Linux permissions issue on sftp server - linux

Good day!
I have a linux sftp server located in VM. This VM has access to a GlusterFS storage, where sftp directories are located. Sftp works via OpenSSH server and chroots sftpusers group to sftp directories on GlusterFS storage. All worked well... After one moment I had got an issue...
Trying to create user:
# useradd -d /mnt/cluster-data/repositories/masters/test-user -G masters,sftpusers -m -s /bin/nologin test-user
Checking:
# cat /etc/passwd | grep test-user
test-user:x:1029:1032::/mnt/cluster-data/repositories/masters/test-user:/bin/nologin
# cat /etc/group | grep test-user
masters:x:1000:test-user
sftpusers:x:1005:test-user
test-user:x:1032:
Doing chown and chmod for home dir by hand:
# chown -R test-user:test-user /mnt/cluster-data/repositories/masters/test-user
# chmod -R 770 /mnt/cluster-data/repositories/masters/test-user
Checking:
# ls -la /mnt/cluster-data/repositories/masters/test-user
итого 16
drwxrwx--- 2 test-user test-user 4096 Окт 27 2013 .
drwxr-xr-x 13 root masters 4096 Окт 27 2013 ..
Adding another user to test-user's group:
# usermod -G test-user -a tarasov-af
# cat /etc/passwd | grep tarasov-af
tarasov-af:x:1028:1006::/mnt/cluster-data/repositories/lecturers/tarasov-af/:/bin/nologin
# cat /etc/group | grep tarasov-af
masters:x:1000:tarasov-af,test-user
sftpusers:x:1005:tarasov-af,test-user
lecturers:x:1006:tarasov-af
specialists:x:1008:tarasov-af
test-user:x:1032:tarasov-af
Login as tarasov-af:
sftp> cd masters/test-user
sftp> ls
remote readdir("/masters/test-user"): Permission denied
sftp> ls -la ..
drwxr-xr-x 13 0 1000 4096 Oct 26 21:30 .
drwxr-xr-x 6 0 0 4096 Oct 2 15:53 ..
drwxrwx--- 2 1029 1032 4096 Oct 26 21:53 test-user
I tried to login as tarasov-af into bash (usermod -s /bin/bash tarasov-af):
$ id
uid=1028 gid=1006
groups=1000,1005,1006,1008,1032
p.s. I guess this issue began after VM disk failed and I've got /etc/passwd and /etc/group broken, I've restored them from backups and all previous accounts works well, I have this issue only with new accounts.

I've found the reason of this issue: user tarasov-af has more than 16 secondary groups, first 15 groups work good, other -- don't work. I've set kernel.ngroups_max = 65535 in sysctl.conf on every computer in cluster (GlusterFS) and on sftp VM but nothing changed.

This issue goes to glusterfs client, it can't manipulate with more than 15 secondary groups.
# glusterfs --version
glusterfs 3.2.7 built on Sep 29 2013 03:28:05

Related

Can't Read Files using External Tables or Write Files using UTL_FILE using PL/SQL

