in a buildroot environment I added one user to the group wheel. Now I can execute commands with the root's privileges using sudo.
It seems it works but when I try to export a pin on my RPi I always get Permission denied:
rpi:~$ sudo echo 4 > /sys/class/gpio/export
sh: can't create /sys/class/gpio/export: Permission denied
Here the contents of that directory:
rpi:~$ ls -l /sys/class/gpio/
total 0
--w------- 1 root root 4096 Jan 1 00:00 export
lrwxrwxrwx 1 root root 0 Jan 1 00:00 gpiochip0 -> ../../devices/platform/soc/3f200000.gpio/gpio/gpiochip0
--w------- 1 root root 4096 Jan 1 00:00 unexport
Isn't enough to get the root's privilege with sudo to write in the export file? I'm afraid about the owner and groups. In fact if I type:
rpi:~$ sudo chmod a+w /sys/class/gpio/*
then I can successfully export the pin. But I don't know if this is the best way to do this.
When you run the command sudo echo 4 > /sys/class/gpio/export, it first executes sudo echo 4 which runs echo with elevated privileges (which is kind of pointless). Then the result is passed by the shell (not by echo) to a new command of /sys/class/gpio/export, which because it is a new command it isn't executed with elevated privileges.
There is a Unix.SE question here which explains this and the options.
In summary of that link you should be able to do something like:
sudo sh -c 'echo 4 > /sys/class/gpio/export'
Related
When a setuid program is run, are the permission bits for the owner technically rwx?
I was thinking that the first three permission bits were for the owner but thinking on it more if they were ---, this wouldn't make sense as a setUID program.
My understanding is the first three bits are for the user (i.e. the one currently logged in). Is this correct?
When a setuid program is run, are the permission bits for the owner technically rwx?
No.
When a setuid program is run, then (from chmod):
Executable files with this bit set will run with effective uid set to the uid of the file owner.
Nothing more, nothing less. The first three permission bits are for the owner, as you say. And yes, if the user did not have execute permission, that wouldn't make sense (and it wouldn't be an "executable file").
Is there a specific case you have in mind that you're having trouble testing?
You can do this, it will run the program with the effective uid of the owner.
However, it just won't work as you expect for setuid root binaries invoked by root. This is because root doesn't honor permission bits on executables in the way that other users do. When root runs a program it will execute if any of user, group or other executable permissions are present. Given it can execute the file, it will honor the user-setuid bit (but root defaults to effective uid of 0 so its redundant):
Here are two examples:
setuid root (which shows you can't prevent root from executing the program):
$ cp /usr/bin/id .
$ sudo chown root ./id
$ sudo chmod u-rwx ./id
$ sudo ./id
uid=0(root) gid=0(root) groups=0(root)
$ sudo chmod u+s ./id
$ ls -l ./id
---Sr-xr-x 1 2 root tinkerer Dec 5 07:25 ./id
$ ./id -u
0
$ sudo ./id -u
0
setuid bin (which shows it works exactly as you expect):
$ cp /usr/bin/id .
$ sudo chown bin ./id
$ sudo chmod u-rwx ./id
$ sudo -u bin ./id
sudo: unable to execute ./id: Permission denied
$ sudo chmod u+s ./id
$ ls -l ./id
---Sr-xr-x 1 2 bin tinkerer Dec 5 07:30 ./id
$ ./id -u
2
$ sudo ./id -u
2
$ sudo -u bin ./id
sudo: unable to execute ./id: Permission denied
I created a user with admin access named hadoop. The funny thing is that when I create a folder and try to give it 777 access it gives me back an error.
hadoop#linux:~$ mkdir testfolder
hadoop#linux:~$ ls -ltra testfolder/
total 8
drwxrwxrwx 25 hadoop sudo 4096 Jun 14 20:00 ..
drwxrwxr-x 2 hadoop hadoop 4096 Jun 14 20:00 .
hadoop#linux:~$ chmod -777 -R
testfolder/ chmod: cannot read directory ‘testfolder/’: Permission denied
Why is that when I am the creator of the directory ?
hadoop#linux:~$ groups
hadoop root sudo
Strangely, using the GUI, I can go in and right click the directory and change the file permissions. Can anyone help me understand what i am not understanding.
