I have a linux box:
Linux vuappserver 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux
I use SMB + windbind to join to and Active Directory
But right now I try to add a local user:
useradd test
but when I try to change the password I receive this error:
root#server:/home/vu# passwd test
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
I checked the permissions of this files:
-rw-r--r-- 1 0 0 1350 Apr 5 23:17 /etc/passwd
-rw-r----- 1 0 42 941 Apr 5 23:17 /etc/shadow
Any ideas?
Thanks
by default pam_krb5.so set the "minimun_uid" to 1000 in /etc/pam.d/common-*
e.g.:
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
my user had uid=1001 and according to the default setup, kerberos took control (bad thing). In the other hand, the mapping for my AD users was in a higher range (/etc/samba/smb.conf):
idmap config * : range = 10000-40000
So, I adjusted the "minimun_uid" in /etc/pam.d/common-* to 10000, and now I'm happy :-)
If you're in a Windows domain, your authentication configuration (most probably /etc/pam.d/common-auth and /etc/pam.d/passwd) is pointing that to change a password, it must be synchronized with the domain (via Kerberos/LDAP).
You can instruct the passwd command to change a local account by specifying which accounts repository/authentication realm you would like to change:
passwd -r files account_name
Check the man page for passwd on the -r option.
Related
We used to get directory content listed with the owner name from HP-UX system using FTP client , recently the system was migrated to Suse-Linux. Now when we FTP to this machine, directory list does not show the owner name of the files.
How would one enable listing directory with owner name in Linux ?
Well in ftp (and most shells anyway), you have the ls command. This prints the list of files.
**Example session** (cutted out some messages):
$ ftp ftp.ed.ac.uk
Connected to luther.is.ed.ac.uk.
220-
Login using the username 'anonymous' and use your email address as password.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
lrwxrwxrwx 1 root root 8 Feb 26 2014 INSTRUCTIONS-FOR-USING-THIS-SERVICE -> .message
drwx-wx-wx 3 root root 4096 Feb 17 14:57 edupload
drwx-wx-wx 3 root root 131072 Feb 17 20:20 incoming
drwxr-xr-x 45 root root 4096 Feb 19 2014 pub
226 Transfer complete
ftp>
The table shows:
drwxdrwxdrwx: d stands for directory, and then rwx for read-write-execute for (in sequential order), the owner, the group and all people with login access;
the name of the owner (root);
the name of the group of the owner (root);
file size;
modification date; and
filename.
First, what I'm trying to do is to jail (chroot) the user in a specfic directory for sftp access. I found a great tutorial that made the job, you can find it here : http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/. You should read it first (it's very short) to understand the rest.
With the example in the link, I've no problem to create sftpusers group, guestuser user and lock it to the /sftp/guestuser/incoming directory. Here is how it's done :
groupadd sftpusers
useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
passwd guestuser
chown guestuser:sftpusers /sftp/guestuser/incoming
service ssh restart
What I've tried to do after is to lock another user (we call it "test") from the same group in /sftp/test. So I've created user like this :
useradd -g sftpusers -d / -s /sbin/nologin test
You see, instead /incoming as directory, I've just put "/", then I've changed rights to /sftp/test and restart ssh. But connection fails and give me this error : Write failed: Broken pipe
I thought it was due to the wrong path "/", so I decided to delete user and re-create it with an /incoming directory :
userdel test
useradd -g sftpusers -d /incoming -s /sbin/nologin test
passwd test
chown test:sftpusers /sftp/test/incoming
service ssh restart
But even after, the test user seems to be compromise for ever, because I have the same error when I try to connect through sftp : Write failed: Broken pipe Couldn't read packet: Connection reset by peer
EDIT :
Here is the log file for sshd :
Jan 24 12:46:20 ns sshd[13786]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 24 12:46:23 ns sshd[13786]: Accepted password for test from xxx.xxx.xxx.xxx port 37838 ssh2
Jan 24 12:46:23 ns sshd[13786]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jan 24 12:46:24 ns sshd[13949]: fatal: bad ownership or modes for chroot directory "/sftp/test"
Jan 24 12:46:24 ns sshd[13786]: pam_unix(sshd:session): session closed for user test
Jan 24 12:48:17 ns sshd[14103]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 24 12:48:19 ns sshd[14103]: Invalid user brad from xxx.xxx.xxx.xxx
Jan 24 12:48:19 ns sshd[14103]: input_userauth_request: invalid user brad [preauth]
Jan 24 12:48:19 ns sshd[14103]: pam_unix(sshd:auth): check pass; user unknown
Jan 24 12:48:19 ns sshd[14103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Jan 24 12:48:22 ns sshd[14103]: Failed password for invalid user brad from xxx.xxx.xxx.xxx port 42756 ssh2
Jan 24 12:48:22 ns sshd[14103]: Received disconnect from xxx.xxx.xxx.xxx: 11: Bye Bye [preauth]
Check the debug log for sshd. You'll likely find it complain about the home directory for user test not being secure.