I have an issue wherein I can't Read a simple File using an External Table, nor can I write files using UTL_FILE. I think this has something to do with the permissions but I can't figure it out.
I confirmed that APPS and PUBLIC have the sufficient privileges:
select GRANTEE, privilege from all_tab_privs
where table_name = 'EXT_TAB_DATA';
GRANTEE PRIVILEGE
------- --------
APPS WRITE
APPS READ
APPS EXECUTE
PUBLIC WRITE
PUBLIC READ
PUBLIC EXECUTE
And I also confirmed that the actual Directory is defined:
select * from all_directories
where directory_name = 'EXT_TAB_DATA';
OWNER DIRECTORY_NAME DIRECTORY_PATH ORIGIN_CON_ID
------ -------------- -------------------------- -----------------
SYS EXT_TAB_DATA /u01/app/oracle/DEV/SAMPLE 0
Below is the privileges of the directory /u01/app/oracle/DEV/SAMPLE
[appldev-run ~]$ ls -l /u01/app/oracle/DEV
total 24
-rw-r--r-- 1 appldev appldev 6473 Jun 19 15:10 EBSapps.env
drwxr-xr-x 5 appldev appldev 4096 Jun 4 10:13 fs1
drwxr-xr-x 5 appldev appldev 4096 Jun 7 16:26 fs2
drwxr-xr-x 4 appldev appldev 4096 May 22 12:32 fs_ne
-rw------- 1 root root 0 Sep 18 2018 nohup.out
drwxrwxrwx 2 oracle appldev 4096 Jun 25 02:31 SAMPLE
When I try to write a simple UTL_FILE command below:
declare
fHandle UTL_FILE.FILE_TYPE;
begin
fHandle := UTL_FILE.FOPEN('EXT_TAB_DATA', 'test_file', 'w');
UTL_FILE.PUT(fHandle, 'This is the first line');
UTL_FILE.PUT(fHandle, 'This is the second line');
UTL_FILE.PUT_LINE(fHandle, 'This is the third line');
UTL_FILE.FCLOSE(fHandle);
EXCEPTION
WHEN OTHERS THEN
DBMS_OUTPUT.PUT_LINE('Exception: SQLCODE=' || SQLCODE || ' SQLERRM=' || SQLERRM);
RAISE;
end;
/
it results into an error like below:
ORA-29283: invalid file operation
ORA-06512: at "SYS.UTL_FILE", line 536
ORA-29283: invalid file operation
ORA-06512: at line 14
29283. 00000 - "invalid file operation"
*Cause: An attempt was made to read from a file or directory that does
not exist, or file or directory access was denied by the
operating system.
*Action: Verify file and directory access privileges on the file system,
and if reading, verify that the file exists.
And I even tried reading from an External Table:
CREATE TABLE sample_ext
( sample1 varchar(10) )
organization external (
default directory EXT_TAB_DATA
location ('test.txt')
);
/
select *
from sample_ext;
/
It results into an error below:
ORA-29913: error in executing ODCIEXTTABLEOPEN callout
ORA-29400: data cartridge error
KUP-04001: error opening file /u01/app/oracle/DEV/SAMPLE/SAMPLE_EXT_62883.log
29913. 00000 - "error in executing %s callout"
*Cause: The execution of the specified callout caused an error.
*Action: Examine the error messages take appropriate action.
I confirmed that the file is there and has data:
[appldev-run#hamlfinappdev ~]$ cd /u01/app/oracle/DEV/SAMPLE
[appldev-run#hamlfinappdev ~]$ cat test.txt
1
1
1
1
[appldev-run#hamlfinappdev ~]$
What do I need to do to read and write to this directory?
Database Version is as Follows:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
PL/SQL Release 12.1.0.2.0 - Production
CORE 12.1.0.2.0 Production
TNS for Linux: Version 12.1.0.2.0 - Production
NLSRTL Version 12.1.0.2.0 - Production
You need to give all the rights to the directory chmod 755 DEV or change the owner of the directory chown oracle:appdev DEV.
I repeated the situation and got the same error.
I created a test environment.
user root
esmd:/opt/oracle # ls -l |grep DEV
drwxrwx--- 3 appdev appdev 4096 2019-06-25 07:17 DEV
esmd:/opt/oracle/DEV # ls -l
total 4
drwxrwxrwx 2 oracle dba 4096 2019-06-25 07:22 SAMPLE
esmd:/opt/oracle # cd DEV/SAMPLE/
esmd:/opt/oracle/DEV/SAMPLE # ls -l
total 4
-rw-r--r-- 1 oracle dba 8 2019-06-25 07:14 test.txt
user oracle
oracle#esmd:~> more /opt/oracle/DEV/SAMPLE/test.txt
/opt/oracle/DEV/SAMPLE/test.txt: Permission denied
user appdev
oracle#esmd:~> su appdev
Password:
appdev#esmd:/opt/oracle> ls -l /opt/oracle/DEV/SAMPLE/test.txt
-rw-r--r-- 1 oracle dba 8 2019-06-25 07:14 /opt/oracle/DEV/SAMPLE/test.txt
DB user system
CREATE OR REPLACE DIRECTORY EXT_TAB_DATA AS '/opt/oracle/DEV/SAMPLE';
CREATE TABLE sample_ext
( sample1 varchar(10) )
organization external (
default directory EXT_TAB_DATA
location ('test.txt')
);
select *
from sample_ext;
07:34:14 line 1: ORA-29913: error in executing ODCIEXTTABLEOPEN callout
07:34:14 ORA-29400: data cartridge error
07:34:14 error opening file /opt/oracle/DEV/SAMPLE/SAMPLE_EXT_4977.log
I changed dir DEV chmod 757 DEV and All works!
appdev#esmd:/opt/oracle> ls -l /opt/oracle |grep DEV
drwxrwx--- 3 appdev appdev 4096 2019-06-25 07:17 DEV
appdev#esmd:/opt/oracle> chmod 775 DEV
appdev#esmd:/opt/oracle> ls -l /opt/oracle |grep DEV
drwxrwxr-x 3 appdev appdev 4096 2019-06-25 07:17 DEV
select *
from sample_ext;
SAMPLE1
----------------
1
1
1
1
I changed dir DEV chmod 775 DEV or chown oracle:appdev DEV and All works!
oracle#esmd:~> su
Password:
esmd:/opt/oracle # ls -l |grep DEV
drwxrwxr-x 3 appdev appdev 4096 2019-06-25 07:17 DEV
esmd:/opt/oracle # chown oracle:appdev DEV
esmd:/opt/oracle # ls -l |grep DEV
drwxrwxr-x 3 oracle appdev 4096 2019-06-25 07:17 DEV
esmd:/opt/oracle # chmod 770 DEV
esmd:/opt/oracle # ls -l |grep DEV
drwxrwx--- 3 oracle appdev 4096 2019-06-25 07:17 DEV
esmd:/opt/oracle #
select *
from sample_ext;
SAMPLE1
----------------
1
1
1
1

