I'm running Ubuntu Server 18.04.01 and am somewhat a noob when it comes to Linux permissions settings.
I have application A which is creating files and dumping them in a directory, and application B which is then taking those files, processing them and moving them somewhere else.
The problem I have is that application B is reporting that it cannot access the files created by application A. I can get around this by manually SSH'ing onto the server and running:
sudo chmod 775 -R ./Directory
However this is tedious and more importantly, requires human input. The whole purpose of my server is to automate some home security tasks so manual intervention is not feasible.
Please could someone let me know how I can make sure that all files created by application A, have rwx permissions for application B?
Thanks
Depending on the type of application A (is it a script or is it a binary?) you could just add to have it change the permissions once it created it.
If the application is a binary, you can "enclose" it into a script, which changes the umask before and during its runtime or change the permissions once the application stops running (e.g. as final task of the script).
Another approach is to run application A as the same user as application B is running, if this is feasible.
Related
I installed Scratch on a fresh xubuntu-system via apt.
When I run the application everything works fine, but I can't save projects to disk. The message that occurs says, that I might be using a read-only filesystem.
I checked the scratch locations via "whereis" and also checked which user and group they belong to. It is always root:root whereas if I run scratch it is executed under my non-root-user.
What is the best way to solve this issue? I think adding myself to the root-group would be the worst thing I could do.
I am creating a WordPress framework that has an auto update facility. When the system updates the framework, it downloads a .zip file (works ok, stored in a temp folder), and afterwards tries to extract that zip file to a place within the theme. When unzipping, it throws an error complaining about not being able to create a directory ("mkdir_failed").
The parent of target folder has permission "775" for user "bitnami" and group "bitnami";
root#linux:/home/bitnami# ls -al /opt/bitnami/apps/wordpress/htdocs/wp-content/themes/nexus
...
drwxrwxr-x 6 bitnami bitnami 4096 Oct 23 14:02 nexusframework
...
And I tried to put the "daemon" user in the "bitnami" group;
usermod -a -G bitnami daemon
Which indeed is assigned correctly I would say, as i see:
root#linux:/home/bitnami# id daemon
uid=1(daemon) gid=1(daemon) groups=1(daemon),1000(bitnami)
So; if the "daemon" user is in the "bitnami" group and the folder has 775 access rights, then why does it fail with "mkdir_failed"?
(note; assigning "777" to the parent folder solves the problem, but this is not an option because of security).
Thanks!
- Gert-Jan
update;
After doing more investigation on Linux in general, I read that Linux automatically creates a 'private' group for each user (so bitnami group for the bitnami user, etc.). I don't know if the problem is caused by the fact that I was trying (and apparently succeeded?) to add other users to the same group or not.
update;
See my answer below on how I resolved my issue.
Ok, thanks for all the comments. I eventually decided not to continu my investigation but to head for another direction, as having to rely on the container's folder to have "775" permission would be unwise for the framework (many clients would have 755 instead, so getting this to work for a group is nice but would eventually not solve my problem).
Instead I further investigated how WordPress themselves download and unzip themes and decided to follow that route.
The key problem i was trying to tackle, was to not have the unzipped files be owned by the 'daemon' user, but by the 'bitnami' user. The reason why it "impersonated" to the daemon user, was because i manually told the code to use the "direct" fs_method (as it appears, WP offers various ways to interact with the filesystem, where the easiest one is 'direct', see here). However, using the 'direct' FS_METHOD is the core reason why I have this problem, as that one will use the credentials of the webserver (the 'daemon' user in my case). So by using a different FS_METHOD, I know am able to unzip the files in the folder, using the correct 'bitnami' user (since the container is owner and has permissions (775, or 755 wouldn't matter) now my problem is solved. Note that instead of writing directly to the filesystem, now PHP will use FTP (see here).
Does it work if you change the group of the folder to daemon?
chgrp -R daemon /opt/bitnami/apps/wordpress/htdocs/wp-content/themes/nexus
I run servers on my Linux Server (Ubuntu) and there's a bit of a problem. It may seem simple to fix, however I don't think it is. The servers run in my username (server), however, others access certain files with different users via FTP. Because the server is running in my username, whenever a plugin creates new files, they do not have permission to edit etc.
