When a setuid program is run, are the permission bits for the owner technically rwx?
I was thinking that the first three permission bits were for the owner but thinking on it more if they were ---, this wouldn't make sense as a setUID program.
My understanding is the first three bits are for the user (i.e. the one currently logged in). Is this correct?
When a setuid program is run, are the permission bits for the owner technically rwx?
No.
When a setuid program is run, then (from chmod):
Executable files with this bit set will run with effective uid set to the uid of the file owner.
Nothing more, nothing less. The first three permission bits are for the owner, as you say. And yes, if the user did not have execute permission, that wouldn't make sense (and it wouldn't be an "executable file").
Is there a specific case you have in mind that you're having trouble testing?
You can do this, it will run the program with the effective uid of the owner.
However, it just won't work as you expect for setuid root binaries invoked by root. This is because root doesn't honor permission bits on executables in the way that other users do. When root runs a program it will execute if any of user, group or other executable permissions are present. Given it can execute the file, it will honor the user-setuid bit (but root defaults to effective uid of 0 so its redundant):
Here are two examples:
setuid root (which shows you can't prevent root from executing the program):
$ cp /usr/bin/id .
$ sudo chown root ./id
$ sudo chmod u-rwx ./id
$ sudo ./id
uid=0(root) gid=0(root) groups=0(root)
$ sudo chmod u+s ./id
$ ls -l ./id
---Sr-xr-x 1 2 root tinkerer Dec 5 07:25 ./id
$ ./id -u
0
$ sudo ./id -u
0
setuid bin (which shows it works exactly as you expect):
$ cp /usr/bin/id .
$ sudo chown bin ./id
$ sudo chmod u-rwx ./id
$ sudo -u bin ./id
sudo: unable to execute ./id: Permission denied
$ sudo chmod u+s ./id
$ ls -l ./id
---Sr-xr-x 1 2 bin tinkerer Dec 5 07:30 ./id
$ ./id -u
2
$ sudo ./id -u
2
$ sudo -u bin ./id
sudo: unable to execute ./id: Permission denied
Related
On, Unix system, I do the following:
sudo su
mkdir test
touch test/x.txt
chmod -R 700 test
exit
Right now, the whole test folder is protected for only root user usage.
Now, I do
sudo su
chmod 777 test/x.txt
exit
Then, in a "normal" user, I do
cat test/x.txt
But I get permission denied, although file test/x.txt is open to world.
why?
Issue was the "normal" user cannot cd into test - because missing x permissions.
So instead of doing chmod -R 700 test, replace with something like chmod -R 711 test
The stream or file "/home/nick/projects/Symfony/app/logs/dev.log" could not
be opened: failed to open stream: Permission denied
I get it in symfony.
I know that I can go to app/logs and delete dev.log but this is happening to often and is annoying to delete it again and againand again.
Is there any way to make it just disapear?
LE: I guess, that I got the reply.
I run the comands prefixed with sudo.
Eg: sudo php app/console generate:bundle --namespace=Acme/StoreBundle will work like a charm.
nick#ptb:~/projects/Symfony$ ls -al app/logs
total 76
drwxrwxrwx+ 2 nick nick 4096 nov 24 15:16 .
drwxr-xr-x 6 nick nick 4096 nov 24 15:28 ..
-rw-rw-r--+ 1 www-data www-data 59583 nov 24 16:25 dev.log
-rw-rw-r--+ 1 nick nick 0 oct 6 15:55 .gitkeep
I think that you create directory app/logs as sudo (root), so symfony doesn't have permissions to write into the file dev.log. Manually remove directory app/logs (and all contents), create it as normal user and setup up permissions, like they are described in the official documentation http://symfony.com/doc/current/book/installation.html.
Something like:
$ sudo rm -rf app/logs
$ mkdir app/logs
$ HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1`
$ sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX app/cache app/logs
$ sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX app/cache app/logs
Or use any other option which is described in official documentation.
If this not works then please paste us result of command:
$ ls -al app/logs
In my case, I used CentOS 7 and I solved it by set SELINUX=disabled as follow.
- sudo nano /etc/selinux/config
- Edit the file by set SELINUX=disabled
- Restart again then it worked !
I tested and tried many method included chmod, chwon, setfacl, etc but it cannot solve the problem until I tried above solution and it worked!