Slackware creating directory when adding new user

I'm using slackware 14.2, and i want to create directory public_html in /home/*/ when i create user. I saw there's a file useradd in /etc/default/, but i don't know, if this file should be editing.
Like that:
# mkdir /etc/skel/public_html
# useradd -s /bin/bash -m -d /home/user1 user1
# ls -Al ~user1
total 4
drwxr-xr-x 2 user1 user1 4096 Dec 9 11:43 public_html

Apache user can't create files in 777 directory

I'm not using SELinux, and still I can't get the apache user to create files in my cache storage directory. Can this work without using chown to change the user to the actual apache user?
[root#server live_storage]# getenforce
Disabled
[root#server live_storage]# su -s /bin/bash -c 'touch /home/admin/live_storage/c50d02d942c0a3d.cache' apache
touch: cannot touch ‘/home/admin/live_storage/c50d02d942c0a3d.cache’:
Permission denied
[root#server admin]# ls -lsa
total 84
4 drwx------. 10 admin admin 4096 24 mei 10:32 .
4 drwxr-xr-x. 3 root root 4096 9 mei 11:12 ..
4 drwxrwxrwx 3 admin admin 4096 24 mei 10:33 live_storage
[admin#server live_storage]$ touch '/home/admin/live_storage/c50d02d942c0a3d.cache'
[admin#server live_storage]$ ls '/home/admin/live_storage/c50d02d942c0a3d.cache'
/home/admin/live_storage/c50d02d942c0a3d.cache
Figured it out. Apache didn't have execute rights on the /home/admin directory. chmod +x /home/admin fixed the problem

Can not add new user in docker container with mounted /etc/passwd and /etc/shadow

