Using Capistrano to deploy files to directory not owned by user - capistrano

I'm using a user called "sam" that has sudo rights on the remote servers. How can I deploy templates to, say, the "/etc/httpd" folder on the remote servers?
require 'erb'

# Render the template with the recipe's variables in scope, then upload the result.
template = ERB.new(File.read('templates/UI/httpd.conf.erb'))
result = template.result(binding)
put(result, "/etc/httpd/httpd.conf")   # /etc/httpd is not writable by "sam"

The put() command can't be used with sudo, as it uses SFTP. It will have to be a two-step process: upload the file to a location you can write to as user "sam", and then sudo mv it to /etc/httpd.
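The two-step deploy the answer describes, as an added example that is not part of the original answer or of Capistrano: it runs locally against a staging directory and a destination directory you pass in, so the behaviour can be checked without a remote host; on the server, step 2 is what the recipe would issue through Capistrano's sudo helper. The httpd.conf name and the ServerName content are constructed for the demo. The detail worth seeing is step 2: place the file with install and an explicit owner, group and mode rather than with a plain mv, because mv carries the staging file's private 0600 mode and the uploading user's ownership into /etc/httpd, leaving a config that httpd may not be able to read and that the deploy account still owns.

```shell
#!/bin/sh
# Added example, not code from the original answer or from Capistrano.
# Step 1 stages the rendered file where the deploy user ("sam") can write;
# step 2 places it with explicit ownership and mode. On the real host step 2 is
#   sudo install -o root -g root -m 0644 "$staging" /etc/httpd/httpd.conf

# stage_config CONTENT STAGING_DIR
# Writes CONTENT to a fresh file under STAGING_DIR (mktemp creates it mode 0600,
# so the staged copy is readable by the uploader only) and prints its path.
stage_config() {
  content="$1"; staging_dir="$2"
  staging=$(mktemp "$staging_dir/httpd.conf.XXXXXX") || return 1
  printf '%s\n' "$content" > "$staging" || return 1
  printf '%s\n' "$staging"
}

# install_config STAGING FINAL [OWNER]
# Copies STAGING to FINAL with mode 0644 (world-readable, owner-writable only),
# optionally setting owner and group (needs root, hence sudo on the server),
# then removes the staged copy so no second writable copy lingers.
install_config() {
  staging="$1"; final="$2"; owner="${3:-}"
  if [ -n "$owner" ]; then
    install -o "$owner" -g "$owner" -m 0644 "$staging" "$final" || return 1
  else
    install -m 0644 "$staging" "$final" || return 1
  fi
  rm -f "$staging"
}

# deploy_config CONTENT STAGING_DIR FINAL [OWNER] : the whole two-step deploy.
deploy_config() {
  staging=$(stage_config "$1" "$2") || return 1
  install_config "$staging" "$3" "${4:-}"
}
```

Without the fourth argument the file keeps the caller's ownership, which is what an unprivileged local run can do; with it, install sets owner and group in the same step, so there is no window in which the file sits in /etc/httpd with the wrong owner.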

Related

Permission issue while executing an ssh task in azure pipeline

What I am trying to do is to run a few lines of shell script on a remote machine via an Azure pipeline. I used the SSH Deployment Task to accomplish this. I have used the script path argument to point to the .sh file that contains the script that should be run. The SSH task was able to connect to the remote host, but the following permission error pops up.
Can someone tell me what's going wrong here? The .sh file that I am using was created in the Linux box itself and has got the permission level set to 777 before moving to the repo.
There is another CopyFilesOverSSH#0 task in the pipeline in the same stage which works perfectly without any permission issues for the same user.
2021-12-31T12:41:42.1763039Z ##[section]Starting: SSH
2021-12-31T12:41:42.1894277Z ==============================================================================
2021-12-31T12:41:42.1894676Z Task : SSH
2021-12-31T12:41:42.1895010Z Description : Run shell commands or a script on a remote machine using SSH
2021-12-31T12:41:42.1895347Z Version : 0.189.0
2021-12-31T12:41:42.1895637Z Author : Microsoft Corporation
2021-12-31T12:41:42.1896023Z Help : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/ssh
2021-12-31T12:41:42.1896437Z ==============================================================================
2021-12-31T12:41:42.8200834Z Trying to establish an SSH connection to ***#80.xxx.xxx.xxx:22
2021-12-31T12:41:43.1333018Z Successfully connected.
2021-12-31T12:41:43.5698433Z ##[error]Failed to copy script to remote machine. Error: Error: put: Permission denied //checkFileAvailability.sh.
2021-12-31T12:41:43.6050230Z ##[section]Finishing: SSH
Firstly, if you want to copy files to the remote machine, then it's recommended to use the Copy Files Over SSH task. This task allows you to connect to a remote machine using SSH and copy files matching a set of minimatch patterns from a specified source folder to a target folder on the remote machine. Supported protocols for file transfer are SFTP and SCP via SFTP.
For the SSH Deployment task: this task enables you to connect to a remote machine using SSH and run commands or a script.
According to your error message, the SSH connection succeeded, but copying the script to the remote machine failed. It appears that the service account doesn't have permission to copy the specified file to the specific path on the remote machine. Please check your source file path permission settings. Please also try using an inline script instead of the Script File to check if it works.
I had the same issue when running the SSH script task under a user which was not root. So for an inline script to run under a different user, that user should have:
Read/Write/Execute access to the root folder, as TFS puts all commands into a generated bash script file and copies it to the target machine's root folder (below is another command, which is executed on the already copied script file)
tr -d '\015' < ./sshscript_099d4e8c-44ac-482d-b1bf-84a52c7ab810 > ./sshscript_099d4e8c-44ac-482d-b1bf-84a52c7ab810._unix
The user should have a home directory, as TFS switches to it
So to fix this issue I have granted rwx permissions to everyone for the root folder
chmod 777 /
ls -ld /
drwxrwxrwx 20 root root 4096 Feb 10 14:54 /
And made sure that the home folder for my user exists
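A check for the second prerequisite the answer lists (the account the SSH task logs in as must have a home directory it can write to), as an added example that is not part of the original answer or of Azure Pipelines. The task uploads its generated sshscript_<id> file into the login account's home; a passwd entry whose home is "/" is what turns the upload path into "//checkFileAvailability.sh" and yields "put: Permission denied", and a missing home fails the same way. The return codes and messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the original answer or from Azure Pipelines.
# Verifies that the login account used by the SSH task has a home directory
# that exists and that the account can write to, which is where the task
# drops its generated sshscript_<id> before running it.

# check_home_dir DIR : 0 usable; 2 unset or "/"; 3 missing; 4 not writable.
# The write test is made as the caller, so run this as the task's own account.
check_home_dir() {
  home="$1"
  case "$home" in
    ""|/) echo "home is '${home:-unset}': uploads would land in /" >&2; return 2 ;;
  esac
  [ -d "$home" ] || { echo "home $home does not exist" >&2; return 3; }
  { [ -w "$home" ] && [ -x "$home" ]; } \
    || { echo "home $home is not writable by $(id -un)" >&2; return 4; }
  return 0
}

# check_ssh_task_user USER : looks up USER's home in the passwd database
# (field 6 of the getent output) and runs check_home_dir on it.
check_ssh_task_user() {
  entry=$(getent passwd "$1") || { echo "no account named $1" >&2; return 1; }
  check_home_dir "$(printf '%s\n' "$entry" | cut -d: -f6)"
}
```

Running check_ssh_task_user for the pipeline's account on the target host tells you which of the two conditions is missing; fixing that one account's home (create it, chown it to the account) is the narrow change, since the task only ever writes into that directory.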

Does chef overwrite file owners when deploying? Can it be avoided?

I have a Chef cookbook for deploying our webapp; there are some folders and files that need to be created and owned by www-data:www-data. When deploying the application I'm doing it by using Chef's deploy command like this in my deploy.rb recipe:
deploy "#{app_dir}" do
  repository tmp_dir
  user "root"
  group "root"
  environment app[:environment]
  symlink_before_migrate({})
end
And then the creation and permission set for those files and folders are done in the before_symlink.rb script like this:
execute "ensure correct owner of storage folder" do
  command "chown -R www-data:www-data #{release_path}/storage"
end
I've been debugging and I've checked this:
chown is executed, and the user exists, I can see it in the chef logs.
If I execute a sleep command right at the end of the before_symlink and then ssh into the machine I can see in the storage folder that the folder is owned by www-data as I wish.
If I execute a sleep command right after the deploy command on deploy.rb and then ssh to the machine, now the release folder will be linked to the current folder, and every file and folder will be owned by root:root causing permission errors.
So it seems that at the end of the deploy Chef overwrites the owner of every deployed file with the user making the deploy. Is this true? Is there any way to keep files and folders with the owner set in before_symlink.rb?
Really really don't use the deploy resource. What you want is probably a git resource, and its user property.

MailKit dotnet core on Ubuntu 16.04

Running a Kestrel server managed by systemd as the www-data user. When trying to send an email using MailKit with TLS enabled I get the following error message:
System.UnauthorizedAccessException: Access to the path '/var/www/.dotnet/corefx/cryptography/crls' is denied. ---> System.IO.IOException: Permission denied
One solution possibly is to set a home directory for www-data, but that seems counter intuitive.
The call stack indicates that the code (MailKit or one of its dependencies) is trying to build and access a certificate cache.
You can manually create the directory and grant the necessary permissions.
Don't modify /var top directory as that's crazy.
First, you need to recursively create the directory:
mkdir -p /var/www/.dotnet/corefx/cryptography/crls
and give rights to www-data group
(if this is the group that runs your service)
sudo chgrp www-data /var/www/.dotnet/corefx/cryptography/crls
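The directory creation the answer describes, carried one step further as an added example that is not part of the original answer or of .NET/MailKit: the function creates the cache directory, hands it to the service's group as the answer does, and then sets the narrowest mode that still lets the service write there (2770: owner and group rwx, nothing for others, setgid so files the service creates inside stay in that group), and verifies both. The path and group are the ones the question and answer use; the verification steps and return codes are this example's own.

```shell
#!/bin/sh
# Added example, not from the original answer or from .NET/MailKit.
# Creates the certificate-cache directory from the stack trace and gives the
# service's group access with mode 2770. The parent directories that mkdir -p
# creates keep the default mode (normally 0755), which is all the service
# needs to traverse them. On the real host, run as root:
#   prepare_service_dir /var/www/.dotnet/corefx/cryptography/crls www-data

# prepare_service_dir DIR GROUP : 0 on success; 2 if "others" still have
# any access to DIR; 3 if the group change did not take effect.
prepare_service_dir() {
  dir="$1"; group="$2"
  mkdir -p "$dir" || return 1
  chgrp "$group" "$dir" || return 1
  chmod 2770 "$dir" || return 1
  # Verify from ls -ld: characters 8-10 are the "other" bits, field 4 the group.
  others=$(ls -ld "$dir" | cut -c8-10)
  [ "$others" = "---" ] || return 2
  actual_group=$(ls -ld "$dir" | awk '{print $4}')
  [ "$actual_group" = "$group" ] || return 3
}
```

Keeping "others" at no access matters because /var/www is the web root: a world-readable or world-writable CRL cache under it would let any local account read or tamper with the revocation data the TLS client later trusts.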

How to share my remote samba connection for all local users?

Several guys in our office have accounts on a local Linux (Ubuntu) workstation (named local-server). But only I have an account to access the remote Samba server (named remote-server).
For security, I cannot tell the other guys my account and password. But I want to share my mount point with them.
For example, I mount the remote Samba server on this path: /home/samba/. I want everyone on local-server to be able to read/write the '/home/samba' directory and its sub-directories. (However, I don't want to modify the remote files' permission modes.)
How can I configure it? Thank you very much!
You can set the uid/gid to be different and therefore allow other users to read/write to your share. First create a local group, e.g. shareaccess and assign it to your users:
sudo addgroup shareaccess
sudo usermod -a -G shareaccess user1
Then mount the share:
mount.cifs -ouid=youruser,forceuid,gid=shareaccess,forcegid,file_mode=770,dir_mode=770,credentials=/etc/secret-cred //server/share /home/samba
Files and directories will appear to be owned by youruser:shareaccess locally with permissions ug=rwx.
If the server is a Samba (not Windows) server too and has Unix extensions enabled, file and directory permissions are set according to the server. This might or might not be desirable. You can disable Unix extensions for the mount by adding the nounix option, which will force the modes to be the ones specified at mount-time. Be aware that this will disable all Unix extensions, e.g. symlink support.
References:
mount.cifs man page
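The credentials=/etc/secret-cred file in the answer's mount command is the piece that keeps the account password out of the other users' hands, so its permissions are worth checking before the mount is shared. The following is an added example, not part of the original answer or of cifs-utils: it writes the credentials file in the key=value format mount.cifs reads, checks that the file is a regular file with no group/other permission bits and the required lines, and only then assembles the option string from the answer. The username, password and domain values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original answer or from cifs-utils.
# The credentials file is read by mount.cifs as root, so nobody else needs
# access to it; group/other bits on it hand the share password to every
# local user the mount was meant to shield it from.

# write_cifs_credentials FILE USER PASS [DOMAIN]
# Creates FILE atomically: mktemp gives the temp file mode 0600, the content is
# written there, and mv renames it into place with that mode.
write_cifs_credentials() {
  file="$1"; user="$2"; pass="$3"; domain="${4:-}"
  tmp=$(mktemp "$file.XXXXXX") || return 1
  {
    printf 'username=%s\n' "$user"
    printf 'password=%s\n' "$pass"
    if [ -n "$domain" ]; then printf 'domain=%s\n' "$domain"; fi
  } > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$file"
}

# check_cifs_credentials FILE : 0 when FILE is a regular file, has no
# group/other permission bits (ls -ld columns 5-10), and carries
# username= and password= lines; 1, 2 or 3 otherwise.
check_cifs_credentials() {
  file="$1"
  [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
  mode=$(ls -ld "$file" | cut -c5-10)
  [ "$mode" = "------" ] \
    || { echo "$file: group/other bits set ($mode); run chmod 600" >&2; return 2; }
  { grep -q '^username=' "$file" && grep -q '^password=' "$file"; } \
    || { echo "$file: missing username= or password= line" >&2; return 3; }
}

# cifs_mount_options UID GID FILE : the option string from the answer with
# the given owner, group and credentials file, emitted only if FILE passes.
cifs_mount_options() {
  check_cifs_credentials "$3" || return 1
  printf 'uid=%s,forceuid,gid=%s,forcegid,file_mode=770,dir_mode=770,credentials=%s\n' \
    "$1" "$2" "$3"
}
```

A typical use is `mount.cifs -o"$(cifs_mount_options youruser shareaccess /etc/secret-cred)" //server/share /home/samba`: if the credentials file has been loosened, the check fails and the mount is not attempted with a readable password file.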
If you want to re-attach your mounted Samba network shares, you can use the following:
sudo mount -a

Php Setting File permissions for OrangeHrm in Ubuntu system

I am trying to deploy OrangeHrm on Ubuntu Server but am getting the following errors:
Component                                             Status
PHP version                                           OK (ver 5.3.3)
MySQL Client                                          OK (ver 5.1.52)
MySQL Server                                          OK (ver 5.1.52)
MySQL InnoDB Support                                  Enabled
Write Permissions for "lib/confs"                     Not Writeable*
Write Permissions for "lib/logs"                      Not Writeable*
Write Permissions for "symfony/config"                Not Writeable*
Write Permissions for "symfony/apps/orangehrm/config" Not Writeable*
Write Permissions for "symfony/cache"                 Not Writeable*
Write Permissions for "symfony/log"                   Not Writeable*
Maximum Session Idle Time before Timeout              OK
Register Globals turned-off                           OK
Memory allocated for PHP script                       OK
Web server allows .htaccess files                     OK
* Web server requires write privilege to the following directory
I have changed the file access permissions with
"sudo chmod 777 orangehrm", and the folder is in 777 mode, but the errors still exist.
Thanks..
For me it helped to change the owner of the corresponding directory to www-data:
Go to the directory your web page data is in (usually /var/www/YOUR_SITE_NAME): cd /var/www/YOUR_SITE_NAME
Change the owner to www-data: sudo chown -R www-data . Alternatively, you can change the group too, e.g. to your username's group, in order to be able to access the files from your account: sudo chown -R www-data:YOUR_USERNAME . Note that in both cases the dot at the end of the command is part of the command!
You shouldn't be setting all folders to 777 for a web facing site. Run something like the following from your orangehrm folder;
sudo chmod 760 lib/confs lib/logs symfony/config symfony/apps/orangehrm/config symfony/cache symfony/log
That will give you read/write/execute for the owner and then read/write for the group and then no permissions for all others.
Then make sure the owner of the orangehrm folder is your web user, i.e. www-data.
I would suggest confirming the permissions for those folders with the OrangeHRM forum,
i.e. http://forum.orangehrm.com/viewtopic.php?f=14&t=2531&p=3452&hilit=chmod&sid=e53a96e31a32ce4cbfa7998f43fdfc95#p3452
You should include -R in your command, like:
sudo chmod -R 777 orangehrm
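Both the Chef question above (deployed files ending up root:root and causing permission errors) and this OrangeHRM thread come down to the same two conditions on a web app's writable directories: they must be owned by the web server account, and they must not be writable by everyone. The following added example is not part of either thread, of Chef or of OrangeHRM: audit_app_dirs reports every path that fails either condition (which is how you would confirm after a deploy that ownership really stuck, or that a chmod 777 is still in place), and fix_app_dirs applies the ownership change the answers recommend together with a mode that gives the owner full access, the group read and traverse, and others nothing. The directory names are the ones from the OrangeHRM check; the user and group are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original answers or from OrangeHRM/Chef.
# chmod 777 satisfies the installer's "writeable" check by letting every local
# account rewrite config, logs and cache; owning the directories as the web
# user and removing all access for others satisfies it without that exposure.

# audit_app_dirs USER DIR... : lists on stderr every path under DIR... that is
# not owned by USER or is world-writable, and prints the number of such paths.
audit_app_dirs() {
  user="$1"; shift
  bad=$(find "$@" \( ! -user "$user" -o -perm -002 \) -print) || return 1
  if [ -z "$bad" ]; then echo 0; return 0; fi
  printf '%s\n' "$bad" >&2
  printf '%s\n' "$bad" | wc -l | tr -d ' '
}

# fix_app_dirs USER GROUP DIR... : give DIR... (recursively) to USER:GROUP,
# then set u=rwX,g=rX,o= so the web user can write, the group can read and
# enter directories, and nobody else has access. Needs root to chown away.
fix_app_dirs() {
  user="$1"; group="$2"; shift 2
  chown -R "$user:$group" "$@" || return 1
  chmod -R u=rwX,g=rX,o= "$@" || return 1
}
```

On the OrangeHRM host the calls would be `fix_app_dirs www-data www-data lib/confs lib/logs symfony/config symfony/apps/orangehrm/config symfony/cache symfony/log` from the orangehrm folder, followed by `audit_app_dirs www-data .` to confirm nothing under the web root is left world-writable; after a Chef deploy, `audit_app_dirs www-data "$release_path/storage"` returning 0 is the check that the chown from before_symlink.rb survived.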