How can I make a chgrp command optional in my install script? - linux

I'm creating an install script for a Linux game. As part of the installation, I change the suid permissions of the game executable to the "games" group so that the game can update the highscore file even when its run by regular users.
Right now my Makefile.am looks like this:
AUTOMAKE_OPTIONS = foreign
SUBDIRS = src man
install-exec-hook:
chgrp games #bindir#/xjump
chmod +s #bindir#/xjump
mkdir -p #localstatedir#/xjump
touch #localstatedir#/xjump/record
chmod 660 #localstatedir#/xjump/record
chgrp games #localstatedir#/xjump/record
The problem I am having is that the chgrp command requires administrative privileges. If I am installing the game globally using sudo make install then its all works fine but if I change the prefix to somewhere in my home directory and try to do a regular make install it fails due to the chgrp
chgrp: changing group of ‘/home/hugo/Desktop/aaa/bin/xjump’: Operation not permitted
Since the locally installed version of the game only has a single player, I don't really need to do the chgrp thing. Is there a way to detect if the makefile is being run without root privileges and skip the permission changing? Or should I add a configuration flag to my configure script instead of trying to fix this permission issue automatically?

When the commands fail, you did not run as root. It seems nothing goes wrong, you just do not want the error messages.
You can see who you are, but the easiest solution is redirecting the output
Finish with true, so your step doesn't fail:
chgrp games #localstatedir#/xjump/record 2>/dev/null || true

If you run "whoami", you would be able to find out who the current user is.
runner=`whoami` ;
if test $$runner == "root" ;
then
chgrp games #localstatedir#/xjump/record
fi

Related

How to give permissions for specific commands in linux

I am new to linux. I have a build.sh file which consists of a lot of mkdir commands and some rm commands. But as I have installed this new in my VB, each time I run the .sh file, it says "Permission Denied for creating directory" and fails.
So is there any way that I grant directory privileges to all users.
Can anyone help me with this
Add "sudo" in the beginning of the directory creation command i.e
sudo mkdir dir_name
The issue might be with the directory in which the mkdir command is being run.
Use the command ll or ls -l to check the directory permissions.
If your directory doesn't have write privilege for the current user, you can run
chmod -R u+w /path/to/directory
This might require you to use sudo if permission is denied.
If you want to enable it for all users, run
chmod -R ugo+w /path/to/directory
Alternatively, a quick fix would be to run the build.sh file as root
sudo /path/to/build.sh
However, this approach is not advised unless you always run it as root

How to give a directory back its sudo admissions/permissions?

I recently installed LAMP on my Ubuntu 14.04 laptop. But I didn't have full/root access to the files var/www and etc/apache2/sites-enabled/000-default.conf so I did some research to change permissions and admissions to the directory, using this command in the terminal:
sudo chown -R username:group directory
It worked perfectly. But now I can't do any sudo commands in the terminal. I wanted to restart the apache server but here is what it showed me:
sudo: /etc/sudoers is owned by uid 1000, should be 0
sudo: no valid sudoers sources found, quitting
sudo: impossible d'initialiser le greffon de règles
(my computer is in french btw).
What I want to know is how to set it back to sudo. I hope I explained myself good enough. If you need additional info that I didn't state please tell me. I will add it. Thnx.
Seems like you chown'd /etc/sudoers.
Try:
sudo chown root:root /etc/sudoers
Then if you want read/write privileges, see which group the folder /var/www belongs to (probably www-data)
To add yourself to the www-data group, try:
sudo useradd -a -G www-data yourUserName
Also, as a side note; be careful of recursive commands!!! If you're not sure what a command does, test it on a single file before making it recursive. For example:
DO NOT RUN THIS CODE, I DON'T INCLUDE SUDO ON PURPOSE SO YOU DONT HOSE EVERYTHING
rm -r /
Will delete everything inside / (a lot of stuff!)