You should have a look at this http://symfony.com/doc/current/book/installation.html#configuration-and-setup.
UPD
Sometimes the solutions using ACL won't work, in this case try the forth option 4. Use the same user for the CLI and the web server
Use commands prefixed with sudo. I also got this error when I tried to run the server. Then I used 'sudo' and the error disappeared.
$ sudo php bin/console server:run
I am having trouble getting a few plugins to play nicely in wordpress. On top of that I can't even deactivate or delete several of them, they appear to be locked. I apologize I am somewhat of a linux newb, I have learned a lot but am baffled. I think it has to do with one of two things I did when I setup my VPS, which was guided by a tutorial. One was to install this script which would make commands wpupgrade for installing / deleting plugins and wpsafe for reverting to safe ownership.
### Edit the 2 values first, then post the whole lot.
#
export DOMAIN="mydomain.com"
export USER="myusername"
#
echo '
#########################
### WordPress 'chown' ###
#########################
## Allow WordPress Upgrades/Plugin Installs
alias wpupgrade="sudo find /home/USERNAME/public_html/DOMAIN/public/wp-admin -exec chown -R www-data:webmasters {} \; && sudo find /home/USERNAME/public_html/DOMAIN/public/wp-content -exec chown -R www-data:webmasters {} \;"
## Revert to Safe WordPress Ownership
alias wpsafe="sudo find /home/USERNAME/public_html/DOMAIN/public/wp-admin -exec chown -R USERNAME:webmasters {} \; && sudo find /home/USERNAME/public_html/DOMAIN/public/wp-content -exec chown -R USERNAME:webmasters {} \;"
' >> /home/$USER/.bashrc
sed -i "s/USERNAME/$USER/g" /home/$USER/.bashrc
sed -i "s/DOMAIN/$DOMAIN/g" /home/$USER/.bashrc
source /home/$USER/.bashrc
source /root/.bashrc
However, now all my wp-content and wp-includes are owned by www-data:webmasters and I cannot delete or modify them. I never created a www-data user. I try to use:
chown -R myusername:webmasters /home/myusername/public_html/mydomain.com/public/wp-content
and it tells me
chown: changing ownership of `/home/myusername/public_html/mydomain.com/public/wp-content': Operation not permitted
I have no idea what I'm doing wrong or what to do to fix this.. any help?
data is the user which executs apache. You must be running the script through apache user on you machine. To do a chown you must be the owner or a super user try sudo chown -R. Or log into super-user mod type su - in your terminal then enter the root password. Beware as root you can do anything you have all rights, think twice before executing a commande.
[edit]
I see that your script is in public_html -> this is tha apache folder for your user maybe that is why it has changed the script to www-data as owner.
try this sudo setfacl -R -m u:www-data:rwX -m u:myusername:rwX /home/myusername/public_html/mydomain.com/public/wp-content
to add you and www-data as uses
1) To change the ownership of a single file, run the command below.
$ sudo chown username:groupname filename
For Ex.
$ sudo chown richard:richard lockfile
Replace with the username of the account you wish to take ownership of the file. And is the group that will assume ownership of the file.
2) Now that you know how to change the ownership of a single file, the below commands show you how to change the ownership of a folder and all sub-folders within.
$ sudo chown -R username:groupname FolderName
For Ex.
$ sudo chown -R richard:richard Songs/
That’s it! And I hope you liked it.
I have had to use the
app/console cache:clear command
to solve a problem when generating an entity.
I am now unable to load my homepage on :
http://localhost/projet_etienne/web/app_dev.php
it says :
RuntimeException: Failed to write cache file "/var/www/projet_etienne/app/cache/dev/classes.php".
I don't understand much about this cache business!
In my app/cache folder, I got a dev, a dev_new, a dev_old folder. Is that normal?
the
app/console cache:clear
generates by the way a :
[ErrorException]
Warning: rename(/var/www/projet_etienne/app/cache/dev,/var/www/projet_etien
ne/app/cache/dev_old): Directory not empty in /var/www/projet_etienne/vendo
r/symfony/symfony/src/Symfony/Bundle/FrameworkBundle/Command/CacheClearComm
and.php line 77
please help!
