If I do:
ls -al /usr/local/bin/kill-all-sales-apps
I see:
-r-xr-xr-- 1 jenkins root 68 Aug 4 12:10 kill-all-sales-apps
If I sudo to root and then su to jenkins, I should be able to delete this, yes?
Other relevant information about the directory and its parent:
drwxr-xr-x 2 root root 4096 Aug 4 12:11 .
drwxr-xr-x 10 root root 4096 May 7 17:20 ..
If I do:
groups jenkins
then I see than the user "jenkins" has been added to the "root" group:
jenkins : jenkins root run-server-software
But if I:
rm /usr/local/bin/kill-all-sales-apps
I get:
rm: remove write-protected regular file ‘/usr/local/bin/kill-all-sales-apps’? y
rm: cannot remove ‘/usr/local/bin/kill-all-sales-apps’: Permission denied
Why is permission denied?
As to why the jenkins user can't delete, the jenkins user needs write permissions on the parent folder of the file you're looking to delete. This is because you're actually removing directory entries from the parent folder.
Usually, on most filesystems, deleting a file requires write
permission on the parent directory (and execute permission, in order
to enter the directory in the first place). (Note that, confusingly
for beginners, permissions on the file itself are irrelevant. However,
GNU rm asks for confirmation if a write-protected file is to be
deleted, unless the -f option is used.)
Source: Wikipedia - Rm_(Unix)
So try running...
ls -ld /usr/local/bin
And make sure the jenkins user has write permissions on /usr/local/bin
Another way to do it is to modify sudoers to give jenkins user sudo permissions to rm only that file via sudo. Here's an example giving the user joe the explicit permission to sudo rm the file /usr/local/src/noperms/hi.txt from a directory he does not have write permissions to. But limiting him from deleting anything else in that directory.
For example:
[root#joeyoung.io ~]# mkdir -p /usr/local/src/noperms
[root#joeyoung.io ~]# chmod -R 455 /usr/local/src/noperms
[root#joeyoung.io ~]# touch /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# echo "hi" >> /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# chmod 455 /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# su - joe
[joe#joeyoung.io ~]$ cat /usr/local/src/noperms/hi.txt
hi
[joe#joeyoung.io ~]$ rm /usr/local/src/noperms/hi.txt
rm: remove write-protected regular file `/usr/local/src/noperms/hi.txt'? y
rm: cannot remove `/usr/local/src/noperms/hi.txt': Permission denied
[joe#joeyoung.io ~]$ exit
[root#joeyoung.io ~]# visudo
[root#joeyoung.io ~]# diff -Nur /tmp/sudoers.orig /etc/sudoers
--- /tmp/sudoers.orig 2015-08-04 17:17:24.020781442 +0200
+++ /etc/sudoers 2015-08-04 17:24:21.258274163 +0200
## -101,6 +101,7 ##
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
+joe ALL=(root) NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
[root#joeyoung.io ~]# su - joe
[joe#joeyoung.io ~]$ sudo /bin/rm /usr/local/src/noperms/hi.txt
[joe#joeyoung.io ~]$ exit
[root#joeyoung.io ~]# ls -al /usr/local/src/noperms/hi.txt
ls: cannot access /usr/local/src/noperms/hi.txt: No such file or directory
[root#joeyoung.io ~]# ls -al /usr/local/src/noperms/
Related
i want to ask for a specific user to use certain root commands in redhat?
my server run redhat OS 7.6. i dont have any idea how to set a user that can run certain commands from root.
let say i have one user id name MY_CIT, so MY_CIT can run certain commands for example to create print queue #lpadmin -p printer -v socket://printer:9100 -E
so MY_CIT no need root access to trigger the command.
Anyone experience on this? kindly help. thanks
You'll be able to use file ACLs. As a test I removed execute permissions from the nano command, just to show how this will work.
You won't need to do this, however, you will need root permissions to the machine. Instead of nano, use 'lpadmin' as per your requirements
[root#server bin]# chmod o-x /bin/nano
[root#server bin]# ls -lah /bin/nano
-rwxr-xr-- 1 root root 202K Jun 10 2014 nano
To test, we change to user1 and try use nano to edit a file:
[user1#server ~]$ nano file1
-bash: /bin/nano: Permission denied
Now, as root again, we add an ACL to the nano program. This allows only user1 to execute the program.
[root#server bin]# setfacl -m u:user1:x /bin/nano
Display ACL with getfacl:
[root#server bin]# getfacl /bin/nano
getfacl: Removing leading '/' from absolute path names
# file: bin/nano
# owner: root
# group: root
user::rwx
user:user1:--x <<-- Note this
group::r-x
mask::r-x
other::r--
As user1, we are able to use the nano program, but not as user2:
[user1#server ~]$ nano file1
[user1#server ~]$ ls
file1
[user1#server ~]$ exit
logout
[root#server bin]# su - user2
[user2#server ~]$ nano file1
-bash: /bin/nano: Permission denied
ACLs allow admins to extend permissions past just user/group/other. You're able to set permissions for specific users on the system.
Run command with a root privilege:
sudo visudo
It opens file /etc/sudoers for edit.
Add this line at the end of the file (and after keep one blank line):
MY_CIT ALL = NOPASSWD: /usr/sbin/lpadmin
where:
MY_CIT - name of your user
/usr/sbin/lpadmin - path to executible file. Note please that in your distro path can be different. You can check this with command whereis lpadmin.
After user can run command lpadmin with arguments with sudo without password:
sudo lpadmin ...
