On a vagrant box precise64 (ubuntu 12.04)
While creating a user resource with Chef, the home directory is not created:
My recipe:
user "myuser" do
supports :manage_home => true
shell "/bin/bash"
home "/home/myuser"
comment "Created by Chef"
password "myencryptedpassword"
system true
provider Chef::Provider::User::Useradd
action :create
end
When I authenticate:
$ su - myuser
Password:
No directory, logging in with HOME=/
Update - The workaround for precise64 (Ubuntu 12.04 64bit)
directory "/home/myuser" do
owner "myuser"
group "myuser"
mode 00755
action :create
end
While system users usually don't have a home dir, chef will create the home dir even for system users if you specify home. I've tried it, and cannot reproduce the issue.
What is going on is a little bit hidden in the documentation. The chef documentations says:
system | Use to create a system user. This attribute may be used with useradd as the provider to create a system user which passes the -r flag to useradd.
If have a look at the man page of useradd:
-r, --system
Create a system account.
System users will be created with no aging information in /etc/shadow,
and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX
range, defined in >/etc/login.defs, instead of UID_MIN-UID_MAX
(and their GID counterparts for the creation of groups).
Note that useradd will not create a home directory for such an user,
regardless of the default setting in /etc/login.defs (CREATE_HOME).
You have to specify the -m options if you want a home directory for
a system account to be created.
However, it seems like chef is passing the -m option explicitly if you specify a home dir. I could not reproduce this issue therefore.
Did you add the home attribute to the recipe after the user was already created? When I was first hacking around with creating a system user, I didn't add the :manage_home and home bits to the recipe until after I had run the recipe and verified that the user was created. Subsequent runs of the recipe after adding home directory management and the home attribute didn't actually work until I deleted the user and run the recipe again.
I assume that useradd won't execute again if the user already exists, so adding -m via the recipe wouldn't happen unless and until the user is deleted and the recipe re-runs against a clean system and sends useradd -rm.
I was able to reproduce this problem and work around it.
The hint was in the chef docs for the user resource.
"[homedir] will be created unless CREATE_HOME in /etc/login.defs is set to no". On a fresh Ubuntu install that line did not exist. Perhaps it defaults to no if missing.
In /etc/login.defs I added:
CREATE_HOME yes
Once that was added my chef run would complete and create the homedir allowing my to then modify contents of the user homedir. This method may be simpler than manually creating homedirs for each user.
Related
I want to add a user who can only execute a few commands and nothing else, at the same time I have created a shared folder (group) where my files are present. I want the user to only execute the files in the shared folder and restrict him from reading it or opening it and so on.
These are the set of commands I am using to create a restricted user. After these commands I am changing the PATH in the .bash_profile file to $HOME/commands directory.
This is how it looked when I login from the user account
I have added the user to the group using this command: sudo usermod -a -G bbc testuser
Now when I change the home directory to the shared file group using usermod --home /path/to/new/directory testuser, it shows like this when I login through the new user
This has no restriction on the commands being used, although ls and cd commands wont run other commands like nano to see the file content works. I want to restrict this as well
So after this If I try to import a python file in the new user it says 'module not found', this same command works in the ec2-user or root user.
Please help me solve this issue.
Thank you
I would like to create some users on my ubuntu server. I only want to let the users have read/write access to their home directories, and not be able to read or write to any other user's home directory. Does anyone have a suggestion how to do this? Like is there a way to create a group that has these permissions and then add all the users to the group? Or do I need to create each user, and just grant them only read/write permission on their home directory? I'm new to ubuntu server and when I create a new user, it seems to have all the same permissions that my account does.
First, this question is better suited for Ask Ubuntu, the stack exchange site specifically for ubuntu questions.
To answer your question, I'd recommend reading the ubuntu article on user management, everything you need to know is there. Here are the relevant sections:
To add or delete a personalized group, use the following syntax,
respectively:
sudo addgroup groupname
sudo delgroup groupname
To add a user to a group, use the following syntax:
sudo adduser username groupname
When a new user is created, the adduser utility creates a brand new
home directory named /home/username. The default profile is modeled
after the contents found in the directory of /etc/skel, which includes
all profile basics.
If your server will be home to multiple users, you should pay close
attention to the user home directory permissions to ensure
confidentiality. By default, user home directories in Ubuntu are
created with world read/execute permissions. This means that all users
can browse and access the contents of other users home directories.
This may not be suitable for your environment.
