Linux binary permissions - linux

I am running Debian 6 - 64-bit and I am looking to put a specific set of permissions on an executable binary file.
The file is originally owned by user/group root and holds a 0111 set of permissions that only allows execute permissions.
I have set these permissions because I usually do installs for every user I create and this file is automatically copied to the user's home directory when the files are installed. The file is important so I do not want those created users to download or even view the file over FTP, the only thing they are allowed to do is execute.
But since I've set 0111 permissions on the file to achieve what I want, the file is no longer copied to the user's home directory because root cannot read/write the file. What should I do that would still allow root to read/write the file, so it is copied over to the user's home directory in the automated process, but disallow the created user from accessing it? The file is owned by user/group root and after it is copied, it is owned by user/group new-user.

Set the permissions of the original to 511 or 711 (o+r), then before the copy, do umask 666 to remove these permissions from newly created files. The copy will then have permissions 0711 & ~0666 == 0111.
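
The copy step from the answer above, as an added example that is not part of the original post: the umask is changed only inside a subshell, so the rest of an install script keeps its normal umask, and the resulting mode is verified. The file names and the helpers perms, copy_exec_only and demo_copy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: copy a binary so that the copy ends up execute-only (0111).

# perms FILE -> prints the 10-character mode string, e.g. "---x--x--x"
perms() {
    ls -ld "$1" | cut -c1-10
}

# copy_exec_only SRC DST
# cp runs in a subshell so the restrictive umask does not leak into the
# caller; the copy's mode is then source mode & ~0666.
copy_exec_only() {
    src=$1 dst=$2
    ( umask 0666 && cp "$src" "$dst" ) || return 1
    [ "$(perms "$dst")" = "---x--x--x" ] || {
        echo "unexpected mode on $dst: $(perms "$dst")" >&2
        return 1
    }
}

# demo_copy SRC_MODE -> copies a constructed stand-in file whose mode is
# SRC_MODE and prints the mode string of the copy.
demo_copy() {
    work=$(mktemp -d) || return 1
    printf 'constructed stand-in for the real binary\n' > "$work/tool"
    chmod "$1" "$work/tool"
    copy_exec_only "$work/tool" "$work/tool.copy" && perms "$work/tool.copy"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo_copy 0711   # original readable by its owner, copy is execute-only
demo_copy 0511
```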

Related

Default group permission for RStudio Server

I am using RStudio server (Version 0.98.994) on Ubuntu 12.04.
Our group works on an external share drive together and would like to open the same project.
When I open a project file created by other colleagues, I got an error with permission denied (Sorry I cannot show the error message as I already changed the permission manually).
After checking the file permission, I found the default permission is "-rw-r--r-x" for *.Rproj and .Rhistory, "drwxr-sr-x" for ".Rproj.user". So no write permission for group.
In the external share drive (not sure about the system, should be Linux), the default permission is rw for group.
How could I change the default permission for *.Rproj, .Rhistory and .Rproj.user?
Thanks for any advice. Please let me know if my question is not clear.
EDIT:
I created a new file and folder in the external share drive from the command line. The default permission is -rw-rw-r-- for the file and drwxrwsr-x for the folder, as I expected. It seems RStudio server created these new files with their own default permission.
Could I change the default permission of these files *.Rproj, .Rhistory and .Rproj.user when RStudio server creates them? i.e. Add write permission to group.
The default permissions for Directories are 777 which is read/write/execute and for Files it is 666 which is read/write. But then every system has a umask value, which is normally 022.
So when you create a directory it will have permissions 777 but it will take away the umask value of 022 and leave you with your default permissions of 755 which is rwxr-xr-x.
You can change the value of umask by simply entering the command
umask 055
This will set the umask value to 055 and whenever you create a new file/directory, 055 will be taken away from the permissions.
Again look at a newly created directory with permissions of 777 and the umask value is taken away so the directory's permission is 722 which is rwx-w--w-
Again look at a new directory with permissions

Copy site but preserve permissions

I wanted to copy my Drupal site to another location (VDS), I got a full backup from my provider (in tar.gz), untarred and ungzipped it, deleted some folders, zipped it again in 7zip format, then copied it with sftp to /var/www on the VDS and unzipped, but all permissions now are read-only and so Drupal doesn't work at all because it cannot access files.
Can anyone tell when I lost my permissions, the right way to migrate to my VDS or (and) how can I manage with my corrupted-permission Drupal now (maybe I just can change them?)
Read only permission is generally fine for a Drupal site, except for the upload folder (it's normally called files and it can be in sites/default or in sites/YOUR_SITE_CONFIGURATION_FOLDER or wherever you set it to be in admin/config/media/file-system). The files folder, and every subfolder it contains, must be writable from the web server, so if your web server is running as the www-data user (the standard user for Apache in Ubuntu, other systems may differ) you can for example do
chmod -R o+w sites/default/files
chown -R www-data sites/default/files

What permissions need to be on files in org-mobile directories?

I am trying to keep the permissions consistent in my org-directory and staging directory for org-mobile. Both directories are owned by another user (used for syncing on the phone) that shares the same group as my standard user on my local machine. All files and directories are readable and writable by user/group: e.g. mobileuser.mobileorg owns all files. However, when I call org-mobile-push, I get the error Doing chmod: Operation not permitted, /home/mobileuser/staging/file.org.
This was working before I messed with it, but I don't know what the original permissions were, and the Org-mode manual is not enlightening on the subject. I tried 770, 775, and 774 with no luck. Even 777 did not satisfy org-mode.
If I change the owner to the emacs user, chmod succeeds, but the permissions aren't actually changed. If the emacs user owns the files, MobileOrg can't sync the files through SSH.
This is a problem in emacs.
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16133
fixed in
http://bzr.savannah.gnu.org/lh/emacs/trunk/revision/115805
on 2013-12-29.

Perforce Client permissions

I had downloaded the perforce client in my ubuntu 11 system a while ago. The p4v in my system is found under:
-r-xr-xr-x 1 root root 1578 2011-08-29 12:46 /usr/bin/p4v
After I read the documentation of p4v I realize it should not be owned by root.
How do I change the ownership of this and also allow my "user" all the access rights without reinstalling the p4v again?
Thanks
If you "chown" P4V without changing the permissions, your user will still be able to use it.
For example:
chown user:group /usr/bin/p4v
The permissions granted to the file allow read and execute to the owner, anyone in the group and everyone else with access to the system. Changing the user and group will not change the permissions, so your user should still be able to execute the binary.
In general, the ownership of a binary that is executable by all shouldn't matter. The danger comes if the owner of the process is root (or any other privileged user). For example, "mount" will be owned by root, and can be run by any user to show the mounted file-systems. Only when it is run by root can it change your file-system structure.

How can I setup the permissions in Linux so that two users can update the same SVN working copy on the server?

My server has both Subversion and Apache installed, and the Apache web directory is also a Subversion working copy. The reason for this is that the simple command svn update /server/staging will deploy the latest source to the staging server.
Apache public web directory: /server/staging — (This is an SVN working copy.)
I have two users on my server, 'richard' and 'austin'. They both are members of the 'developers' group. I recursively set permissions on the /server directory to richard:developers, using "sudo chown -R richard:developers /server".
I then set the permissions to read, write and execute for both 'richard' and the 'developers' group.
So surely, 'austin' should now be able to use the svn update /server/staging command? However, when he tries, he gets the error:
svn: Can't open file '/server/staging/.svn/lock': Permission denied
If I recursively change the owner of /server to austin:developers, he can run the command just fine, but then 'richard' can't.
How do I fix the problem? I want to create a post-commit hook to automatically deploy the staging site when files are committed, but I can't see a way for that to work for both users. The hook would be:
/usr/bin/svn update /server/staging
Using the same user account for both of them wouldn't really be an acceptable solution, and I'm not aware of any way to run the command inside the hook as 'root'.
Any help is appreciated!
Directory Set Group ID
If the setgid bit on a directory entry is set, files in that directory will have the same group ownership as the directory, instead of the group of the user that created the file.
This attribute is helpful when several users need access to certain files. If the users work in a directory with the setgid attribute set then any files created in the directory by any of the users will have the permission of the group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to the group spcprj. The directory spcprjdir can be created with the set GID bit set and Kathy and Mark although in different primary groups can work in the directory and have full access to all files in that directory, but still not be able to access files in each other's primary group.
The following command will set the GID bit on a directory:
chmod g+s spcprjdir
The directory listing of the directory "spcprjdir":
drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir
The "s" in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj".
edit: source = Linux Files and File Permissions
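The setgid behaviour described in this answer, as an added example that is not part of the original post: it builds a constructed directory, sets the bit, creates entries the way a group member would, and reports the resulting modes and group. The umask 002 step, the temporary paths and the helpers perms, gid_of, make_shared and shared_report are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: setgid directory plus umask 002 for a group-shared tree.

# perms FILE -> 10-character mode string, e.g. "drwxrwsr-x"
perms() { ls -ld "$1" | cut -c1-10; }

# gid_of FILE -> numeric group id of FILE
gid_of() { ls -ldn "$1" | awk '{print $4}'; }

# make_shared DIR: rwx for owner and group, plus setgid so that new
# entries take the directory's group instead of the creator's.
make_shared() {
    mkdir -p "$1" && chmod 2775 "$1"
}

# shared_report: creates a file and a subdirectory under umask 002
# (assumption: group members run with a group-writable umask) and
# prints what the kernel produced.
shared_report() {
    root=$(mktemp -d) || return 1
    dir=$root/spcprjdir            # constructed path, named as in the answer
    make_shared "$dir" || return 1
    ( umask 002; : > "$dir/file.txt"; mkdir "$dir/sub" )
    echo "dir=$(perms "$dir") file=$(perms "$dir/file.txt") sub=$(perms "$dir/sub")"
    [ "$(gid_of "$dir/file.txt")" = "$(gid_of "$dir")" ] && echo "group=inherited"
    rm -rf "$root"
}

shared_report
```

Entries that existed before the bit was set keep their old group and mode, so an existing tree needs its group and group-write permission fixed once as well.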
I would set up svnserve which is a simple Subversion server using the svn:// protocol. You can set this up so it runs under its own user account, then the repository would only be accessed by that one user. This user could then have the correct privileges to run svn update /server/staging on a post-commit hook.
In your svn repo, you can find a 'conf' directory where you set permissions. You have 3 files there:
authz
passwd
svnserve.conf
You set in the authz file which users have which kind of access, per user or per group. You set groups there, SVN groups not Linux user groups (hashed lines are comments):
[groups]
# harry_and_sally = harry,sally
projectgroup = richard,austin
# [/foo/bar]
# harry = rw -- user harry has read/write access
# * = -- everybody have no access
# [repository:/baz/fuz]
# #harry_and_sally = rw -- harry_and_sally group members have read/write access
# * = r -- everyone has read access
[/server/staging]
#projectgroup = rw
* = r
Work around this example and set your config. In the 'passwd' file you set up users' passwords. Execute
cat passwd
You'll get a commented file with an explanation of how to set it up.
I use WebDAV - all SVN updates and commits are handled via apache and I never have such problems.