Chown a specific folder without root privilleges

I need to chown a file to some other user, and make sure it is unreadable again. Sounds complicated but it will be mainly look like this:
cd /readonly
wget ...myfile
cd /workdir
chmod -R 444 /readonly
chown -R anotheruser /readonly
ls /readonly # OK
echo 123 > /readonly/newfile # Should not be allowed
cat /readonly/myfile # OK
chown 777 /readonly # Should not be allowed
In SunOS I saw something similar to this, I remember not being able to delete the disowned files by Apache, but I could not find something similar to this in Linux, as chmod requires root privilleges.
The reason I need this, I will fetch some files from web, make sure they will be unchangable by the rest of the script, only root can change it. The script can not definetely run as root.
On many *nixes (Linux, at the very least), this will be impossible.
chown is a privilege restricted to root, since otherwise you could pawn off your files on other users to avoid quota restrictions.
In a related case, it would also pose something of a semantic problem if arbitrary users could chown files to themselves to gain access.
More precisely, you can chown files that you own to change their group ownership information, but you can only change user ownership if you are root.
In any case, chown is the wrong hammer for this particular nail.
chmod, which you are already using, is the correct way to make a file read-only within a script.
The chmod 444 that you are already doing will protect against accidental modifications to the files.
You cannot "freeze" or otherwise render permissions static as a Unix/Linux user without elevating to root privileges (at which point, you can chown them to root:root and no one other than root can change permissions or ownership on them).
In terms of script design, you should not need to be more restrictive than this.
If your script is haphazardly chmoding or rm -fing files, then you have much more serious correctness problems to worry about than ensuring that the downloaded data is safe and sound.

how to only allow sudo on specify path?

in Linux:
I want to limited user only can do sudo on specify path.
sudo chmod works on /home/Krome/revA
but sudo chmod failed on /home/Krome
Thanks!
Restricting a user or process to a certain path can be done with chroot - the problem here is that after the chroot the commands in $PATH and dynamically loaded objects would no longer be accessible, so you'd need a statically linked shell which executes the chroot as well as the built-in commands that the user shall be able to issue.
I don't think it possible, and am pretty sure it's not reasonable.
chmod would work inside /home/Krome if it's the user's home folder.
I think you need a regular user (without sudo), and everything else can be managed by adding that user to groups and sharing some folders to those groups.
Add to /etc/sudoers something like the following line:
%users ALL = NOPASSWD: /bin/chmod [ugoa][-+=][rwxXst] /home/Krome/*
It basically says that all group users members can invoke sudo chmod in symbolic mode on anything under /home/Krome/ path.
See man sudo for more details.

How to set the user and group for a set of autogenerated files

I am not sure whether this is a Sphinx question or a Linux question.
Anyway, I am running Sphinx on my CentOS server box.
I successfully managed to change the ownership of some Sphinx-related files and directories as I want only root and the Apache group to be able to read those information:
chown root.apache /etc/sphinx/sphinx.conf
chmod 640 /etc/sphinx/sphinx.conf
chown -R root.apache /var/lib/sphinx
chmod -R 750 /var/lib/sphinx
My problem is when Sphinx generates the files containing the index in the directory /var/lib/sphinx, they have ownership
root:root
How can I make them have permission
root:apache
?
The Sphinx documentation doesn't mention about that.
Thanks.
Set SETGID for directory /var/lib/sphinx/:
root#centos:~# chmod g+s /var/lib/sphinx/
This way, all created file in directory /var/lib/sphinx/ will inherit group from parent.
If sphinx is not messing with ownership by it self (I guess it't not) then this will work.
You can read more here about SETGID on directories.
Or you can run the cron job as the user sphinx rather than as root, either by adding sudo -u sphinx in the existing crontab entry, or by removing it from root's crontab and adding it to the appropriate user's crontab. (Perhaps you should report this as a bug against the package, if you are using a packaged version.)

Resources