To verify your current user home directory permissions, use the
following syntax:
ls -ld /home/username
The following output shows that the directory /home/username has
world-readable permissions:
drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username
You can remove the world readable-permissions using the following
syntax:
sudo chmod 0750 /home/username
A much more efficient approach to the matter would be to modify the
adduser global default permissions when creating user home folders.
Simply edit the file /etc/adduser.conf and modify the DIR_MODE
variable to something appropriate, so that all new home directories
will receive the correct permissions.
DIR_MODE=0750
After correcting the directory permissions using any of the previously
mentioned techniques, verify the results using the following syntax:
ls -ld /home/username
The results below show that world-readable permissions have been
removed:
drwxr-x--- 2 username username 4096 2007-10-02 20:03 username
I have installed jenkins on linux machine and configured it.
As part of automation of build process, I want to copy my war form one directory to another. I tried doing so using the PRE BUILD ACTION and executing shell command.
cp /from directory /to directory
Build fails giving permission denied. I have tried several ways by providing root level permission to the user I log into the jenkins.
Nothing works.
I am not if I am giving permission to the right user or not.
Any help would be highly appreciated.
Please note I am new to LINUX/UNIX.
To find out the user that is starting Jenkins, use whoami in a pre build action and look at the build log to see what user is carrying out the build scripts. It will probably be different than the user that owns the folder you are trying to get jenkins to copy the war into.
Rather than make the user that jenkins is running a root user (a security risk since now your jenkins scripts can perform privileged actions), you can add that user to the same group that the user that owns the folder is in.
Lets say I ran whoami in a jenkins script and the user turned out to be user1, and the user that owns the folder you are trying to copy the war into, user2. You would want to add user1 to the same group that user2 is in, and modify the folder permissions to allow modifications of people in the same group.
To add user1 to the same group as user2:
usermod -a -G user2 user1
Then modify the permission of the folder you want to copy into:
chmod g+w /path/to/directory
My linux user account has the rights to run a particular sudo command without a password prompt. I am trying to implements jenkins to run this command. It is set up to ssh as my user account on the box with the Publish Over SSH plugin.
When I am in the box $USER shows the correct user, but when I try to run "sudo {command}" (which runs without password when I am using that box normally with my user) it requires password. What is causing this behavior?
Because it is configured to do so. There is file /etc/sudoers specifying these rules and there is respective manual page describing how does this file and the roles work. It is probably a good start to read.
I have a script (test.sh) on a local server, which works fine when executed in a terminal. The script removes a directory, and recreates a directory local. It then connects to a remote server using "ssh -i $private_key .." and copies a file there.
When I execute this script in jenkins with
sh test.sh
it doesnt work. I get the following errors:
rm: .. Permission denied
mkdir: .. Permission denied
Warning: Identity file /.ssh/private_key not accessible: Permission denied.
Jenkins is on the same server as the script.
I see that Jenkins is another user and cant do everything that I'm doing as root; how can I set the permissions without losing all security. Especially in case of the private_key, it would be silly to set the permissions to easy - it is currently set to 600 (read and write permission for the owner) and the owner is root.
The whole point of setting the private key's permissions to 600 is that no other user should be able to access it. If you have placed the keys in another user's home directory (/home/anotheruser/.ssh), then neither the Jenkins user, nor anyone else (except root) will be able to access it. This is as designed.
If you want your Jenkins user to be able to use the private key, copy it over to the jenkins users home directory as well (/home//.ssh).
Also, if you are trying to delete/create directories in some other user's directory as the Jenkins user without providing permissions, you will get a permissions error. This is because of security. The only way to allow this is the allow the Jenkins user to make changes to those directories.
One safe option is to add the Jenkins user to the same group as the other user. Once you do this, set the permissions on the directories you want to read from and write to, to allow anyone in the user's group to make changes.
rwxrwx---
The above permissions will allow the owner of the folder and any other users in the same group to make changes, but will not allow anyone else. This is safe, since you control who is part of the other user's group.
EDIT
It looks like your error has changed, though. You're not getting permission denied any more. Can you still do it through terminal? The reason (I think) it is saying that the host key verification has failed is because your key was originally created for the other user. I realise I said to do this in the answer above, but it is not the right way.
As the jenkins user, can you run the following commands:
ssh-keygen (say yes or agree if it asks if you want to replace your current keys)
ssh-copy-id -i ~/.ssh/id_rsa.pub remoteuser#remote_server
ssh remoteuser#remote_server
If this works, try your script through the terminal, and then through jenkins again...