Buildroot/busybox usertable.txt and take away access rights for a group/user - buildroot

Question 1:
Through buildroot usertable.txt I created a user called deviceuser which belongs to the groups operator and nogroup:
$cat usertable.txt
deviceuser -1 deviceuser -1 =SERIAL_NO /mnt /bin/sh operator Device user for non-trivial maintanence work
After the image is loaded onto the target, what I get in /etc/group is:
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
kmem:x:9:
wheel:x:10:root
cdrom:x:11:
dialout:x:18:
floppy:x:19:
video:x:28:
audio:x:29:
tape:x:32:
www-data:x:33:
utmp:x:43:
plugdev:x:46:
staff:x:50:
lock:x:54:
netdev:x:82:
users:x:100:
admin:x:1002:deviceuser <====== not sure where it's coming from
nogroup:x:65534:deviceuser
deviceuser:x:1000:
sshd:x:1001:
operator:x:37:deviceuser
$ cat /etc/shadow
root:$1$blahblahblah.:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
bin:*:10933:0:99999:7:::
sys:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
mail:*:10933:0:99999:7:::
www-data:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
deviceuser:$1$blahblahblah:::::::
sshd:*:::::::
As noted above, deviceuser gets admin privilege and I need to eliminate that and make deviceuser part of operator and nogroup only.
Question 2:
I want to take the access rights (read/write/execute) away from this deviceuser or the operator group for the /etc/ folder, while keeping everybody else's permissions intact. There are a number of users and groups in the system, including www-data. What's the simplest way to do this without causing any kind of permission issue for www-data and the others?
If I do "chmod -R o-wrx /etc", then I believe www-data will have issues running some init scripts.
Thanks
Ratin
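One way to check the target's group memberships against what usertable.txt was meant to grant, as an added example that is not part of the original question: it parses constructed copies of the /etc/group and /etc/passwd contents (the passwd line for deviceuser is assumed, since the question shows only /etc/group and /etc/shadow) and reports any group outside the expected set.

```python
# Added example (not from the original question): audit a user's effective
# group memberships from /etc/group and /etc/passwd contents and report any
# group outside the expected set, such as deviceuser's unexpected "admin".

# Constructed sample: /etc/group lines copied from the question (trimmed) and
# an assumed /etc/passwd line for deviceuser (uid/gid 1000, home /mnt, /bin/sh).
ETC_GROUP = """\
root:x:0:
wheel:x:10:root
admin:x:1002:deviceuser
nogroup:x:65534:deviceuser
deviceuser:x:1000:
sshd:x:1001:
operator:x:37:deviceuser
"""
ETC_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
deviceuser:x:1000:1000:Device user:/mnt:/bin/sh
"""

def parse_group(text):
    """Map group name -> (gid, set of supplementary members from the 4th field)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def primary_gid(passwd_text, user):
    """The user's primary gid, i.e. the 4th field of the passwd entry."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return int(fields[3])
    raise KeyError("no passwd entry for " + user)

def effective_groups(user, group_text=ETC_GROUP, passwd_text=ETC_PASSWD):
    """Primary group (matched by gid) plus every group that names the user."""
    groups = parse_group(group_text)
    gid = primary_gid(passwd_text, user)
    return {n for n, (g, members) in groups.items() if g == gid or user in members}

def unexpected_groups(user, expected, **kw):
    """Groups the user is in but should not be; an empty set means clean."""
    return effective_groups(user, **kw) - set(expected)

if __name__ == "__main__":
    # Reports {'admin'} for the sample above.
    print(sorted(unexpected_groups("deviceuser", {"deviceuser", "operator", "nogroup"})))
```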

Related

MacOS, AppleScript and Git

I have a project that will require reading a local repo and collecting the diff between the most recent commit and the one before it. I then need to do additional work with those diffs (add to an existing log file, make available for tech writers to edit existing API docs with the changes - might Slack them or API into Jira and build a ticket (I like that option as it leaves a trail)).
I can do the yeoman level work in an AppleScript, calling shell scripts when needed then parsing the data, and passing the cleaned data to the various applications/sites I need to. But other, less technical people will also be using this app and it would be nice to give them a simple UI to work with.
Anyway, after much digging through the Google, SO and other sources I was able to get a MacOS app working that can call an AppleScript and now I've run into a wall...
I can run this AppleScript from Script Editor and it works fine:
set strGitLog to do shell script "cd ~/Desktop/xxxxxx/Projects/UnifiedSDK/Repo/xxxxxx && git log -p -- file1.html"
"commit c39c6bb004d2e104b3f8e15a6125e3d68a5323ef
Author: Steve <xxxxxx@xxxxxx.com>
Date: Tue Oct 22 15:42:13 2019 -0400
Added deprecation warning to file1
diff --git a/file1.html b/file1.html
index b7af22b..9fdc781 100644
--- a/file1.html
+++ b/file1.html
@@ -51,6 +51,8 @@
<h2>Class Description</h2>
<p style=\"margin-bottom:10px;\">This is the description of the class</p>
+ <p style=\"margin-bottom:10px;\">Warning: This class is scheduled to be deprecated.</p>
+
<h3>Arguments:</h3>
<p style=\"margin-bottom:10px;\">These are the arguments that the class accepts</p>
...
but, if I place this script within a MacOS application:
script gitMessenger
property parent : class "NSObject"
to readMessage()
set strGitLog to do shell script "cd ~/Desktop/xxxxxx/Projects/UnifiedSDK/Repo/xxxxxx && git log -p -- file1.html"
log strGitLog
end readMessage
end script
I get this error message in the log:
fatal: Unable to read current working directory: Operation not permitted (error 128)
Which after checking seems to be a Git permissions error. If I pwd I am pointing to the right directory:
/Users/xxxxxx/Library/Containers/xxxxxx.GitMessenger/Data/Desktop/xxxxxx/Projects/UnifiedSDK/Repo/xxxxxx
and that directory has git initialized on it, and it has read/write permission for everyone. So I am a little at a loss right now as to how to get this to work. Any help or suggestions would be appreciated.

How can I specify the file owner and permissions when using write.csv in R?

I am using an rShiny app in RCloud. When I use write.csv the file is saved as nobody nobody and then I am unable to read it back in using read.csv. Is the solution to specify user and file permissions as options in the write.csv function or is there a different way?
I plan to construct multiple results, append each to a file and then let the user email that file to themselves.
write.csv(lob_comp,'Rcopy.csv')
lob_comp<-read.csv('Rcopy.csv')
-rw-r----- 1 nobody nobody 399 Aug 25 00:51 Rcopy.csv
$ cat Rcopy.csv
cat: Rcopy.csv: Permission denied
An rShiny app user that doesn't have an account is actually logged in as 'nobody', if that is how you have configured RCloud. Since 'nobody' wrote the file, 'nobody' can chmod it. Put this line in your Shiny code:
system("chmod 644 Rcopy.csv")
Once you've chmod'd the file you should be able to read it.

How to change sender name in ssmtp?

I have installed ssmtp on my Linux server. The Apache server runs under the www-data user and sends mail through ssmtp. In received emails I see www-data as the sender name. How can I change it?
Here's my config:
/etc/ssmtp/ssmtp.conf
mailhub=smtp.gmx.com:587
hostname=mysite.com
FromLineOverride=YES
AuthUser=username@gmx.us
AuthPass=password
UseTLS=YES
UseSTARTTLS=YES
/etc/ssmtp/revaliases
root:username@gmx.us
user:username@gmx.us
www-data:username@gmx.us
You could change the finger information for user 'www-data', namely the 'Full Name' finger parameter.
You may do so using Linux 'chfn' command:
chfn -f "Email Sender Name" www-data
What this does is set/change the real name for that user in the finger information (stored in the /etc/passwd file; cf. the chfn man page).
Alternatively you could use the Linux 'usermod' command as follows (though the Linux manual states this is normally modified using the chfn utility; cf. the usermod man page):
usermod -c "Email Sender Name" www-data
This worked for me.

Where to find logs for a cloud-init user-data script?

I'm initializing spot instances running a derivative of the standard Ubuntu 13.04 AMI by pasting a shell script into the user-data field.
This works. The script runs. But it's difficult to debug because I can't figure out where the output of the script is being logged, if anywhere.
I've looked in /var/log/cloud-init.log, which seems to contain a bunch of stuff that would be relevant to debugging cloud-init, itself, but nothing about my script. I grepped in /var/log and found nothing.
Is there something special I have to do to turn logging on?
The default location for cloud init user data is already /var/log/cloud-init-output.log, in AWS, DigitalOcean and most other cloud providers. You don't need to set up any additional logging to see the output.
You could create a cloud-config file (with "#cloud-config" at the top) for your userdata, use runcmd to call the script, and then enable output logging like this:
output: {all: '| tee -a /var/log/cloud-init-output.log'}
So I tried to replicate your problem. Usually I work in Cloud Config, and therefore I just created a simple test user-data script like this:
#!/bin/sh
echo "Hello World. The time is now $(date -R)!" | tee /root/output.txt
echo "I am out of the output file...somewhere?"
yum search git # just for fun
ls
exit 0
Notice that, with CloudInit shell scripts, the user-data "will be executed at rc.local-like level during first boot. rc.local-like means 'very late in the boot sequence'"
After logging into my instance (a Scientific Linux machine) I first went to /var/log/boot.log and there I found:
Hello World. The time is now Wed, 11 Sep 2013 10:21:37 +0200! I am
out of the file. Log file somewhere? Loaded plugins: changelog,
kernel-module, priorities, protectbase, security,
: tsflags, versionlock 126 packages excluded due to repository priority protections 9 packages excluded due to repository
protections ^Mepel/pkgtags
| 581 kB 00:00
=============================== N/S Matched: git =============================== ^[[1mGit^[[0;10mPython.noarch : Python ^[[1mGit^[[0;10m Library c^[[1mgit^[[0;10m.x86_64 : A fast web
interface for ^[[1mgit^[[0;10m
...
... (more yum search output)
...
bin etc lib lost+found mnt proc sbin srv tmp var
boot dev home lib64 media opt root selinux sys usr
(other unrelated stuff)
So, as you can see, my script ran and was rightly logged.
Also, as expected, I had my forced log 'output.txt' in /root/output.txt with the content:
Hello World. The time is now Wed, 11 Sep 2013 10:21:37 +0200!
So... I am not really sure what is happening in your script.
Make sure you're exiting the script with
exit 0 #or some other code
If it still doesn't work, you should provide more info, like your script, your boot.log, your /etc/rc.local, and your cloudinit.log.
btw: what is your cloudinit version?

Chef running git clone results in host key verification error

I am using Chef, invoked by Capistrano.
There is a directive to clone a repository using git.
git node['rails']['rails_root'] do
  repository "git@myrepo.com:/myproj.git"
  reference "master"
  action :sync
  user node['rails']['rails_user']
  group node['rails']['rails_group']
end
When it gets to this point, I get:
** [out :: 10.1.1.1] STDERR: Host key verification failed.
So, I need to add a "known_hosts" entry. No problem. But to which user? The core of my problem is that I have no idea which user is executing what commands, and if they are invoking sudo, etc.
I've run keyscan to populate the known_hosts of root, and the user I ssh in as, to no avail.
Note, this git repo is read-protected, and requires ssh key access.
Another way to solve this: https://github.com/opscode-cookbooks/ssh_known_hosts
This worked for me.
You can use an ssh wrapper approach. Look here for details.
Briefly, do the following steps.
First, create a file in the cookbooks/COOKBOOK_NAME/files/default directory that is named wrap-ssh4git.sh and which contains the following:
#!/usr/bin/env bash
# GIT_SSH wrapper: git invokes it with the host followed by the remote command.
# "$@" forwards every argument to ssh unchanged (unquoted $1 $2 would drop
# further arguments and split on spaces). StrictHostKeyChecking=no makes ssh
# add an unknown host key to known_hosts automatically instead of failing.
/usr/bin/env ssh -o "StrictHostKeyChecking=no" "$@"
Then, use the following block for your deployment:
directory "/tmp/private_code/.ssh" do
  owner "ubuntu"
  recursive true
end
cookbook_file "/tmp/private_code/wrap-ssh4git.sh" do
  source "wrap-ssh4git.sh"
  owner "ubuntu"
  mode 00700
end
deploy "private_repo" do
  repo "git@github.com:acctname/private-repo.git"
  user "ubuntu"
  deploy_to "/tmp/private_code"
  action :deploy
  ssh_wrapper "/tmp/private_code/wrap-ssh4git.sh"
end
The git repository will be cloned as user node['rails']['rails_user'] (via https://docs.chef.io/resource_git.html) - I assume that user's known_hosts file is the one you have to modify.
I have resolved this issue as below:
_home_dir = nil
node['etc']['passwd'].each do |user, data|
  if user.eql? node['jenkins']['username']
    _home_dir = data['dir']
  end
end
key_config = "Host *\n\tStrictHostKeyChecking no\n"
file "#{_home_dir}/.ssh/config" do
  owner node['jenkins']['username']
  group node['jenkins']['username']
  mode "0600"
  content key_config
end