Note : I use Ubuntu 14
Your command chmod -777 -R testfolder/ is the issue here, more specific the - as part of the first argument.
Leave it away, just use chmod 777 -R testfolder/ and all should be fine...
Not exactly sure about the details, but the -777 should remove permissions, thus preventing access at least to the recursive portion of the command. I assume that is not what you want to do. Instead you probably want to grant more permissions to the directory. Looks like the command blocks itself. Though that might be by purpose, at least in an indirect manner.
So I "installed" SBT by following directions here under the "UNIX" section by downloading the jar and creating the sbt script to run it - however instead of putting it in ~/bin/ I put it in /usr/local/sbt/. I added it to my PATH variable and when I try to run it without sudo I get a Permission denied error (below). Also below is what I see when I type in ls -l in the sbt directory.
$ sbt compile
bash: /usr/local/sbt/sbt: Permission denied
-rwxrwxr-- 1 root wheel 120 Jun 20 09:21 sbt*
-rwxrwxr--# 1 adelbertc staff 1096763 Jun 20 09:20 sbt-launch.jar*
Help?
Try changing the permissions so that you can execute it:
sudo chmod o+x /usr/local/sbt/sbt /usr/local/sbt/sbt-launch.jar
Otherwise, you can add yourself to the wheel group, or change the owner so that you own it:
sudo chown adelbertcs:staff /usr/local/sbt/sbt
(assuming that your username is adelbertcs).
I am somewhat confused how soft links work in unix. See the example.
% cd /usr/local/
% ls -la
total 6
drwxr-xr-x 2 root root 512 Jan 19 15:03 .
drwxr-xr-x 41 root sys 1024 Jan 20 16:24 ..
lrwxrwxrwx 1 root root 38 Jan 19 15:03 java -> /otherDir/java/jdk1.6.0_17 **<- this is a soft link**
% cd java **<- move to the softlink**
% pwd
/usr/local/java **<- the current location, say LOCATION_A**
% cd /otherDir/java/jdk1.6.0_17/ **<-move to the location of the softlink**
% pwd
/otherDir/java/jdk1.6.0_17 **<- the new current location, say LOCATION_B**
Isn't this problematic that even though LOCATION_A is LOCATION_B, they have different paths?
Is there a command (other than pwd) that will give the real location of a file (not just how the user go there).
It seems to me like pwd is just the sum of a user's cd. NOT their current location.
Try pwd -P. It's not "other than pwd" but it does the trick, at least on my bash 4.0.35 on Fedora 12. YMMV.
Update: Even works with sh, so it seems to be portable.
This behaves like this with a purpose. If you cd to /a/b/c/d and then cd to .. then you realistically expect to be in /a/b/c. If c happens to be a symbolic link (or symlink in unix terms - but not soft link) that takes you to /f/g/h, with the behaviour you would like to have you would end up in /f/g and then you (or any program) would not understand how it got there.
You can use readlink on the current working directory to get the true directory name:
readlink `pwd`
Normally, pwd should return /usr/local/java in the last line, if i understand your example. But some shells have a build in pwd command that tries to be more "intelligent" handling symlinks in the current working directory.
Try /bin/pwd, do you get other results?
realpath does what you want.
It is not possible to absolutely get your path under all circumstances. This is a bit odd, but a variation of this (plus chroot and setuid) is sometimes used for locking down a process.
$ mkdir -p /tmp/a/b
$ cd /tmp/a/b
$ rmdir /tmp/a/b
$ chmod 0 /tmp/a
$ rmdir /tmp/a
$ ls ..
ls: cannot open directory ..: Permission denied
$ ls -al
total 0
$ pwd -P
pwd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
Does any operating system provide a mechanism (system call — not command line program) to change the pathname referenced by a symbolic link (symlink) — other than by unlinking the old one and creating a new one?
