Description:
I used root account login in,and create a file (only root can write & read)in other account(if user is test)home directory.issues comming,when i use test account login in ,use 'vim' & 'wq!' command unexpectedly can save success!!,what happen ?why?
It is very difficult to understand your post. I'm really trying to, but I might interpret it wrongly:
You log in as root and create a file in user test's home directory?
Then, you log out from root and log in as test?
Then, as user test, you launch Vim and issue command "force write & quit?
You are perplexed as to why you are allowed to create a file as user test, inside a directory owned by user test?
Related
On occasion, the user initiates an action in my Node app that requires escalated administrator or root privileges. Rather than ask users to run the app with sudo, I would like to prompt the user for their password and escalate the privileges of the already-running Node process.
I am not interested in my app executing a child process with sudo (as is already possible with sudo-prompt). I want the node process itself to gain root privileges after having been started by a non-root user without sudo.
One example of an app that displays behavior exhibiting the problem:
var process = require('process');
var http = require('http');
var server = http.createServer(...);
// Several steps here that are unsafe to run as root
promptUserForAdminPassword();
server.listen(80); // Fails, needs to be root
I would like to write the function promptUserForAdminPassword(), which would prompt the user for their password, escalating the privileges of Node so it can run server.listen(80) with root privileges, but run everything prior with user privileges.
You are essentially wanting to change the uid of the node process to 0, the id for root. This is done using Node's process.setuid(0), but only root or processes run with sudo will be successful with that call, so this is not possible.
It is not possible for a process with a uid of a non-privileged user to change its uid to 0.
Alternatives
Start Another Process
// Prompts user for password in terminal running Node process
child_process.spawn('sudo', ['node', 'serverlistener.js']);
// Prompts user for password using UI element
child_process.spawn('gksudo', ['node', 'serverlistener.js']);
This question has some options for the missing gksudo on macOS.
Effective User ID
If starting the app with sudo is a possibility, you can reduce the exposure of root by:
Starting as root
Immediately changing the effective user id to a safer user
Later change the effective user back to root as needed
Example:
var userid = require('userid');
var sudoUserId = userid.uid(process.env.SUDO_USER);
process.seteuid(sudoUserId);
// Do things
process.seteuid(0);
server.listen(80);
Uses userid module.
Usually what you want to do is launch your server as root and then drop permissions, not the the other way around.
https://thomashunter.name/blog/drop-root-privileges-in-node-js/
If all you want to do is run on port 80 then that's what I recommend.
If you need permissions for other things you should probably have the user your server is running as have permission for those things. (write access to directories etc) Running as root is generally bad.
I have created a build using electron and npm. The application is using sqlite as a database. The application is ruuning great before creating the build(npm run build). But after creating the build the database become redonly. I have checked the permission by command "ls -asl" but it is showing read/write both the permission to the database file. But when I am trying to insert/update any records is throwing the error "Error: SQLITE_READONLY: Attempt to write a readonly database". I don't know why this is happning. Please provide some help here.
Don't put the database file inside the application installation directory, put it in the directory returned by app.getPath('userData') instead.
The folder the database resides in must have write permissions, as well as the actual database file.
In my case, I had my sqlite file inside database folder as below
database (Initial permission 665)
- app.db (Initial permission 665)
changed above permission as
database (Initial permission 667)
- app.db (Initial permission 666)
TutorialsPoint Java Compiler
In tutorialspoint, they have created linux terminal using term.js.
I have integrated same github library in my project, it is working fine but I am trying to understand the flow of tutorialspoint.
My assumption:
In tutroialspoint each time they are creating new user_id under root user(cg) and running terminal(nodejs server) using that user_id so every time when you reload page there will be a different user_id (run whoami in terminal), so another user can't operate other users files.
I am running nodejs server using forever.js under root user, I want to implement same type of functionality. What is correct way to do this? and if there is another way please elaborate.
I think they are creating a new user each time you visit the page and providing you a subshell of that user. It can be easily achieve by using Shell Programming techniques. Creating a new user each time thing is probably nothing more than a security measure.
So I will briefly explain the concept in 5 steps:
1 - Create a new user:
shell_exec('useradd --expiredate 2016-09-10 [username]');
http://www.computerhope.com/unix/useradd.htm
2 - Login to this newly created user account:
shell_exec('su [username]');
3 - Get user input to the PHP script using AJAX(dynamically).
4 - Execute user's command and send the output to user:
<?php
$output = shell_exec("[user's command]");
echo "<pre>$output</pre>";
?>
5 - Repeat from 3.
I have been recently introduced to fabric and trying to approach the following:
access remote host
su root
perform a command, for example change password for multiple users
done!
Please note that I cant use sudo, nor connect directly to the remote host using root. The commands I need to perform can only be performed if I explicitly change user to root.
I was able to approach the main concept of getting to the remote host and play with some commands, using fabric, but the problem im having is that once I switch to root "su root" I cant perform the rest of the commands unless I exit.
example of what im trying to approach:
def mytask():
with settings(user="root"):
run('whoami')
run('echo "TEST using root user"')
run('echo "ITS WORKING!!!"')
or something like this
def mytask():
run ('su root')
run ('passwd testUser')
In both cases once I enter the root password nothing would get executed, I would get the remote command line back, unless I exit back to the original user. I have seen few suggestions about using "fexpect" for prompts but not sure if that would make a difference.
I'm developing on a Linux environment.
You have to use fexpect and fexpect run command
from ilogue import fexpect
prompt = ['Password', 'mypassword'] # ('prompt', 'answer') Case sensitive
def test():
with fexpect.expecting(prompt):
fexpect.local("su -")
I have an Android app with some C code that uses the link(2) system call to create a hard link to an existing file. When I execute the app on Android 5.0.2, this part of the app works. When I execute the exact same app on an Android-M device the link() system call returns -1 "permission denied".
I notice in my log getting messages like this:
09-02 17:10:34.222 5291 5291 W ona.crackerjack: type=1400 audit(0.0:59): avc: denied { link } for name="fixed28" dev="mmcblk0p28" ino=82829 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=lnk_file permissive=0
This message appears nearby my app's log message that link() returned -1 "permission denied", sometimes earlier, sometimes later.
Is creating a hard link considered unsecure? I notice the "scontext=u:r:untrusted_app". Is there a way to make the app trusted and if so, would that let the link() system call work?
Apparently there are new SELinux rules, which forbid making hard links (or maybe accessing the folder or file).
Normal users cannot alter SELinux rules and even with root permissions this is not straightforward.
More on SELinux: https://source.android.com/devices/tech/security/selinux/
It looks like this is "by design".
At https://code.google.com/p/android-developer-preview/issues/detail?id=3150 , a member of the project explains that:
Hard linking files is blocked and an attempt to call link() on a file will return
EACCES.