Trying to get ansible file/directory permissions to work.
In ansible I create a user:
user: name=testuser shell=/sbin/nologin uid=1234 comment="Test User"
Then I try to change ownership of a file directory:
file: path=/etc/myfile state=directory owner=testuser group=testuser mode=0644 recurse=yes
I also have tried setting a facl for a file:
acl:
name: /var/log/audit/audit.log
entity: filebeat
etype: user
permissions: rx
state: present
When observing the file permissions and the facl, they appear to be set correctly. However if I change the shell of my test user and login, I discover that I don't actually have the permissions that ansible presumably set. I keep getting a "Permission Denied" message.
If I understand what you mean, you get "Permission denied" when you try accessing to the directory content, e.g. running ls -l /etc/myfile .
This is the right *nix behaviour because you setted acces permission to mode=0644.
About directories, the execute bit allows the affected user to enter the directory, and access files and directories inside.
So, to allow your testuser going through the directory, set at least mode=0744.
To allow testuser group mode=0754 and to allow everybody mode=0755
Related
I want to add a user who can only execute a few commands and nothing else, at the same time I have created a shared folder (group) where my files are present. I want the user to only execute the files in the shared folder and restrict him from reading it or opening it and so on.
These are the set of commands I am using to create a restricted user. After these commands I am changing the PATH in the .bash_profile file to $HOME/commands directory.
This is how it looked when I login from the user account
I have added the user to the group using this command: sudo usermod -a -G bbc testuser
Now when I change the home directory to the shared file group using usermod --home /path/to/new/directory testuser, it shows like this when I login through the new user
This has no restriction on the commands being used, although ls and cd commands wont run other commands like nano to see the file content works. I want to restrict this as well
So after this If I try to import a python file in the new user it says 'module not found', this same command works in the ec2-user or root user.
Please help me solve this issue.
Thank you
I would like to create some users on my ubuntu server. I only want to let the users have read/write access to their home directories, and not be able to read or write to any other user's home directory. Does anyone have a suggestion how to do this? Like is there a way to create a group that has these permissions and then add all the users to the group? Or do I need to create each user, and just grant them only read/write permission on their home directory? I'm new to ubuntu server and when I create a new user, it seems to have all the same permissions that my account does.
First, this question is better suited for Ask Ubuntu, the stack exchange site specifically for ubuntu questions.
To answer your question, I'd recommend reading the ubuntu article on user management, everything you need to know is there. Here are the relevant sections:
To add or delete a personalized group, use the following syntax,
respectively:
sudo addgroup groupname
sudo delgroup groupname
To add a user to a group, use the following syntax:
sudo adduser username groupname
When a new user is created, the adduser utility creates a brand new
home directory named /home/username. The default profile is modeled
after the contents found in the directory of /etc/skel, which includes
all profile basics.
If your server will be home to multiple users, you should pay close
attention to the user home directory permissions to ensure
confidentiality. By default, user home directories in Ubuntu are
created with world read/execute permissions. This means that all users
can browse and access the contents of other users home directories.
This may not be suitable for your environment.
To verify your current user home directory permissions, use the
following syntax:
ls -ld /home/username
The following output shows that the directory /home/username has
world-readable permissions:
drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username
You can remove the world readable-permissions using the following
syntax:
sudo chmod 0750 /home/username
A much more efficient approach to the matter would be to modify the
adduser global default permissions when creating user home folders.
Simply edit the file /etc/adduser.conf and modify the DIR_MODE
variable to something appropriate, so that all new home directories
will receive the correct permissions.
DIR_MODE=0750
After correcting the directory permissions using any of the previously
mentioned techniques, verify the results using the following syntax:
ls -ld /home/username
The results below show that world-readable permissions have been
removed:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
I am using RStudio server (Version 0.98.994) on Ubuntu 12.04.
Our group works on a external share drive together and would like to open the same project.
When I open a project file created by other colleagues, I got an error with permission denied (Sorry I cannot show the error message as I already changed the permission manually).
After checking the file permission, I found the default permission is "-rw-r--r-x" for *.Rproj and .Rhistory, "drwxr-sr-x" for ".Rproj.user". So no write permission for group.
In the external share drive (no sure about system, should be Linux), the default permission is rw for group.
