How does rsync preserve ownership when uid/gid differs? - rsync

Upon deploying a new server and migrating the entire contents of /home using rsync I noticed that the group and user ownership were in fact preserved, despite the fact that the ids differ between the two servers.
Specifically, the command I ran was:
rsync -avz oldserver:/home/ /home
Though I have recreated all of the same users and groups on the new server, most of them have different ids than the old, but somehow this command has magically kept the correct ownership (based on name) and assigned new gid and uid where applicable. I am able to verify this with ls -n /home.
How is this possible? Does rsync do some kind of name lookup?

Yes, by default rsync matches owners and groups by name. Details are in the docs for --numeric-ids.
--numeric-ids
With this option rsync will transfer numeric group and user IDs rather than using user and group names and mapping them at both ends.
By default rsync will use the username and groupname to determine what ownership to give files. The special uid 0 and the special group 0 are never mapped via user/group names even if the --numeric-ids option is not specified.
If a user or group has no name on the source system or it has no match on the destination system, then the numeric ID from the source system is used instead.
rsync presumably uses getpwnam and getgrnam to look up the uid and gid associated with the user and group names.

Related

How to grant one particular user read access to a unix file

I want to give one particular user read access to a file on a unix machine. I am not root so I guess I can not do chown.
I tried searching for something that uses chmod, but there it looks like I can't specify a particular user, only a one-self, group, or all.
I guess this was asked before already, but I couldn't find anything.
Generally when you want more fine-grained permissions in Linux, you should use Access Control Lists. The Arch Wiki has a good guide on how to set it up.
Once set up, you can define more complex rules for modifying the access control policies for your mounted filesystem.
You can set these rules with commands that look like: setfacl -m "u:johny:r-x" abc.
This says "Give (user) Johny read and execute permissions to the file/directory specified by the path abc".
You would then also be able to see the permissions for a filesystem object using getfacl
root#testvm:/var/tmp# getfacl appdir/
# file: appdir/
# owner: root
# group: appgroup
user::rwx
group::rwx
group:testusers:r--
mask::rwx
other::r-x
In this example you can see the default for any user/group which is not (in) the testusers group, can read, write, or execute the directory. But testusers can only read.
The traditional, Unix way is, as you suggest, to chown the file and set permissions that way.
You might also be able to use access control lists (ACLs). Have a look for the getfacl and setfacl commands (link). The bad news is that ACLs are not always enabled and the default OS install doesn't always include the commands, which doesn't help you if you don't have root.

Should I create a new file for the new RSA key or just append the new RSA key without overwriting the old one ?

I am in this situation (Please note that I am still new to the idea of this ssh thing):
Basically, I have already set up SSH for my Github, so every time I do git push origin master, it will not prompt me to enter username and password, which is good. Now I want to set up another SSH for logging onto my school server. I wanted to follow the same instruction which I did for Github in this link. But after I typed in ssh-keygen -t rsa -C "me#school.com" . It says that /.ssh/id_rsa already exists. Overwrite (y/n)? .
Obviously, I do not want to overwrite it, since I still want instant access to my Github account. I know that I can create another id_rsa under a different name, but is this a good approach ? Does it have any side-effects ? It seems to look nicer if I can just append the new RSA key to the existing id_rsa but I have no idea how to do so. (Need to know the right command to do this I guess)
You don't need to create a new key. you can us the same public key and put it on your school account. The parameter -C just put's a comment to your key and it is only there, so that you can easily recognize it as your key. It has nothing to do with the ability log in on a specific server.

NFS uid mapping - reboot

I (as everybody )))) try to mount NFS folder on client while keeping UIDs on CentOS 6.5.
So I have user test with uid 10000 on server (useradd -u 10000 -g 9999 test), that has files belonging to him. I export folder with no_all_squash option.
After that I create user test with uid 10000 on client, mount NFS folder but ls -ln shows files owner 99 (nobody) until client reboot.
After reboot all works fine, client sees files with uid 10000. It seems that client side kernel somehow doesn't update user list/cache.
The same behavior on user delete - until reboot it shows right UIDs (though user already deleted), after reboot - 99.
Because the case in question not regular user, but system that created/deleted dynamically reboot is by no means not options. Any ideas - some config reload, etc.?
Actually what will be well is to see real UIDs on server, despite user existence on client.
Thanks.
can be solved by cleaning uid mapping cache on the client machines:
/usr/sbin/nfsidmap -c
you can see invalid entries in /proc:
cat /proc/keys | grep 3$
more info about the underlying technology:
https://www.kernel.org/doc/Documentation/security/keys.txt
https://www.kernel.org/doc/Documentation/filesystems/nfs/idmapper.txt
also mentioned on serverfault

Risk if a registrant picks a username that matches a unix command?

