Linux, Why can't I write even though I have group permissions? - linux

I want to create a file in a directory owned by the staff group which I am a member of. Why can I not do this?
bmccann@bmccann-htpc:~$ ls -l /usr/local/lib/R/
total 4
drwxrwsr-x 2 root staff 4096 2010-07-31 16:21 site-library
bmccann@bmccann-htpc:~$ id -nG bmccann
bmccann adm dialout cdrom plugdev staff lpadmin admin sambashare
bmccann@bmccann-htpc:~$ touch /usr/local/lib/R/site-library/tmp
touch: cannot touch `/usr/local/lib/R/site-library/tmp': Permission denied

Did you log out and log back in after making the group changes? See:
Super User answer involving touch permissions failure

I had the same issue. Check whether the folder has any additional ACL rules!
If you see a + (plus sign) when you list the folder, that means it has special access rules. For example:
[user_in_apache_group@web02 html]$ ls -l
total 16
drwxrwxr-x 16 apache apache 4096 Sep 4 13:46 ilias
drwxrwxr-x+ 15 apache apache 4096 Sep 4 13:46 ilias5
View the permissions:
[user_in_apache_group@web02 html]$ getfacl ilias5
# file: ilias5
# owner: apache
# group: apache
user::rwx
user:user_in_apache_group:r-x
group::rwx
mask::rwx
other::r-x
So that means my user (user_in_apache_group) has no write permission for that folder.
The solution is what @techtonik said, add write permission for the user:
[user_in_apache_group@web02 html]$ sudo setfacl -m u:user_in_apache_group:rwx ./ilias5
Check the permissions again:
[user_in_apache_group@web02 html]$ getfacl ilias5
...
user:user_in_apache_group:rwx
...
Hope it helps. ;)
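The reason the named-user entry blocks writing even though group::rwx is present is the evaluation order in acl(5): owner, then named user, then group entries, then other, stopping at the first class that matches. The following is an added example, not code from the thread; `parse_getfacl` and `decide` are hypothetical helper names, and users and groups are compared by name rather than numeric ID.

```python
# Added example (not from the thread): the acl(5) access check over getfacl text.
SAMPLE = """\
# file: ilias5
# owner: apache
# group: apache
user::rwx
user:user_in_apache_group:r-x
group::rwx
mask::rwx
other::r-x
"""  # the getfacl output quoted in the answer above

def parse_getfacl(text):
    """Collect the access-ACL entries; default: entries and comments are skipped."""
    acl = {"owner": None, "group": None, "mask": None, "other": "",
           "user_obj": "", "group_obj": "", "users": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
            continue
        fields = line.split("#")[0].strip().split(":")
        if len(fields) != 3 or fields[0] not in ("user", "group", "mask", "other"):
            continue
        tag, who, perms = fields
        if tag in ("mask", "other"):
            acl[tag] = perms
        elif who:
            acl[tag + "s"][who] = perms   # named user / named group
        else:
            acl[tag + "_obj"] = perms     # owning user / owning group
    return acl

def decide(acl, user, groups, want):
    """Return (allowed, deciding entry) for one permission letter: r, w or x."""
    def masked(perms):  # named users and every group entry are capped by mask
        return want in perms and (acl["mask"] is None or want in acl["mask"])
    if user == acl["owner"]:
        return want in acl["user_obj"], "user::"
    if user in acl["users"]:
        # First matching class wins: group entries are never consulted here.
        return masked(acl["users"][user]), "user:%s:" % user
    matching = [("group:%s:" % g, p) for g, p in acl["groups"].items() if g in groups]
    if acl["group"] in groups:
        matching.insert(0, ("group::", acl["group_obj"]))
    for entry, perms in matching:
        if masked(perms):
            return True, entry
    if matching:
        return False, matching[0][0]
    return want in acl["other"], "other::"
```

Calling `decide(parse_getfacl(SAMPLE), "user_in_apache_group", {"apache"}, "w")` reports the named-user entry as the one that denies the write, while any other member of the apache group is granted it through `group::`.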

Why can't Linux user edit files in group he is a part of?
I am using Ubuntu 12.04 and had the same problem, where a user cannot write to a file to which he is allowed group access. For example:
whoami # I am user el
el
touch /foobar/test_file # make a new file
sudo chown root:www-data /foobar/test_file # user=root, group=www-data
sudo chmod 474 /foobar/test_file # owner and others get only read,
# group gets rwx
sudo groupadd www-data # create group called www-data
groups # take a look at the groups and see
www-data # www-data exists.
groups el # see that el is part of www-data
el : www-data
Restart the terminal now to ensure the users
and groups have taken effect. Log in as el.
vi /foobar/test_file # try to edit the file.
Produces the warning:
Warning: W10: Warning: Changing a readonly file
What? I've done everything right, so why doesn't it work?
Answer:
Do a full reboot of the computer. Stopping the terminal isn't enough to fix these problems.
I think what happens is apache2 also uses the www-data group, so the task was somehow preventing the users and groups from being enforced correctly. Not only do you have to logout, but you have to stop and restart any services that use your group. If a reboot doesn't get it, you've got bigger problems.

Use Linux ACLs (access control lists) - a more fine-grained version of the permission system:
setfacl -R -m 'group:staff:rwx' -m 'd:group:staff:rwx' /usr/local/lib/R/
This sets both the active rights for the directory and the default rights for anything created within it.
This fails to work without relogin if you've just added yourself to the staff group, but you may set the permission only for yourself for the current session.

I had an issue where a user could not access the /foo/bar/baz directory even though he had permissions, because he did not have access to the bar directory.

Maybe your hard disk is full. Use this command to check the "/dev/..." rows:
df -h

Check whether your parent directory has permission before you add content to that file:
sudo chmod -R 777 /yourDir/file.log

Related

user permissions in Amazon Linux: root vs ec2-user

In an Amazon Linux instance, after deployment using ElasticBeanstalk, all the files are owned by root user:
drwxr-xr-x 25 root root 4096 jan 01 00:00 var
But the current user is ec2-user, so I don't have permissions to create/modify anything inside the /var folder. What is the best approach to make it work? chown and modify the owner to ec2-user? Add the user to a user group, if one exists, which I don't know... Any other idea?
I don't have permissions to create/modify inside /var folder anything.
You can use the following ways to achieve this:
1) Try sudo [your command]
2) sudo chown user directory
3) sudo bash # this will make you root directly
But beware of ways 2 and 3: they can break your system if you do something wrong. There is a famous saying: hope you know what you will do.

Linux, execute operations that needs superuser privilege with Electronjs - Nodejs

Sorry, but I don't know much about Linux and I have always developed in other environments. I made a cross-platform application with ElectronJS and I need to create a directory with this code:
const fs = require("fs");

// Directory the application needs at runtime; creating it under /opt requires write access to the parent.
let staticPath = "/opt/pcapp/resources/monitor";
if (!fs.existsSync(staticPath)) {
  fs.mkdirSync(staticPath);
}
On Windows and Mac it works like a charm, but on Linux (Ubuntu) I installed the app and I get this error due to the required superuser rights.
The users who are going to deal with the application will not have superuser privileges.
Now I would like to know if there is a way to grant permission to create, update and delete some files and directories in the application working directory /opt/pcapp/resources/monitor without sudo or other stuff.
You have two options I can think of.
1) ACLs which will take a bit of a learning curve.
2) Simple permissions and groups which can be done quite easily.
I created a group mygroup and added a couple of users to it.
# groupadd mygroup
# usermod -aG mygroup user1    # -a appends; -G alone replaces the user's other supplementary groups
# usermod -aG mygroup user2
I then change the permissions and group on the folder you want the users to have access to:
# chmod 02770 /opt/pcapp/resourcees/monitor
# chgrp mygroup /opt/pcapp/resourcees/monitor
You should now see the following:
# ls -ld /opt/pcapp/resourcees/monitor
drwxrws---. 4 root mygroup 4096 Dec 6 17:23 /opt/pcapp/resourcees/monitor
Now any new file created in the folder will have a group mygroup. You will have to change existing files and folders.
As user2
$ touch /opt/pcapp/resourcees/monitor/testfile1
$ ls -ld /opt/pcapp/resourcees/monitor/testfile1
-rw-rw-r--. 1 user2 mygroup 0 Dec 6 17:29 /opt/pcapp/resourcees/monitor/testfile1
As user1
$ rm -v /opt/pcapp/resourcees/monitor/testfile1
removed ‘/opt/pcapp/resourcees/monitor/testfile1’
If this isn't granular enough, read about Linux ACLs.
Hope this helps.

Permission of the webpage folder /var/www on a Linux server

I have moved my website from Godaddy to a VPS server. I'm new to Linux, so I followed some tutorials online but am still confused about some problems.
I use SSH to log on to my server as user adam. In order to run PHP properly, I have to set 755 permission on /var/www and change the owner of this folder to www-data. But that means I don't have permission to write files in this folder even if I add user adam to the group www-data. And I cannot upload webpages to this folder using FTP, which is very annoying. (Currently I have to type su to switch to root and then modify these files with nano.)
I know setting 777 is a solution but it may cause some safety concerns so I'm looking for a better solution.
drwxr-xr-x 8 www-data www-data 4096 Jul 24 21:36 www
Every permission number is composed as follows:
4: read
2: write
1: execute
So if you add them you get the permission. For example, 7 means all the permissions and 6 means read and write.
The first number of 755 is for the owner, the second for the group's users and the third for other users.
Then 755 means rwxr-xr-x, that is, the owner can read, write and execute, but the group members can't write.
If you want to solve this you can change the privileges to 775; then it will change to rwxrwxr-x.
Or you can add www-data as a secondary group to adam and set a setgroupid www-data for /var/www.

Symfony2 cache recreation - write permission fail

Here is the problem.
The cache is stored in the app/cache folder. I'm currently working in the dev environment and my cache is stored in the app/cache/dev folder. The problem appears when I use the Symfony console command for cache clearing:
php app/console cache:clear
When I try to load my project localhost/symfony/dev_app.php I receive an error:
RuntimeException: Failed to write cache file
I've installed the setfacl extension, because Debian does not support chmod a+, and here is what I've done:
First, I checked which user is used when HTTP requests are performed:
ps aux | grep http
ahmed 7219 0.0 0.0 7552 884 pts/0 S+ 19:51 0:00 grep http
Then I cleared the app/cache folder by performing
rm -rf app/cache/*
Next step was:
setfacl -R -m d:u:ahmed:rwx,ahmed:rwx app/cache
As I understand it, this command sets default permissions for user ahmed on the app/cache folder and its current and new subfolders and files.
In my console I work as the ahmed user.
After all these steps I loaded localhost/symfony/dev_app.php and the cache was created. Then
php app/console cache:clear
And once again localhost/symfony/dev_app.php to create a new cache. But I still receive this error:
RuntimeException: Failed to write cache file "/var/www/local/symfony/app/cache/dev/classes.php".
So what am I doing wrong?
Here is the listing of getfacl for app/cache/dev:
ahmed@ahmed:/var/www/local/symfony$ getfacl app/cache/dev
# file: app/cache/dev
# owner: root
# group: ahmed
# flags: -s-
user::rwx
user:ahmed:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ahmed:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
The web server group (probably www-data) needs to be able to write to the cache and so does your user. Your user (ahmed) should be a member of the www-data group (note that you will have to re-login for group membership to take effect). Setting the setgid bit (+s) on app/cache and app/logs will ensure that files and directories your user creates within those will maintain group ownership by www-data. Uncomment the umask(0002) line within app_dev.php so that files created by www-data will maintain group ownership, make sure YOUR user has a umask of 0002 (type umask at prompt to see, or umask 0002 to set, and google for help on setting this at login) and ensure that your permissions look something like:
drwxrwsr-x 13 user www-data 4096 2013-05-10 11:05 dev
When your user ahmed creates files/directories within the directory owned by ahmed.www-data with +s, you should find that they are also owned by ahmed.www-data.

Debian/Linux Group permissions are not working as they are supposed to

I'm working on a BOINC project.
I have two users: boincadm and www-data (for apache).
Both belong to group boinc:
www-data : boinc www-data boincadm
boincadm : boinc adm dialout fax cdrom floppy tape audio dip www-data video plugdev netdev bluetooth lpadmin fuse scanner sambashare subversion
I have a boinc project created in /home/boincadm/projects/myproject/
All files and folders there are owned by boincadm : boinc and have rwxrwx--- permissions.
The problem is that the www-data user cannot access the files, which causes multiple errors like:
Warning: require_once(../inc/db.inc): failed to open stream: Permission denied in /home/boincadm/projects/myproject/html/user/index.php
Fatal error: require_once(): Failed opening required '../inc/db.inc' (include_path='.:/usr/share/php:/usr/share/pear') in /home/boincadm/projects/myproject/html/user/index.php
or just
Can't access the file XXX
in the logs.
If I grant rwx to "others" (777) it works.
My question is, why don't the group permissions work as I expect? Any ideas?
I'm not an expert in Linux, so I could be missing something.
Here is a possibility:
www-data has primary group www-data; the rest are supplementary groups.
The server process has the right user (by setresuid or similar) and primary group (by setresgid or similar), but lacks the other supplementary groups (without initgroups or similar).
If this is the case, you have a few options: change the file ownership to the primary group, change the group the server runs as, or fix the server to include all supplementary groups.
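Both this answer and the earlier advice to log in again or restart services come down to the same check: the groups a running process actually carries versus the groups the account database grants its user. The following is an added example, not code from the thread; the function names are hypothetical and both text samples are constructed, modeled on the users and groups in this question.

```python
# Added example: compare a running process's credentials with /etc/group.
STATUS = """\
Name:\tapache2
Uid:\t1113\t1113\t1113\t1113
Gid:\t1113\t1113\t1113\t1113
Groups:\t1113
"""  # constructed excerpt in the format of /proc/<pid>/status

GROUP_DB = """\
www-data:x:1113:
boinc:x:1111:boincadm,www-data
"""  # constructed excerpt in the format of /etc/group

def process_gids(status_text):
    """GIDs the kernel uses for this process's file access checks."""
    gids = set()
    for line in status_text.splitlines():
        key, _, rest = line.partition(":")
        if key == "Gid":
            # Fields: real, effective, saved, filesystem. File access uses the
            # filesystem GID, which normally tracks the effective GID.
            gids.add(int(rest.split()[3]))
        elif key == "Groups":
            gids.update(int(g) for g in rest.split())  # supplementary groups
    return gids

def database_groups(group_text, user, primary_gid):
    """Map gid -> name for every group the database assigns to user."""
    found = {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue
        name, _, gid, members = parts
        if int(gid) == primary_gid or user in members.split(","):
            found[int(gid)] = name
    return found

def missing_groups(status_text, group_text, user, primary_gid):
    """Names of groups the database grants but the process does not hold."""
    have = process_gids(status_text)
    want = database_groups(group_text, user, primary_gid)
    return sorted(name for gid, name in want.items() if gid not in have)
```

On a live system the two inputs are the contents of `/proc/<pid>/status` for the server process and of `/etc/group`; a non-empty result means the process was started before the membership change or never loaded its supplementary groups.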
Here is how I solved it:
First of all I read this:
link
At some point this article mentioned the file /etc/group, where information about groups is stored.
I opened this file and noticed that in spite of my previous actions there was no www-data in group boinc, and no www-data in group boincadm and vice versa. That is strange!
Strange because I had added these users to group boinc using the usermod command and made sure this group was primary for both.
Moreover, the command groups <username> showed that they are in group boinc.
So now the question is: why did this happen?
The problem was solved by modifying 3 lines:
boinc:x:1111:boincadm, www-data
boincadm:x:1112:boincadm, www-data
www-data:x:1113:www-data, boincadm
I needed all 3 lines to make it work. Hope it helps somebody. And I still would like to understand why the file /etc/group was not modified automatically when using usermod, and why groups shows the correct result if so.
