I want to make 002 the system-wide umask for all users (in Ubuntu). I managed to do so for all regular users using the instructions provided by #ephemient (From this post, thanks for that!). However I got 2 more problems.
Firstly, when sudoing, the root user seems to follow it's own settings, making files with the permissions 644 (instead of 664).
Secondly, the apache user (www-data) also seems to follow it's own settings (the same used by root?), making files with the permissions 644 (instead of 664). I don't like to put umask 002 in /etc/apache2/envvars, I'd rather change the setting assigning the 002 umask to apache in the first place.
How can I tackle those last 2 issues?
I solved my own problems.
For the sudo permissions, I executed sudo visudo and added the line Defaults umask = 0002 to the end.
For the Apache user, I added the line umask 0002 to the end of the /etc/apache2/envvars (I couldn't find any better solution).
Related
I just set up a apache server on my Raspberry pi. To make the development easier I shared the /var/www/html folder with samba.
I'm able to create new files from my computer in the Pi folder, but they have the following permission :
-rwxrw---- 1 pi pi 52 juin 10 17:54 test.php
With those permissions Apache is not able to read the file.
So each time I need to send the following command to make the file readable by Apache :
chmod a+rwx test.php
Then my permission are :
-rwxrwxrwx 1 pi pi 52 juin 10 17:54 test.php
So ok, after sending this command, it's works... But I am trying to find the command to set up the default file permissions to "-rwxrwxrwx "
I'm new with linux so maybe it's easy to fix.... Do you have any ideas ?
Thanks a lot,
Maxime
Thanks for your answers.
the solution was to change the "create mask" value to 0775 in the smb.conf file.
Maxime
For changing default permissions of the file created, you can use umask command. umask is user mask which is used whenever a new file is created.
umask is a three digit number with octal base. First digit decides the user permissions, second is for group while third determines the permissions for others.
umask value is used in inverted/complemented form though. That means to determine the required umask value for the permissions you want, subtract the permissions (in octal form) from 666. The result should be used as your umask value. e.g. if you want to set default permissions to rw-r--r-- (which is 644 in octal) subtract 644 from 666. The result (022) is your umask value.
To set value for umask you can simply use:
umask 022
command.
For your case here, I think you can use
umask 000
The default umask value is 0022, which decides the default permission for a new file or directory. The default permission for a directory is 0777, for files the permissions are 0666 from which the default umask value 0022 is deducted to get the newly created files or directory permission.
I use fuse to mount some directories on Ubuntu. The user should have rwx on directories and rw- on files.
Now doing this with setfacl is quite easy. Doing setfacl -R -d -m u::rwX,g::rwX,o::--- dir/ does the job perfectly fine.
But how to do this with umask?
What you should know about umask first is that umask is a mask; it is not a number to be subtracted.
It turns off permissions that would normally be granted.
Masking is not the same as subtracting, e.g. 666 masked with 001 is still 666 and 666 masked with 003 is 664.
The mask turns off permission bits. If they are already off, the umask makes no change.
Make sure you are in the directory you wanna assign permissions to and do the following:
this link answers exactly what you're looking for!
https://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html
hope this helps.
I followed this link to change group/user permission to add my self to www-data group
but I am still unable to edit contents in /var/www , specially with uploaded content.
This is my development environments , I dont want to go to chmod /var/www/ each time there is an upload.
While keeping contents under /var/www what are the steps to change /var/www directory permissions to able to edit contents directly from and an IDE
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I login/out after making these changes. It seems straight forward that if I am user of cretain group I should get whatever permissions they hold .
please help resolve this issue
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way - you can check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here lead to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for denianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options, none of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownershop of /var/www for your userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.
I am using Cygwin and trying to change the group access permission with chmod, e.g.
$ls -l id_rsa
-rwxrwxr-- 1 None 1679 Jun 13 10:16 id_rsa
$ chmod g= id_rsa
$ ls -l id_rsa
-rwxrwxr-- 1 None 1679 Jun 13 10:16 id_rsa
But this does not work. I can change permission for user and others. Seems that the permission level for group somehow keeps the same as that of user?
I was having a similar problem to you, and I was using the NTFS filesystem, so Keith Thompson's answer didn't solve it for me.
I changed the file's group owner to the Users group:
chown :Users filename
After doing that I was able to change the group permissions to my will using chmod. In my case, since it was an RSA key for OpenSSH, I did:
chmod 700 filename
And it worked. In Cygwin you get two groups by default, the Root group and the Users group. I wanted to add another group, but I wasn't able to do it with the tools I'm used to use on Linux. For that reason I just used the Users group.
Cygwin doesn't like files to be owned by groups that it doesn't know.
Unfortunately, that happens quite often in Cygwin, especially if your PC is in a Windows domain where things keep changing.
I also synchronise my files between two PCs, via an external drive, and the uids/gids are different between the different PCs, so this is a source of problems.
If you do ls -l and see a numeric group id instead of a group name, it means Cygwin doesn't know the gid - i.e. it's not in /etc/group, and Cygwin can't query it from Windows either. You can confirm this by running getent group <gid>, where <gid> is the numeric group id.