I have tried putting the users into groups and then allowing group access to that folder (even for new files), but had no luck. Every time they need to edit the files, I need to chmod -R 777 it.
I thought about running the servers in their usernames, however that would produce complications. Is it actually possible to make new files retain the permissions of the parent (or a top folder)? All the solutions I've found doesn't seem to work.
Not for users but for groups. You can:
chmod g+s parent_dir
chgrp shared_group parent_dir
If you create files inside it, that files will have the group of the folder (shared_group).
Is there a way that I can secure the webapps folder in Tomcat from direct access from a system user? In other words, I dont want a user to logon to the server machine and access the webapps folder. However, id still like the contents of the webapps folder to be served accordingly.
Would a soloution such as TrueCrypt to encypt the folder work? Or something like Windows admin rights? However, id still need a user to logon to the server machine to start and stop tomcat (bin folder) but not have access to the webapps folder.
Update Feb 15 '11: Yes, it's to stop someone logging onto the server machine and deply/undeploy. Since I'm going to be using a windows machine, I will probably restrict access to the tomcat folder and create an exe on the desktop to start and stop the services.
I am not sure what you mean by "access webapps folder", I will assume this means user can deploy/undeploy webapps and start/stop Tomcat. In Unix this can be doable as follows:
create a user for Tomcat. Change umask so all created files are only readable by this user and no one else, similar for directories.
create a user (e.g. system) that will be stopping/starting Tomcat.
give sudo rights for user system just to be able to start/stop Tomcat. You can, for example, externalize catalina.sh start and catalina.sh stop scripts somewhere in /usr/local/bin and give sudo access to those.
create a script that takes yourwebapp.war and copies to $tomcat_home/webapps or invokes relevant Tomcat manager command (for deployment/undeployment). Again, give sudo rights just for that script but otherwise change it's mode to 700 so it is not even readable by system user.
My application is not supposed to perform any administrative tasks, so I want a normal User account to be able to run it. Only thing is, my application reads from and writes to a database file; if the user running Windows 7 (Or Vista) installs my app in drive C, the drive's default permission set configuration doesn't allow my app to write data.
How can I allow my app to write to C:, without requiring full administrative privileges?
If the database file exists at install time you can just grant the user write access to the file as part of the installation process (ordinary users do not have this permission by default). If the file needs to be created by the program the user running the program will need modify permissions on the c drive, which is not something that I would recommend.
I'd suggest storing your db file in Documents and Settings / App data / your app / directory. It exists specifically for this purpose. Writing to C:/Program Files is not so good practice. If that's possible in your case, that is.
You need to open UAC (User Account Access) and set security slider to the bottom. Then you can access drive C: as you did in windows XP.
I decided to modify directory permissions in the setup process, so I created an .exe file that changes the permissions of its start-up path, and gives all users access to that path. I simply included that .exe file in my deployment project, and created a Custom Action that would run the file in the Commit phase of installation.
Because the setup asks the user for administrative rights when it is being installed, my .exe also enjoys administrative privileges and can modify the permissions of the installation directory.
In my .exe, I used a Process instance to run the ACL utility shipped with Windows (icacls.exe) as follows:
ICACLS.EXE [TargetDir] /T /C /grant Users:F
(Make sure that [TargetDir] doesn't end with a "\" or the call will fail.)
This gives all users full control access to the target directory.
I could also write .NET code and change directory permissions manually, but I'm a little lazy!
You may however want to inspect your environment conditions thoroughly so that what you do wouldn't become a security hole in your environment; but this was suitable for me.
I hope this helps others who faced the same issue.
The user by default should have write permissions to drive C:, if not, then you will need to change the directory you read from and write to, to the executing directory (C:/Program Files/Your App/) rather than the root of C:
You can get this by
String Path = Path.GetDirectoryName(Application.ExecutablePath);