What permissions does the home directory need for ssh? - openssh

I have created several Linux users with a home directory in a container and now I want to connect via ssh.
addgroup -S user1 && adduser -S user1 -G user1 -s /bin/sh
addgroup -S user2 && adduser -S user2 -G user2 -s /bin/sh
I then have the following directory structure in the container:
/home/
/home/user1/.ssh/
/home/user2/.ssh/
I noticed that the connection only works if the /home directory belongs to the respective user. Why is that?
ls -la /home
drwx------ 1 user1 user1 37 Jun 23 09:25 .
drwxr-xr-x 1 root root 92 Jun 23 12:17 ..
drwxr-sr-x 1 user1 user1 38 Jun 23 14:37 user1
drwxr-sr-x 1 user2 user2 38 Jun 23 14:43 user2
In this case I can log in via ssh as user1 without any problems. When logging in with user2 I get an error message - Permission denied (publickey).
If I now give the home directory to user2 instead of user1, I can log in with user2 but no longer with user1.
ls -la /home
drwx------ 1 user2 user2 37 Jun 23 09:25 .
drwxr-xr-x 1 root root 92 Jun 23 12:17 ..
drwxr-sr-x 1 user1 user1 38 Jun 23 14:37 user1
drwxr-sr-x 1 user2 user2 38 Jun 23 14:43 user2
How do I have to change my configuration so that I can log in with both users via ssh?

As mentioned by user Progman:
The /home directory shouldn't be owned by any "normal" user. No "normal" user should own the content of the other users. Instead it should be owned by root and the directory permissions should be something like rwxr-xr-x
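To see which directory blocks a given user, the following added example (not part of the original thread) walks every component from / down to the user's authorized_keys and applies the owner/group/other rule to each one. sshd opens that file with the privileges of the user logging in, so a /home with mode drwx------ owned by user1 stops user2 at /home. The function names has_perm and audit_path are hypothetical, and the script assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the original thread. Needs `stat -c` (GNU coreutils
# or BusyBox). Only classic mode bits are evaluated, not POSIX ACLs.

# has_perm MODE OWNER_UID OWNER_GID UID "GIDS" WANT
# WANT is 1 (search a directory) or 4 (read a file). Exactly one triad is
# consulted: owner if UID owns the entry, else group, else other.
has_perm() {
    hp_bits=$((0$1 & 0777))
    if [ "$4" -eq 0 ]; then return 0; fi      # root bypasses read/search checks
    hp_shift=0
    if [ "$4" -eq "$2" ]; then
        hp_shift=6
    else
        for hp_g in $5; do
            if [ "$hp_g" -eq "$3" ]; then hp_shift=3; fi
        done
    fi
    [ $(( (hp_bits >> hp_shift) & $6 )) -ne 0 ]
}

# audit_path UID "GIDS" FILE
# Print a verdict for every component from / down to FILE. Returns 1 if the
# identity is denied anywhere, 2 if a component cannot be examined.
audit_path() {
    ap_uid=$1 ap_gids=$2 ap_rest=${3#/} ap_cur=/ ap_rc=0
    while :; do
        ap_want=1                                  # directories: search (x)
        if [ -z "$ap_rest" ]; then ap_want=4; fi   # final component: read (r)
        ap_stat=$(stat -L -c '%a %u %g' "$ap_cur") || return 2
        set -- $ap_stat
        if has_perm "$1" "$2" "$3" "$ap_uid" "$ap_gids" "$ap_want"; then
            ap_v=ok
        else
            ap_v=DENY ap_rc=1
        fi
        printf '%-4s %s (mode %s, owner %s:%s)\n' "$ap_v" "$ap_cur" "$1" "$2" "$3"
        if [ -z "$ap_rest" ]; then break; fi
        ap_cur=${ap_cur%/}/${ap_rest%%/*}
        case $ap_rest in */*) ap_rest=${ap_rest#*/} ;; *) ap_rest= ;; esac
    done
    return "$ap_rc"
}

# Usage, run as root inside the container (user2 is the account from the question):
#   audit_path "$(id -u user2)" "$(id -G user2)" /home/user2/.ssh/authorized_keys
```

With /home owned by root and mode rwxr-xr-x, every line for both users reads ok; a DENY line names the component to fix.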

Related

Can't run go permission denied?

david@raspberrypi:~ $ go env
-bash: /usr/bin/go: Permission denied
this is my bash.rc
export GOPATH=$HOME/go
$HOME/.bashrc
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
If I run ls -lah on my david@raspberrypi, I get the following:
david@raspberrypi:~ $ ls -lah
total 28K
drwxr-xr-x 3 david david 4.0K Mar 2 22:20 .
drwxr-xr-x 4 root root 4.0K Mar 2 20:03 ..
-rw------- 1 david david 3.1K Mar 2 21:48 .bash_history
-rw-r--r-- 1 david david 220 Mar 2 20:03 .bash_logout
-rw-r--r-- 1 david david 3.6K Mar 2 22:15 .bashrc
lrwxrwxrwx 1 david root 11 Mar 2 21:31 go -> /usr/lib/go
drwxr-xr-x 2 david david 4.0K Mar 2 20:25 .nano
-rw-r--r-- 1 david david 675 Mar 2 20:03 .profile
I am assuming that the user you're logged in as doesn't have permissions to run go.
To find that out, run the following
$ which go
/usr/local/go/bin/go
$ ls -l $(which go)
-rwxr-xr-x 1 root wheel 12896684 Jan 24 01:28 /usr/local/go/bin/go
From the above we know that the owner is root and group owner is wheel.
Now run echo $USER to see who the logged-in user is.
Since you're getting permission denied to run go as $USER, you may want to add the user into the group mentioned in ls -l. So, run the below.
$ usermod -aG wheel $USER
And reboot the system! Then try go env again to see if it works.
-a is for append
-G is for which groups to append
usermod docs
Remember wheel is the group owner that I got while running ls -l. Yours might be different.
This usermod command is for Ubuntu. In your case, it is a Raspberry Pi, so Raspbian OS. Find out the correct options, as they change from OS to OS.

chown: /usr/local: Operation not permitted - issue with brew update /usr/local is not writable - MacOS 10.13.1 high sierra

I am unable to do brew update because I can’t chown /usr/local:
$ brew update
Error: /usr/local is not writable. You should change the ownership
and permissions of /usr/local back to your user account:
sudo chown -R $(whoami) /usr/local
based on this: https://github.com/Homebrew/brew/issues/385
I tried these 2 chown commands but they didn't work:
$ sudo chown -R $(whoami) $(brew --prefix)
chown: /usr/local: Operation not permitted
$ sudo chown -R $(whoami) /usr/local
chown: /usr/local: Operation not permitted
Here is my /usr/local listing:
$ cd /usr/local
$ ls -al
total 56
drwxr-xr-x 23 root wheel 736 Dec 2 15:24 .
drwxr-xr-x@ 9 root wheel 288 Oct 26 00:22 ..
-rw-r--r-- 1 megasap wheel 0 Dec 2 15:11 .com.apple.installer.keep
drwxr-xr-x 16 megasap admin 512 Jan 11 14:08 .git
drwxr-xr-x 5 megasap admin 160 Dec 2 15:24 .github
-rw-r--r-- 1 megasap admin 1112 Aug 11 2016 .gitignore
-rw-r--r-- 1 megasap admin 253 Aug 11 2016 .travis.yml
-rw-r--r-- 1 megasap admin 291 Aug 11 2016 .yardopts
-rw-r--r-- 1 megasap admin 3161 Aug 11 2016 CODEOFCONDUCT.md
drwxr-xr-x 35 megasap admin 1120 Jan 11 11:35 Cellar
-rw-r--r-- 1 megasap admin 1241 Jan 26 2016 LICENSE.txt
drwxr-xr-x 9 megasap admin 288 Dec 2 15:25 Library
-rw-r--r-- 1 megasap admin 5451 Aug 11 2016 README.md
drwxr-xr-x 262 megasap admin 8384 Jan 11 23:09 bin
drwxr-xr-x 11 megasap admin 352 Dec 2 15:25 etc
drwxr-xr-x 57 megasap staff 1824 Dec 2 15:25 include
drwxr-xr-x 102 megasap staff 3264 Dec 2 15:25 lib
drwx------ 4 megasap wheel 128 Dec 2 15:24 libexec
drwxr-xr-x 3 megasap admin 96 Dec 2 15:23 n
drwxr-xr-x 34 megasap admin 1088 Dec 2 15:25 opt
drwxr-xr-x 8 megasap admin 256 Dec 2 15:24 sbin
drwxr-xr-x 16 megasap admin 512 Dec 2 15:25 share
drwxr-xr-x 8 megasap admin 256 Dec 2 15:25 var
I'm using macOS 10.13.1 High Sierra.
Reinstalling Homebrew worked for me
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
You may want to try:
sudo chown -R $(whoami) $(brew --prefix)/*
For more see: https://github.com/Homebrew/brew/issues/3228
Apparently this is due to mac's "system integrity configuration". To get around this you need to reboot your machine into recovery mode (restart your machine and hold down ⌘+R) go into Utilities > Terminal and type the command:
csrutil disable
reboot
And then run your chown command. I guess it's recommended to re-enable this after changing permissions, to restore the security.
Full disclosure, I haven't tried this myself - I'll give it a go later today since it's a massive PITA. For the record, I'm only attempting to install python3.
Original information
On Mac, I have to give "Full Disk Access" to the terminal using the below page -
https://macreports.com/terminal-says-operation-not-permitted-on-mac-fix/
Uninstall and install Homebrew using https://github.com/Homebrew/install

combine cp / chmod to modify perms during cp

I was looking for a way to cp a file and mod its perms to 400 at the same time... after some testing in the public_html folder...
public_html >> ls -lah
-rw-r--r-- 1 user user 0 Feb 27 14:21 a.txt
public_html >> cp a.txt{,.bak}
-rw-r--r-- 1 user user 0 Feb 27 14:21 a.txt
-rw-r--r-- 1 root root 0 Feb 27 14:23 a.txt.bak
perms are still the same (644) and although the file is owned by root, it is still readable via public_html
public_html >> cp a.txt{,.bak} && chmod 400 a.txt.bak
-rw-r--r-- 1 user user 653 Feb 27 14:26 a.txt
-r-------- 1 root root 653 Feb 27 14:30 a.txt.bak
This works, but I'm looking for something for a set of newbs to use.
awk/sed command possibly?
I don't think I'm missing a cp flag that could modify the perms. I wasn't seeing anything and don't think there are any, but wanted to pick the collective brain.
thanks...
install(1) can both copy files and create directories, and set their permissions at the same time.
install -m 0400 foo bar/

Bash script acts differently depending on what executes it

I have a bash script which acts as a post-process script for utorrent-server that passes on variables to a media renamer called FileBot.
Script:
#!/bin/bash
TORRENT_NAME=$1
TORRENT_PATH=$2
TORRENT_LABEL=$3
TORRENT_KIND=$4
TORRENT_TITLE=$5
/usr/share/filebot/bin/filebot.sh -script fn:amc --output "/mnt/Storage/" \
--log-file "amc.log" --action move --conflict override -non-strict \
--def music=n subtitles=en artwork=n xbmc="192.168.0.123" deleteAfterExtract=y \
clean=y "ut_dir=$TORRENT_PATH" "ut_file=$TORRENT_NAME" "ut_kind=$TORRENT_KIND" \
"ut_title=$TORRENT_TITLE" "ut_label=$TORRENT_LABEL" "ut_state=5" "seriesFormat=TV \
Shows/{n}/Season {s.pad(2)}/{n} - {s00e00} - {t}" "movieFormat=Movies/{n} ({y})/{n} ({y})" \
&>> /home/xbmc/run.log
If I run this script manually, it works as intended; however, when uTorrent executes it, it returns "No such file or directory." via stderr. I originally had uTorrent calling this script directly; however, I was having the same issue.
Does anyone know what could cause this?
UPDATE (Permissions for all directories/folders):
drwxr-xr-x 3 root root 4096 Nov 27 23:52 /home
drwxr-xr-x 20 xbmc xbmc 4096 Dec 15 21:46 /home/xbmc
drwxr-xr-x 10 root root 4096 Oct 17 06:51 /usr
drwxr-xr-x 218 root root 4096 Dec 13 15:32 /usr/share
drwxr-xr-x 3 root root 4096 Dec 15 15:55 /usr/share/filebot
drwxr-xr-x 2 root root 4096 Dec 15 18:56 /usr/share/filebot/bin
-rwxr-xr-x 1 xbmc xbmc 615 Dec 15 21:44 /home/xbmc/run.sh
-rwxr-xr-x 1 root root 552 Dec 15 18:56 /usr/share/filebot/bin/filebot.sh
Change the current working directory.
If filebot.sh is the no-such-file, I suggest you try this:
chmod -R a+x /usr/share/filebot/bin/filebot.sh
If it is your run.sh,
chmod -R a+x /home/xbmc/run.sh
You can try running filebot.sh as the owner. I think it's worth a shot.
chown YOURUSERNAME /usr/share/filebot/bin/filebot.sh
chmod u+s /usr/share/filebot/bin/filebot.sh

Mount point permission change HDFS

How can I change the ownership of a mount point (mounting is done using HDFS-FUSE)?
chown -R user:user mount-point doesn't work (I mean it doesn't change the ownership).
My attempt:
[hduser@ocs /]$ ls -ltrhd hdfs1
drwxr-xr-x 1 root root 4.0K Mar 31 22:05 hdfs1
[hduser@ocs /]$ chown -R eucalyptus:eucalyptus hdfs1
[hduser@ocs /]$ ls -ltrhd hdfs1
drwxr-xr-x 1 root root 4.0K Mar 31 22:05 hdfs1
[hduser@ocs /]$