The POSIX standard does not. Solaris 10 does not. MacOS X 10.5 (Leopard) does not. (I'm tolerably certain neither AIX nor HP-UX does either. Judging from this list of Linux system calls, Linux does not have such a system call either.)
Is there anything that does?
(I'm expecting that the answer is "No".)
Since proving a negative is hard, let's reorganize the question.
If you know that some (Unix-like) operating system not already listed has no system call for rewriting the value of a symlink (the string returned by readlink()) without removing the old symlink and creating a new one, please add it — or them — in an answer.
Yes, you can!
$ ln -sfn source_file_or_directory_name softlink_name
AFAIK, no, you can't. You have to remove it and recreate it. Actually, you can overwrite a symlink and thus update the pathname referenced by it:
$ ln -s .bashrc test
$ ls -al test
lrwxrwxrwx 1 pascal pascal 7 2009-09-23 17:12 test -> .bashrc
$ ln -s .profile test
ln: creating symbolic link `test': File exists
$ ln -s -f .profile test
$ ls -al test
lrwxrwxrwx 1 pascal pascal 8 2009-09-23 17:12 test -> .profile
EDIT: As the OP pointed out in a comment, using the --force option will make ln perform a system call to unlink() before symlink(). Below, the output of strace on my linux box proving it:
$ strace -o /tmp/output.txt ln -s -f .bash_aliases test
$ grep -C3 ^unlink /tmp/output.txt
lstat64("test", {st_mode=S_IFLNK|0777, st_size=7, ...}) = 0
stat64(".bash_aliases", {st_mode=S_IFREG|0644, st_size=2043, ...}) = 0
symlink(".bash_aliases", "test") = -1 EEXIST (File exists)
unlink("test") = 0
symlink(".bash_aliases", "test") = 0
close(0) = 0
close(1) = 0
So I guess the final answer is "no".
EDIT: The following is copied from Arto Bendiken's answer over on unix.stackexchange.com, circa 2016.
This can indeed be done atomically with rename(2), by first creating the new symlink under a temporary name and then cleanly overwriting the old symlink in one go. As the man page states:
If newpath refers to a symbolic link the link will be overwritten.
In the shell, you would do this with mv -T as follows:
$ mkdir a b
$ ln -s a z
$ ln -s b z.new
$ mv -T z.new z
You can strace that last command to make sure it is indeed using rename(2) under the hood:
$ strace mv -T z.new z
lstat64("z.new", {st_mode=S_IFLNK|0777, st_size=1, ...}) = 0
lstat64("z", {st_mode=S_IFLNK|0777, st_size=1, ...}) = 0
rename("z.new", "z") = 0
Note that in the above, both mv -T and strace are Linux-specific.
On FreeBSD, use mv -h alternately.
Editor's note: This is how Capistrano has done it for years now, ever since ~2.15. See this pull request.
It is not necessary to explicitly unlink the old symlink. You can do this:
ln -s newtarget temp
mv temp mylink
(or use the equivalent symlink and rename calls). This is better than explicitly unlinking because rename is atomic, so you can be assured that the link will always point to either the old or new target. However this will not reuse the original inode.
On some filesystems, the target of the symlink is stored in the inode itself (in place of the block list) if it is short enough; this is determined at the time it is created.
Regarding the assertion that the actual owner and group are immaterial, symlink(7) on Linux says that there is a case where it is significant:
The owner and group of an existing symbolic link can be changed using
lchown(2). The only time that the ownership of a symbolic link matters is
when the link is being removed or renamed in a directory that has the sticky
bit set (see stat(2)).
The last access and last modification timestamps of a symbolic link can be
changed using utimensat(2) or lutimes(3).
On Linux, the permissions of a symbolic link are not used in any operations;
the permissions are always 0777 (read, write, and execute for all user
categories), and can't be changed.