The sshd is very strict about access to the user's credentials in $HOME/.ssh and will disconnect when it cannot access the directory, or when it detects permissions that would allow any other account to access it.
sshd[13949]: fatal: bad ownership or modes for chroot directory "/sftp/test"
Make sure that the owner of the directory is the only account that can modify any file in $HOME and below. Pay attention specifically to the group settings
I am configuring hadoop on Ubuntu os. I need to create RSA key pair to allow hadoop to interact with its nodes, so i running this command:
hadoop#ubuntu:~$ ssh-keygen -t rsa -P ""
then I get this:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa):
Could not create directory '/home/hadoop/.ssh': permission denied.
Enter passphrase (empty for no passphrase ):
Enter same passphrase again:
open /home/hadoop/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /home/hadoop/.ssh/id_rsa.
Forgot to create .ssh dir in your home?
Try that:
mkdir -p ~/.ssh
then re-run ssh-keygen.
Also possibly you doing ssh-keys creation from wrong user.. You started that shell using sudo?
Try to set HOME dir manually or enter right path in prompt.
check your home directory name and permissions
echo $HOME
cd ~ ; ls -l
ls -l .ssh
ls -lR .ssh
if above output is OK and you have correct permissions, perhaps your quota is full
try with "sudo" and see what happens...
Seems like current user doesn't own the contents under home directory.
Gain the ownership as shown as below:
admin#mydb22-02:~$ sudo chown admin.admin /home/admin/
admin#mydb22-02:~$ ls -la
total 32
drwxr-xr-x 2 admin admin 4096 Nov 3 23:29 .
drwxr-xr-x 3 admin admin 4096 Dec 23 2012 ..
-rw------- 1 admin admin 191 Feb 13 2013 .bash_history
-rw-r--r-- 1 admin admin 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 admin admin 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 admin admin 675 Apr 3 2012 .profile
-rw-r--r-- 1 admin admin 0 Nov 3 23:29 .sudo_as_admin_successful
-rw------- 1 admin admin 4221 Nov 3 20:31 .viminfo
generating keys would work now as .ssh directory will now be created and owned by current user after generating the assymetric keys
I have spent arround 1 hr on this and finally got the solution. It is due to permission problem. You have to use chown for your 'hadoop user'.
1. First make hadoop directory.
cd /home
mkdir hadoop
then check 'ls -l'. it gives result like :
drwxr-xr-x 2 hadoop hadoop 4096 Aug 22 22:17 hadoop
2. sudo chown hadoop.hadoop /home/hadoop/
3. Then run remaining command for key generater.
I want to know how does a process in Linux decides what privileges it has?
Suppose there is a binary program Read_File that reads from file /home/myname/data.txt and displays the contents of it to the STD output; now, how does Read_File decides whether or not it has permission to read data.txt, what type of ids it checks to decide the privileges?
First, a bit of background:
The process is usually run by a specific user. So for example, if you log in yourself and run the program, it will run with the same privileges as yourself. You can check the permissions on the file with either stat or ls -l.
Using stat
malbert#dredg:/tmp$ stat foo
File: `foo'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fb00h/64256d Inode: 618 Links: 1
Access: (0644/-rw-r--r--) Uid: (11204/ malbert) Gid: (10513/domain users)
Access: 2011-06-10 13:03:27.181227226 +0200
Modify: 2011-06-10 13:03:27.181227226 +0200
Change: 2011-06-10 13:03:27.181227226 +0200
The important infos here are:
Access: (0644/-rw-r--r--) Uid: (11204/ malbert) Gid: (10513/domain users)
This tells you the permissions for the owner (rw-), group (r--) and everyone else (r--). It also shows you the current owner id (Uid) and the current group id (Gid).
The abbreviations stand for:
r = read access
w = write access
x = execute/traverse directory access
Using ls -l
ls -l gives you a quick summary:
malbert#dredg:/tmp$ ls -l /tmp
total 48
drwx------ 2 malbert domain users 4096 2011-06-10 08:51 akonadi-malbert.zOSngu
-rw-r--r-- 1 malbert domain users 0 2011-06-10 13:03 foo
drwx------ 2 kdm nogroup 4096 2011-06-10 08:51 kde-kdm
drwx------ 3 malbert domain users 4096 2011-06-10 08:51 kde-malbert
[snip]
Here you can see the same info as with stat, but as a summary. Also, the uid's and gid's are resolved into names (in this case malbert and domain users). You can use ls -u to see these as numeric values.
