I have a directory cyanspring with a nohup.out file.
drwxr-xr-x 12 usr1 usr1 4096 Aug 20 13:59 cyanspring
Owner of the file is able to read it:
[root#lw414 usr1]# sudo -u usr1 ls -l cyanspring/nohup.out
-rw-r--r-- 1 usr1 usr1 30617 Aug 20 14:00 cyanspring/nohup.out
When I try to read it with another user, I get Permission denied.
[root#lw414 usr1]# sudo -u zabbix ls -l cyanspring/nohup.out
ls: cannot access cyanspring/nohup.out: Permission denied
If i go inside the directory, I am able to read the file with the same user who had "Permission Denied".
[root#lw414 usr1]# cd cyanspring
[root#lw414 cyanspring]# sudo -u zabbix ls -l nohup.out
-rw-r--r-- 1 usr1 usr1 30617 Aug 20 14:00 nohup.out
Absolute path doesn`t work as well.
I thought it doesn`t matter where you try to access the file from as long as you have the link and permissions. Can anybody give me a hint where I am wrong? Could it be because of outer folders permissions?
You got "Permission denied" because user zabbix does not have search permission to lachesis directory.
This can be fixed by starting this command from lachesis directory:
sudo chmod go+x .
Permissions are calculated for each directory beginning from current directory if you give relative path, or beginning from root, if you give absolute path.
Related
We are getting the error "permission denied" when trying to write to a file that is owned by a service user and a shared group. In particular that is www-data:www-data and the user trying to write to it is in the group www-data.
There is no acl on none of the parent folders and the permissions to the file and folders are correct.
Here some details:
$ sudo -u deploy id -Gn
www-data
$ ls -lah /tmp
drwxrwxrwt 17 root root 4.0K Jul 11 11:22 .
drwxr-xr-x 23 root root 4.0K Jul 8 10:08 ..
...
-rw-rw-r-- 1 www-data www-data 0 Jul 11 10:50 test
...
$ echo 'hello world' | sudo -u deploy tee -a /tmp/test
tee: /tmp/test: Permission denied
hello world
we tried that on different folders and made sure there is no acl on any of the folders or parents or files...
Unfortunately that is not described in the link stark posted in the comment. And also not in any other page I found until I found an answer here on stackoverflow that clarified it.
2018 two new filesystem configurations got added to sysctl that should prevent regular files and fifos from beeing opened with the O_CREAT flag (as append mode is doing) in directories with the sticky bit set unless the user is the owner of the file. This commit added the settings: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5
To change that behaviour you have to set fs.protected_regular to 0:
sudo sysctl fs.protected_regular=0
Or to persist the change add fs.protected_regular=0 to your sysctl.conf.
side node: since O_CREAT is not deleting or renaming the file I'm wondered why it is connected to the sticky bit. It really is possible to create a file in directories with the stick bit set.
In my open vpn server, i am ensuring cron file permission to be only accessable from root user.
I have removed the at.deny and cron.deny files and have created at.allow and cron.allow and 0600 permissions are applied for files, both files are empty and file permissions are as below, which clearly says root has read and write access.
-rw------- 1 root root 0 Jul 21 08:40 cron.allow
-rw------- 1 root root 0 Jul 21 08:40 at.allow
however this change allows my openvpnas user to still list the crontab and even allows to edit cron.
openvpnas#openvpnas2:~$ crontab -l
no crontab for openvpnas
Where as when the file permissions are as below,
-rw-r--r-- 1 root root 0 Jul 21 08:41 cron.allow
-rw-r--r-- 1 root root 0 Jul 21 08:41 at.allow
It restricts my non root users to access or edit cron files! This issue is only with one of my server, where as other server permissions and behaviours are as expected,
openvpnas#openvpnas2:~$ crontab -l
You (openvpnas) are not allowed to use this program (crontab)
See crontab(1) for more information
Please provide your inputs on this, this has kept me blocked from continuing my work.
This issue i faced was in Ubuntu 18.04 instance,
Current /usr/bin/crontab permission was as below,
-rwxr-sr-x 1 root crontab 39352 Nov 16 2017 /usr/bin/crontab
Had to change the group user from crontab to root and file permission to as below,
sudo chmod 4755 /usr/bin/crontab
sudo chown root:root /usr/bin/crontab
-rwsr-xr-x 1 root root 39352 Nov 16 2017 /usr/bin/crontab
This permission restricts the non-root user to schedule cronjobs. The access can be allowed to non-root users by adding the user names in cron.allow file.
openvpnas#openvpnas2:~$ crontab -l
You (openvpnas) are not allowed to use this program (crontab)
See crontab(1) for more information
So my home dir is set as:
drwxr--r-- 16 me users 4096 Jan 15 09:17 me
I want to copy my files from using admin user which belongs to the same group(users):
drwxr-xr-x 2 otickadm users 4096 Jan 15 08:59 common
However I can't:
$ cd /jhome/jyun1
-bash: cd: /jhome/jyun1: Permission denied
$ cp /jhome/jyun1/gitworkspace/taq_scripts/sanity_check.py .
cp: cannot stat ‘/jhome/jyun1/gitworkspace/taq_scripts/sanity_check.py’: Permission denied
Wondering if anything else is taking control of this permission.
cd (and read files) requires execute (x) perms on the directory; try 75x to allow others in your group to cd to your directory and/or read your files
I have this old Perl script. This script is working from cron on CentOS 6.4. It creates a temporary directory and is trying to unzip files there.
