How to set a folder with trailing dot permission in linux? - linux

I can see that the folders below have a dot at the end of the permissions:
drwxr-xr-x. 2 root root 4096 May 26 2010 java-1.7.0
drwxr-xr-x. 2 root root 4096 May 26 2010 java-1.6.0
drwxr-xr-x. 2 root root 4096 May 26 2010 java-1.5.0
How can I create a new folder with similar permissions?

I found a way to do it; in case anyone needs it, I'm posting the answer:
[root@XXXXX share]# chcon -h system_u:object_r:usr_t:s0 java-1.8.0
[root@XXXXXX share]# ls -dZ java-1.8.0
drwxr-xr-x. root root system_u:object_r:usr_t:s0 java-1.8.0
A good read: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html

You are using a Red Hat based distro, which means SELinux permissions; you can use:
ls -lZ
From the man page (man ls):
-Z, --context
print any SELinux security context of each file
If you want to use SELinux, you can start from here.
SELinux permissions are a big topic.
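The two answers above show the label with ls -Z and set it with chcon. The script below is an added example, not code from either answer: it pulls the SELinux type out of ls -Z output so a new directory can be compared with its siblings, and copies a sibling's context onto it with chcon --reference. It assumes GNU coreutils and policycoreutils; the listing lines in the demo are constructed, and the apply step only runs on an SELinux-enabled host.

```shell
#!/bin/sh
# Added example, not code from the original answers: label a new directory with
# the same SELinux context as an existing sibling, then verify it.
# Assumptions: GNU coreutils (chcon, ls -Z) and policycoreutils (restorecon);
# the apply step needs an SELinux-enabled host, and the directory names used
# in the demo are constructed placeholders.

# context_type LINE: print the SELinux type (third field of
# user:role:type:level) from a line of "ls -dZ" or "ls -lZ" output, e.g.
#   drwxr-xr-x. root root system_u:object_r:usr_t:s0 java-1.8.0   -> usr_t
context_type() {
  printf '%s\n' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit } }' \
    | cut -d: -f3
}

# same_type LINE_A LINE_B: "yes" when both listings carry the same type.
same_type() {
  [ "$(context_type "$1")" = "$(context_type "$2")" ] && echo yes || echo no
}

# label_like REFERENCE TARGET: copy REFERENCE's context onto TARGET.
# chcon writes the label into the inode's security xattr but records nothing
# in policy, so a relabel (restorecon -R, or an autorelabel at boot) resets it
# to whatever the file-context rules say. When the policy already has a rule
# for the path, "restorecon -v TARGET" is the durable choice.
label_like() {
  chcon -h --reference="$1" "$2" && ls -dZ "$2"
}

# Constructed listing lines, mirroring the question's directories.
existing='drwxr-xr-x. 2 root root system_u:object_r:usr_t:s0 4096 May 26  2010 java-1.7.0'
new_dir='drwxr-xr-x. 2 root root unconfined_u:object_r:default_t:s0 4096 Jan  1  2024 java-1.8.0'
echo "existing type: $(context_type "$existing"), new dir type: $(context_type "$new_dir")"
echo "same type: $(same_type "$existing" "$new_dir")"

# Apply step: ./label.sh REFERENCE_DIR NEW_DIR   (only on an SELinux host)
if [ $# -eq 2 ] && command -v chcon >/dev/null 2>&1; then
  label_like "$1" "$2"
fi
```

The type field is what the policy decides on, so comparing types rather than whole context strings is usually the right check; the user and level parts of the label often differ between directories that are otherwise treated identically.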

Related

Unable to write to a file with group permissions

We are getting the error "permission denied" when trying to write to a file that is owned by a service user and a shared group. In particular, that is www-data:www-data, and the user trying to write to it is in the group www-data.
There is no ACL on any of the parent folders, and the permissions on the file and folders are correct.
Here are some details:
$ sudo -u deploy id -Gn
www-data
$ ls -lah /tmp
drwxrwxrwt 17 root root 4.0K Jul 11 11:22 .
drwxr-xr-x 23 root root 4.0K Jul 8 10:08 ..
...
-rw-rw-r-- 1 www-data www-data 0 Jul 11 10:50 test
...
$ echo 'hello world' | sudo -u deploy tee -a /tmp/test
tee: /tmp/test: Permission denied
hello world
We tried that in different folders and made sure there is no ACL on any of the folders, parents or files...
Unfortunately, that is not described in the link stark posted in the comment, nor in any other page I found, until I found an answer here on Stack Overflow that clarified it.
In 2018, two new filesystem settings were added to sysctl that prevent regular files and FIFOs from being opened with the O_CREAT flag (which append mode does) in directories with the sticky bit set, unless the user is the owner of the file. This commit added the settings: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5
To change that behaviour you have to set fs.protected_regular to 0:
sudo sysctl fs.protected_regular=0
Or, to persist the change, add fs.protected_regular=0 to your sysctl.conf.
Side note: since O_CREAT is not deleting or renaming the file, I wonder why it is connected to the sticky bit. It really is possible to create a file in directories with the sticky bit set.
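The answer above turns the protection off. As an added example, not code from the post, the script below reproduces the kernel's fs.protected_regular decision in shell so a "Permission denied" like the one in the question can be explained before the sysctl is touched: the denial applies only when the sysctl is on, the directory is sticky, the file is owned by neither the directory owner nor the caller, and the directory is world-writable (level 1) or also group-writable (level 2). It assumes GNU stat and a Linux /proc for the live check; every value in the demo is constructed from the question.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the
# fs.protected_regular rule for an O_CREAT open of an existing file in a
# sticky directory. Assumptions: GNU stat(1) and Linux /proc for the live
# check; all demo values are constructed.

# sticky_create_verdict LEVEL DIR_MODE DIR_OWNER FILE_OWNER CALLER
#   LEVEL     value of fs.protected_regular (0, 1 or 2)
#   DIR_MODE  octal mode of the directory, e.g. 1777 for /tmp
# Prints "allowed" or "denied" for an open(O_CREAT) of an existing regular file.
sticky_create_verdict() {
  level=$1; dmode=$(( 0$2 )); downer=$3; fowner=$4; caller=$5
  # Protection off, directory not sticky, or the file belongs to the directory
  # owner or to the caller: the legacy behaviour applies and the open proceeds.
  if [ "$level" -eq 0 ] || [ $(( dmode & 01000 )) -eq 0 ] \
     || [ "$fowner" = "$downer" ] || [ "$caller" = "$fowner" ]; then
    echo allowed; return
  fi
  # Level 1 covers world-writable sticky directories; level 2 adds
  # group-writable ones.
  if [ $(( dmode & 02 )) -ne 0 ] \
     || { [ "$level" -ge 2 ] && [ $(( dmode & 020 )) -ne 0 ]; }; then
    echo denied; return
  fi
  echo allowed
}

# explain_append FILE: run the same check against a real path (Linux only).
explain_append() {
  f=$1; d=$(dirname "$f")
  lvl=$(cat /proc/sys/fs/protected_regular 2>/dev/null || echo 0)
  v=$(sticky_create_verdict "$lvl" "$(stat -c %a "$d")" "$(stat -c %U "$d")" \
                            "$(stat -c %U "$f")" "$(id -un)")
  echo "fs.protected_regular=$lvl dir=$d file=$f -> O_CREAT open $v"
}

# Constructed scenario from the question: /tmp is 1777 root-owned, the file is
# owned by www-data, and the writer is "deploy", a member of group www-data.
echo "deploy appending to www-data's file in /tmp: $(sticky_create_verdict 1 1777 root www-data deploy)"
echo "same file, but owned by deploy:              $(sticky_create_verdict 1 1777 root deploy deploy)"
echo "same file in a 0770 group dir (no sticky):   $(sticky_create_verdict 2 770 root www-data deploy)"

# Live check: ./check.sh /tmp/test
if [ $# -eq 1 ]; then explain_append "$1"; fi
```

The third constructed case is the fix that keeps the protection: a directory owned by the shared group without the sticky bit (a setgid 2770 directory, for example) lets every group member append, whereas lowering fs.protected_regular host-wide removes the guard the linked commit added against pre-created files in shared directories being fed to other users' writers.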

Cron files /etc/at.allow and /etc/cron.allow files, root permission abnormal behaviour?

On my OpenVPN server, I am ensuring the cron file permissions make them accessible only to the root user.
I have removed the at.deny and cron.deny files and created at.allow and cron.allow with 0600 permissions. Both files are empty, and the file permissions are as below, which clearly show that root has read and write access.
-rw------- 1 root root 0 Jul 21 08:40 cron.allow
-rw------- 1 root root 0 Jul 21 08:40 at.allow
However, this change still allows my openvpnas user to list the crontab and even to edit cron.
openvpnas@openvpnas2:~$ crontab -l
no crontab for openvpnas
Whereas when the file permissions are as below,
-rw-r--r-- 1 root root 0 Jul 21 08:41 cron.allow
-rw-r--r-- 1 root root 0 Jul 21 08:41 at.allow
it restricts my non-root users from accessing or editing cron files! This issue is only with one of my servers, whereas on the other servers the permissions and behaviour are as expected:
openvpnas@openvpnas2:~$ crontab -l
You (openvpnas) are not allowed to use this program (crontab)
See crontab(1) for more information
Please provide your input on this; it has kept me blocked from continuing my work.
The issue I faced was on an Ubuntu 18.04 instance.
The current /usr/bin/crontab permissions were as below:
-rwxr-sr-x 1 root crontab 39352 Nov 16 2017 /usr/bin/crontab
I had to change the group from crontab to root and the file permissions as below:
sudo chmod 4755 /usr/bin/crontab
sudo chown root:root /usr/bin/crontab
-rwsr-xr-x 1 root root 39352 Nov 16 2017 /usr/bin/crontab
This permission restricts non-root users from scheduling cron jobs. Access can be allowed to non-root users by adding their user names to the cron.allow file.
openvpnas@openvpnas2:~$ crontab -l
You (openvpnas) are not allowed to use this program (crontab)
See crontab(1) for more information
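The script below is an added example, not code from the question or its answer. It evaluates the cron.allow / cron.deny rules from crontab(1) for a given user and audits the files and the crontab binary. It assumes the Debian/Ubuntu layout the question shows (/etc/cron.allow, /etc/cron.deny, and /usr/bin/crontab shipped as 2755 root:crontab); paths are parameters so the functions can run against constructed files.

```shell
#!/bin/sh
# Added example, not code from the original post: who may run crontab under the
# allow/deny rules, plus an audit of the files and the binary.
# Assumptions: Debian/Ubuntu cron layout; the packaged crontab binary is
# setgid "crontab" (2755 root:crontab), as the question's listing shows.

# cron_access_verdict USER ALLOW_FILE DENY_FILE
# Prints allowed | denied | site-default (neither file exists).
# Readability is judged as the user running this function. A file that exists
# but cannot be read is treated as absent, which is what a setgid-crontab
# binary sees when cron.allow is 0600 root:root.
cron_access_verdict() {
  u=$1; allow=$2; deny=$3
  [ "$u" = root ] && { echo allowed; return; }      # root is never denied
  if [ -r "$allow" ]; then
    grep -qx "$u" "$allow" && echo allowed || echo denied
  elif [ -r "$deny" ]; then
    grep -qx "$u" "$deny" && echo denied || echo allowed
  else
    echo site-default
  fi
}

# audit_cron_files ALLOW_FILE DENY_FILE CRONTAB_BIN: findings a reviewer wants.
audit_cron_files() {
  allow=$1; deny=$2; bin=$3
  for f in "$allow" "$deny"; do
    if [ -e "$f" ]; then
      echo "$f: mode $(stat -c '%a %U:%G' "$f"), $(wc -l < "$f" | tr -d ' ') entries"
      [ -r "$f" ] || echo "  WARNING: exists but is unreadable here; crontab will treat it as absent"
    else
      echo "$f: absent"
    fi
  done
  if [ -e "$bin" ]; then
    m=$(stat -c '%a %U:%G' "$bin")
    echo "$bin: mode $m"
    [ "$m" = "2755 root:crontab" ] \
      || echo "  REVIEW: differs from the packaged 2755 root:crontab; the setgid group was chosen so the command never runs as root"
  fi
}

# Constructed demo: an allow file listing one user, no deny file.
demo=$(mktemp -d)
printf 'openvpnas\n' > "$demo/cron.allow"
echo "openvpnas -> $(cron_access_verdict openvpnas "$demo/cron.allow" "$demo/cron.deny")"
echo "www-data  -> $(cron_access_verdict www-data  "$demo/cron.allow" "$demo/cron.deny")"
audit_cron_files "$demo/cron.allow" "$demo/cron.deny" /usr/bin/crontab
rm -rf "$demo"
```

Run the audit as an ordinary user, not root, to see what the setgid command can open. That also accounts for the question's first observation: a 0600 root:root cron.allow is unreadable to a crontab running with group crontab, so it is skipped like a missing file; with cron.deny removed as well, every user falls through to the site default, which the question's first "crontab -l" output shows was to allow everyone. Making cron.allow 0640 root:crontab keeps it unreadable to other users while letting the command enforce it.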

No file permissions despite full permissions in sudoers

I have added the following to the file /etc/sudoers using the visudo command:
nick ALL=(ALL:ALL) ALL
But when I log in as nick and attempt something like mkdir .ssh I get:
mkdir: cannot create directory ‘.ssh’: Permission denied
Likewise, I cannot save files I have edited.
Running ls -la from the home directory gives me:
drwxr-xr-x 5 nick nick 4096 Apr 7 19:07 .
drwxr-xr-x 3 root root 4096 Apr 7 17:32 ..
-rw-r--r-- 1 nick nick 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 nick nick 3771 Aug 31 2015 .bashrc
drwx------ 2 nick nick 4096 Apr 7 18:29 .cache
drwxr-xr-x 2 root root 4096 Apr 7 19:07 .nano
-rw-r--r-- 1 nick nick 675 Aug 31 2015 .profile
Which, if I'm not mistaken, shows that I have no write access to anything. (Correct me if I'm wrong. I'm only passingly familiar with UNIX permissions.)
Why can't this user do anything despite being given full permissions in sudoers?
UPDATE:
This problem fixed itself. I do not know what the problem was but it was no longer a problem when I logged on a couple days later.
For the record, I was attempting to configure a fresh DigitalOcean server running Ubuntu 15.10 x64. My local computer is a MacBook running El Capitan.
My guess is that the remote server restarted or somehow otherwise incorporated the change automatically in the interim. I had already tried running sudo reboot, which produced no results, so I'm still not sure how this could be.
I was also experiencing some local WiFi connection dropping at the time but as my SSH connection seemed to be operational I'm not sure if this could be related.
I'm also not a Linux expert, but to me it seems like you have to use sudo mkdir .ssh instead of mkdir .ssh. You allowed your user to behave like root (who has rights to write to the directory), but to do that you have to use the sudo command.
Here is a simple explanation of how it works (with pictures): https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
Here is the serious documentation: https://help.ubuntu.com/community/Sudoers

permission denied using vim in linux

How do I change the user back to user space instead of root?
I accidentally edited my code as root, and then the user name changed from "yuki" to "root". After that, I could not edit my code as "yuki" anymore...
before:
-rw-rw-r--. 1 yuki yuki 5777 Apr 10 14:24 Makefile
after:
-rw-r--r--. 1 root root 5828 Apr 24 19:42 Makefile
Could someone please help?
Thanks.
As root, use:
chown yuki:yuki Makefile
to change the owner back.
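Both the sudoers question (a root-owned .nano directory inside nick's home) and the vim question (a Makefile that became root:root) are the same aftermath: a file created or saved while running as root. The script below is an added example, not code from either post. It lists everything under a tree that a given uid does not own, reports why a particular path is not writable, and hands a tree back with chown. It assumes GNU find and stat; the sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from either post above: audit and repair ownership
# of files under a user's tree after something was created or saved as root.
# Assumptions: GNU find/stat; the demo tree is constructed in a temp dir.

# foreign_owned_files DIR UID: list every entry under DIR not owned by UID.
foreign_owned_files() {
  find "$1" ! -uid "$2" -print
}

# why_denied PATH: owner, mode, and whether the caller may write it.
why_denied() {
  p=$1
  printf '%s: owner %s, mode %s, caller %s -> ' \
    "$p" "$(stat -c %U "$p")" "$(stat -c %a "$p")" "$(id -un)"
  if [ -w "$p" ]; then
    echo writable
  else
    echo "not writable (chown it back if it is yours; use sudo only for the one command that needs root)"
  fi
}

# reclaim_tree DIR USER: give DIR and everything below it back to USER.
# Needs root, i.e. "sudo sh -c '...'": a sudoers entry lets the user run
# commands as root, it does not change who owns files by itself.
reclaim_tree() {
  chown -R "$2:$2" "$1" && echo "ownership of $1 reset to $2"
}

# Constructed demo tree shaped like the listings in the questions.
me=$(id -u)
tree=$(mktemp -d)
mkdir "$tree/.nano"; : > "$tree/Makefile"; : > "$tree/.bashrc"
echo "entries not owned by uid $me:"
foreign_owned_files "$tree" "$me"
echo "entries not owned by uid $((me + 1)) (constructed stranger uid):"
foreign_owned_files "$tree" "$((me + 1))"
why_denied "$tree/Makefile"
rm -rf "$tree"
```

On the affected machine, run foreign_owned_files "$HOME" "$(id -u)" as the user: every path it prints was written as root and is what reclaim_tree, run through sudo, gives back. For the vim case the answer's single chown yuki:yuki Makefile is the same repair scoped to one file.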

How to give permissions to other user after logging as root in Linux?

I am a Linux newbie and I have a very basic question. I have one machine, machineA, and I have root access to that machine.
Now I need to create the two directories below and give permissions to the app user.
Create ZooKeeper Data directory and give permissions to app : /opt/zookeeper/data
Create ZooKeeper Log directory and give permissions to app : /opt/zookeeper/log
I have already created those directories in the /opt folder by logging in as root:
root@machineA:/opt# ls -lt
drwxr-xr-x 4 root root 4096 Dec 17 13:46 zookeeper
root@machineA:/opt/zookeeper# ls -lt
drwxr-xr-x 2 root root 4096 Dec 17 13:46 log
drwxr-xr-x 2 root root 4096 Dec 17 13:45 data
Now I am not sure how to give permissions to the app user as mentioned above. I believe this is a pretty easy question, but I am not sure how to do it.
Any thoughts?
Here you go:
chown -R app /opt/zookeeper
This will change the owner of the /opt/zookeeper directory and all its subdirectories to app.
Use chown to change the owner of a file (or directory):
chown app log data
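The answers above hand the directories to the app user with chown. As an added example, not code from either answer, the script below creates the data and log directories owned by the service account with a 0750 mode, leaves the parent at 0755, and verifies the result. It assumes GNU stat and chown; the user "app" and the /opt/zookeeper paths come from the question, and the base directory is a parameter so the demo runs in a temporary directory without root.

```shell
#!/bin/sh
# Added example, not code from the original answers: provision a service's
# data and log directories with least-privilege ownership and modes.
# Assumptions: GNU stat/chown; "app" and /opt/zookeeper come from the question.

# provision_app_dir DIR OWNER GROUP MODE: create DIR, set owner and mode.
# 0750 lets the owner read/write, the group read, and everyone else nothing.
provision_app_dir() {
  mkdir -p "$1" && chown "$2:$3" "$1" && chmod "$4" "$1"
}

# dir_state DIR: print "mode owner group" so the result can be checked.
dir_state() {
  stat -c '%a %U %G' "$1"
}

# provision_zookeeper BASE OWNER GROUP: the two directories from the question.
# Only what the service writes is handed to it; the parent stays 0755 and
# keeps its current owner, so the service account does not own its install.
provision_zookeeper() {
  base=$1
  for sub in data log; do
    provision_app_dir "$base/$sub" "$2" "$3" 750 || return 1
  done
  chmod 755 "$base"
}

# Demo with constructed paths; on the real host, as root, the call would be:
#   provision_zookeeper /opt/zookeeper app app
me=$(id -un); mygrp=$(id -gn)
base=$(mktemp -d)/zookeeper
provision_zookeeper "$base" "$me" "$mygrp"
for sub in data log; do
  echo "$base/$sub: $(dir_state "$base/$sub")"
done
rm -rf "$(dirname "$base")"
```

chown -R app /opt/zookeeper, as in the first answer, also works; this version narrows ownership to the two directories the service writes and closes them to other local users, which is the shape you want when the service does not need to modify its own installation.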