To fix it, you can either use chgrp to change the group for all affected files/directories, as described in the accepted answer above, or create an entry for the unknown gid in /etc/group, with any unused group name (e.g. Users2).
After doing this, it may be necessary to close all of your Cygwin windows and then re-open them.
An experiment shows that chmod does work correctly to change group permissions under Cygwin.
The experiment used a file on an NTFS partition. Cygwin implements a POSIX layer on top of Windows, but it still ultimately uses the features of Windows itself, and of the particular filesystem implementation.
On modern versions of Windows, most hard drives are formatted to use NTFS, which provides enough support for chmod. But external USB drives typically use FAT32, which doesn't have the same abilities to represent permissions. The Cygwin layer fakes POSIX semantics as well as it can, but there's only so much it can do.
Try
$ df -T .
If it indicates that you're using a FAT32 filesystem, that's probably the problem. The solution would be to store the file on an NTFS filesystem instead. A file named id_dsa is probably an SSH private key, and it needs to be stored in $HOME/.ssh anyway.
Is your home directory on a FAT32 partition? As I recall, recent versions of Windows ("recent" meaning the last 10 or more years) are able to convert FAT32 filesystems to NTFS.
The remainder of this answer was in response to the original version of the question, which had a typo in the chmod command.
Cygwin uses the GNU Coreutils version of chmod. This,
chmod g=0 fileName
is not the correct syntax. I get:
$ chmod g=0 fileName
chmod: invalid mode: `g=0'
Try `chmod --help' for more information.
(This is on Linux, not Cygwin, but it should be the same.)
To turn off all group permissions, this should work:
$ chmod g= fileName
$ ls -l fileName
-rw----r-- 1 kst kst 0 Jun 13 10:31 fileName
To see the chmod documentation:
$ info coreutils chmod
To see the documentation on symbolic file mode:
$ info coreutils Symbolic
The format of symbolic modes is:
[ugoa...][+-=]PERMS...[,...]
where PERMS is either zero or more letters from the set 'rwxXst', or a
single letter from the set 'ugo'.
Like previous answers, not recognized groups cause such issues. It mostly happens in Windows Domains.
The easiest way to fix it is regenerate your /etc/passwd and /etc/group files (parameter -d is needed for domain users):
mkpasswd -l -d > /etc/passwd
mkgroup -l -d > /etc/group
Close and launch Cygwin again.
This is a very annoying issue for me. In my case user135348's solution worked best. The biggest issue with the chown :Users -R approach is that every time a new file is created, it will be assigned to the unknown gid 1049120. It's very frustrating to keep changing file gid.
I tried mkgroup too, but in my case it didn't work: My gid is 1049120.
Based on the rules explained in Mapping Windows SIDs to POSIX uid/gid values : : 0x100000 offset is used for account from the machine's primary domain.
Trying to remove the same offset from 1049120, you get 544, which is built-in Administrators group's RID.
This account is not a member of the local Administrators group; we use SuRun to grant administrator rights without giving out credentials. In this case, mkgroup failed to generate all the possible gids.
Editing the group file and adding a customized group name seems always to fix the issue easily.
I had this issue when working remotely from the Domain and using cygserver.
Running ls -l showed a numeric group id instead of a group name.
I stopped cygserver, net stop "CYGWIN cygserver, and other Cygwin processes, then ran the ls -l again, and group names were then displayed correctly.
I guess cygserver was holding incomplete domain group information.
After restarting cygserver the system continued to work correctly.
#!/bin/bash
find . |while read obj; do
if [[ -d "$obj" ]]; then
setfacl --set "user::rwx,group::r-x,other::r-x" "${obj}"
elif [[ -f "$obj" ]]; then
setfacl --set "user::rw-,group::r--,other::r--" "${obj}"
fi
done
You must specify the group name on the Windows system which your user belongs to.
So I just did this:
chown -R ONEX:Users ~/*
You can find your user name and group here:
I am not sure whether this is a Sphinx question or a Linux question.
Anyway, I am running Sphinx on my CentOS server box.
I successfully managed to change the ownership of some Sphinx-related files and directories as I want only root and the Apache group to be able to read those information:
chown root.apache /etc/sphinx/sphinx.conf
chmod 640 /etc/sphinx/sphinx.conf
chown -R root.apache /var/lib/sphinx
chmod -R 750 /var/lib/sphinx
My problem is when Sphinx generates the files containing the index in the directory /var/lib/sphinx, they have ownership
root:root
How can I make them have permission
root:apache
?
The Sphinx documentation doesn't mention about that.
Thanks.
Set SETGID for directory /var/lib/sphinx/:
root#centos:~# chmod g+s /var/lib/sphinx/
This way, all created file in directory /var/lib/sphinx/ will inherit group from parent.
If sphinx is not messing with ownership by it self (I guess it't not) then this will work.
You can read more here about SETGID on directories.
Or you can run the cron job as the user sphinx rather than as root, either by adding sudo -u sphinx in the existing crontab entry, or by removing it from root's crontab and adding it to the appropriate user's crontab. (Perhaps you should report this as a bug against the package, if you are using a packaged version.)