Just a warning to the correct answers above:
Using the -f / --force Method provides a risk to lose the file if you mix up source and target:
mbucher#server2:~/test$ ls -la
total 11448
drwxr-xr-x 2 mbucher www-data 4096 May 25 15:27 .
drwxr-xr-x 18 mbucher www-data 4096 May 25 15:13 ..
-rw-r--r-- 1 mbucher www-data 4109466 May 25 15:26 data.tar.gz
-rw-r--r-- 1 mbucher www-data 7582480 May 25 15:27 otherdata.tar.gz
lrwxrwxrwx 1 mbucher www-data 11 May 25 15:26 thesymlink -> data.tar.gz
mbucher#server2:~/test$
mbucher#server2:~/test$ ln -s -f thesymlink otherdata.tar.gz
mbucher#server2:~/test$
mbucher#server2:~/test$ ls -la
total 4028
drwxr-xr-x 2 mbucher www-data 4096 May 25 15:28 .
drwxr-xr-x 18 mbucher www-data 4096 May 25 15:13 ..
-rw-r--r-- 1 mbucher www-data 4109466 May 25 15:26 data.tar.gz
lrwxrwxrwx 1 mbucher www-data 10 May 25 15:28 otherdata.tar.gz -> thesymlink
lrwxrwxrwx 1 mbucher www-data 11 May 25 15:26 thesymlink -> data.tar.gz
Of course this is intended, but usually mistakes occur. So, deleting and rebuilding the symlink is a bit more work but also a bit saver:
mbucher#server2:~/test$ rm thesymlink && ln -s thesymlink otherdata.tar.gz
ln: creating symbolic link `otherdata.tar.gz': File exists
which at least keeps my file.
Wouldn't unlinking it and creating the new one do the same thing in the end anyway?
Just in case it helps: there is a way to edit a symlink with midnight commander (mc).
The menu command is (in French on my mc interface):
Fichier / Éditer le lien symbolique
which may be translated to:
File / Edit symbolic link
The shortcut is C-x C-s
Maybe it internally uses the ln --force command, I don't know.
Now, I'm trying to find a way to edit a whole lot of symlinks at once (that's how I arrived here).
Technically, there's no built-in command to edit an existing symbolic link. It can be easily achieved with a few short commands.
Here's a little bash/zsh function I wrote to update an existing symbolic link:
# -----------------------------------------
# Edit an existing symbolic link
#
# #1 = Name of symbolic link to edit
# #2 = Full destination path to update existing symlink with
# -----------------------------------------
function edit-symlink () {
if [ -z "$1" ]; then
echo "Name of symbolic link you would like to edit:"
read LINK
else
LINK="$1"
fi
LINKTMP="$LINK-tmp"
if [ -z "$2" ]; then
echo "Full destination path to update existing symlink with:"
read DEST
else
DEST="$2"
fi
ln -s $DEST $LINKTMP
rm $LINK
mv $LINKTMP $LINK
printf "Updated $LINK to point to new destination -> $DEST"
}
You can modify the softlink created once in one of the two ways as below in Linux
one is where you can remove existing softlink with rm and again create new softlink with ln -s command .
However this can be done in one step , you can replace existing softlink with updated path with "ln -vfns Source_path Destination_path" command.
Listing initial all files in directory
$ ls -lrt
drwxrwxr-x. 3 root root 110 Feb 27 18:58 test_script
$
Create softlink test for test_script with ln -s command.
$ ln -s test_script test
$ ls -lrt
drwxrwxr-x. 3 root root 110 Feb 27 18:58 test_script
lrwxrwxrwx. 1 root root 11 Feb 27 18:58 test -> test_script
$
Update softlink test with new directory test_script/softlink with single command
$ ln -vfns test_script/softlink/ test
'test' -> 'test_script/softlink/'
$
List new softlink location
$ ls -lrt
lrwxrwxrwx. 1 root root 21 Feb 27 18:59 test -> test_script/softlink/
$
ln --help
-v, --verbose print name of each linked file
-f, --force remove existing destination files
-n, --no-dereference treat LINK_NAME as a normal file if it is a symbol
-s, --symbolic make symbolic links instead of hard links