For a GOOD and definite solution see the Setting up Permissions section in Installing and Configuring Symfony section :
Setting up Permissions
One common issue when installing Symfony is that the app/cache and
app/logs directories must be writable both by the web server and the
command line user. On a UNIX system, if your web server user is
different from your command line user, you can try one of the
following solutions.
Use the same user for the CLI and the web server
In development environments, it is a common practice to use the same
UNIX user for the CLI and the web server because it avoids any of
these permissions issues when setting up new projects. This can be
done by editing your web server configuration (e.g. commonly
httpd.conf or apache2.conf for Apache) and setting its user to be the
same as your CLI user (e.g. for Apache, update the User and Group
values).
Using ACL on a system that supports chmod +a
Many systems allow you to use the chmod +a command. Try this first,
and if you get an error - try the next method. This uses a command to
try to determine your web server user and set it as HTTPDUSER:
$ rm -rf app/cache/*
$ rm -rf app/logs/*
$ HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1`
$ sudo chmod +a "$HTTPDUSER allow delete,write,append,file_inherit,directory_inherit" app/cache app/logs
$ sudo chmod +a "`whoami` allow delete,write,append,file_inherit,directory_inherit" app/cache app/logs
Using ACL on a system that does not support chmod +a
Some systems don't support chmod +a, but do support another utility
called setfacl. You may need to enable ACL support on your partition
and install setfacl before using it (as is the case with Ubuntu). This
uses a command to try to determine your web server user and set it as
HTTPDUSER:
$ HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1`
$ sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX app/cache app/logs
$ sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX app/cache app/logs
For Symfony 3 it would be:
$ HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\ -f1`
$ sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX var/cache var/logs
$ sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX var/cache var/logs
If this
doesn't work, try adding -n option.
Without using ACL
If none of the previous methods work for you, change the umask so that
the cache and log directories will be group-writable or world-writable
(depending if the web server user and the command line user are in the
same group or not). To achieve this, put the following line at the
beginning of the app/console, web/app.php and web/app_dev.php files:
umask(0002); // This will let the permissions be 0775
// or
umask(0000); // This will let the permissions be 0777
Note that using the ACL is recommended when you have access to them on your server
because changing the umask is not thread-safe.
http://symfony.com/doc/current/book/installation.html#checking-symfony-application-configuration-and-setup
source :
Failed to write cache file "/var/www/myapp/app/cache/dev/classes.php" when clearing the cache
Most likely it means that the directory and/or sub-directories are not writable. Many forget about sub-directories.
Symfony 2
chmod -R 777 app/cache app/logs
Symfony 3 directory structure
chmod -R 777 var/cache var/logs
Additional Resources
Permissions solution by Symfony (mentioned previously).
Permissions solution by KPN University - additionally includes an screen-cast on installation.
Note: If you're using Symfony 3 directory structure, substitute app/cache and app/logs with var/cache and var/logs.
If the folder is already writable so thats not the problem.
You can also just navigate to /www/projet_etienne/app/cache/ and manualy remove the folders in there (dev, dev_new, dev_old).
Make sure to SAVE a copy of those folder somewhere to put back if this doesn't fix the problem
I know this is not the way it should be done but it worked for me a couple of times now.
You probably aborted a clearcache halfway and now you already have an app/cache/dev_old.
Try this (in the root of your project, assuming you're on a Unixy environment like OS X or Linux):
rm -rf app/cache/dev*
Maybe you forgot to change the permissions of app/cache app/log
I'm using Ubuntu so
sudo chmod -R 777 app/cache
sudo chmod -R 777 app/logs
sudo setfacl -dR -m u::rwX app/cache app/logs
Hope it helps..
I move the whole directory from my Windows installation to a unix production server and I got the same error. To fix it, I just ran these two lines in unix and everything started to run fine
rm -rf app/cache/*
rm -rf app/logs/*
i executed:
ps aux | grep apache
and got something like that:
root 28147 0.0 5.4 326336 27024 ? Ss 20:06 0:00 /usr/sbin/apache2 -k start
www-data 28150 0.0 1.3 326368 6852 ? S 20:06 0:00 /usr/sbin/apache2 -k start
www-data 28151 0.0 4.4 329016 22124 ? S 20:06 0:00 /usr/sbin/apache2 -k start
www-data 28152 0.1 6.0 331252 30092 ? S 20:06 0:00 /usr/sbin/apache2 -k start
www-data 28153 0.0 1.3 326368 6852 ? S 20:06 0:00 /usr/sbin/apache2 -k start
www-data 28154 0.0 1.3 326368 6852 ? S 20:06 0:00 /usr/sbin/apache2 -k start
www-data 28157 0.0 1.3 326368 6852 ? S 20:06 0:00 /usr/sbin/apache2 -k start
user 28297 0.0 0.1 15736 924 pts/4 S+ 20:12 0:00 grep --color=auto apache
so my user with no access turned out to be www-data thus i executed commands:
sudo chown -R www-data app/cache
sudo chown -R www-data app/logs
and it solved access errors.
