permissions issue accessing a file - linux

I log in as root and I issue the following command:
ls -l /home/osr/public_html/include/connect.php
and I receive
-rwxrwxr-x 1 osr epanagio 578 Jul 10 2012 /home/osr/public_html/cti/include/connect_to_md5.php
This tells me that "osr" and "epanagio" can access the file for read-write-execute.
Now I log in as "epanagio" and I issue the same command:
ls -l /home/osr/public_html/include/connect.php
and I receive
/bin/ls: cannot access /home/osr/public_html/include/connect.php: Permission denied
WHAT?! I am "epanagio" and according to the permissions I have rwx to this file.
I am using CentOS and I am obviously lost.
Can someone PLEASE explain this to me?

Just because you have the rights to read a file doesn't mean you can actually REACH that file. You need permissions to access all of the parent directories of wherever that file is.
Consider it the equivalent of giving you permission to take a $1 bill from me, but that $1 bill is inside a safety deposit box in a bank's vault. You have the rights to the money, but no rights to walk into the vault and open the box.

Related

Linux permissions -- can't write to directory which has all permissions set to allow all

Scenario:
bob owns directory x
bob has set permissions on x to 777
jim can't write to x. Why?
Actual output:
ls -la .pip/
total 12
drwxrwxrwx 2 user1 user1 4096 May 5 12:03 .
drwx------ 5 user1 user1 4096 May 6 11:34 ..
-rw-rw-rw- 1 user1 user1 2054 May 5 12:48 pip.log
sudo -S -p 'sudo password:' -u "apache" /bin/bash -l -c "mkdir .pip/monkey"
/bin/bash: /home/user1/.bash_profile: Permission denied
mkdir: cannot create directory `.pip/monkey': Permission denied
Ultimately I'm trying to pip install as apache user and that user is not allowed to write the install log, so the process fails. I need to write the log as apache user, but it lives in my user space. I could change the owner, but this process is supposed to work for any user, even new ones, so it's somewhat confusing what I'm supposed to do to achieve this.
UPDATE:
I understand from http://linux.die.net/man/2/path_resolution that it is the fact that apache does not own user1's home directory, so the directory search won't work. Is this the case?
Disclaimer: At the time this answer was composed, the question did not clearly identify working directories. If assumptions documented in the answer are incorrect, the folders mentioned in the answer may need to be adapted accordingly.
It appears that the question asks why user apache cannot operate under:
/home/user1/
It also appears that /home/user1 may have permissions set to drwx------ as these permissions are typically used to help secure private data that can accumulate in the root of the user's home directory.
If the above is true, then it is normal for apache to not be able to work under /home/user1/ because it does not have traversal rights to /home/user1. Such rights can be added in various ways. The simplest, but not particularly safe way to do it is something like:
sudo chmod o+x /home/user1
It would then be possible for /home/user1 sub-folder permissions to be tightened and loosened to fit the need. It would be better to use group permissions than world permissions, but you should probably create a special group for this purpose rather than making apache a member of the user1 group. An even better solution would be to use an ACL that grants apache traversal rights to /home/user1 without opening the user's home directory up to a wider audience.
Be careful. Loosening permissions with the aforementioned command can give all users on the box access to sub-directories of the user's home directory if their permissions are not suitably tight.
Note: Security mechanisms on some systems might get annoyed by loosening of user home directory permissions and interfere with manual overrides. This could happen, for example, on a distribution that has msec configured to a relatively high security level. Without more detail given about the system configuration, it is somewhat difficult to anticipate potential problems. For example, unless an exception has been made for particular file system areas, on an msec managed system with high security set, msec will periodically rewrite directory permissions that it monitors if it does not consider the permissions compatible with the configured security level.

Bash permission denied in cygwin

I have a directory:
drw-rwxrw-+ 1 username Domain Users 0 Feb 11 09:32 webapp
But when I try to enter this one I get
-bash: cd: /cygdrive/c/dp-project/.../web-app Permission denied
What's wrong? I set all permissions to all users.
No, you didn't "set all permissions to all users". Execute permission is only set for the group. Try chmod a+x webapp.
One other thing: the first line says webapp, the second line web-app; those are not the same.
The plus (+) sign at the end of the permissions indicates that the file or directory has access control lists set. Use:
getfacl /path/to/dir
to read all those ACLs. Most probably your user's or group's access is prevented.

File read permissions for 'others' not working

I'm trying to give read permissions to lighttpd access logfiles to normal users which are on the same system.
The permissions are currently:
-rw-r--r-- 1 www-data www-data 211K Feb 28 11:27 /var/log/lighttpd/access.log
So, if I understood correctly, others have read permissions. Unfortunately this doesn't seem to work. If I try to read this file with a user account I get:
/var/log/lighttpd/access.log: Permission denied
I already tried to add the user to the group www-data which didn't work as well.
Any hints what I'm doing wrong here?
To access a file, the system needs the execute permission on all the directories containing the file.
In this case it was necessary to issue the chmod o+x /var/log/lighttpd command (after making sure that the user belongs to the "other" part of the permission set).
The "execute" permission on a directory allows you to enter it. The "read" permission on the directory allows you to see the names of the files inside. The interesting thing is that you can grant the x permission alone, which means that anyone can access the files inside, but they need to know the names.
You might not have execute permission on the lighttpd directory, so the directory does not grant access to the files it contains.
Use this command to set the execute permission on that directory.
chmod +x /var/log/lighttpd

Creating a file anyone can write to, but limiting who can read it

Running Linux 2.6 kernel, is there any way to create a file with write permission for all but with read for only owner and group. We need to update a log file but only allow the owner (usually root) and group to read the data in it (security).
This is allowable in the base Unix permissions model. You can have a file you can write to but not read back from. For the file itself the following permissions allow all users to write to the file.
touch logfile.log
chmod 662 logfile.log
ls -al
-rw-rw--w- 1 mmcgarrah mmcgarrah 0 Aug 19 17:15 logfile.log
Permissions to enter the directory containing the file are your other concern. Make sure that non-owners can traverse to the file or they will not be able to see the file to write to it.
Write permission however also grants delete access to the file so beware malicious users removing the file.
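Every "Permission denied" on this page (epanagio on a 775 file under /home/osr, apache under /home/user1, the lighttpd log directory, and the 662 write-only log above) comes out of the same kernel decision: pick one permission class per path component, require x on every directory along the way, and only then look at the leaf. The following is an added example, not code from any post here: a small emulation of that decision, with tables constructed from the ls -l lines quoted in the threads. The modes of parent directories the posts never showed (for example /home/osr being 700, or the directory holding the 662 log being 711) are assumptions and are marked as such in the code; adjust them to your own `ls -ld` output before trusting a result.

```python
"""Emulation of the Unix mode-bit check behind every "Permission denied" above.

Added example, not code from any post on this page. Tables are constructed
from the ls -l lines quoted in the threads; parent-directory modes the posts
never showed are ASSUMED and marked as such.
"""
import os
from typing import Dict, List, Tuple

R, W, X = 4, 2, 1
Entry = Tuple[int, str, str]   # (mode incl. setuid/setgid/sticky bits, owner, group)
Table = Dict[str, Entry]       # absolute path -> Entry


def class_bits(entry: Entry, user: str, groups: List[str]) -> int:
    """Pick the ONE class that applies: owner, else group, else other.
    Classes are never merged: a group member gets the group bits even when
    'other' happens to be more permissive."""
    mode, owner, group = entry
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7


def check(entries: Table, path: str, user: str, groups: List[str],
          want: int) -> Tuple[bool, str]:
    """Like access(2): every ancestor directory needs x (search) before the
    leaf's own bits are even looked at. Returns (allowed, reason)."""
    if user == "root":
        return True, "root: CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH bypass the mode bits"
    parts = [p for p in path.split("/") if p]
    prefix = ""
    for name in parts[:-1]:
        prefix += "/" + name
        if prefix not in entries:
            return False, f"{prefix}: not in table"
        if not class_bits(entries[prefix], user, groups) & X:
            return False, f"{prefix}: no x (search) for {user}; the leaf mode never matters"
    if path not in entries:
        return False, f"{path}: not in table"
    have = class_bits(entries[path], user, groups)
    if have & want != want:
        return False, f"{path}: {user} has {have:o}, needs {want:o}"
    return True, "ok"


def can_create(entries: Table, newpath: str, user: str, groups: List[str]):
    """mkdir/creat: the PARENT needs w (add a name) and x; the new name does not exist yet."""
    return check(entries, os.path.dirname(newpath), user, groups, W | X)


def can_unlink(entries: Table, path: str, user: str, groups: List[str]):
    """rm: w+x on the parent directory, not w on the file (w on the file lets
    you truncate it, not remove the name). With the sticky bit set, only the
    file's owner or the directory's owner may remove the name."""
    parent = os.path.dirname(path)
    ok, why = check(entries, parent, user, groups, W | X)
    if not ok or user == "root":
        return ok, why
    dmode, downer, _ = entries[parent]
    if dmode & 0o1000 and user not in (downer, entries[path][1]):
        return False, f"{parent}: sticky bit and {user} owns neither directory nor file"
    return True, "ok"


def fmt_mode(mode: int, is_dir: bool = False) -> str:
    """Render a mode as ls -l does: 0o2775 -> 'drwxrwsr-x', 0o662 -> '-rw-rw--w-'."""
    out = "d" if is_dir else "-"
    for shift, special, ch in ((6, 0o4000, "s"), (3, 0o2000, "s"), (0, 0o1000, "t")):
        bits = (mode >> shift) & 7
        out += ("r" if bits & R else "-") + ("w" if bits & W else "-")
        if mode & special:
            out += ch if bits & X else ch.upper()   # 's'/'t' with x, 'S'/'T' without
        else:
            out += "x" if bits & X else "-"
    return out


# Thread 1: file is 775 osr:epanagio, yet epanagio gets EACCES. A private home dir is the assumed cause.
HOME_OSR: Table = {
    "/home": (0o755, "root", "root"),                                        # assumed
    "/home/osr": (0o700, "osr", "osr"),                                      # assumed
    "/home/osr/public_html": (0o775, "osr", "epanagio"),                     # assumed
    "/home/osr/public_html/include": (0o775, "osr", "epanagio"),             # assumed
    "/home/osr/public_html/include/connect.php": (0o775, "osr", "epanagio"),  # from the ls -l line
}

# Thread 2: apache cannot mkdir under a 777 .pip because /home/user1 is 700 (the '..' line in the post).
HOME_USER1: Table = {
    "/home": (0o755, "root", "root"),                      # assumed
    "/home/user1": (0o700, "user1", "user1"),              # from the post
    "/home/user1/.pip": (0o777, "user1", "user1"),         # from the post
    "/home/user1/.pip/pip.log": (0o666, "user1", "user1"), # from the post
}
HOME_USER1_FIXED: Table = {**HOME_USER1, "/home/user1": (0o701, "user1", "user1")}  # after chmod o+x

# Write-only log thread: the chmod 662 file, placed in an x-only directory (directory mode assumed).
WRITE_ONLY: Table = {
    "/var": (0o755, "root", "root"),                    # assumed
    "/var/log": (0o755, "root", "root"),                # assumed
    "/var/log/app": (0o711, "root", "adm"),             # assumed: searchable, but not listable or writable by others
    "/var/log/app/audit.log": (0o662, "root", "adm"),   # the chmod 662 file from the answer
}

if __name__ == "__main__":
    f = "/home/osr/public_html/include/connect.php"
    for user, groups in (("osr", ["osr"]), ("epanagio", ["epanagio"]), ("root", [])):
        print(f"{user:9} read {f}: {check(HOME_OSR, f, user, groups, R)}")
    print("apache mkdir .pip/monkey:", can_create(HOME_USER1, "/home/user1/.pip/monkey", "apache", ["apache"]))
    print("  after chmod o+x /home/user1:", can_create(HOME_USER1_FIXED, "/home/user1/.pip/monkey", "apache", ["apache"]))
    print("  apache ls /home/user1:", check(HOME_USER1_FIXED, "/home/user1", "apache", ["apache"], R))
    log = "/var/log/app/audit.log"
    print("bob write:", check(WRITE_ONLY, log, "bob", ["bob"], W), "read:", check(WRITE_ONLY, log, "bob", ["bob"], R),
          "rm:", can_unlink(WRITE_ONLY, log, "bob", ["bob"]))
```

Two things the model makes visible that the ls -l lines alone do not: the reason string always names the first directory that lacks x, which is the component to fix (chmod o+x on that directory, or an ACL entry such as `setfacl -m u:apache:x /home/user1` to avoid opening it to everyone), and removing a name is decided by w+x on the directory rather than w on the file, so a 662 log in a 711 directory can be appended to but not deleted by arbitrary users, only truncated. The model ignores ACLs (the `+` in the cygwin thread) and MAC systems such as SELinux, either of which can deny what the mode bits allow.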

Permission of the webpage folder /var/www on a Linux server

I have moved my website from Godaddy to a VPS server. I'm new to Linux so I followed some tutorials online but still confused about some problems.
I use SSH to log on my server as user adam. In order to run the PHP properly, I have to set 755 permission to /var/www and change the owner of this folder to www-data. But that means I don't have permission to write files in this folder even if add user adam to the group www-data. And I cannot upload webpages onto this folder using FTP which is very annoying. (Currently I have to type su to switch to root and then modify these files with nano)
I know setting 777 is a solution but it may cause some safety concerns so I'm looking for a better solution.
drwxr-xr-x 8 www-data www-data 4096 Jul 24 21:36 www
Every number of the permission is composed as follows
4: read
2: write
1: execute
So if you add them you get the permission. For example, 7 means all the permissions and 6 means read and write.
The first number of 755 is for the owner, the second for the group's users and the third for other users.
Then 755 means rwxr-xr-x, i.e. the owner can read, write and execute, but the group members can't write.
If you want to solve this you can change the privileges to 775; then it will change to rwxrwxr-x.
Or you can add www-data as a secondary group to adam and set the setgid bit with group www-data on /var/www.
