Veracrypt container on mac - how to set permissions (compatible with .ssh files) - macos

I would like to know how to make the VeraCrypt volume (container) able to change permissions with chmod (and have key permissions compatible with ssh).
I wish to store my .ssh folder securely with VeraCrypt. But when I try to ssh using my credentials from a mounted VeraCrypt volume (on a Mac) I get an error: "Bad owner or permissions on xxxxxxx" and I cannot use ssh.
I tried to chown/chmod the files but it did not work. All files have permissions "-rwxrwxrwx" for my user, even when I mount the volume read-only.
Is there a way to set the permissions properly, or to use a different FS for the container?
I tried a volume in exFAT and FAT from a file.
I first tried with the GUI.
Then I tried this:
veracrypt /dev/sda3 /mnt/ssh --filesystem=none
sudo mount -t exfat -o -m=022 /dev/mapper/veracrypt1 /mnt/ssh
and with FAT:
veracrypt /dev/sda3 /mnt/ssh --filesystem=none
sudo mount -t fat -o -umask=022 /dev/mapper/veracrypt1 /mnt/ssh
but chmod still failed:
mount: exec /Library/Filesystems/lfs.fs/Contents/Resources/mount_[exfat/fat] for /mnt/ssh : No such file or directory
mount: /mnt/ssh failed with 72
Of course the /mnt/ssh directory does exist ;)
Am I misusing mount? Or missing some VeraCrypt options? Or did I choose the wrong filesystem?
Thank you !

Seems like choosing APFS works like a charm. And it's Linux compatible.
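The failure in the question comes from FAT/exFAT not storing POSIX mode bits, so OpenSSH's ownership and permission checks can never be satisfied there. The script below is an added example (not code from the question or the answer) that probes whether a mounted volume actually honours chmod before you put an .ssh directory on it, and then audits an .ssh directory for the modes OpenSSH insists on: private keys with no group/other bits, and config, known_hosts, authorized_keys, public keys and the directory itself not group- or world-writable. It assumes a POSIX shell and either GNU stat (-c) or BSD/macOS stat (-f); the probe file name is a constructed value.

```shell
#!/bin/sh
# Added example: check that a volume keeps POSIX modes, then audit an .ssh dir.
# Assumes GNU stat (Linux) or BSD stat (macOS); nothing else is required.

mode_of() {
    # Print the permission bits of $1 in octal (e.g. 600), portably.
    # GNU stat is tried first because BSD stat rejects -c cleanly with no output.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

perms_honoured() {
    # usage: perms_honoured /path/to/mounted/volume
    # Creates a probe file, sets it to 600 and reads the mode back.
    # Returns 0 only if the filesystem stored the mode (APFS, ext4, ...);
    # on FAT/exFAT the mode stays at whatever the mount's umask dictates.
    probe="$1/.perm-probe.$$"          # constructed, removed again below
    : > "$probe" || return 1
    chmod 600 "$probe" || { rm -f "$probe"; return 1; }
    m=$(mode_of "$probe")
    rm -f "$probe"
    [ "$m" = "600" ]
}

check_ssh_dir() {
    # usage: check_ssh_dir ~/.ssh
    # Prints each entry whose mode would make OpenSSH refuse it; returns 1 if any.
    # Private keys: no group/other bits at all (OpenSSH's "too open" check).
    # Everything else, including the directory: not writable by group/other
    # (the "Bad owner or permissions" check the question quotes).
    dir="$1"; rc=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        go=${m#"${m%??}"}             # last two octal digits: group and other
        case "$f" in
            "$dir"|*.pub|*/config|*/known_hosts|*/authorized_keys)
                case "$go" in
                    *[2367]*) echo "$f: mode $m is group/world writable"; rc=1 ;;
                esac ;;
            *)
                [ "$go" = "00" ] || { echo "$f: mode $m exposes a private key"; rc=1; } ;;
        esac
    done
    return $rc
}
```

Run `perms_honoured /Volumes/<container>` right after mounting: if it fails, no amount of chown/chmod will help and the container needs a POSIX filesystem such as APFS, as the answer found. `check_ssh_dir` is the same test OpenSSH applies, so a clean result means the copied directory will work.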

Related

Error installing Nix on macOS Catalina and Big Sur on FileVault-encrypted boot volume on Mac without T2 chip

I ran the following command to install Nix on my Mac:
sh <(curl -L https://nixos.org/nix/install) --daemon --darwin-use-unencrypted-nix-store-volume
And I got the following error:
error: refusing to create Nix store volume because the boot volume is
FileVault encrypted, but encryption-at-rest is not available.
Manually create a volume for the store and re-run this script.
See https://nixos.org/nix/manual/#sect-macos-installation
https://nixos.org/nix/manual/#sect-macos-installation says:
If you're using a recent Mac with a T2 chip, your drive will still be encrypted at rest (in which case "unencrypted" is a bit of a misnomer). To use this approach, just install Nix with:
sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume
If you don't like the sound of this, you'll want to weigh the other approaches and tradeoffs detailed in this section.
I don't have a mac with a T2 chip, so what do I do?
I found some related github issues, but no direct answer.
I chose to use the "Use a separate encrypted volume" suggestion as outlined by Philipp Haussleiter:
This approach only works if you have a disk that is formatted with APFS (that should always be the case if your OS is running off an SSD).
You can check this with:
% diskutil list | grep APFS
…
0: APFS Container Scheme - +250.8 GB disk1
…
Create another volume on your disk for Nix:
% sudo diskutil apfs addVolume disk1 'APFS' nix
Will export new APFS Volume "nix" from APFS Container Reference disk1
Started APFS operation on disk1
Preparing to add APFS Volume to APFS Container disk1
Creating APFS Volume
Created new APFS Volume disk1s6
Mounting APFS Volume
Setting volume permissions
Disk from APFS operation: disk1s6
Finished APFS operation on disk1
Your disk may not be named disk1s6. Find the name of your disk with:
% diskutil list | grep nix
4: APFS Volume nix 7.7 GB disk1s6
Again, your disk may not be named disk1s6.
Encrypt the disk:
You need to enter a passphrase for the encryption. You have to remember that passphrase once – you can add it to your keychain later on. After that the disk encryption will start in the background.
% sudo diskutil apfs encryptvolume disk1s6 -user disk
Passphrase for the new "Disk" user (672C4CFF-34C6-4407-83ED-294C1C42E161):
Repeat passphrase:
Starting background encryption with the new "Disk" crypto user on disk1s6
The new "Disk" user will be the only one who has initial access to disk1s6
The new APFS crypto user UUID will be 672C4CFF-34C6-4407-83ED-294C1C42E161
Background encryption is ongoing; see "diskutil apfs list" to see progress
Setup Mount Point:
macOS Catalina does not allow creating folders directly under your root path /. But we can use another method to have macOS create that folder for us. To do this, we have to add an entry to the file /etc/synthetic.conf:
% sudo bash -c 'echo nix >> /etc/synthetic.conf'
Now, the next time the system starts, a mount point /nix will be created. The next task is to have our volume mounted at boot.
Setup Mount:
For the mount configuration, we need the UUID of the volume. We can find this via the diskutil tool (again, your disk may not be named disk1s6):
% diskutil info /dev/disk1s6 | grep UUID
We must edit /etc/fstab with vifs:
% sudo vifs
(vifs behaves just like vi, so use vi commands to edit the file):
UUID=1D9389C1-5676-4077-88F5-8D5304A0B1A6 /nix apfs rw
(Your UUID will be different!)
Reboot. You will get a GUI prompt to enter your encryption passphrase,
and save it to the keychain.
I then ran:
sh <(curl -L https://nixos.org/nix/install) --daemon
The --darwin-use-unencrypted-nix-store-volume option isn't necessary because we have an encrypted volume now.
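The steps above (add an APFS volume, encrypt it, register the mount point in /etc/synthetic.conf, add an fstab entry by UUID) are easy to get wrong by hand, in particular picking the right UUID line out of `diskutil info`, which prints several. The script below is an added example and not Philipp Haussleiter's or the Nix project's code. It assumes macOS with diskutil(8), an APFS container named disk1 unless told otherwise, and that the "Volume UUID:" line of `diskutil info` is the identifier fstab(5) wants for an APFS volume; the sample `diskutil info` output used to exercise the parser is constructed from the UUID shown in the answer.

```shell
#!/bin/sh
# Added example: script the "separate encrypted volume" procedure for /nix.
# Assumes macOS, diskutil(8), and that fstab takes the "Volume UUID" of the volume.
set -eu

volume_uuid() {
    # Read `diskutil info <dev>` output from stdin and print only the Volume UUID.
    # diskutil prints several "... UUID:" lines; grep UUID alone is ambiguous.
    awk -F': *' '/^ *Volume UUID:/ { print $2; exit }'
}

fstab_entry() {
    # $1 = volume UUID, $2 = mount point. Same shape as the line entered via vifs.
    printf 'UUID=%s %s apfs rw\n' "$1" "$2"
}

setup_nix_volume() {
    # usage: setup_nix_volume [container] [volume-name]; defaults: disk1, nix
    container="${1:-disk1}"; name="${2:-nix}"; mnt="/$name"

    diskutil list | grep -q APFS || { echo "no APFS container found" >&2; return 1; }

    # 1. create the volume, then find the device node it was assigned (e.g. disk1s6)
    sudo diskutil apfs addVolume "$container" APFS "$name"
    dev=$(diskutil list | awk -v n="$name" '$0 ~ "APFS Volume " n " " { print $NF; exit }')
    [ -n "$dev" ] || { echo "volume $name not found after creation" >&2; return 1; }

    # 2. encrypt it; diskutil prompts for the passphrase, encryption runs in background
    sudo diskutil apfs encryptvolume "$dev" -user disk

    # 3. have macOS create the root-level mount point at next boot (idempotent)
    grep -qx "$name" /etc/synthetic.conf 2>/dev/null ||
        printf '%s\n' "$name" | sudo tee -a /etc/synthetic.conf >/dev/null

    # 4. mount by UUID at boot; the GUI asks for the passphrase after reboot
    uuid=$(diskutil info "/dev/$dev" | volume_uuid)
    [ -n "$uuid" ] || { echo "could not read Volume UUID of $dev" >&2; return 1; }
    fstab_entry "$uuid" "$mnt" | sudo tee -a /etc/fstab >/dev/null

    echo "reboot, then run: sh <(curl -L https://nixos.org/nix/install) --daemon"
}
```

Appending to /etc/fstab with tee rather than vifs means the file is not validated; check `cat /etc/fstab` before rebooting, and expect the passphrase prompt the answer describes on the next boot.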

Is there a way to recreate /dev within a directory on macOS for the purpose of chroot-ing?

I've been experimenting with running apps within a chroot-ed directory.
Many apps and binaries require access to items within /dev, such as /dev/null and /dev/random, to work.
Is there a way to recreate or bind mount the /dev filesystem within a directory to this end?
I have tried the following without success:
(Where root is the directory I want to chroot into)
$ sudo bindfs -o dev -o allow_other /dev ./root/dev/
Leading to:
$ cat ./root/dev/urandom
cat: ./root/dev/urandom: Operation not permitted
$ mount -t devfs devfs ./root/dev
Leading to:
$ cat ./root/dev/urandom
cat: ./root/dev/urandom: Device not configured
Attempting to manually make the devices with mknod doesn't work either.
$ sudo mknod null c 1 3
$ sudo chmod 666 ./null
$ cat ./null
cat: ./null: Operation not permitted
Is there a way to either use the existing /dev items within a chroot or to recreate them?
Unfortunately, there doesn't appear to be much documentation on using chroot with OSX/macOS on the internet.
Operating System Details: macOS Mojave, 10.14.6. SIP enabled.
Well, this one is mainly on me being dumb.
sudo mount -t devfs devfs ./dev
Works just fine.
If the above command is run without root, it will bind the devfs devices within ./dev, but all devices will respond with a "Device not configured" error. If it is run as root, all ./dev devices will work as expected.
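The difference the answer found (nodes present but every open failing with "Device not configured" when devfs is mounted without root) is worth checking mechanically rather than by cat-ing files one at a time. The script below is an added example, not code from the question or answer: it mounts devfs into a chroot directory only when running as root, and then verifies that the character devices most programs need actually respond to a one-byte read. It assumes macOS devfs for the mount step and a chroot directory at the path given as the argument (the question's ./root); the check functions are plain POSIX and work on any /dev.

```shell
#!/bin/sh
# Added example: mount devfs into a chroot directory and verify the device nodes.
# Assumes macOS for mount_chroot_dev; the check functions only need a POSIX shell.

mount_chroot_dev() {
    # usage: mount_chroot_dev ./root
    # devfs mounted by a non-root user shows nodes that cannot be opened, so refuse
    # early instead of producing the "Device not configured" state from the question.
    [ "$(id -u)" -eq 0 ] || { echo "mount_chroot_dev: run as root" >&2; return 1; }
    mkdir -p "$1/dev"
    mount -t devfs devfs "$1/dev"
}

umount_chroot_dev() {
    # usage: umount_chroot_dev ./root  (as root); leaves no device exposure behind
    umount "$1/dev"
}

dev_node_works() {
    # $1 = path to a character device. Reading one byte succeeds only when the
    # node is wired to a configured driver; /dev/null yields 0 bytes but succeeds.
    [ -c "$1" ] && head -c 1 "$1" >/dev/null 2>&1
}

chroot_dev_check() {
    # usage: chroot_dev_check ./root
    # Reports each of the nodes the question names (plus /dev/zero) as ok/unusable;
    # returns 1 if any is missing or cannot be read.
    rc=0
    for n in null zero urandom random; do
        if dev_node_works "$1/dev/$n"; then
            echo "$1/dev/$n ok"
        else
            echo "$1/dev/$n unusable" >&2; rc=1
        fi
    done
    return $rc
}
```

Note that devfs exposes the whole device tree, disks included, inside the chroot; chroot limits the filesystem view, not device access, so this is a way to run software in a directory, not a sandbox boundary.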

chmod WSL (Bash) doesn't work

Running bash on Windows 10, the simple syntax below works when I SSH to my webserver, but not when I exit out and am on my local machine. It doesn't give me an error, but I can see the permissions are unchanged. I have checked that I am set up as an administrator on my computer. Is this an error, or is this just a consequence of the local operating system being Windows? If the latter, it makes me question the value of using bash on Windows if common operations such as this won't work.
$ chmod 644 filename
To enable changing file owners & permissions, you need to edit /etc/wsl.conf and insert the below config options:
[automount]
options = "metadata"
Do this inside the WSL shell, potentially needing sudo to edit/create the file.
This may require restarting WSL (such as with wsl --shutdown, which is a Windows command, not one within WSL) or the host machine to take effect. This has been possible since 2018:
You can now set the owner and group of files using chmod/chown and modify read/write/execute permissions in WSL. You can also create special files like fifos, unix sockets, and device files. We’re introducing new mounting options with DrvFs for projecting permissions onto files alongside providing new Linux metadata on files and folders.
[cite: Microsoft Dev Blog]
You can also temporarily re-mount a drive with the following commands:
sudo umount /mnt/c
sudo mount -t drvfs C: /mnt/c -o metadata
...but please note that the command only takes effect in session scope. If you exit the current bash session, you'll lose your settings (credit: answerer Amade).
Reference:
Automatically Configuring WSL
There was an update to WSL recently (source), which lets you change permissions to files (Insider Build 17063).
All you have to do is to run:
sudo umount /mnt/c
sudo mount -t drvfs C: /mnt/c -o metadata
Both Amade's and Chaos's answers are correct.
But it only works for local drives, not for mapped network drives. Z: is one of my network drives. The same operation on /mnt/c/Users/xxx/ works fine.
$ sudo mount -t drvfs Z: /mnt/z -o metadata
$ touch test
$ chmod +w test
chmod: changing permissions of 'test': Operation not permitted
This is a known issue, see drvfs: metadata (chmod\chown) possible for mounted SMB drives?
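The answers above give two ways to get chmod/chown working on DrvFs: the persistent wsl.conf setting and the per-session remount. What none of them shows is how to tell which state the current session is in, which matters because a silently ignored chmod (the question's symptom) is indistinguishable from a successful one until you look at the mount options. The script below is an added example, not code from the thread: it checks whether a given /mnt/<drive> mount carries the metadata option, writes the persistent setting, and wraps the remount. It assumes the `mount` output formats of WSL (WSL 1 lists the type as drvfs; WSL 2 lists 9p with aname=drvfs in the options); the sample mount lines in the test are constructed, and the umask/fmask values are the ones Microsoft's wsl.conf documentation uses.

```shell
#!/bin/sh
# Added example: detect and enable DrvFs "metadata" so chmod/chown take effect.
# Assumes WSL's mount(8) line format; sample lines are constructed.

drvfs_has_metadata() {
    # usage: mount | drvfs_has_metadata /mnt/c
    # Returns 0 if the mount point exists, is DrvFs-backed, and its option list
    # includes "metadata" (separated by , or ; in WSL 1 / WSL 2 respectively).
    awk -v mp="$1" '
        $3 == mp && $0 ~ /drvfs/ {
            found = 1
            if ($0 ~ /[(,;]metadata[,;)]/) ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }'
}

write_wsl_conf() {
    # Persistent form of the fix from the accepted answer: every new session mounts
    # with metadata; umask=22/fmask=11 yield 755 directories and 644 files so that
    # files do not show up as executable for everyone. Needs wsl --shutdown to apply.
    sudo tee /etc/wsl.conf >/dev/null <<'EOF'
[automount]
options = "metadata,umask=22,fmask=11"
EOF
}

remount_with_metadata() {
    # usage: remount_with_metadata c C:   (session-scoped, as in the thread)
    sudo umount "/mnt/$1" && sudo mount -t drvfs "$2" "/mnt/$1" -o metadata
}

report_drive() {
    # usage: report_drive c  -> prints the state and returns 0 when metadata is on
    if mount | drvfs_has_metadata "/mnt/$1"; then
        echo "/mnt/$1: metadata enabled, chmod/chown will be honoured"
    else
        echo "/mnt/$1: metadata missing, chmod/chown are silently ignored" >&2
        return 1
    fi
}
```

As the last answer notes, a network drive mounted this way still rejects chmod with "Operation not permitted" even with metadata; the check above reports the option as present in that case, so it confirms the mount configuration, not the SMB server's behaviour.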

Get permission to work with files on my Amazon EC2 Ubuntu server using FTP-WinSCP

I have an Ubuntu server on Amazon. I installed everything for working with it (PHP, MySQL, phpMyAdmin, Apache...). The problem is that I can't move around or edit files using FTP.
I get the error message:
Permission denied.
Error code: 3
Error message from server: Permission denied
from my WINSCP.
The only way I can transfer/edit files is using 'putty' with the sudo/nano command.
I found a lot of information about this on Google, but there is no updated solution I can find. Linux isn't my usual workspace.
How do I get the permissions working for WinSCP?
A lot of answers say to change permissions on /var/www/ ... however AWS shortcuts out of the WWW folder and into the /var/app/current/ directory. If all else fails, try:
sudo chown -R -v ec2-user /var/app/current/
On the Ubuntu image in AWS, the default user is ubuntu. Instead of using system folders like /var/..., it is better to use /home/your_folder. Then change the ownership using the chown command. For example:
$ sudo chown -R -v ubuntu /home/your_folder/
This will change the ownership of 'your_folder' and the contents inside it from the 'root' user to 'ubuntu'. Then WinSCP should be able to upload/delete/create files using SFTP/FTP etc.
I had the same issues. The solution is: you can solve this by changing the WordPress ownership:
sudo chown -R www-data:ubuntu /var/www/wordpress
Then, change the permissions for the particular files and directories; type the commands:
sudo find /var/www/wordpress/ -type d -exec chmod 755 {} \;
sudo find /var/www/wordpress/ -type f -exec chmod 644 {} \;
Apart from this, set the following important files to chmod 600 so that only the owner has full read and write access to these files:
sudo chmod 600 /var/www/wordpress/wp-config.php
sudo chmod 600 /var/www/wordpress/.htaccess
Then everything will work. You will be able to access your WordPress files.
For me, using the free tier from cloud providers will not give you root access. To fix this you have to change the folder permissions from SSH, or try this solution:
OS: Windows 10 Pro
Open WinSCP; instead of SFTP select SCP, go to Advanced settings, click on SCP/Shell and change the shell option to sudo su -
Now you will be able to get permission.
Change the file permissions with the command chmod 777 /var/app/current/ and transfer files to the directory.
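The answers above range from a targeted scheme (www-data ownership, 755 directories, 644 files, 600 for wp-config.php and .htaccess) to `chmod 777` on the whole deployment directory, which makes every file writable by any local account, including the web server's. The script below is an added example, not code from the thread: it applies the targeted scheme as functions and adds a scan for world-writable entries so a 777 shortcut can be found and reverted. It assumes Ubuntu with Apache running as www-data and uses the thread's paths; the document root passed in the test is a constructed temporary directory. On a real server the ownership step needs root (sudo), exactly as in the answers.

```shell
#!/bin/sh
# Added example: apply the web-root ownership/mode scheme from the thread and
# find anything left world-writable. Assumes Apache as www-data on Ubuntu.

set_webroot_modes() {
    # usage: set_webroot_modes /var/www/wordpress
    # Directories 755, regular files 644, then the two secrets down to 600.
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    for secret in wp-config.php .htaccess; do
        [ -f "$root/$secret" ] && chmod 600 "$root/$secret"
    done
    return 0
}

set_webroot_owner() {
    # usage: set_webroot_owner /var/www/wordpress ubuntu   (run via sudo)
    # Owner www-data lets Apache read everything; the group is the SFTP login user.
    chown -R www-data:"$2" "$1"
}

find_world_writable() {
    # usage: find_world_writable /var/app/current
    # Prints every entry others can write to (octal o+w); empty output means clean.
    find "$1" -perm -002
}

mode_of() {
    # Octal permission bits of $1, GNU stat first, BSD stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_webroot() {
    # usage: audit_webroot /var/www/wordpress
    # Returns 1 and lists offenders if anything is world-writable or a secret is
    # readable beyond its owner.
    rc=0
    ww=$(find_world_writable "$1")
    [ -z "$ww" ] || { printf 'world-writable:\n%s\n' "$ww"; rc=1; }
    for secret in wp-config.php .htaccess; do
        [ -f "$1/$secret" ] || continue
        m=$(mode_of "$1/$secret")
        [ "$m" = "600" ] || [ "$m" = "400" ] || { echo "$1/$secret: mode $m, expected 600"; rc=1; }
    done
    return $rc
}
```

With www-data:ubuntu and 644/755 the ubuntu login can read but not write, so uploads through WinSCP will still fail; the answers that work around that either make ubuntu the owner (the /home/your_folder suggestion) or run the WinSCP shell as root. Either is preferable to world-writable files, which `audit_webroot` will keep flagging.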

boot2docker startup script to mount local shared folder with host

I'm running boot2docker 1.3 on Win7.
I want to connect a shared folder.
In the VirtualBox Manager under the image properties -> Shared Folders I've added the folder I want and named it "c/shared". The "auto-mount" and "make permanent" boxes are checked.
When boot2docker boots, it isn't mounted though. I have to run an additional:
sudo mount -t vboxsf c/shared /c/shared
for it to show up.
Since I need that every time I'll ever use docker, I'd like that to just run on boot, or to just already be there. So I thought there might be some startup script I could add, but I can't seem to find where that would be.
Thanks
EDIT: It's yelling at me about this being a duplicate of Boot2Docker on Mac - Accessing Local Files which is a different question. I wanted to mount a folder that wasn't one of the defaults such as /User on OSX or /c/Users on windows. And I'm specifically asking for startup scripts.
/var/lib/boot2docker/bootlocal.sh probably fits your need; it will be run by the initial script /opt/bootscripts.sh
And bootscripts.sh will also put the output into /var/log/bootlocal.log, see the segment below (boot2docker 1.3.1 version)
# Allow local HD customisation
if [ -e /var/lib/boot2docker/bootlocal.sh ]; then
    /var/lib/boot2docker/bootlocal.sh > /var/log/bootlocal.log 2>&1 &
fi
One use case for me is: I usually put the shared directory at /c/Users/larry/shared, then I add the script
#!/bin/bash
ln -s /c/Users/larry/shared /home/docker/shared
So each time, I can access ~/shared in boot2docker the same as on the host
see FAQ.md (provided by #KCD)
If using boot2docker (Windows) you should do the following:
First create a shared folder for the boot2docker VM:
"C:/Program Files/Oracle/VirtualBox/VBoxManage" sharedfolder add default -name some_shared_folder -hostpath /c/some/path/on/your/windows/box
#Then make this folder automount
docker-machine ssh
vi /var/lib/boot2docker/profile
Add the following at the end of the profile file:
sudo mkdir /windows_share
sudo mount -t vboxsf some_shared_folder /windows_share
Restart docker-machine
docker-machine restart
Verify that the folder content is visible in boot2docker:
docker-machine ssh
ls -al /windows_share
Now you can mount the folder either using docker run or docker-compose.
E.g.:
docker run -it --rm --volume /windows_share:/windows_share ubuntu /bin/bash
ls -al /windows_share
If changes in the profile file are lost after a VM or Windows restart, please do the following:
1) Edit the file C:\Program Files\Docker Toolbox\start.sh and comment out the following line:
#line number 44 (or somewhere around that)
yes | "${DOCKER_MACHINE}" regenerate-certs "${VM}"
#change the line above to:
# yes | "${DOCKER_MACHINE}" regenerate-certs "${VM}"
Thanks for your help with this. An additional few flags I needed to add in order for the new mount to be accessible by the boot2docker "docker" user:
sudo mount -t vboxsf -o umask=0022,gid=50,uid=1000 Ext-HD /Volumes/Ext-HD
With docker 1.3 you do not need to mount manually anymore. Volumes should work properly as long as the source on the host VM is in your user directory.
https://blog.docker.com/2014/10/docker-1-3-signed-images-process-injection-security-options-mac-shared-directories/
I can't make it work following Larry Cai's instructions. I figured I could make changes to "c:\Program Files\Boot2Docker for Windows\start.sh"; add the following:
eval "$(./boot2docker.exe shellinit 2>/dev/null | sed 's,\\,\\\\,g')"
your mount command
eval "$(./boot2docker ssh 'sudo mount -t vboxsf c/shared /c/shared')"
I also add the command to start my container here.
eval "$(docker start KDP)"
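The pieces of a working bootlocal.sh are spread over several answers: the hook location and log file, the symlink into the docker user's home, and the uid/gid/umask mount flags that make the share usable by that user. The script below is an added example that combines them into one idempotent file; it is not the boot2docker project's script. It assumes VirtualBox Guest Additions inside the VM, a shared folder named c/shared as in the question, and boot2docker's "docker" user with uid 1000 and gid 50, the values from the mount flags answer. The mount table line used to exercise the already-mounted check is constructed.

```shell
#!/bin/sh
# /var/lib/boot2docker/bootlocal.sh  (added example; run by /opt/bootscripts.sh,
# output lands in /var/log/bootlocal.log). Assumes vboxsf and the docker user
# (uid 1000, gid 50) from the thread.

SHARE_NAME="c/shared"          # VirtualBox shared-folder name from the question
MOUNT_POINT="/c/shared"
LINK="/home/docker/shared"

share_mounted() {
    # usage: share_mounted /c/shared < /proc/mounts
    # Returns 0 if something is already mounted at the mount point, so re-running
    # the hook (or running it by hand) does not stack a second mount.
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }'
}

mount_share() {
    if share_mounted "$MOUNT_POINT" < /proc/mounts; then
        echo "$MOUNT_POINT already mounted"
    else
        mkdir -p "$MOUNT_POINT"
        # vboxsf does not honour chmod/chown from the guest: ownership and modes are
        # fixed at mount time, so the uid/gid/umask flags are what give the docker
        # user access without falling back to world-writable files.
        mount -t vboxsf -o umask=0022,gid=50,uid=1000 "$SHARE_NAME" "$MOUNT_POINT" || return 1
    fi
    # ~/shared inside the VM, as in Larry Cai's answer; -n avoids nesting links on re-run
    ln -sfn "$MOUNT_POINT" "$LINK"
}

# Only act when executed as the hook itself, not when sourced for its functions.
case "$0" in
    *bootlocal.sh) mount_share ;;
esac
```

Mark the file executable (`chmod +x /var/lib/boot2docker/bootlocal.sh`), since bootscripts.sh executes it directly rather than through a shell, and check /var/log/bootlocal.log after the next boot for the mount error if the share name does not match the VirtualBox configuration.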