Never-ever use unsecure 777 for solving specific access probles:
sudo chmod -R 777 app/cache
sudo chmod -R 777 app/logs
if symfony version less than 2.8
sudo chmod -R 777 app/cache/*
if symfony version great than or equal 3.0
sudo chmod -R 777 var/cache/*
If you face this error when you start Symfony project with docker (my Symfony version 5.1). Or errors like these:
Uncaught Exception: Failed to write file "/var/www/html/mysite.com.local/var/cache/dev/App_KernelDevDebugContainer.xml"" while reading upstream
Uncaught Warning: file_put_contents(/var/www/html/mysite.com.local/var/cache/dev/App_KernelDevDebugContainerDeprecations.log): failed to open stream: Permission denied" while reading upstream
Fix below helped me.
In Dockerfile for nginx container add line:
RUN usermod -u 1000 www-data
In Dockerfile for php-fpm container add line:
RUN usermod -u 1000 www-data
Then remove everything in directories "/var/cache", "/var/log" and rebuild docker's containers.
Just use this acl cmd, next time the files inside var are created it will have the r/w/x permission for www-data user.
cd var
rm -rf *
cd ..
setfacl -d -m u:www-data:rwx var
Cmd explanation:
setfacl -> Set acl command
-d -> default behavior
-m -> modify
u:www-data: -> for user
rwx -> adding permissions
var -> on the folder
I am somewhat confused how soft links work in unix. See the example.
% cd /usr/local/
% ls -la
total 6
drwxr-xr-x 2 root root 512 Jan 19 15:03 .
drwxr-xr-x 41 root sys 1024 Jan 20 16:24 ..
lrwxrwxrwx 1 root root 38 Jan 19 15:03 java -> /otherDir/java/jdk1.6.0_17 **<- this is a soft link**
% cd java **<- move to the softlink**
% pwd
/usr/local/java **<- the current location, say LOCATION_A**
% cd /otherDir/java/jdk1.6.0_17/ **<-move to the location of the softlink**
% pwd
/otherDir/java/jdk1.6.0_17 **<- the new current location, say LOCATION_B**
Isn't this problematic that even though LOCATION_A is LOCATION_B, they have different paths?
Is there a command (other than pwd) that will give the real location of a file (not just how the user go there).
It seems to me like pwd is just the sum of a user's cd. NOT their current location.
Try pwd -P. It's not "other than pwd" but it does the trick, at least on my bash 4.0.35 on Fedora 12. YMMV.
Update: Even works with sh, so it seems to be portable.
This behaves like this with a purpose. If you cd to /a/b/c/d and then cd to .. then you realistically expect to be in /a/b/c. If c happens to be a symbolic link (or symlink in unix terms - but not soft link) that takes you to /f/g/h, with the behaviour you would like to have you would end up in /f/g and then you (or any program) would not understand how it got there.
You can use readlink on the current working directory to get the true directory name:
readlink `pwd`
Normally, pwd should return /usr/local/java in the last line, if i understand your example. But some shells have a build in pwd command that tries to be more "intelligent" handling symlinks in the current working directory.
Try /bin/pwd, do you get other results?
realpath does what you want.
It is not possible to absolutely get your path under all circumstances. This is a bit odd, but a variation of this (plus chroot and setuid) is sometimes used for locking down a process.
$ mkdir -p /tmp/a/b
$ cd /tmp/a/b
$ rmdir /tmp/a/b
$ chmod 0 /tmp/a
$ rmdir /tmp/a
$ ls ..
ls: cannot open directory ..: Permission denied
$ ls -al
total 0
$ pwd -P
pwd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory