Linux: share permissions between users for SVN folders - linux

On an Ubuntu machine I've set up an SVN repository, served with Apache.
All the SVN repository folders and subfolders (located under /var/svn/repos/) belong to the www-data user and group:
drwxr-xr-x 7 www-data www-data 4096 gen 21 10:38 software_repository
www-data is the Apache user.
Next, I have a cron job that makes a nightly svnadmin dump of the repository, using my home user, let's say john_doe (who has joined the www-data group too). The svnadmin dump command (and more...) is contained in a sh file called by crond.
During the cron job, or when launching it manually as user john_doe, I get:
svnadmin: E160052: Revprop caching for '/var/svn/repos/sw/software_repository/db' disabled because SHM infrastructure for revprop caching failed to initialize.
svnadmin: E000013: Can't open file '/var/svn/repos/sw/software_repository/db/rev-prop-atomics.mutex': Permission denied
Because of the Permission denied error, I ran the same sh script with sudo prepended, and everything works fine.
So, we have 2 possibilities:
1. Understand where the SVN error comes from.
2. Change permissions in a correct way for the john_doe user, used by cron.
For point #1 I've done some Google searching but I've found nothing...
For point #2, I think the correct way is not to set all permissions (recursively) of the group www-data on all SVN folders and subfolders. What could be done is to share permissions on SVN folders between the www-data user and john_doe. Or give the www-data group the same permissions (recursively) as the www-data user. Or something else, but for both solutions I've no idea of the correct command or configuration setting.

Solved by running the command:
chmod -R g=u software_repository
This fix is for solution 2. By the way I've no clue where the SVN errors come from...

Related

Redirected files are generated with NO permission

I have a shell script prepared and tested successfully on a testbed (Linux) server, and I have moved it to my production server (under the same user and group which I used on the testbed) with read/write/execute permissions. When I execute the script in production it gives an error, because redirect files get generated by the script (in the same folder) with no permission (--------), hence my script fails.
I had not faced this problem on the testbed server; I have tested my script successfully at user level only (not root user level).
I already tried giving user/group permission for my script folder/files, and the user/group are the same ones that I have successfully tested on the testbed Linux server.
How I moved my script to production:
unzip -K script.zip
chmod 777 script.zip
cd scriptfolder
./execute.sh
generated redirect file (gmon.out) in same script folder
ls -lrt
---------- 1 user group 42023 May 15 10:00 gmon.out
expected redirected file
-rw-r----- 1 user group 42023 May 15 10:00 gmon.out
Please help
This is probably because of the umask, as noted by Socowi in the command.
Umask dictates the permission of any new file you create.
You can check the current value of umask with the umask command.
You can change the umask in your profile file (like your .bashrc if you use bash) with the umask 0027 command, for instance.
For more information about umask:
https://fr.wikipedia.org/wiki/Umask
http://man7.org/linux/man-pages/man1/umask.1p.html
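The effect described in this answer can be measured directly. The following is an added example, not part of the original answer: it runs a shell redirect in a child process that inherits a chosen umask and reports the mode of the file it creates. The function name and the sample masks are assumptions for illustration; a mask of 0777 is one value that reproduces the ---------- listing from the question, and 0027 gives the expected -rw-r-----.

```python
import os
import stat
import subprocess
import tempfile


def redirect_mode_under_umask(mask):
    """Return the permission bits of a file created by a shell redirect
    in a child process that inherited the given umask."""
    # Create the scratch directory first, while the normal umask applies;
    # otherwise a restrictive mask would also strip the directory's bits.
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "gmon.out")  # constructed sample file name
        previous = os.umask(mask)  # the child shell inherits this value
        try:
            # A redirect asks for mode 0666; the kernel clears the umask bits.
            subprocess.run(
                ["sh", "-c", 'echo data > "$1"', "sh", target], check=True
            )
        finally:
            os.umask(previous)  # always restore this process's umask
        return stat.S_IMODE(os.stat(target).st_mode)


if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o777):
        mode = redirect_mode_under_umask(mask)
        listing = stat.filemode(stat.S_IFREG | mode)
        print(f"umask {mask:04o} -> {listing} ({mode:04o})")
```

Running `umask` at the top of the failing script, or in the cron or service environment that launches it, shows which mask the production process actually inherits.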

cp/rsync command with destination as symlink to a directory

I am working on a cPanel backup solution at the moment. We are now informed about this exploit.
Exploit : Full ROOT ACCESS to server
1.) Create a malicious file from a normal user account:
mkdir root
echo "hello" > root/.accesshash
2.) Wait for backup to run
3.) Replace root with a symlink:
ln -s /root root
4.) Restore root/.accesshash (I am running this command as root for this: "cp -rf /backup/.accesshash /home/username/root/")
5.) The user now has root access because we overwrote /root/.accesshash. An attacker will be able to log in to WHM as root by placing an access hash into this file.
root#cpanel [/home/master]# cat /root/.accesshash
hello
root#cpanel [/home/master]# ls -l /root/.accesshash
-rw-r--r-- 1 master master 3 Nov 20 21:41 /root/.accesshash
root#cpanel [/home/master]#
Can somebody advise me on this for a workaround? Thanks in advance.
The key problem here is running the restore command as root. When doing it for a specific restricted user (who might have malicious intent), you must run it as that user (or maybe as an even more restricted one, restoring files in a sandbox and copying them back later).
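Running the restore as the account owner is the fix the answer gives. As an added example (not from the original post, and not cPanel code), the Python helper below shows a complementary hardening for a restore step that still has to run privileged: it walks the destination one component at a time with O_NOFOLLOW, so a directory swapped for a symlink makes the restore fail instead of writing through it. The names `open_dir_nofollow` and `safe_restore` are hypothetical, and the home directory path itself is assumed to be controlled by the administrator.

```python
import os
import tempfile

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def open_dir_nofollow(base_fd, rel_path):
    """Descend from base_fd one component at a time, refusing symlinks."""
    fd = os.dup(base_fd)
    try:
        for part in filter(None, rel_path.split("/")):
            if part == "..":
                raise ValueError("'..' is not allowed in a restore path")
            # O_NOFOLLOW makes open() fail if this component is a symlink.
            nxt = os.open(part, DIR_FLAGS, dir_fd=fd)
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise


def safe_restore(home, rel_dir, name, data, mode=0o600):
    """Hypothetical helper: write home/rel_dir/name, following no symlink."""
    if "/" in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    home_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
    try:
        dir_fd = open_dir_nofollow(home_fd, rel_dir)
    finally:
        os.close(home_fd)
    try:
        # O_NOFOLLOW here rejects a symlink planted as the final file name.
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(name, flags, mode, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as out:
            out.write(data)
    finally:
        os.close(dir_fd)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:  # constructed sandbox
        os.symlink("/tmp", os.path.join(home, "root"))  # planted symlink
        try:
            safe_restore(home, "root", ".accesshash", b"hello")
        except OSError as exc:
            print("restore refused:", exc)
```

Because every step is opened relative to an already-open directory descriptor, swapping a directory for a symlink between a check and the write does not help the account owner, which a `realpath`-then-`cp` check cannot guarantee.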

Permission of the webpage folder /var/www on a Linux server

I have moved my website from Godaddy to a VPS server. I'm new to Linux so I followed some tutorials online but I'm still confused about some problems.
I use SSH to log on to my server as user adam. In order to run PHP properly, I have to set 755 permission on /var/www and change the owner of this folder to www-data. But that means I don't have permission to write files in this folder even if I add user adam to the group www-data. And I cannot upload webpages to this folder using FTP, which is very annoying. (Currently I have to type su to switch to root and then modify these files with nano.)
I know setting 777 is a solution but it may cause some safety concerns so I'm looking for a better solution.
drwxr-xr-x 8 www-data www-data 4096 Jul 24 21:36 www
Every permission number is composed as follows:
4: read
2: write
1: execute
So if you add them you get the permission. For example, 7 means all the permissions and 6 means read and write.
The first number of 755 is for the owner, the second for the group's users and the third for other users.
Then 755 means rwxr-xr-x, that is, the owner can read, write and execute, but the group members can't write.
If you want to solve this you can change the privileges to 775; then it will be changed to rwxrwxr-x.
Or you can add www-data as a secondary group to adam and set a setgroupid www-data for /var/www.

rsync sets wrong group

I have a bash script to sync a Zendframework site between two servers, but for some reason one file doesn't get the correct owner/group. Since the file then becomes unreadable by apache the site goes down on that server.
On the first server I have the following file:
-rwxrwx--- 1 monit www-data 4184 2012-03-14 05:39 application.ini
This should be exactly the same on the second server since both the user monit and the group www-data exist there too, but this is not the case as seen below.
-rwxrwx--- 1 monit monit 4184 2012-03-14 05:39 application.ini
This file is the only one affected. All other files get the correct permissions, owners and groups. The rsync command is as follows:
rsync -az --delete --stats --include="document_root/.*" --exclude=".*" SERVER1 SERVER2
rsync is version 3.0.3, Server 1 is a Ubuntu 9.04 and Server2 is Debian 5.0
At the moment the problem is circumvented by setting the permission on the original file to -rwxrwxr--. The synced file will still have the wrong group, but is at least readable.
Check that monit user is in www-data group on the target server.
Try rsyncing the problematic file only, while running rsync on the target server and add one or more -v options, then look at the output:
$ groups monit |grep www-data
$ rsync -avv source_host:path/to/application.ini ./application.ini

problem with ftp pushing files and me not having access as regular user

I've run visudo and added my username to the list to be able to do whatever I need to rather than logging in as root user.
I have my svn push out files through ftp as user www-data, and therefore when I try to cd into those directories, I get permission denied.
Any thoughts? Can I add my username to some config file somewhere to have access to all files?
When you use sudo, you are running as the root user, but only for that particular command. I think the easiest thing to do would be to ensure that you and www-data are in the same group, and set the group permissions accordingly. (e.g., chmod 775 yourdir)
