On Ubuntu 10.04.4 server, I did this:
sudo mkdir -p /data/somedir
sudo chown -R www-data.www-data /data/somedir
sudo chmod -R g+w /data/somedir
sudo usermod -a -G www-data john ##john is current login user.
With these operations done, I am supposed to have write permission in /data/somedir. But when I did this:
echo "123" > /data/somedir/123
I got:
-bash: /data/somedir/123: Permission denied
The ls -l output:
$ ls -l /data/
total 4
drwxrwxr-x 2 www-data www-data 4096 2012-04-24 22:30 somedir
Question is: why? Is there something I still need to do after that?
Changes made with usermod only take effect on following logins; your existing login session does not yet have the www-data group, as you can verify with id. It is not easy to alter the identity of running processes (newgrp might work); the easiest way to deal with it is to log out and back in.
My application is hosted on Ubuntu in the public_html folder. When I run the command git add . it gives me the error:
warning: could not open directory 'public_html/': Permission denied
Entire code is in public_html folder
How can I solve it?
You should make sure that your user has access to, or is the owner of, the folder and its content. You can check the current owner and permissions by running:
ls -l public_html
Here I list all non-hidden files in a test folder:
who:test who$ ls -l
total 0
-rwxrwxrwx 1 root admin 0 Oct 3 18:04 test1
-rwxrwxrwx 1 root admin 0 Oct 3 18:04 test2
The output shows that both files are owned by the root user and belong to a group named admin. The first column also shows the access permission, which in this case is set to read and write access to everyone.
If you would like to change the owner you can do:
sudo chown -R <user>:<group> public_html
The above will set the owner of the folder and all its content to the specified user and group; you might need sudo privileges to do this.
It is possible to change only the owner or only the group with the same command:
sudo chown -R <user> public_html
sudo chown -R :<group> public_html
To change the permission you would use:
sudo chmod -R <mode> public_html
Where mode is the permission, for instance 0777 for full read and write access to everyone. You can also use letters instead of an octal number when setting permissions, for instance:
sudo chmod -R a+rwx public_html
gives the same result as the first chmod command.
References
The chown command: https://ss64.com/bash/chown.html
The chmod command: https://ss64.com/bash/chmod.html
I can't understand how exactly this works in Linux.
For example, I want only users in some group to have access to execute some file (I hope this is possible without visudo).
I create a system user and system group like:
useradd -K UID_MIN=100 -K UID_MAX=499 -K GID_MIN=100 -K GID_MAX=499 -p \* -s /sbin/nologin -c "testusr daemon,,," -d "/var/testusr" testusr
I add my current user user to the group testusr (may not be cross-platform):
adduser user testusr
I create some test shell file and set permissions:
touch test.sh
chmod ug+x test.sh
sudo chown testusr:testusr test.sh
But I still can't start test.sh as user:
./test.sh
-> Error
Now I look for some system groups like cdrom to check how they work. My user is in cdrom group and can use the cd rom on my computer:
$ ls -al /dev/cdrom
lrwxrwxrwx 1 root root 3 апр. 17 12:55 /dev/cdrom -> sr0
$ ls -al /dev/sr0
brw-rw----+ 1 root cdrom 11, 0 апр. 17 12:55 /dev/sr0
Addition:
./test.sh command starts to work as I want after system reboot. Strange...
I'm on Ubuntu Studio 15.10
The group changes are reflected only upon re-login.
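This answer and the earlier usermod answer both describe a session that still carries its login-time group list. The following is an added example, not part of either original answer, that compares the running process's groups with the group database; missing_groups and stale_groups are hypothetical helper names.

```shell
#!/bin/sh
# Added illustration: detect a login session that predates a group change.

# missing_groups SESSION_GROUPS DATABASE_GROUPS
# Prints the groups present in the second list but absent from the first.
missing_groups() {
    missing=""
    for g in $2; do
        case " $1 " in
            *" $g "*) ;;                  # session already carries it
            *) missing="$missing $g" ;;   # granted, but not yet active
        esac
    done
    echo "${missing# }"
}

# stale_groups: compare this process with the group database.
# `id -Gn` with no argument reports the running process's groups;
# `id -Gn USER` looks the user up in the group database instead.
stale_groups() {
    user=$(id -un 2>/dev/null) || return 0
    session=$(id -Gn 2>/dev/null) || return 0
    database=$(id -Gn "$user" 2>/dev/null) || return 0
    missing_groups "$session" "$database"
}

stale=$(stale_groups)
if [ -n "$stale" ]; then
    echo "Session predates a group change; not yet active: $stale"
    echo "Log out and back in (or start a new login shell) to pick them up."
else
    echo "Session groups match the group database."
fi
```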
On my machine the sudo command is not working and it gives the following message.
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set
When I tried
ls -l /usr/bin/sudo
it gives:
-rwxr-xr-x 1 'whoami' root 155008 Aug 28 2015 /usr/bin/sudo
It looks like, at some point, someone tried to take over ownership of the sudo executable but used single quotes rather than backticks:
chown 'whoami' /usr/bin/sudo # The wrong way
chown `whoami` /usr/bin/sudo # The right way
chown $(whoami) /usr/bin/sudo # Another right way
Note that I say "right way" but it's probably not something anyone should be doing anyway.
You're going to have to figure out some other way of getting into the root account (such as booting in single user mode) and changing the ownership and permissions back to what they should be:
chown root /usr/bin/sudo
chmod u+s /usr/bin/sudo
After that, it should be back at the correct:
-rwsr-xr-x 1 root root 155008 Aug 28 2015 /usr/bin/sudo
If I do:
ls -al /usr/local/bin/kill-all-sales-apps
I see:
-r-xr-xr-- 1 jenkins root 68 Aug 4 12:10 kill-all-sales-apps
If I sudo to root and then su to jenkins, I should be able to delete this, yes?
Other relevant information about the directory and its parent:
drwxr-xr-x 2 root root 4096 Aug 4 12:11 .
drwxr-xr-x 10 root root 4096 May 7 17:20 ..
If I do:
groups jenkins
then I see that the user "jenkins" has been added to the "root" group:
jenkins : jenkins root run-server-software
But if I:
rm /usr/local/bin/kill-all-sales-apps
I get:
rm: remove write-protected regular file ‘/usr/local/bin/kill-all-sales-apps’? y
rm: cannot remove ‘/usr/local/bin/kill-all-sales-apps’: Permission denied
Why is permission denied?
As to why the jenkins user can't delete, the jenkins user needs write permissions on the parent folder of the file you're looking to delete. This is because you're actually removing directory entries from the parent folder.
Usually, on most filesystems, deleting a file requires write
permission on the parent directory (and execute permission, in order
to enter the directory in the first place). (Note that, confusingly
for beginners, permissions on the file itself are irrelevant. However,
GNU rm asks for confirmation if a write-protected file is to be
deleted, unless the -f option is used.)
Source: Wikipedia - Rm_(Unix)
So try running...
ls -ld /usr/local/bin
And make sure the jenkins user has write permissions on /usr/local/bin
Another way to do it is to modify sudoers to give the jenkins user sudo permissions to rm only that file via sudo. Here's an example giving the user joe the explicit permission to sudo rm the file /usr/local/src/noperms/hi.txt from a directory he does not have write permissions to, while limiting him from deleting anything else in that directory.
For example:
[root#joeyoung.io ~]# mkdir -p /usr/local/src/noperms
[root#joeyoung.io ~]# chmod -R 455 /usr/local/src/noperms
[root#joeyoung.io ~]# touch /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# echo "hi" >> /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# chmod 455 /usr/local/src/noperms/hi.txt
[root#joeyoung.io ~]# su - joe
[joe#joeyoung.io ~]$ cat /usr/local/src/noperms/hi.txt
hi
[joe#joeyoung.io ~]$ rm /usr/local/src/noperms/hi.txt
rm: remove write-protected regular file `/usr/local/src/noperms/hi.txt'? y
rm: cannot remove `/usr/local/src/noperms/hi.txt': Permission denied
[joe#joeyoung.io ~]$ exit
[root#joeyoung.io ~]# visudo
[root#joeyoung.io ~]# diff -Nur /tmp/sudoers.orig /etc/sudoers
--- /tmp/sudoers.orig 2015-08-04 17:17:24.020781442 +0200
+++ /etc/sudoers 2015-08-04 17:24:21.258274163 +0200
## -101,6 +101,7 ##
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
+joe ALL=(root) NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
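Review bot: The added joe line carries NOPASSWD, so any process running as joe can run this rm as root without re-authenticating; unless joe is a non-interactive account, drop NOPASSWD. The command is pinned to /bin/rm with one absolute path and no wildcards, which is what stops it covering other files in the directory, so keep it that exact. Consider putting the rule in its own file under /etc/sudoers.d rather than editing /etc/sudoers in place, which makes it easier to audit and to remove once the file is gone.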
[root#joeyoung.io ~]# su - joe
[joe#joeyoung.io ~]$ sudo /bin/rm /usr/local/src/noperms/hi.txt
[joe#joeyoung.io ~]$ exit
[root#joeyoung.io ~]# ls -al /usr/local/src/noperms/hi.txt
ls: cannot access /usr/local/src/noperms/hi.txt: No such file or directory
[root#joeyoung.io ~]# ls -al /usr/local/src/noperms/
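The parent-directory rule from the answer above, evaluated from mode bits alone so the result does not depend on who runs it. This is an added example, not code from the original answer: class_bits and can_unlink are hypothetical helper names, the demo directory and uid are constructed, GNU stat is assumed, and ACLs are ignored.

```shell
#!/bin/sh
# Added illustration (needs GNU stat). Classic mode bits only: uid 0 always
# passes and ACLs are ignored. Paths and ids below are constructed.

# class_bits MODE OWNER GROUP UID "GIDS": rwx bits (0-7) that apply to UID.
# The first matching class wins: owner, then group, then other.
class_bits() {
    mode=$1 owner=$2 group=$3 uid=$4 gids=$5
    if [ "$uid" -eq "$owner" ]; then
        echo $(( (mode >> 6) & 7 )); return
    fi
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then
            echo $(( (mode >> 3) & 7 )); return
        fi
    done
    echo $(( mode & 7 ))
}

# can_unlink FILE UID "GIDS": prints "yes" or "no: <reason>".
# The file's own mode is never consulted, only its parent directory's.
can_unlink() {
    file=$1 uid=$2 gids=$3
    if [ "$uid" -eq 0 ]; then echo "yes"; return; fi
    dir=$(dirname -- "$file")
    dmode=$(( 0$(stat -c %a -- "$dir") ))
    downer=$(stat -c %u -- "$dir")
    dgroup=$(stat -c %g -- "$dir")
    bits=$(class_bits "$dmode" "$downer" "$dgroup" "$uid" "$gids")
    if [ $(( bits & 3 )) -ne 3 ]; then
        echo "no: need write and execute on $dir"; return
    fi
    # Sticky directory: only the owner of the file or directory may unlink.
    if [ $(( dmode & 01000 )) -ne 0 ] &&
       [ "$uid" -ne "$(stat -c %u -- "$file")" ] &&
       [ "$uid" -ne "$downer" ]; then
        echo "no: $dir is sticky and uid $uid owns neither it nor the file"
        return
    fi
    echo "yes"
}

# Constructed demo: a non-owner in the directory's group, as jenkins was.
demo=$(mktemp -d) && touch "$demo/app" && chmod 555 "$demo/app"
member=$(( $(stat -c %u "$demo") + 1 )); grp=$(stat -c %g "$demo")
chmod 755 "$demo"; can_unlink "$demo/app" "$member" "$grp"   # group has r-x
chmod 775 "$demo"; can_unlink "$demo/app" "$member" "$grp"   # group has rwx
rm -rf "$demo"
```

The first call reports "no" and the second "yes" even though the file itself stays read-only throughout.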
I have created a group (let's call this user admin):
sudo groupadd mygroup
switched to user test (from admin user):
sudo su - test
cd /home/test/
mkdir external
exit
cd /home/test/
sudo chgrp -R mygroup external
sudo usermod -a -G mygroup admin
sudo usermod -a -G mygroup test
sudo chmod -R g=rwx external
Now I do this:
cd external
mkdir something
mkdir: cannot create directory ‘something’: Permission denied
So how can I make it so that everyone who has mygroup has all access like the owner does? So I could create inside the external directory any other directory or file, delete it and so on (without using sudo).
P.S.
ls -l:
drwxrwxr-x 2 test mygroup 4096 Spa 15 16:24 external
getent group mygroup:
ambulance:x:1002:admin,test
sudo groupadd mygroup
mkdir external
sudo chown -R root:mygroup external
sudo chmod -R 'g+w' external
sudo chmod -R 'g+s' external