Example of the problem:
docker run -ti -v my_passwd:/etc/passwd -v my_shadow:/etc/shadow --rm centos
[root#681a5489f3b0 /]# useradd test # does not work !?
useradd: failure while writing changes to /etc/passwd
[root#681a5489f3b0 /]# ll /etc/passwd /etc/shadow # permission check
-rw-r--r-- 1 root root 157 Oct 8 10:17 /etc/passwd
-rw-r----- 1 root root 100 Oct 7 18:02 /etc/shadow
The similar problem arises when using passwd:
[root#681a5489f3b0 /]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: Authentication token manipulation error
I have tried using the ubuntu image, but the same problem arises.
I can manually edit passwd file and shadow file from within container.
I am getting the same problem on following two machines:
Host OS: CentOS 7 - SELinux Disabled
Docker Version: 1.8.2, build 0a8c2e3
Host OS: CoreOS 766.4.0
Docker version: 1.7.1, build df2f73d-dirty
I've also opened issue on GitHub: https://github.com/docker/docker/issues/16857
It's failing because passwd manipulates a temporary file, and then attempts to rename it to /etc/shadow. This fails because /etc/shadow is a mountpoint -- which cannot be replaced -- which results in this error (captured using strace):
102 rename("/etc/nshadow", "/etc/shadow") = -1 EBUSY (Device or resource busy)
You can reproduce this trivially from the command line:
# cd /etc
# touch foo
# mv foo shadow
mv: cannot move 'foo' to 'shadow': Device or resource busy
You could work around this by mounting a directory containing my_shadow and my_passwd somewhere else, and then symlinking /etc/passwd and /etc/shadow in the container appropriately:
$ docker run -it --rm -v $PWD/my_etc:/my_etc centos
[root#afbc739f588c /]# ln -sf /my_etc/my_passwd /etc/passwd
[root#afbc739f588c /]# ln -sf /my_etc/my_shadow /etc/shadow
[root#afbc739f588c /]# ls -l /etc/{shadow,passwd}
lrwxrwxrwx. 1 root root 17 Oct 8 17:48 /etc/passwd -> /my_etc/my_passwd
lrwxrwxrwx. 1 root root 17 Oct 8 17:48 /etc/shadow -> /my_etc/my_shadow
[root#afbc739f588c /]# passwd root
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root#afbc739f588c /]#

could not create directory /home/hadoop/.ssh : permission denied?

I am configuring hadoop on Ubuntu os. I need to create RSA key pair to allow hadoop to interact with its nodes, so i running this command:
hadoop#ubuntu:~$ ssh-keygen -t rsa -P ""
then I get this:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa):
Could not create directory '/home/hadoop/.ssh': permission denied.
Enter passphrase (empty for no passphrase ):
Enter same passphrase again:
open /home/hadoop/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /home/hadoop/.ssh/id_rsa.
Forgot to create .ssh dir in your home?
Try that:
mkdir -p ~/.ssh
then re-run ssh-keygen.
Also possibly you doing ssh-keys creation from wrong user.. You started that shell using sudo?
Try to set HOME dir manually or enter right path in prompt.
check your home directory name and permissions
echo $HOME
cd ~ ; ls -l
ls -l .ssh
ls -lR .ssh
if above output is OK and you have correct permissions, perhaps your quota is full
try with "sudo" and see what happens...
Seems like current user doesn't own the contents under home directory.
Gain the ownership as shown as below:
admin#mydb22-02:~$ sudo chown admin.admin /home/admin/
admin#mydb22-02:~$ ls -la
total 32
drwxr-xr-x 2 admin admin 4096 Nov 3 23:29 .
drwxr-xr-x 3 admin admin 4096 Dec 23 2012 ..
-rw------- 1 admin admin 191 Feb 13 2013 .bash_history
-rw-r--r-- 1 admin admin 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 admin admin 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 admin admin 675 Apr 3 2012 .profile
-rw-r--r-- 1 admin admin 0 Nov 3 23:29 .sudo_as_admin_successful
-rw------- 1 admin admin 4221 Nov 3 20:31 .viminfo
generating keys would work now as .ssh directory will now be created and owned by current user after generating the assymetric keys
I have spent arround 1 hr on this and finally got the solution. It is due to permission problem. You have to use chown for your 'hadoop user'.
1. First make hadoop directory.
cd /home
mkdir hadoop
then check 'ls -l'. it gives result like :
drwxr-xr-x 2 hadoop hadoop 4096 Aug 22 22:17 hadoop
2. sudo chown hadoop.hadoop /home/hadoop/
3. Then run remaining command for key generater.

Resources