In case you want to run the application as a different user as yourself, you can either use su, sudo or your application itself can drop priviledges and change the user it is running as. This is usually the way system daemons do things.
ACLs / extended attributes
Be careful about extended attributes. When listing the files using ls -l these are visible with an appended + sign. For example:
malbert#dredg:/tmp$ ls -l
total 48
drwx------ 2 malbert domain users 4096 2011-06-10 08:51 akonadi-malbert.zOSngu
-rw-rwxr--+ 1 malbert domain users 0 2011-06-10 13:03 foo
drwx------ 2 kdm nogroup 4096 2011-06-10 08:51 kde-kdm
drwx------ 3 malbert domain users 4096 2011-06-10 08:51 kde-malbert
[snip]
Notice the following line:
-rwxr--+ 1 malbert domain users 0 2011-06-10 13:03 foo
The + sign in -rwxr--+ points to extended attributes. It is possible that these are ACLs. There is an excellent document on ACLs in the SuSE documentation. Go have a look at it if you need to. Explaining ACLs would certainly explode this article, so I won't discuss those.
Extended attributes could also be related to the file system. See the man page of chattr for more information on that.
Now, as a sidenote: this is StackOverflow. Questions should be development related. For questions like this one, there's http://www.serverfault.com. But As you were not aware, that this is not a development problem, but more related to the OS, I felt I should answer anyway ;)
Good luck, and have fun!
The process doesn't decide anything; whenever it tries an operation the operating system checks it's EUID and decides if has the required privileges.
For example when it tries to access a file, the owner and permissions of the file are checked. If the EUID of the process doesn't have enough privileges for an operation, that operation will fail (usually with EPERM).
I have set up an Amazon EC2 instance. By default my apache is running as user apache of the group apache.
I created new ftp user test and uploaded my files to /home/test/public_html. I then configured the virtual host DocumentRoot to point to my project, residing in /home/test/public_html.
When the directory is owned by user test, uploading in the project is denied: it gives a permission error. If I change the owner of the directory to apache, it works.
How can give the apache user superuser rights, to permit it to upload without changing the directory's owner?
It's always same problem. Upload with user ftp and no access for user apache.
I solved that problem using filesystems extended acls.
It's possible to put a 'default' user and/or group to new generated files.
What you have to do:
add 'acl' to your mount options for your desired filesystem. (Please check if your kernel is configured for posix acl before doing so!)
use command 'setfacl' to set permissions (you may need to install a package containing 'setfacl' before depending on your distribution.)
Example:
First own for user ftp so uploads can be made
# chown ftp:ftp /var/www/server/htdocs
# ls -la /var/www/server/htdocs/
insgesamt 0
drwxr-xr-x 2 ftp ftp 40 26. Nov 12:40 .
drwxrwxrwt 15 root root 360 26. Nov 12:40 ..
Next set default for user apache
# setfacl -d -m u:apache:rwx /var/www/server/htdocs
# setfacl -d -m g:apache:rwx /var/www/server/htdocs
# getfacl /var/www/server/htdocs
# file: /var/www/server/htdocs
# owner: ftp
# group: ftp
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:apache:rwx
default:mask::rwx
default:other::r-x
After putting files or directorys to this directory you will see that you have multiple accessrights to them. But keep in mind that those rights are only given to new files not to existing once.
# getfacl /var/www/server/htdocs/test.txt
# file: /var/www/server/htdocs/test.txt
# owner: ftp
# group: ftp
user::rw-
user:apache:rwx #effective:rw-
group::r-x #effective:r--
group:apache:rwx #effective:rw-
mask::rw-
other::r--
When using 'ls -l' you see a '+' after the permissions to inform about acl rights:
# ls -la /var/www/server/htdocs
insgesamt 0
drwxr-xr-x+ 3 ftp ftp 80 26. Nov 12:43 .
drwxrwxrwt 15 root root 360 26. Nov 12:40 ..
drwxrwxr-x+ 2 ftp ftp 40 26. Nov 12:43 test
-rw-rw-r--+ 1 ftp ftp 0 26. Nov 12:43 test.txt
I would at all cost avoid letting apache user have root privileges.
This would be quite a serious security issue: exactly because the server is potentially (more) vulnerable you normally make a specifc user for it (here the 'apache' user) where you can specify the privileges to only those that are really needed for the server run.
If there are problems with the Apache user not having all the right permissions you should solve them by changing the ownership of corresponding files to apache user,
chown apache:apache <filename>
or, by making them readable/writable/executable for more users, e.g. using
chmod 777 <filename>