their own namespace. Google ip netns for the examples. Creating and setting up the network namespace still requires root, but these privileges can be dropped before running the application. There are likely to be tools available to do that also.
Trying to upload a code to arduino, but whether in the Arduino IDE or Arduino Create, both return this erro while uploading. Running on Linux Tara(mint 19 cinnamon).
./opt/arduino-builder/arduino-builder -compile -core-api-version 10611 -hardware opt/arduino-builder/hardware -hardware ./opt/cores -tools opt/arduino-builder/tools -tools ./opt/tools -built-in-libraries opt/libraries/latest -logger humantags -fqbn arduino:avr:mega:cpu=atmega2560 -build-cache /tmp -build-path /tmp/716441957/build -verbose -libraries /tmp/716441957/custom -libraries /tmp/716441957/pinned /tmp/716441957/sketch_oct8a
Sketch uses 8280 bytes (3%) of program storage space. Maximum is 253952 bytes.
Global variables use 443 bytes (5%) of dynamic memory, leaving 7749 bytes for local variables. Maximum is 8192 bytes.
Programming with: Serial
Flashing with command:/home/jesus/.arduino-create/arduino/avrdude/6.3.0-arduino9/bin/avrdude -C/home/jesus/.arduino-create/arduino/avrdude/6.3.0-arduino9/etc/avrdude.conf -q -q -patmega2560 -cwiring -P/dev/ttyACM0 -b115200 -D -Uflash:w:/tmp/arduino-create-agent734074237/sketch_oct8a.hex:i
avrdude: ser_open(): can't open device "/dev/ttyACM0": Permission denied
ioctl("TIOCMGET"): Inappropriate ioctl for device
ioctl("TIOCMGET"): Inappropriate ioctl for device
1#
First, check the port in your IDE. In Arduino tools->port
If the port is hidden or you can not move the cursor over this then run this commands in your terminal.If everything ok then skips this and follow the second part.
sudo apt-get install librxtx-java -y
sudo usermod -aG dialout $USER
sudo apt-get install gnome-system-tools
2#
After this again check the first method. If it is not working then run this commands
ls -l /dev/ttyACM*
sudo usermod -a -G dialout <username>
You probably have another program running which is already using this port.
You should close most other programs like putty or another serial monitor app.
Otherwise, try to reconnect the Arduino to the PC.
I know that these ideas below come from using a Teensy, but they may help you.
Sometimes there are the ACM* ports listed in the Arduino IDE. Try looking at the ser ports. I know when I am running my Teensy, sometimes I have them switched and need to select the correct one.
Also, from my experience with the Teensy, you might need to add a udev rule to allow permissions to access the port from non-root user. Here is the link that shows the udev file.
There is no direct way to solve this issue. In addition to it, you are not using an IDE. I will list the things you need to check, I am sure this will solve your problem.
I am not good at Linux environment so I will refer to applications names as window, you go the corresponding application in Linux.
Go to linux device manager and see for your arduino board. It should have proper naming like "arduino uno at port 3", then use the correct port in your command. If this name does not come properly then it means Driver is not available in your machine. So, go to step2.
Find the driver online and install it in your system, I am not sure about the support of linux with arduino, once it is done please repeat step1.
So, I conclude in short that you do not have the proper driver (which is strongly believe) or pointing the wrong port. I am not an expert with the udev rules, but it is definitely an issue you can experience with these kinds of micro-controllers.
I am trying to start avahi-daemon but it responds with and error
Failed to create runtime directory /opt/var/run/avahi-daemon/
That directory do exist.
Even if I delete this folder and start avahi again it creates it but still keeps saying that its a fail.
What am I doing wrong?
It's possible that such cases be linked with a lack of privileges.
=> use sudo
e.g.
sudo service dbus start
sudo service avahi-daemon start
Another issue could be the missing space of the file system. To check that do:
df -h /opt/var/run/
Result musn't be 100%.
Agenda: To have an common Project Folder between Linux and Windows
I have changed my document root from : /var/www/html to /media/mithun/Projects/test in my ubuntu machine 14.04
I get error as :
Forbidden
You don't have permission to access / on this server.
Apache/2.4.7 (Ubuntu) Server at localhost Port 80
So i added some scripts to : sudo gedit /etc/apache2/sites-available/000-default.conf
# DocumentRoot /var/www/html
DocumentRoot /media/mithun/Projects/test
But Document Root /var/www/test works but not with Windows NTFS Partition Drive.
Even after referring to :
Error message "Forbidden You don't have permission to access / on this server"
Issue with my Ubuntu Apache Conf file. (Forbidden You don't have permission to access / on this server.)
No success :( So kindly assist me with it...
Note: Projects is an New Volume (Internal Drive: In Windows its E:/ Drive)
#Lmwangi - Please check my updates for your reference below:
Output of : ls /etc/apparmor.d/
abstractions lightdm-guest-session usr.bin.evince usr.sbin.cupsd
cache local usr.bin.firefox usr.sbin.mysqld
disable sbin.dhclient usr.lib.telepathy usr.sbin.rsyslogd
force-complain tunables usr.sbin.cups-browsed usr.sbin.tcpdump
I tried killing apparmor:
sudo /etc/init.d/apparmor kill
I receive output as : Usage: /etc/init.d/apparmor
{start|stop|restart|reload|force-reload|status|recache}
After this, i was also able to restart apache successfully
maybe the problem is simple : is your new root directory accessible to the www-data user ?
Try :
$ chown -R www-data:www-data /media/mithun/Projects
As you have you have discovered by now, you cannot just manipulate permissions on an NTFS partition (using tools like chmod)
However, you can try forcing a given owner/permissions for the entire partition when you mount it.