My application is hosted on ubuntu in public_html folder. When I run the command git add . it gives me the error:
warning: could not open directory 'public_html/': Permission denied
Entire code is in public_html folder
How can I solve it?
You should make sure so that your user has access or is the owner of the folder and it content. You can check the current owner and permissions by running:
ls -l public_html
Here I list all non-hidden files in a test folder:
who:test who$ ls -l
total 0
-rwxrwxrwx 1 root admin 0 Oct 3 18:04 test1
-rwxrwxrwx 1 root admin 0 Oct 3 18:04 test2
The output shows that both files are owned by the root user and belongs to a group named admin. The first column also shows the access permission, which in this case is set to read and write access to everyone.
If you would like to change the owner you can do:
sudo chown -R <user>:<group> public_html
The above will set the owner of the folder and all its content to the specified user and group; you might need sudo privileges to do this.
There is possible to only change the owner or group with the same command:
sudo chown -R <user> public_html
sudo chown -R :<group> public_html
To change the permission you would use:
sudo chmod -R <mode> public_html
Where mode is the permission, for instance 0777 for full read and write access to everyone. You can also use letters instead of an octal number when setting permissions, for instance:
sudo chmod -R a+rwx public_html
gives the same result as the first chmod command.
References
The chown command: https://ss64.com/bash/chown.html
The chmod command: https://ss64.com/bash/chmod.html
I was changing user and group ownership using the following command:
sudo chown -R apache:www /var/www
However, I noticed that whenever I added a new file or folder to that directory, the owner would be my current username instead of the intended user, apache. How can I modify the above command so that all future folders and files will be owned by apache:www? Or do I need to use an extra command?
You can use ACLs to do this. For example:
$ ls -ld /var/www
drwxr-xr-x 2 apache www 4096 Aug 7 13:53 /var/www
$ sudo setfacl -dRm u:apache:rwX,g:www:rwX /var/www
$ ls -ld /var/www
drwxr-xr-x+ 2 apache www 4096 Aug 7 13:53 /var/www
$ getfacl /var/www
# file: var/www
# owner: apache
# group: www
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:www:rwx
default:mask::rwx
default:other::r-x
When new files are created there by they will still be owned by your user, but there will also be an ACL set on it granting privileges to the apache user:
$ touch donkey
$ ls -l donkey
-rw-rw-r--+ 1 gene gene 0 Aug 7 13:57 donkey
$ getfacl donkey
# file: donkey
# owner: gene
# group: gene
user::rw-
user:apache:rwx #effective:rw-
group::rwx #effective:rw-
group:www:rwx #effective:rw-
mask::rw-
other::r--
An overview of the command:
setfacl -dRm u:apache:rwX,g:www:rwX /var/www
The -d flag specifies the operations apply to the Default ACL.
The -R flag sets operations to apply recursively
The -m indicates it will be a modification operation
Then after that it's pretty straight forward
u:USERNAME:permissions
g:GROUPNAME:permissions
These entries must be separated by a comma.
The X permission (note: it's uppercase) means it will only be applied to directories and not files.
You can achieve that on the group level by using the SETGID (SET Group ID) flag of chmod:
chmod g+s <directory>
From the docs:
On most systems, if a directory’s set-group-ID bit is set, newly created subfiles inherit the same group as the directory, and newly created subdirectories inherit the set-group-ID bit of the parent directory.
Once you set that, newly created files and directories inside <directory> will be set to <group>. e.g.
chmod g+s /srv/www
will cause newly created files and directories inside /srv/www to have the group www.
You can verify that by executing ls -al which will show s for the group "execute" permission on the directory. e.g.
drwxr-sr-x. 5 apache www 4096 Mar 13 20:32 www
^
SETGID
My guess is you need to change user before executing the command - a script something like this:
$whoami
user1
$ su - apache
Password:
$ whoami
apache
[add file]
$ exit
I am unable to run scripts from a mounted partition. I have created a basic "Hello World" script that will execute from my home directory fine, but when I move it to the mounted partition, I am unable to execute the file.
$ ls -l
-rwxr-xr-x 1 user user 31 Mar 4 21:33 test.sh
$ ./test.sh
-bash: ./test.sh: Permission denied
$ sudo ./test.sh
[sudo] password for user:
sudo: unable to execute ./test.sh: Permission denied
$ cd ..
$ ls -l
drwxrwxrwx 6 user root 4096 Mar 4 21:34 sda5
I have no idea what to do.
ETA: I am able to use "bash test.sh" to execute the file, just not ./test.sh. I am able to do ./test.sh in the home directory.
The file system was mounted with noexec which prevented executing files.
On ubuntu 10.04.4 server, I did this:
sudo mkdir -p /data/somedir
sudo chown -R www-data.www-data /data/somedir
sudo chmod -R g+w /data/somedir
sudo usermod -a -G www-data john ##john is current login user.
. With these operations done, I suppose to have write permission in /data/somedir. But when I did this:
echo "123" > /data/somedir/123
, I got:
-bash: /data/somedir/123: Permission denied
The ls -l output:
$ ls -l /data/
total 4
drwxrwxr-x 2 www-data www-data 4096 2012-04-24 22:30 somedir
Question is: why? Is there something I still need to do after that?
Changes made with usermod only take effect on following logins; your existing login session does not yet have the www-data group, as you can verify with id. It is not easy to alter the identity of running processes (newgrp might work); the easiest way to deal is to log out and back in.