In my app I ask users to register using a unique name. The app creates a directory for them with that name that they then can work with, saving files, etc.
I hadn't really thought about screening for other than alpha-numeric for the name. However, I ran across a thread somewhere than said to make sure not to create directory names that match a unix command name.
Is this a legitimate risk? If so, how might one programmatically screen for such an occurrence? I'm also curious how such a scenario might play out to illustrate the problem (exploit?). That last part is academic interest only, of course.
Generally, it doesn't matter(has no obvious security risk). Most softwares, for example shell, search a unix command based on some enviroment variables(like PATH). So even if your created directory matches a unix command like "cd", it can only be used as a parameter to other unix command, like cd cd.
However, if another application search the unix command based on other approaches like searching some directories, it may lead to security breaches.
The only way I can think of that being a risk is if you're going to turn around and process those user names through command-line functions. You would want to be careful to escape the user names anywhere that they could be interpreted as a command...though off the top of my head, with strictly alphanumeric user names, you'd have to go to a lot of trouble to run into such a risk.
If you decided anyway that you wanted to ensure that the username didn't match an application on the path of the creating process, you could shell out from whatever your app environment is, and evaluate the result of which $prospectiveUsername. If it returns anything other than an empty string, you know that the username is an application on the process's path.
NOTE: In the above scenario, make sure you sanitize the username before calling out to the shell command. Otherwise, you do run security risks, if e.g. the user decides to enter her username as "janedoe; rm -rf /".

CODA setting owner & group [duplicate]

I have a script (Joomla) that creates files and directories on the server. The problem is that it creates them under owner 99 99 (nobody) and after I can't delete or modify them by FTP without the help of the server admin.
I think that is move_uploaded_file function of php.
Is there any solution of this problem by the WHM or by the server admin? Can I modify the default owner in ftp?
What happens is the HTTP server is ran by a user called "nobody", and your FTP user is another one. When the upload occurs, the HTTP server creates the file under its username, and your FTP user has no permission to write (or delete) these files.
The easiest way to fix this (but not really secure) is to add both users in a same group, and change the file permissions to allow users of the same group to read/write on these files.
Your admin should take care of it, but you'll have to call chmod() to change the permissions of your uploaded files.
Explaining it better:
The linux/unix file permissions are composed by permissions of user (u), group (g) and others (o).
I'll only cover 3 types of file permisions here, which are read (r), write (w) and execute (x). So, you end up having something like this:
-rw-rw---x 1 jweyrich staff 12288 Oct 24 00:22 avatar.png
The first rw- is the permission (read/write) of the USER that owns the file (jweyrich).
The second rw- is the permission (read/write) of the GROUP that owns the file (staff).
The --x at the end are the permissions (execute) of the OTHERS users..
Your PHP scripts run as "nobody" user (and by, let's say, "nobody" group), so every file you create from your PHP will be owned by the "nobody" user (and his group). A user can be part of one or more groups.
To solve the permission problem, your FTP user and the "nobody" must be in a common group, let's say the admin put your user in the "nobody".
Once they're in the same group, your PHP script has to give "rw" (read/write) permissions to the "nobody" group members. To do so:
chmod("path_to_your_file", 0770);
The 0770 is equivalent to "u+rwx,g+rwx,o-rwx" , which I explain here:
u+rwx = for user (owner, which is "nobody"), give read/write/execute permissions
u+rwx = for group (which is also "nobody"), give read/write/execute permissions
o-rxw = for others, remove the read/write/execute permissions
After that, your FTP user, which is now part of the "nobody" group, will have read//write access to the uploaded files, and thus can also delete the files. It would look like this:
-rwxrwx--- 1 nobody nobody 12288 Oct 24 00:22 avatar.png
It's not the ideal introduction to unix file permissions, but I hope this helps.
The user that PHP runs under - nobody - is set by the system administrator. There's nothing you can do about that.
You can try chown() to change the file's owner if you know the FTP user's ID. Usually though, you will not be allowed to do this from within PHP.
Depending on the group situation on the server, it could be that if you use chmod to change the file's access rights after the file has been uploaded, the FTP account can access the file:
Try this first:
chmod($uploaded_file, 0660); // owner+group read+write
If that doesn't work, try this:
chmod($uploaded_file, 0666); // global read+write
one of these should make the file usable by the FTP account.
The 0666 is highly discouraged because other users on the server could write into your files, but in some configurations, it's the only way to get going.

Resources