Now the wayto do this, depends on the NTFS-utilities you are actually using (and which i don't know, so I'm assuming you are using ntfs-3g)
E.g. mount the partition with the following parameters (replace dev/sdX with your actual partition, and /path/to/wheredrive/is/mounted` with your target path):
mount -o gid=www-data /dev/sdX /path/where/the/drive/is/mounted
should make all the files on the partition belong to the www-data group.
If the filesystem sets the group ownership explicitely, this still might not work.
In this case, you might need to setup a usermap, that maps your windows users/groups (as found on the partition) to your linux users/groups.
The ntfs-3g.usermap utility will help you generate an initial usermap file, which you can then edit to your needs:
ntfs-3g.usermap /dev/sdX
Then pass the usermap to the mount options:
mount -o usermapping=/path/to/usermap.file /dev/sdX /path/where/the/drive/is/mounted
I suspect that you have apparmor enforcing rules that prevent Apache from reading non-whitelisted directory paths. I suggest that you
Edit the apparmor config for Apache to access your custom path. You'll need to hunt around /etc/apparmor.d/ . You may also find that using apparmor in non-enforcing mode helpful.
$ sudo aa-complain /etc/apparmor.d/*
Use mod_apparmor? See this
Or disable apparmor completely. See this
My order of preference would be 1,3,2. That should fix this for you :)
While using ubuntu with windows I faced same issue and it is resolved by remounting drive with read and write access. Below command will help you to do that:
sudo mount -o remount,rw /disk/location /disk/new_location
If it is still not working then in windows os, go to the power options and disable fast startup.
When you shut down a computer with Fast Startup enabled, Windows locks down the Windows hard disk. You won’t be able to access it from other operating systems if you have your computer configured to dual-boot. Even worse, if you boot into another OS and then access or change anything on the hard disk (or partition) that the hibernating Windows installation uses, it can cause corruption. If you’re dual booting, it’s best not to use Fast Startup or Hibernation at all.
Original article: https://www.howtogeek.com/243901/the-pros-and-cons-of-windows-10s-fast-startup-mode/
I am new to Linux , and I am trying to install AlteraQuartus 2 WEb Edition and NIOS2 EDS to play with Nios2 Processor.
However , after installing Quartus and when I am trying to execute jtagconfig.
I do not see something like below , even after running /altera/nios2eds/nios2_command_shell.sh
1.)[Nios2 EDS] $
2.) Unable to lock chain (Insufficient port permissions)
Please Help,
To check if this is indeed a port permission problem, start the trouble-shooting by running jtagd (the deamon between the Altera tool and the driver) as root. At first, you must make sure that jtagd is not running, since if it is already running as a user, trying to start it as root will have no effect.
$ sudo killall -9 jtagd # Kill jtagd, ...
$ sudo killall -9 jtagd # ...and verify jtagd is indeed not running.
jtagd: no process found # Good, verified.
$ sudo jtagconfig # Will also start jtagd as root
1) CV SoCKit [2-1]
02D020DD 5CSEBA6(.|ES)/5CSEMA6/..
4BA00477 SOCVHPS
If the above is successful, this is indeed a port permission problem. To fix it permanently, try with udev rules, as suggested by #eepp.
(On a side note, jtagd will be started by jtagconfig if not already running, as the same user that started jtagd. Hence #eepps command will work as well, but jtagd should be killed first.)
For further trouble-shooting, running jtagd with some debug command-line options can give useful information:
$ jtagd --foreground --debug
JTAG daemon started
Using config file /etc/jtagd/jtagd.conf
Remote JTAG permitted when password set
Cant bind to TCP port 1309 - exiting
(The above error message is typical if jtagd is already running.)
(Above is taken från http://www.fpga-dev.com/altera-usb-blaster-with-ubuntu/. See that page for more details.)
"Insufficient permissions" or "permission denied" or whatever relating to not having permissions on *nix usually means you must run the command as user root (or as another user who has the permissions, but root has all of them).
So run jtagconfig as root:
$ sudo jtagconfig
Alternatively, as root, put this in a new file /etc/udev/rules.d/51-altera-usb-blaster.rules:
SUBSYSTEM=="usb", ATTR{idVendor}=="09fb", ATTR{idProduct}=="6001", MODE="0666"
SUBSYSTEM=="usb", ATTR{idVendor}=="09fb", ATTR{idProduct}=="6002", MODE="0666"
SUBSYSTEM=="usb", ATTR{idVendor}=="09fb", ATTR{idProduct}=="6003", MODE="0666"
SUBSYSTEM=="usb", ATTR{idVendor}=="09fb", ATTR{idProduct}=="6010", MODE="0666"
SUBSYSTEM=="usb", ATTR{idVendor}=="09fb", ATTR{idProduct}=="6810", MODE="0666"
and then, run:
$ sudo udevadm control --reload
This should change the permission of your USB-Blaster Download Cable device so that any user may access it (if this is what you want), so you should be able to issue jtagconfig without sudo. Those five idProducts are all the known USB-Blaster Download Cable USB product IDs (for the Altera vendor ID, 0x09fb).
I wrote a fairly complete Arch Linux wiki page about Altera softwares on Linux if you want more details.
It may be obvious but make sure you're not going through a USB hub. That was my problem for Altera DE2-115 with Quartus Prime Lite 20.1.1 on Ubuntu 20.04.
The above answers fixed my permissions issue (Specifically adding ATTR{idVendor}=="09fb", ATTR{idProduct}=="6001", MODE="0666" to the new file /etc/udev/rules.d/51-altera-usb-blaster.rules).
But I was still getting.
1) USB-Blaster [1-2.1]
unable to lock chain - Chain in use - check
Going straight to my PC solved it.