I am root on my own webserver and I did write a perl-script for maintaining my website. Called from a browser this script displayes a user-interface for maintainance. To be able to start this script from my browser, I must enter a username and a password, so nobody but me can run this script.
I want that this script renames some files on the server when I click on the according button. From the perl-script I call the shell-command `mv oldFilename newFilename`, but nothing happens. Apache's error log displays this message:
[timestring] [error] [client n.n.n.n] mv: cannot move oldFilename to newFilename: Permission denied, referer: referrer
filename's owner is root, permissions are set to 0644 (everybody can read, only root can write)
What is the best solution for this problem? Is there a better way than changing the files permissions to 0666? I want to refrain from changing the permissions. I would prefere a solution where the perl-script sayes to the shell something like: "Dear shell, here is the password for root. Now please rename file X to Y!"
Isn't this the exact problem that Unix groups were meant to solve? Set file permission to 0664, directory permissions to 0775, and assign the files and directories to a group that the webserver user belongs to.
Don't ignore security. Use sudo.
I maintain a Perl web site with html pages and Java script. All the program files are protected with root ownership.
Even if you limit access to this program through a username and password on the web site, then root should own the program chown root:root <full-path-to-your-program-name>, and the program file should be protected chmod 755 <full-path-to-your-program-name>.
Related
If I set PGPASSFILE to an explicit path like /home/user/.pgpass then it works fine and when logged in as the user that owns that file I can use psql for the entries in .pgpass.conf.
The problem I have is that I need to have multiple accounts use psql. If I change PGPASSFILE to user directory like ~/.pgpass.conf then it doesn't work and doesn't read the file so it gives a password error.
Because I can only specify one file it means only the owner of that file can run the commands I need to run.
I am running on Ubuntu 18.04 and I need root & www-data to have a .pgpass.conf file.
How do I do this?
If you have system users corresponding to your db users (root and www-data in your case), each has its own, separate .pgpass file in its respective home directory. Set each accordingly.
And simply do not set PGPASSFILE at all. The manual:
PGPASSFILE behaves the same as the passfile connection parameter.
And:
passfile
Specifies the name of the file used to store passwords (see Section 33.15). Defaults to ~/.pgpass, or
%APPDATA%\postgresql\pgpass.conf on Microsoft Windows. (No error is
reported if this file does not exist.)
Related:
Run batch file with psql command without password
I configured my Total Commander so I can open a file *.txt i.e. within emacs.
Therefore I setup my Editor
D:\Tools\emacs\bin\emacsclientw.exe "%1"
When I now open my file everything is ok. But when I edit it and save it emacs tells me the following:
Saving file c:/log.txt...
basic-save-buffer-2: Opening output file: permission denied, c:/log.txt
How do I make it run so it can actually edit files?
By Default you should not be saving anything to root C:\
It is just bad practice and by default a normal user does not have permission to it.
Instead, create a working DIR in your Documents folder and a log directory in that, then you will have something like:
C:\Users\Frank\Documents\Working\logs\log.txt
This should not create any permission errrors.
On CentOS I would like to give the apache user permissions to "ant release" on a home dir it does not own how do I do that? the ant release I am using is as part of the android SDK - I have a dir /home/myuser/android_project/ and ant relase runs fine from there but I would like to give apache the permissions it needs to run it so I can run as as
<?php shell_exec('/home/myuser/android_project/ant release') ?>.
The gotcha
Also there is an issue since I sign the ant release I would like to have the password handled perhaps in a file that php can somehow magically "sign" the ant release.
Now.
Note: to Mr Tinker: Hold the horses - I know that this is might fall foul of the forum topic police, but in my considered opinion it is a unix issue. i.e. I know how PHP does shell_exec I need no programming help. I know how to run ant release manually so I need no installation help: I would like to sew together these two disparate manual "things" within linux (the CentOS server) so I believe 100% this is a unix issue
As you've already stated, you need to give the apache user permission to execute the /home/myuser/android_project/ant file.
tl;dr : run the following command (be warned, it might not be the most secure thing in the world):
chmod 777 /home/myuser/android_project/ant
If you're interested in why this might fix your problem, continue to read below.
First, you need to get some more information.
Run the following command:
ls -l /home/myuser/android_project/ant
The ls -l command will give you the read, write, and execute permissions for the specified file, along with the ownership information. The first column contains the permission information. The 3rd column indicates the owning user, and the 4th column indicates the owning group.
