Permissions to delete generated files from another user in linux (gitlab-runner) - linux

I'm using gitlab-runner to deploy my PHP application to an nginx web server.
To deploy, I'm using these steps:
1. delete all files in folder /var/www/site
2. move files from gitlab repository to /var/www/site
All these actions are performed only after pushing to repository new changes.
I have a problem. Files that are copied to /var/www/site are owned by gitlab-runner.
After uploading a file from a POST form, the files are owned by www-data (the nginx user).
After the next push, GitLab can't deploy because it fails on the first step. The user gitlab-runner doesn't have the right to delete www-data files.
I can't change the nginx user to gitlab-runner for a reason, and I don't know how to change gitlab-runner to another user.
Can anyone help me?

You can use the command chown to change the owner of a file.
chown uu:gg will set the owner of the file to uu and the group to gg.
You can change the permissions of a file with the chmod command.
chmod g+w will give write access to file to users of the group of
With these commands you should be able to set the group of the files to a group compatible with GitLab (check the initial group of the files with the ls -l command).

Related

Linux AWS EC2 Permissions with rsync

I am running a default t2.nano ec2 linux ami. Nothing is changed on it. I am trying to rsync my local changes to the server. There is a permissions issue that I don't know enough about to fix.
My structure is as follows. I'm trying to push my work to the technology directory. The technology directory is mapped to a staging domain. i.e. technology.staging.com
:/var/www/html/technology
This is from the root, and it does work fine; it's the rsync that is failing.
When I push locally to that directory I get a "failed: Permission denied (13)" error.
I'm running an nginx server and assigned permissions to the www directory as follows:
sudo chown -R nginx:nginx /var/www
My user is ec2-user which is the normal default. Here is where I am tripped up. You can see the var directory is given root access.
You can see that the www directory then has permissions set to nginx so our server can access the files. I believe I need to add the ec2-user to this directory as well as the nginx user so that I can rsync my files there and the server will still have access I'm just unsure of how to do that.
As a test, I created a test directory at this location and it worked successfully.
:/home/ec2-user/test
You can see the permissions here are set for the ec2-user, which is why it works, I'm sure.
Here's the command I'm running on my local machine to rsync my files which fails.
rsync -azP -e "ssh -i /Users/username/devwork/company/comp.pem" company_technology/ ec2-user@1.2.3.4:/var/www/html/technology
Here's the command that was working.
rsync -azP -e "ssh -i /Users/username/devwork/company/comp.pem" company_technology/ ec2-user@1.2.3.4:/home/ec2-user/test
I have done enough research and testing to know that it's a permissions error, I just can't figure out the right way to solve it. Do I need to create a group and assign both the nginx and ec2-user to the group and then give that group the same permissions level on the :/var directory?
Side note, what permissions level do I set for the chown to make these permissions that are currently set?
I have server config files in the :/etc/nginx/conf.d/ directory that map to the directories I create inside of :/var/www/html directory so I can have multiple sites hosted on the server.
So in this example, I have a config file at :/etc/nginx/conf.d/technology.conf which maps to the directory at :/var/www/html/technology
Thank you in advance, again, I do feel like I have put forth the research and effort to show that I've gone as far as I know how to do.
The answer made sense after I spent roughly a day playing around. You have to give access to both the ec2-user and the nginx group. I believe you never want to put a user in a group that involves the server itself, I think things would go south.
After changing the owner to both the ec2-user and nginx group, it still didn't work exactly the way I wanted it to. The reason was, I needed the nginx permissions to be updated to what they had when they were assigned the user role.
Basically, the ec2-user had write permissions and the server did not. We wanted the user to have write permissions so they could rsync my local files to the directory on the server, and the nginx group needed the same level of permissions to display the pages. Now that I think about it, the nginx group may have only needed read permissions to display things, but this at least solved the problem for now.
Here is the command I ran on the server to update the ownership and the permissions, as well as the output.
modify ownership
sudo chown -R ec2-user:nginx :/var/www/html/technology
modify permissions
sudo chmod -R o=rwx,g+rwx,o-w technology
The end result looks like this
You can see the permissions match, and the ownership is as we expected. The only thing I have to figure out is after I rsync new files to the server, I need to run the previous code to update the permissions again. I'm sure that will come to me later, but I hope this helps anyone in the same situation.

Jenkins installation on Linux, executing shell command gives permission denied.

I have installed jenkins on linux machine and configured it.
As part of automation of the build process, I want to copy my war from one directory to another. I tried doing so using the PRE BUILD ACTION and executing a shell command.
cp /from directory /to directory
Build fails giving permission denied. I have tried several ways by providing root level permission to the user I log into the jenkins.
Nothing works.
I am not sure if I am giving permission to the right user or not.
Any help would be highly appreciated.
Please note I am new to LINUX/UNIX.
To find out the user that is starting Jenkins, use whoami in a pre build action and look at the build log to see what user is carrying out the build scripts. It will probably be different than the user that owns the folder you are trying to get jenkins to copy the war into.
Rather than make the user that jenkins is running a root user (a security risk since now your jenkins scripts can perform privileged actions), you can add that user to the same group that the user that owns the folder is in.
Let's say I ran whoami in a jenkins script and the user turned out to be user1, and the user that owns the folder you are trying to copy the war into is user2. You would want to add user1 to the same group that user2 is in, and modify the folder permissions to allow modifications by people in the same group.
To add user1 to the same group as user2:
usermod -a -G user2 user1
Then modify the permission of the folder you want to copy into:
chmod g+w /path/to/directory

Linux permissions issue

I'm trying to use Jenkins to deploy to a custom workspace but am having permissions issues. The custom workspace folder is /var/www/workspace which is owned by www-data and in the www-data group as normal. I have added my jenkins user to the www-data group and the folder has writable permissions on user and group level. When I run the Jenkins build it fails because it doesn't have permission to clone into the folder. The only thing I can think of that may be stopping this from happening is the fact that the var folder is owned by root even though www and all folders below this are owned by www-data.
Any advice appreciated.
Do one thing, go to /var/www/ and type the following command and paste output:
ll
Responding to your comment, to change the owner and group of /var/www/workspace and all files under it you can use:
chown -R jenkins:www-data /var/www/workspace
In the end I changed the user that Jenkins is running as from Jenkins to www-data. Probably not the ideal way to do things but as this is on a non public facing server it suits my purpose. Now when a build has completed I get Jenkins to run a couple of chmod commands to make sure file permissions are correct and the files are already in the www-data group so all works nicely.

Allowing jenkins to access contents of currently logged in user folder

I am using Jenkins to build my project on a Linux machine. During the build operation files are read from a source location and files are to be copied to a new destination location. The source and destination locations are input by the user from the Jenkins UI. I want the user to be able to select any folder located within his/her home folder as source or destination. For example: /home/jdoe/folder.
Currently, any folder inside /var/lib/jenkins, with jenkins:nogroup user-group, can be selected. However, a folder inside /home/jdoe/folder with same (jenkins:nogroup) user-group, and with the same permissions as the folders within /var/lib/jenkins, cannot be selected. I get a permission denied error on trying to read or write inside /home/jdoe/folder.
What can I do to enable reading and writing to a folder within the home folder of the currently logged in user? Can I set up Jenkins in a certain way to be able to do that, or do I have to change group settings for the home folder? Could you suggest a good configuration for me to be able to make this work?
Would there be any difference in using Jenkins on a Windows platform?
First make sure that the folder has read-write access for the jenkins user group.
sudo chmod -R 77 /home/jdoe
Also as in comment by Daniel, grant execute permission on the /home/jdoe folder.
sudo chmod a+x /home/jdoe
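Added example, not code from the answer above: every directory on the way to a path must grant the user search (execute) permission, so this shell function lists which ancestors block a given uid and group list, judged by mode bits alone. ACLs are ignored, the uid/gid values and function names are constructed, and GNU or BusyBox stat -c is assumed.

```shell
#!/bin/sh
# Added example: find which directory on the way to a path denies a user
# search (execute) permission, using mode bits only (ACLs are ignored).

# search_allowed MODE OWNER_UID OWNER_GID UID "GID ..."
# Exit status 0 if UID (with the listed groups) may traverse the directory.
search_allowed() {
    if [ "$4" -eq 0 ]; then return 0; fi      # root bypasses the check
    if [ "$4" -eq "$2" ]; then
        digit=$(( ($1 / 100) % 10 ))          # owner class applies
    else
        digit=$(( $1 % 10 ))                  # "other" class unless a group matches
        for g in $5; do
            if [ "$g" -eq "$3" ]; then digit=$(( ($1 / 10) % 10 )); fi
        done
    fi
    [ $(( digit % 2 )) -eq 1 ]                # odd octal digit = x bit set
}

# blocked_ancestors PATH UID "GID ..."
# Prints every ancestor directory of PATH that UID cannot traverse.
blocked_ancestors() {
    dir=$(dirname "$1")
    while :; do
        # stat prints: octal mode, owner uid, owner gid
        set -- "$1" "$2" "$3" $(stat -c '%a %u %g' "$dir")
        if ! search_allowed "$4" "$5" "$6" "$2" "$3"; then echo "$dir"; fi
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
}

# Demo on a constructed tree: "home" is 750, so a user who is neither its
# owner nor in its group is stopped there, whatever the modes further down.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/home/folder"
chmod 755 "$demo_root" "$demo_root/home/folder"
chmod 750 "$demo_root/home"
blocked_ancestors "$demo_root/home/folder/file" 64999 "64998"   # constructed ids
rm -rf "$demo_root"
```

For a real account the arguments would come from id -u and id -G for that user.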

How can I setup the permissions in Linux so that two users can update the same SVN working copy on the server?

My server has both Subversion and Apache installed, and the Apache web directory is also a Subversion working copy. The reason for this is that the simple command svn update /server/staging will deploy the latest source to the staging server.
Apache public web directory: /server/staging — (This is an SVN working copy.)
I have two users on my server, 'richard' and 'austin'. They both are members of the 'developers' group. I recursively set permissions on the /server directory to richard:developers, using "sudo chown -R richard:developers /server".
I then set the permissions to read, write and execute for both 'richard' and the 'developers' group.
So surely, 'austin' should now be able to use the svn update /server/staging command? However, when he tries, he gets the error:
svn: Can't open file '/server/staging/.svn/lock': Permission denied
If I recursively change the owner of /server to austin:developers, he can run the command just fine, but then 'richard' can't.
How do I fix the problem? I want to create a post-commit hook to automatically deploy the staging site when files are committed, but I can't see a way for that to work for both users. The hook would be:
/usr/bin/svn update /server/staging
Using the same user account for both of them wouldn't really be an acceptable solution, and I'm not aware of any way to run the command inside the hook as 'root'.
Any help is appreciated!
Directory Set Group ID
If the setgid bit on a directory entry is set, files in that directory will have the same group ownership as the directory, instead of the group of the user that created the file.
This attribute is helpful when several users need access to certain files. If the users work in a directory with the setgid attribute set then any files created in the directory by any of the users will have the permission of the group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to the group spcprj. The directory spcprjdir can be created with the set GID bit set and Kathy and Mark although in different primary groups can work in the directory and have full access to all files in that directory, but still not be able to access files in each other's primary group.
The following command will set the GID bit on a directory:
chmod g+s spcprjdir
The directory listing of the directory "spcprjdir":
drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir
The "s" in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj".
edit: source = Linux Files and File Permissions
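Added example, not part of the quoted source or of any answer on this page: a shell sketch of what the setgid bit does and does not do for a shared deploy directory such as the /var/www/site and /var/www/html/technology cases above. New entries inherit the directory's group, but group write still depends on the creating process's umask; the temporary directory, umask values and function names are constructed for illustration, and GNU or BusyBox stat -c is assumed.

```shell
#!/bin/sh
# Added example: what a setgid directory fixes, and what is still up to umask.

mode_of() { stat -c '%a' "$1"; }   # octal mode, e.g. 2775
gid_of()  { stat -c '%g' "$1"; }   # numeric group id

# make_shared_dir DIR
# Create DIR as rwxrwsr-x: group-writable, with the setgid bit set.
make_shared_dir() {
    mkdir -p "$1" && chmod 2775 "$1"
}

# create_upload DIR UMASK NAME
# Simulate a service running with the given umask that writes
# DIR/uploads/NAME, creating the uploads subdirectory if needed.
create_upload() {
    (
        umask "$2"
        [ -d "$1/uploads" ] || mkdir "$1/uploads"
        : > "$1/uploads/$3"
    )
}

# Demo in a throwaway directory standing in for the web root.
site=$(mktemp -d)/site
make_shared_dir "$site"
create_upload "$site" 002 group-writable.txt   # umask 002: group keeps write
create_upload "$site" 022 default-umask.txt    # umask 022: group loses write
for p in "$site" "$site/uploads" "$site"/uploads/*.txt; do
    echo "$(mode_of "$p") gid=$(gid_of "$p") $p"
done
rm -rf "$(dirname "$site")"
```

Deleting a file needs write permission on the directory that contains it (in a directory without the sticky bit), which is why the inherited 2775 mode on uploads matters more than the modes of the files themselves.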
I would set up svnserve which is a simple Subversion server using the svn:// protocol. You can set this up so it runs under its own user account, then the repository would only be accessed by that one user. This user could then have the correct privileges to run svn update /server/staging on a post-commit hook.
In your SVN repo, you can find a 'conf' directory where you set permissions. You have 3 files there:
authz
passwd
svnserve.conf
In the authz file you set which users have which kind of access, per user or per group. You set groups there, SVN groups not Linux user groups (hashed lines are comments):
[groups]
# harry_and_sally = harry,sally
projectgroup = richard,austin
# [/foo/bar]
# harry = rw -- user harry has read/write access
# * = -- everybody have no access
# [repository:/baz/fuz]
# #harry_and_sally = rw -- harry_and_sally group members have read/write access
# * = r -- everyone has read access
[/server/staging]
#projectgroup = rw
* = r
Work around this example and set your config. In the 'passwd' file you set up users' passwords. Execute
cat passwd
and you'll get a commented file with an explanation of how to set it up.
I use WebDAV - all SVN updates and commits are handled via apache and I never have such problems.
