tmux shared socket throws "access not allowed" error - sockets

I am using tmux 3.3a on an Ubuntu 22.10 system with two users, bob and alice.
Both users are members of the multiplexer group.
Bob has created a tmux session on a custom socket like so:
tmux -S /tmp/our_socket new -s our_session
and then changed the group of the socket file to multiplexer and added read/write permissions for that group:
chgrp multiplexer /tmp/our_socket
chmod g+rw /tmp/our_socket
Now alice, who is also a member of the multiplexer group, is trying to connect to this session using:
tmux -S /tmp/our_socket attach -t our_session
which throws an access not allowed error.
However when alice uses sudo-privileges, she is able to connect to the tmux session.
I do not understand why access is denied without elevated privileges, as the socket file has read/write permissions for the multiplexer group and both bob and alice are members of that group. My guess is that it's connected to the sticky bit enabled for the /tmp directory, but I'm not sure.

I had a similar problem. It seems that the later versions of tmux have their own access check as well. So, in addition to making the socket accessible to the user you want to share the session with, you also need to tell tmux that this user is allowed.
tmux server-access -a {user_to_share_with}
For more info, see the description of tmux "server-access" command.
P.S. As a bonus, the user can be allowed read-only access only now!
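
The two layers described in this answer (socket file permissions, then tmux's own access list) can be set up and checked together. This is an added example, not part of the original answer; the socket path, group and user names are the ones from the question, and `socket_fs_ok`, `share_session` and `revoke_session` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Path, group and user names are taken from the question.
SOCK=/tmp/our_socket
GROUP=multiplexer

# Layer 1 (filesystem): succeed if FILE is group-owned by GROUP and has g+rw.
socket_fs_ok() {
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    case "$(stat -c %A "$1")" in
        ????rw*) return 0 ;;   # characters 5-6 of e.g. "srw-rw----" are group r/w
        *)       return 1 ;;
    esac
}

# Run as the session owner (bob): open both layers for USER.
# MODE is "rw" (default) or "ro" for a read-only client.
share_session() {
    user=$1
    mode=${2:-rw}
    chgrp "$GROUP" "$SOCK" || return 1
    chmod g+rw "$SOCK" || return 1
    socket_fs_ok "$SOCK" "$GROUP" || return 1
    # Layer 2 (tmux access list): without this, attach fails with
    # "access not allowed" even though the socket file is writable.
    tmux -S "$SOCK" server-access -a "$user" || return 1
    if [ "$mode" = ro ]; then
        tmux -S "$SOCK" server-access -r "$user" || return 1
    fi
    tmux -S "$SOCK" server-access -l   # print the resulting access list
}

# Run as the session owner: remove USER from the access list again.
revoke_session() {
    tmux -S "$SOCK" server-access -d "$1"
}

# Typical use, as bob:
#   tmux -S /tmp/our_socket new -d -s our_session
#   share_session alice ro
# then, as alice:
#   tmux -S /tmp/our_socket attach -t our_session
```

Attaching with sudo works without either step because the tmux server always permits its owner and root.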

Related

Tableau server tried to activate but said command not found

Hello everyone, I tried to activate Tableau Server but it said
tsm command not found
I tried to activate it using the command
tsm licenses activate -k myproductkey
Before, I tried to run this command
sudo ./initialize-tsm --accepteula
and got this 'warning'. I don't really get the meaning of the 'warning', maybe because of my lack of English(?)
User 'root' has been selected as the user to add to the TSM authorized group, but
TSM does not allow root as a TSM-authorized user. You must either re-run this
script using 'sudo' while logged in as a normal user instead of root (most common
case), rerun this script with the '-a username' option to select a user other than
root to add to the group, or the '-g' flag to disable group addition completely
and add appropriate users to the group yourself. Canceling.
Why do I get this error and how do I resolve it?
Use the -a flag to specify a user to be added to the tsmadmin and tableau groups instead of the user running this script. If you are installing with the root account, then you must specify the -a flag.

permission denied when using `sudo grep syslog` inside perl script (cgi-bin)

I have a Perl script inside my cgi-bin folder. What I want is to grep syslog using sudo grep (because it is root), but I got this message:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
So, is there any solution to this problem?
You should add the apache/nginx user to sudoers with NOPASSWD in order to work (Not very recommendable)

Drop tcpdump permissions

Even after changing the group and ownership of tcpdump to user mode, I still get the following error:
tcpdump -i eth0
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)
ls -la /usr/sbin/tcpdump
-rwxr-x--- 1 user1 user1 830920 Apr 24 21:28 /usr/sbin/tcpdump
I know it is not good to drop the permission of tcpdump from root to user but for ease of use in my case, I would like to be able to use it from user level.
I took the hint from:
"tcpdump -w 1.pcap" works, but "tcpdump -C 100 -w 1.pcap" - permission denied
and installed AppArmor as I am using Ubuntu 12.04 LTS.
And did:
sudo aa-complain /usr/sbin/tcpdump
Still I get the same error msg. If I use "-Z" with the tcpdump command, I can drop the privileges and run tcpdump but not otherwise.
Is there a way out?
Thanks
libpcap (which tcpdump is based on) requires admin privileges to set your interface into promiscuous mode. There is nothing you can do about it, the kernel won't let you/tcpdump/libpcap do that, period.
What you can do is use tcpdump without promiscuous mode, but that will severely limit its functionality: you will only see traffic directed explicitly to/from your machine, as opposed to everything that's seen on the wire, which is usually what you want to do (and is why using promisc mode is the default). In order to do that, use this tcpdump option:
--no-promiscuous-mode
Don't put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason;
hence, `-p' cannot be used as an abbreviation for `ether host
{local-hw-addr} or ether broadcast'.
For more info on promiscuous mode:
http://en.wikipedia.org/wiki/Promiscuous_mode
I quote:
Many operating systems require superuser privileges to enable
promiscuous mode.
In Linux, at the low level, this is done by setting the IFF_PROMISC flag on the netdevice via a SIOCSIFFLAGS ("set flag") ioctl. And as you can see here:
http://man7.org/linux/man-pages/man7/netdevice.7.html
... "Setting the active flag word is a privileged operation", and "using it requires an effective user ID of 0 or the CAP_NET_ADMIN capability. If this is not the case, EPERM will be returned."
So another direction may be to give your "userjoe" account the CAP_NET_ADMIN rights, but I would advise against this. Security wise it's not better, if not worse, than to be part of the sudo'ers and explicitly sudo when you need to.
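
The capability rule quoted from netdevice(7) can be checked against a running process by decoding the `CapEff` mask in `/proc/<pid>/status`. This is an added example, not part of the original answer; the helper names are hypothetical and the masks in the usage comments are constructed. CAP_NET_RAW is included because packet(7) requires it to open the capture socket.

```shell
#!/bin/sh
# Added example: which capture-related capabilities does a process hold?
# Bit numbers are from <linux/capability.h>.
CAP_NET_ADMIN=12   # SIOCSIFFLAGS / IFF_PROMISC, per netdevice(7)
CAP_NET_RAW=13     # opening packet sockets, per packet(7)

# has_cap HEXMASK BIT: succeed if BIT is set in the hex capability mask.
has_cap() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [PID]: print the effective capability mask of PID (default: self).
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }' "/proc/${1:-self}/status"
}

# net_caps HEXMASK: print the capture-related capabilities present in the mask.
net_caps() {
    out=""
    has_cap "$1" "$CAP_NET_ADMIN" && out="net_admin"
    has_cap "$1" "$CAP_NET_RAW" && out="${out:+$out }net_raw"
    echo "$out"
}

# Constructed sample masks:
#   net_caps 0000000000000000   -> (empty)  typical unprivileged user
#   net_caps 0000000000002000   -> net_raw  can open the socket, cannot set IFF_PROMISC
#   net_caps 000001ffffffffff   -> net_admin net_raw  typical root shell
if [ -r /proc/self/status ]; then
    echo "this shell: $(net_caps "$(cap_eff)")"
fi
```

Run `net_caps "$(cap_eff PID)"` against a capture process to confirm it holds no more than it needs.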

How to share my remote samba connection for all local users?

Several guys in our office have accounts on a local Linux (Ubuntu) workstation (named local-server). But only I have an account to access the remote Samba server (named remote-server).
For security, I cannot tell the other guys my account and password information. But I want to share my mount point with them.
For example, I mount the remote Samba server on this path: /home/samba/. I want everyone on local-server to be able to read/write the '/home/samba' directory and its sub-directories. (However, I don't want to modify the remote files' permission modes.)
How can I configure it? Thank you very much!
You can set the uid/gid to be different and therefore allow other users to read/write to your share. First create a local group, e.g. shareaccess and assign it to your users:
sudo addgroup shareaccess
sudo usermod -a -G shareaccess user1
Then mount the share:
mount.cifs -ouid=youruser,forceuid,gid=shareaccess,forcegid,file_mode=770,dir_mode=770,credentials=/etc/secret-cred //server/share /home/samba
Files and directories will appear to be owned by youruser:shareaccess locally with permissions ug=rwx.
If the server is a Samba (not Windows) server too and has Unix extensions enabled, file and directory permissions are set according to the server. This might or might not be desirable. You can disable Unix extensions for the mount by adding the nounix option, which will force the modes to be the ones specified at mount-time. Be aware that this will disable all Unix extensions, e.g. symlink support.
References:
mount.cifs man page
If you want to re-attach your mounted Samba network shares, you can use the following:
sudo mount -a

Emacs Tramp - How to edit files using Tramp as another user in a remote host?

I have only one user (say "goodk") that can accept SSH connections. So, I am not able to use Tramp to edit files which are accessible to other users than the one that accepts SSH connection. How can I achieve this?
How I do this currently:
I use terminal. From terminal I login to user "goodk". Then I switch user using su or sudo.
Have you checked:
How can I use Emacs Tramp to double hop ssh?
or
http://jeremy.zawodny.com/blog/archives/000983.html
or
http://codesnippets.joyent.com/posts/show/366
To the remote server the files are being read/written by the user that connects via ssh. If the files to be modified are owned by a different user then they will need to be readable/writable by the ssh user.