When logging into my virtual server as a non-root user, I suddenly get the following error:
"Could not chdir to home directory
/var/www/vhosts/prosodylab.org/web_users/username: Permission denied
-bash: /var/www/vhosts/prosodylab.org/web_users/username/.bash_profile:
Permission denied"
I checked the permissions in the user directory (they're set to 700, and I also changed to 777 to check, with now effect).
This affects all users (including if I create a new user), but as root user I can still change into the relevant directories without problem.
echo $HOME returns the right directory.
Here is the directory entry of the home directory of the user (when set to 700):
drwx------ 20 username psaserv 4096 Jun 5 16:56 username
grep username /etc/passwd returns the following output, so the directory seems to be set correctly:
username:x: [...] ::/var/www/vhosts/prosodylab.org/web_users/username:/bin/bash
The server is a 1&1 dedicated virtual linux server, and it's worked fine for many years. I might have inadvertently changed something, but if so the I don't know what.
Does anyone know what might be the problem?
Gain more access login as root and check the permissions on the parent folder
Related
I would like to create some users on my ubuntu server. I only want to let the users have read/write access to their home directories, and not be able to read or write to any other user's home directory. Does anyone have a suggestion how to do this? Like is there a way to create a group that has these permissions and then add all the users to the group? Or do I need to create each user, and just grant them only read/write permission on their home directory? I'm new to ubuntu server and when I create a new user, it seems to have all the same permissions that my account does.
First, this question is better suited for Ask Ubuntu, the stack exchange site specifically for ubuntu questions.
To answer your question, I'd recommend reading the ubuntu article on user management, everything you need to know is there. Here are the relevant sections:
To add or delete a personalized group, use the following syntax,
respectively:
sudo addgroup groupname
sudo delgroup groupname
To add a user to a group, use the following syntax:
sudo adduser username groupname
When a new user is created, the adduser utility creates a brand new
home directory named /home/username. The default profile is modeled
after the contents found in the directory of /etc/skel, which includes
all profile basics.
If your server will be home to multiple users, you should pay close
attention to the user home directory permissions to ensure
confidentiality. By default, user home directories in Ubuntu are
created with world read/execute permissions. This means that all users
can browse and access the contents of other users home directories.
This may not be suitable for your environment.
To verify your current user home directory permissions, use the
following syntax:
ls -ld /home/username
The following output shows that the directory /home/username has
world-readable permissions:
drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username
You can remove the world readable-permissions using the following
syntax:
sudo chmod 0750 /home/username
A much more efficient approach to the matter would be to modify the
adduser global default permissions when creating user home folders.
Simply edit the file /etc/adduser.conf and modify the DIR_MODE
variable to something appropriate, so that all new home directories
will receive the correct permissions.
DIR_MODE=0750
After correcting the directory permissions using any of the previously
mentioned techniques, verify the results using the following syntax:
ls -ld /home/username
The results below show that world-readable permissions have been
removed:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
I believe this will assist more in debugging; I have a script in python that's supposed to delete a file, if I run it I get permission denied error
os.remove('/home/sammy/revamp/revamp/media/new_colour/' + image_name)
the result of ll on said image
-rwxr-xr-x 1 www-data www-data 130404 Jul 19 06:49 f6bf0e0ffbe86c2c67421c5aaa695b8e.jpg*
and the username while logged in is sammy
In order to remove a file, you need write access on the directory which contains it. Check that your user id has that.
You mention that you are not allowed to download the file, that also looks like a problem with the directory permissions, the current file permissions should not block you from reading it.
I am using RStudio server (Version 0.98.994) on Ubuntu 12.04.
Our group works on a external share drive together and would like to open the same project.
When I open a project file created by other colleagues, I got an error with permission denied (Sorry I cannot show the error message as I already changed the permission manually).
After checking the file permission, I found the default permission is "-rw-r--r-x" for *.Rproj and .Rhistory, "drwxr-sr-x" for ".Rproj.user". So no write permission for group.
In the external share drive (no sure about system, should be Linux), the default permission is rw for group.
How could I change the default permission for *.Rproj, .Rhistory and .Rprojt.user?