How could I change the default permission for *.Rproj, .Rhistory and .Rprojt.user?
Thanks for any advice. Please let me know if my question is not clear.
EDIT:
I created new file and folder in the external share drive from command line. The default permission is -rw-rw-r-- for file and drwxrwsr-x for folder, as I expected. It seems RStudio server created these new files with their own default permission.
Could I change the default permission of these files *.Rproj, .Rhistory and .Rprojt.user when RStudio server creates them? i.e. Add write permission to group.
The default permissions for Directories are 777 which is read/write/execute and for Files it is 666 which is read/write. But then every system has a umask value, which is normally 022.
So when you create a directory it will have permissions 777 but it will take away the umask value of 022 and leave you with your default permissions of 755 which is rwxr-xr-x
You can change the value of umask by simply entering the command
umask=055
This will set the umask value to 055 and whenever you create a new file/directory, 055 will be taken away from the permissions.
Again look at a newly created directory with permissions of 777 and the umask value is taken away so the directories permission is 722 which is rwx-w--w-
Again look at a new directory with permissions
When logging into my virtual server as a non-root user, I suddenly get the following error:
"Could not chdir to home directory
/var/www/vhosts/prosodylab.org/web_users/username: Permission denied
-bash: /var/www/vhosts/prosodylab.org/web_users/username/.bash_profile:
Permission denied"
I checked the permissions in the user directory (they're set to 700, and I also changed to 777 to check, with now effect).
This affects all users (including if I create a new user), but as root user I can still change into the relevant directories without problem.
echo $HOME returns the right directory.
Here is the directory entry of the home directory of the user (when set to 700):
drwx------ 20 username psaserv 4096 Jun 5 16:56 username
grep username /etc/passwd returns the following output, so the directory seems to be set correctly:
username:x: [...] ::/var/www/vhosts/prosodylab.org/web_users/username:/bin/bash
The server is a 1&1 dedicated virtual linux server, and it's worked fine for many years. I might have inadvertently changed something, but if so the I don't know what.
Does anyone know what might be the problem?
Gain more access login as root and check the permissions on the parent folder
I have a script (test.sh) on a local server, which works fine when executed in a terminal. The script removes a directory, and recreates a directory local. It then connects to a remote server using "ssh -i $private_key .." and copies a file there.
When I execute this script in jenkins with
sh test.sh
it doesnt work. I get the following errors:
rm: .. Permission denied
mkdir: .. Permission denied
Warning: Identity file /.ssh/private_key not accessible: Permission denied.
Jenkins is on the same server as the script.
I see that Jenkins is another user and cant do everything that I'm doing as root; how can I set the permissions without losing all security. Especially in case of the private_key, it would be silly to set the permissions to easy - it is currently set to 600 (read and write permission for the owner) and the owner is root.
The whole point of setting the private key's permissions to 600 is that no other user should be able to access it. If you have placed the keys in another user's home directory (/home/anotheruser/.ssh), then neither the Jenkins user, nor anyone else (except root) will be able to access it. This is as designed.
If you want your Jenkins user to be able to use the private key, copy it over to the jenkins users home directory as well (/home//.ssh).
Also, if you are trying to delete/create directories in some other user's directory as the Jenkins user without providing permissions, you will get a permissions error. This is because of security. The only way to allow this is the allow the Jenkins user to make changes to those directories.
One safe option is to add the Jenkins user to the same group as the other user. Once you do this, set the permissions on the directories you want to read from and write to, to allow anyone in the user's group to make changes.
rwxrwx---
The above permissions will allow the owner of the folder and any other users in the same group to make changes, but will not allow anyone else. This is safe, since you control who is part of the other user's group.
EDIT
It looks like your error has changed, though. You're not getting permission denied any more. Can you still do it through terminal? The reason (I think) it is saying that the host key verification has failed is because your key was originally created for the other user. I realise I said to do this in the answer above, but it is not the right way.
As the jenkins user, can you run the following commands:
ssh-keygen (say yes or agree if it asks if you want to replace your current keys)
ssh-copy-id -i ~/.ssh/id_rsa.pub remoteuser#remote_server
ssh remoteuser#remote_server
If this works, try your script through the terminal, and then through jenkins again...