This is a piece of code:
$lg->li("Creating Directory... \n\t$unzip_dir");
mkdir ($unzip_dir, 0777) or my_die("mkdir $unzip_dir failed") unless (-e $unzip_dir && -d $unzip_dir);
However after execution the directory has weird permissions:
drwxrwsr-x 42 buser agroup 12K Dec 30 09:18 .
drwxrwsr-x 4 buser agroup 4.0K Apr 6 2012 ..
drw-rwSr-- 2 auser agroup 4.0K Dec 28 11:51 tm_unpack_dir_1388412502.20184
The umask for user auser is a 0002.
Why the new directory has no execution permission? Any idea, how this can happen?
The weird permissions are caused by the setgid bit on the parent directory in combination with an unusual umask:
Look at the permissions of the parent directory, the first line:
drwxrwsr-x 42 buser agroup 12K Dec 30 09:18 .
drw-rwSr-- 2 auser agroup 4.0K Dec 28 11:51 tm_unpack_dir_1388412502.20184
Notice it has rwxrwsr-x which means that the setgid bit is set. The setgid bit on a directory causes new files in the directory to be created with the same group as the directory. New directories inherit the setgid bit from their parent.
A umask of 0113 will cause the strange permissions you're seeing. That is an unusual umask, the default is 0022. The umask is set in the environment executing the script, or directly in the script itself.
Don't worry about 0777 after mkdir in your script: mkdir $dir, 0777 means "create $dir without interfering with the present umask". 0777 is the default and can be safely omitted.
Try setting the umask directly in your script:
umask 0022;
$lg->li("Creating Directory... \n\t$unzip_dir");
mkdir ($unzip_dir) or my_die("mkdir $unzip_dir failed") unless (-e $unzip_dir && -d $unzip_dir);
should cause:
drwxrwsr-x 42 buser agroup 12K Dec 30 09:18 .
drwxr-sr-x 2 auser agroup 4.0K Dec 28 11:51 tm_unpack_dir_1388412502.20184
New directory permissions are rwxr-sr-x which is more normal. Notice that the setgid bit is still set because of the parent directory.
Oh, you might wonder why the setgid bit is sometimes lowercase 's' and sometimes uppercase 'S'. That depends on the executable bit. Lowercase s means the executable bit is set, uppercase means it's not set:
$ mkdir foo
$ ls -l
drwxr-xr-x 2 johan johan 4096 Dec 30 17:22 foo
$ chmod g+s foo
$ ls -l
drwxr-sr-x 2 johan johan 4096 Dec 30 17:22 foo
$ chmod g-x foo
$ ls -l
drwxr-Sr-x 2 johan johan 4096 Dec 30 17:22 foo
Your code looks correct to me.
Confirming on my system:
perl -e 'mkdir("foo", 0777);'
drwxr-xr-x 2 user user 512 Dec 30 10:48 foo
mkdir is affected by your umask. A funky umask can do funky things.
What does this yield for you?
perl -e 'printf("%04o\n", umask());'
I get this:
0022
Which is why my folder is created 0755 when I ask for 0777.
I've debugged script and found source of the problem.
The problem caused by tar.gz archive sent to us by one of our submitters. These tar files having directory without execution permission set. I have no idea how they achieve such result.
One more problem - the Gnu Tar have no key to prevent restoring files and directories permissions.
So after extracting archive with wrong permissions I have to recursively set right permissions on the all files and directories in the archive.
Thank you everybody.
It means that the setuid and setgid bits have been set.
The setuid (set user id) is a permission bit, that allows the users to exec a program with the permissions of its owner.
The setgid (set group id) is a bit that allows the user to exec a program with the permissions of the group owner.
http://linuxg.net/how-to-set-the-setuid-and-setgid-bit-for-files-in-linux-and-unix/
I am currently messing around on my linux system and now I have the following situation.
The directory /srv/http has the following permissions set:
drwxrwxr-x 2 root httpdev 80 Jun 13 11:48 ./
drwxr-xr-x 6 root root 152 Mar 26 13:56 ../
-rwxrwxr-x 1 root httpdev 8 Jun 13 11:48 index.html*
I have created the group httpdev before with the command:
groupadd httpdev
and added my user sighter with:
gpasswd -a sighter httpdev
Then I have set the permissions as above using the chown and chmod commands.
But now I am not allowed to modify the index.html file or create a new file, as user sighter ,with touch like that:
<sighter [bassment] ~http> touch hallo.php
touch: cannot touch `hallo.php': Permission denied
What do I understand wrong. I was expecting that I can do what I want there then the group has all the rights.
The following Output is for your information.
<sighter [bassment] ~http> cat /etc/group | grep sighter
...
httpdev:x:1000:sighter
...
The used linux-distro is archlinux.
Adding a user to a group does not affect currently running sessions. So you have to logout and login again or use su - sighter to login.
After this you should be able to do what you want to do.
You're not in the right group. You need to log out and back in again. Also, superuser.