Thanks for any advice. Please let me know if my question is not clear.
EDIT:
I created new file and folder in the external share drive from command line. The default permission is -rw-rw-r-- for file and drwxrwsr-x for folder, as I expected. It seems RStudio server created these new files with their own default permission.
Could I change the default permission of these files *.Rproj, .Rhistory and .Rprojt.user when RStudio server creates them? i.e. Add write permission to group.
The default permissions for Directories are 777 which is read/write/execute and for Files it is 666 which is read/write. But then every system has a umask value, which is normally 022.
So when you create a directory it will have permissions 777 but it will take away the umask value of 022 and leave you with your default permissions of 755 which is rwxr-xr-x
You can change the value of umask by simply entering the command
umask=055
This will set the umask value to 055 and whenever you create a new file/directory, 055 will be taken away from the permissions.
Again look at a newly created directory with permissions of 777 and the umask value is taken away so the directories permission is 722 which is rwx-w--w-
Again look at a new directory with permissions
I had downloaded the perforce client in my ubuntu 11 system a while ago. The p4v in my system is found under:
-r-xr-xr-x 1 root root 1578 2011-08-29 12:46 /usr/bin/p4v
After I read the documentation of p4v I realize it should not be owned by root.
How do I change the ownership of this and also allow my "user" all the access rights without reinstalling the p4v again?
Thanks
If you "chown" P4V without changing the permissions, your user will still be able to use it.
For example:
chown user:group /usr/bin/p4v
The permissions granted to the file allow read and execute to the owner, anyone in the group and everyone else with access to the system. Changing the user and group will not change the permissions, so your user should still be able to execute the binary.
In general, the ownership of a binary that is executable by all shouldn't matter. The danger comes if the owner of the process is root (or any other privileged user). For example, "mount" will be owned by root, and can be run by any user to show the mounted file-systems. Only when it is run by root can it change your file-system structure.
Hope you are good. I have Xammp on fedora and changed owner of opp/lampp/htdoc to root. Why I did so because whenever someone creates new folder through sharing, they don't have permission to dynamically create folder or files or to write images. Then I run command
chmod -R 777 /opt/lampp/htdocs
But when system goes to restart then I again need to run this command. So avoid again and again run this command I changed the owner on "opt/lampp/htdocs" and run
chmod -R 777 /opt/lampp/htdocs
Now, whenever server restarts, assigned permissions don't need to be set again and again. That is resolved.
I have an issue, that old directories can be used to write something. But if any network user creates new directory under htdocs, that new directory needs to be changed the permission for it.
previously created, and can use this one directory to run script to create files
drwxrwxrwx 2 root root 4096 2011-06-15 14:09 aaa
Newly created, cannot be used to run a script to create image or to write anything
drwxr-xr-x 2 root root 4096 2011-06-17 15:17 aaaa
drwxr-xr-x this one is really annoying to me for each newly created folder in htdocs :(
Just to let you know that my htdocs user and rights are:
drwxrwxrwx 101 root root 4096 2011-06-17 15:17 htdocs
Why is it so? Can anybody please help me to figure this problem out? I am waiting for quick response anxiously.
First off, you should investigate what permissions you really need - chmodding everything to 777 is a security risk as it will allow any user to write inside of your web root.
However, to address your actual question of the default permissions when a new folder is created by a user, you want to adjust the default "umask" which determines such things.
This question has some information for changing it for the Apache user (if a "network user" is a user creating new files and directories through the httpd process):
Setting the umask of the Apache user
If you need to adjust it for other users or processes, the solution will be similar.
Good luck!
Edit
Since you're on Fedora, try this: (from the question I linked above)
[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd
[root ~]$ service httpd restart
The first command will add that line to the /etc/sysconfig/httpd which is a permanent configuration file, and the second command will make it active.
You are tackling the problem from the wrong side. Restore your apache configuration to use apache.apache as default user/group, and set your samba server to use those credentials when someone write to your document root.
If you are using nfs or another posix compatible filesystem, use chmod g+s to keep all files readable from your apache server.
Try it:
#umask 000
have a good time!!