For example:
$ ls -l /etc/passwd
-rw-r--r--. 1 root root 2177 Aug 26 21:23 /etc/passwd
^^^
|----------- All Users & Groups
^^^
|-------------- Specified Group Owner
^^^
|------------------ Specified User Owner
This can be interpreted as user root and group root owning the /etc/passwd file.
The permissions are read as groups of 3 rwx characters. The first group is for owning user, the 2nd for owning group, and the 3rd for everyone else on the system. The permissions in this example mean that the root user can read and write to the file, the root group can read, and everyone else can read.
Now, each group of permissions can be represented as an octal digit:
--- == 0
--x == 1
-w- == 2
-wx == 3
r-- == 4
r-x == 5
rw- == 6
rwx == 7
You now have enough information to understand why the chmod 777 command above worked. Basically you will have given everyone on the system permission to read, write, and execute that ant file.
Ideally, you would only give the minimum permissions required to allow apache to execute the file, I'll leave that much as an exercise to the reader.
Since I'm running my rails app as root, it creates files that are owned by root in the tmp directory. Because of this
cap production deploy:cleanup
can't remove old releases because it is not run as root.
I've looked at the capistrano v3 code, but I don't see a way to run the cleanup command as root. Is this option missing or is this problem occurring because I'm doing something wrong in another place of the deployment flow.
I start the app as root because I need to bind to port 80.
What you can also do is triggering a task just before cleaning up the old release :
namespace :deploy do
before :cleanup, :cleanup_permissions
desc 'Set permissions on old releases before cleanup'
task :cleanup_permissions do
on release_roles :all do |host|
releases = capture(:ls, '-x', releases_path).split
if releases.count >= fetch(:keep_releases)
info "Cleaning permissions on old releases"
directories = (releases - releases.last(1))
if directories.any?
directories.each do |release|
within releases_path.join(release) do
execute :sudo, :chown, '-R', 'deployuser', 'path/to/your/files/writtend/by/root'
end
end
else
info t(:no_old_releases, host: host.to_s, keep_releases: fetch(:keep_releases))
end
end
end
end
end
Note that you'll need to give your deployment user the right to execute this specific sudo command (with a sudoers definition file.
I've looked at the capistrano v3 code, but I don't see a way to run the cleanup command as root. Is this option missing or is this problem occurring because I'm doing something wrong in another place of the deployment flow.
There is no secret sauce in Capistrano, we rely on you having correctly set up the permissions for your deploy user as documented at http://www.capistranorb.com/
Removing directories requires write permissions on the parent directory, that is to say, given the following directory structure:
/var/www/releases/
\- 20131015180000
\- 20131015181500
\- 20131015183000
You need write permission on the /var/www/releases/ directory, as the list of files and directory in that directory, is stored in the directory.
From a similar StackSverflow question:
In UNIX and Linux, the ability to remove a file is not determined by the access bits of that file. It is determined by the access bits of the directory which contains the file.
From the Wikipedia article on Unix File Permissions:
The write permission grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.
One of the things you may want to do is to create a group called app or web on your linux box and add root and the deploy user to the same group. Then, as part of your deployment, chmod the release_path permissions to g+s which will ensure that any new files created by root user are group writable.
You should then be able to remove the old folders as deploy user.
I was running into similar issues, so, to confirm, logged into my Web server via SSH, and tried rm -rf [directory], which also failed due to the same permissions issues, even logged in as admin. Running chmod -R 755 [directory]/, then rm -rf [directory]/ did work, though.
To fix it, in the project's silverstripe.rake file, I changed the command being run from:
execute :chown, "-R [user]:[group] /path/to/project"
to:
execute :chmod, "-R 755 /path/to/project"
So far, no more issues with deleting the oldest release when running cap [release name] deploy
this ones a weird one. For some reason, out of the blue, everytime I create a new project and upload to my server, it wont allow me to edit the paths.php file through FTP.
I accessed the server through command line earlier on today to install a bundle and noticed the paths.php file was green and has a star next to it. Does any one know what this means and is it affecting me from opening this file?
regards
The permission of the file is 755 which mean:
755 = rwx r-x r-x
Owner has Read, Write and Execute
Group has Read and Execute only
Other has Read and Execute only
Viewing the picture, qsradmin is the owner of the file, so he is the only one who can write or edit the file.
In order to change the owner of the file, use chown command like this:
chown NameOfTheUser path.php
For more information checkout Unix File permission