trying to enable a user to see the letsencrypt keys - bash

I do not know if this is the right place to ask, but I'll give it a try.
I was trying to let user mysql read the letsencrypt keys.
Normally any user can see the live and the archive folders, so the mysql user can also:
debian:~# sudo -u mysql ls /etc/letsencrypt/archive/
example1.com example2.com example3.com
If I try to see the files in there:
debian:~# sudo -u mysql ls /etc/letsencrypt/archive/example1.com
ls: Zugriff auf /etc/letsencrypt/archive/example1.com/ nicht möglich: Keine Berechtigung
(which means in German: you have no right to see the files.)
Then I grabbed setfacl and tried to gain mysql access to the files, so I went:
setfacl -R -m "u:mysql:r" /etc/letsencrypt/archive/
Then I checked the ACL:
debian:~# getfacl /etc/letsencrypt/archive/example1.com
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: etc/letsencrypt/archive/example1.com
# owner: root
# group: root
user::rwx
user:mysql:r--
group::r-x
mask::r-x
other::r-x
Then I became confident and praised myself, as I always do when I do smart things.
For some reason I checked again:
debian:~# sudo -u mysql ls /etc/letsencrypt/archive/example1.com
ls: Zugriff auf /etc/letsencrypt/archive/example1.com/ nicht möglich: Keine Berechtigung
The user mysql still sees nothing. (setfacl --version 2.2.52)
Is there something I missed?

You need to set the executable bit (x) on the folder as well for a user to be able to actually navigate into the directory. Try the following:
setfacl -m "u:mysql:rx" /etc/letsencrypt/archive/
setfacl -R -m "u:mysql:r" /etc/letsencrypt/archive/*
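An added example (not code from the question or the answer above) that applies the answer's point at every level of the tree: directories get "rx" (the x, or search bit, is what lets a user enter them, and "u:mysql:r" alone lacks it) while regular files get "r"; symlinks are left alone. The user name and top directory are arguments; DRY_RUN=1 prints the setfacl commands instead of running them, so the plan can be reviewed before any private key is touched.

```shell
#!/bin/sh
# Added example for the ACL answer above, not from the original post.
# Directories need "rx" to be traversed, files only "r".
# DRY_RUN=1 prints each setfacl call instead of executing it.

apply_acl() {  # apply_acl ACL PATH
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'setfacl -m %s %s\n' "$1" "$2"
    else
        setfacl -m "$1" "$2"
    fi
}

grant_read_tree() {  # grant_read_tree USER TOPDIR
    user=$1 top=$2
    # Directories first: "rx" so the user can enter them (plain "r" only
    # allows listing names, which is why the question's ACL did not work).
    find "$top" -type d | while IFS= read -r d; do
        apply_acl "u:$user:rx" "$d"
    done
    # Regular files: read only. Symlinks (live/ points into archive/) are
    # skipped; they need no ACL of their own.
    find "$top" -type f | while IFS= read -r f; do
        apply_acl "u:$user:r" "$f"
    done
}

# Confirm from the target user's point of view (needs root to switch user).
check_read_as() {  # check_read_as USER FILE
    sudo -u "$1" cat "$2" >/dev/null 2>&1
}

# Typical use for the question's case (assumed paths):
#   grant_read_tree mysql /etc/letsencrypt/archive
#   grant_read_tree mysql /etc/letsencrypt/live
#   check_read_as mysql /etc/letsencrypt/live/example1.com/privkey.pem
```

Run it for both archive/ and live/, since the live/ symlinks are only usable if the user can also traverse the live/ directories.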

Related

Sudoers syntax error

Every time I run a sudo command, I get the following error message:
/etc/sudoers: syntax error near line 1 <<<
sudo: parse error in /etc/sudoers near line 1
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
My sudoers file within /etc/ is empty. How do I resolve this issue? I'm on Mac OS High Sierra.
You could try this link to grab some sudoers file examples. Re-create your sudoers file using the visudo command:
http://www.softpanorama.org/Access_control/Sudo/sudoer_file_examples.shtml
In case the link breaks, here is a "default" sudoers file that is described on that page:
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
##
# User alias specification
##
User_Alias     FULLTIMERS = millert, mikef, dowdy
User_Alias     PARTTIMERS = bostley, jwfox, crawl
User_Alias     WEBMASTERS = will, wendy, wim
##
# Runas alias specification
##
Runas_Alias    OP = root, operator
Runas_Alias    DB = oracle, sybase
##
# Host alias specification
##
Host_Alias     SPARC = bigtime, eclipse, moet, anchor:\
               SGI = grolsch, dandelion, black:\
               ALPHA = widget, thalamus, foobar:\
               HPPA = boa, nag, python
Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias     SERVERS = master, mail, www, ns
Host_Alias     CDROM = orion, perseus, hercules
##
# Cmnd alias specification
##
Cmnd_Alias     DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
               /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias     KILL = /usr/bin/kill
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias     HALT = /usr/sbin/halt
Cmnd_Alias     REBOOT = /usr/sbin/reboot
Cmnd_Alias     SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
               /usr/local/bin/tcsh, /usr/bin/rsh, \
               /usr/local/bin/zsh
Cmnd_Alias     SU = /usr/bin/su
Cmnd_Alias     VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
               /usr/bin/chfn
##
# Override built-in defaults
##
Defaults               syslog=auth
Defaults>root          !set_logname
Defaults:FULLTIMERS    !lecture
Defaults:millert       !authenticate
# "Defaults@HOSTS" scopes these settings to the hosts in the SERVERS alias
Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root           ALL = (ALL) ALL
%wheel         ALL = (ALL) ALL
# full time sysadmins can run anything on any machine without a password
FULLTIMERS     ALL = NOPASSWD: ALL
# part time sysadmins may run anything but need a password
PARTTIMERS     ALL = ALL
# jack may run anything on machines in CSNETS
jack           CSNETS = ALL
# lisa may run any command on any host in CUNETS (a class B network)
lisa           CUNETS = ALL
# operator may run maintenance commands and anything in /usr/oper/bin/
operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
               sudoedit /etc/printcap, /usr/oper/bin/
# joe may su only to operator
joe            ALL = /usr/bin/su operator
# pete may change passwords for anyone but root on the hp snakes
pete           HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob            SPARC = (OP) ALL : SGI = (OP) ALL
# jim may run anything on machines in the biglab netgroup
jim            +biglab = ALL
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred can run commands as oracle or sybase without a password
fred           ALL = (DB) NOPASSWD: ALL
# on the alphas, john may su to anyone but root and flags are not allowed
john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen            ALL, !SERVERS = ALL
# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill           SERVERS = /usr/bin/, !SU, !SHELLS
# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve          CSNETS = (operator) /usr/local/op_commands/
# matt needs to be able to kill things on his workstation when
# they get hung.
matt           valkyrie = KILL
# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www
# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
               /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Never open the sudoers file with a normal editor. Always use visudo.
Just type
sudo visudo
This will take you to /etc/sudoers and, upon saving, it will make sure that there is no error in formatting.
If you make an error in the sudoers file, you will lose sudo access, so always use visudo.
You can use pkexec if you are stuck.
pkexec allows you to execute a program as another user. If you don't specify a user, then the program will be executed as root.
Root Escalation
pkexec bash
Fix your syntax error
visudo
Ubuntu 20.04 encountered this error upon "sudo anycommand":
/etc/sudoers.d/sudoers: too many levels of includes near line 29 <<<
sudo: parse error in /etc/sudoers.d/sudoers near line 29
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
My solution:
Though I do not know how the sudoers file got created in /etc/sudoers.d.
After reading the README in /etc/sudoers.d:
Extract of README
Note that there must be at least one file in the sudoers.d directory (this one will do), and all files in this directory should be mode 0440.
I removed the sudoers file in /etc/sudoers.d:
pkexec rm /etc/sudoers.d/sudoers
The system will prompt for the user password.
sudo commands can then be executed as usual.
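An added example, not from any of the answers above: a pre-flight check for /etc/sudoers.d, so a bad drop-in is caught before it produces the "no valid sudoers sources found" lock-out. It enforces the rule quoted from the README (every file mode 0440) and, where visudo is installed, syntax-checks each fragment with "visudo -cf FILE" in place without editing it. The directory argument is optional and defaults to /etc/sudoers.d.

```shell
#!/bin/sh
# Added example for the sudoers thread above, not from the original posts.
# Checks /etc/sudoers.d (or the given directory) for the two things that
# break sudo: wrong file mode and unparsable content.

# Print drop-in files whose mode is not exactly 0440; return 1 if any.
sudoers_d_bad_modes() {
    dir=${1:-/etc/sudoers.d}
    # -perm 440 without a leading '-' means an exact match of the mode
    bad=$(find "$dir" -maxdepth 1 -type f ! -perm 440)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Syntax-check one fragment. 0 = accepted, 1 = rejected, 2 = no visudo here.
# "visudo -c" only parses; "-f" points it at the file instead of /etc/sudoers.
sudoers_syntax_ok() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}

# Run both checks over the directory; non-zero if anything is wrong.
sudoers_d_check() {
    dir=${1:-/etc/sudoers.d}
    rc=0
    if ! bad=$(sudoers_d_bad_modes "$dir"); then
        printf 'wrong mode (want 0440):\n%s\n' "$bad"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sudoers_syntax_ok "$f"
        case $? in
            1) echo "visudo -c rejected: $f"; rc=1 ;;
            2) echo "visudo not found, syntax not checked" >&2; break ;;
        esac
    done
    return $rc
}
```

Run "sudoers_d_check" after editing a drop-in and before closing your root shell; a plain "visudo -c" additionally validates /etc/sudoers together with everything it includes.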

Weird output when I run an sh file.

I've made an sh file:
#!/bin/bash
myvariable=Hello
anothervar=Fred
echo $myvariable $anothervar
echo
sampledir=/etc
ls $sampledir
When I run it with
$ sh simplevariables.sh
I get this output:
afpovertcp.cfg networks
afpovertcp.cfg~orig networks~orig
aliases newsyslog.conf
aliases.db newsyslog.d
apache2 nfs.conf
asl nfs.conf~orig
asl.conf notify.conf
auto_home ntp-restrict.conf
auto_master ntp.conf
auto_master~orig ntp_opendirectory.conf
autofs.conf openldap
bashrc pam.d
bashrc_Apple_Terminal passwd
bashrc~previous passwd~orig
com.apple.IPConfiguration.plist paths
com.apple.screensharing.agent.launchd paths~orig
csh.cshrc periodic
csh.cshrc~orig pf.anchors
csh.login pf.conf
csh.login~orig pf.os
csh.logout php-fpm.conf.default
csh.logout~orig php.ini.default
cups php.ini.default-previous
defaults postfix
dnsextd.conf ppp
efax.rc~previous profile
emond.d profile~orig
find.codes protocols
find.codes~orig protocols~previous
fstab.hd racoon
fstab.hd~previous rc.common
ftpd.conf rc.common~previous
ftpd.conf.default rc.netboot
ftpusers resolv.conf
ftpusers~orig rmtab
gettytab rpc
gettytab~orig rpc~previous
group rtadvd.conf
group~previous rtadvd.conf~previous
hosts security
hosts-original services
hosts.equiv services~previous
hosts~orig shells
irbrc shells~orig
kern_loader.conf snmp
kern_loader.conf~previous ssh
krb5.keytab ssl
localtime sudo_lecture
locate.rc sudoers
mach_init.d sudoers.d
mach_init_per_login_session.d sudoers~orig
mach_init_per_user.d syslog.conf
mail.rc syslog.conf~previous
mail.rc~orig ttys
man.conf ttys~previous
manpaths xtab
master.passwd zprofile
master.passwd~orig zshrc
nanorc
Any suggestions how to just get an output of
Hello Fred
What should I do to get rid of all the unnecessary garbo and just get the output?
This happens to all the other scripting files that I run as well. Any suggestions?
You should remove this:
sampledir=/etc
ls $sampledir
It is printing out the contents of /etc, and you are not seeing your wanted output.

apache chown on its files not working

My apache user generates one file:
# ls -lsa /tmp/reference_file.csv
76 -rwxrwxrwx 1 apache apache 69921 Aug 16 14:14 /tmp/reference_file.csv
The user and the group belong to apache, but when I am trying to change it:
su -l apache -s /bin/bash
-bash-3.00$ whoami
apache
-bash-3.00$ chown explorer:btunix /tmp/reference_file.csv
chown: changing ownership of `/tmp/reference_file.csv': Operation not permitted
I tried in another folder, but the result was the same. I've also checked the attributes:
# lsattr /tmp/reference_file.csv
------------- /tmp/reference_file.csv
There is no immutable attribute.
How can I do this?
Thanks
There are criteria associated with chown. Only super-user can chown files willy-nilly. Whether you can give away a file that you own depends on your UNIX flavor and how associated kernel configuration parameters (like K_CHOWN_MAY_GIVE_AWAY, for argument's sake) may have been, well, configured. This is the most GENERALLY correct answer.

PHP-FPM rm Permission denied

I have nginx+php-fpm and I need to delete a folder recursively from a PHP script:
<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
$out = shell_exec('/bin/rm -vrf /data/vmail/test');
var_dump($out);
$out is NULL, but in error.log I receive:
WARNING: [pool www] child 7210 said into stderr: "rm: "
WARNING: [pool www] child 7210 said into stderr: "cannot remove `/data/vmail/test'"
WARNING: [pool www] child 7210 said into stderr: ": Permission denied"
PHP-FPM runs under user "nginx"
NGINX runs under user "nginx"
/data/vmail and all child folders are owned by vmail:vmail (chmod 770)
Supplementary groups exists:
# groups nginx
nginx : nginx vmail
# groups vmail
vmail : vmail nginx
Solutions
If I chown /data/vmail/test to nginx:nginx, its contents become deletable. But /data/vmail/test itself still is not, as long as /data/vmail is owned by vmail:vmail, I suppose.
If I chmod -R 777 /data/vmail/test && chmod 777 /data/vmail, the folder in question becomes deletable.
The PHP function rmdir() works (don't know why)! But recursive deletion for large folders is too resource-intensive.
I don't consider these options a solution. Also, I don't consider a solution involving the root user and /etc/sudoers or running php-fpm as root. So... how is it possible to get /bin/rm working?
Additional info
php-fpm.conf
nginx.conf
Deleting content of a directory is a write operation in the directory. So the user that runs PHP needs write permission on /data/vmail.
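An added example (not part of the question or the answer) that makes the answer's rule checkable: it reads the permission bits of the directory that contains the entry to be removed and reports whether a given user, with a given set of groups, has the w and x bits it needs there. The user name and group list are passed in rather than taken from the current process, so you can ask what "nginx" with groups "nginx vmail" would see without switching users; only ls, cut and awk are used.

```shell
#!/bin/sh
# Added example for the PHP-FPM "rm: Permission denied" thread above.
# Removing an entry is a write to the containing directory, so the caller
# needs w (modify the listing) and x (traverse) on that directory; the
# mode of the file being removed does not matter.

in_list() {  # in_list WORD "a b c" -> 0 if WORD is one of the words
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# can_remove_entries USER "GROUPS" DIR -> 0 if USER may unlink entries in
# DIR, 1 otherwise; a one-line explanation is printed either way.
can_remove_entries() {
    user=$1 grps=$2 dir=$3
    line=$(ls -ld "$dir") || return 1
    perms=$(printf '%s\n' "$line" | cut -c1-10)       # e.g. drwxrwx---
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    # Pick the triplet that applies: owner, then group member, then other.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s\n' "$perms" | cut -c2-4); who=owner
    elif in_list "$group" "$grps"; then
        bits=$(printf '%s\n' "$perms" | cut -c5-7); who="group $group"
    else
        bits=$(printf '%s\n' "$perms" | cut -c8-10); who=other
    fi
    # x may show as s/t when setgid or sticky is also set; S/T mean no x.
    case $bits in
        ?w[xst]) ;;
        *) echo "$dir: $user matches as $who with '$bits'; needs w and x"
           return 1 ;;
    esac
    # Sticky bit (as on /tmp): non-owners may remove only entries they own.
    case $perms in
        *[tT]) [ "$user" = "$owner" ] ||
               echo "$dir: sticky bit set; $user may remove only its own entries" ;;
    esac
    echo "$dir: $user ($who, '$bits') may remove entries"
}

# The question's case (constructed call, assumes group names as posted):
#   can_remove_entries nginx "nginx vmail" /data/vmail
```

If the call reports that nginx matches via group vmail with "rwx" but rm still fails, the php-fpm worker is not actually running with that supplementary group, which is the next thing to verify.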

Files created through Cygwin (calling a shell script) don't have correct Windows permissions

I am currently running Cygwin on a target Windows Server 2003 machine to fire off a shell script that, among other things, creates a bunch of files on disc. However after the files are created I no longer have permissions to manipulate them through Windows.
When the files are created the owner is getting set to 'SYSTEM' and the permissions for Administrators/Creator Group/Creator Owner/system are set to only 'special permissions' and nothing else.
The permissions for Everyone and Users have Read & Execute, List folder contents and Read.
My problem is that I cannot delete/modify the files now through Windows. I would prefer to have something built into my scripts (either the shell script or something to call in Cygwin) that would allow Administrators full control on the folder and all contents.
My current workaround has been to do file modifications through Cygwin, but this is not preferable. I have also used setfacl -r -m default:other:rwx to add write permissions for the 'Users' group, but it doesn't appear to have a recursive option and still doesn't give 'full control'.
Is there a better way to use setfacl? Can I call the shell script using different/elevated permissions?
Results of getfacl on a newly created directory:
$ getfacl Directory/
# file: Directory/
# owner: SYSTEM
# group: root
user::rwx
group::r-x
group:Users:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::r-x
default:group:Users:rwx
default:mask:rwx
default:other:r-x
You can try setting umask:
umask u=rwx,g=rwx,o=rwx
That should give user, group, and other read/write/execute on any newly created dirs.
If you want the modified umask permanently, you can add it to your .bash_profile.
Edit - Added example of mkdir before/after umask.
Here's the output of getfacl on a directory created before I set umask:
[/cygdrive/c/Documents and Settings/NOYB/Desktop]
==> getfacl test_wo_umask/
# file: test_wo_umask/
# owner: NOYB
# group: Domain Users
user::rwx
group::r-x
group:root:rwx
group:SYSTEM:rwx
mask:rwx
other:r-x
default:user::rwx
default:user:NOYB:rwx
default:group::r-x
default:group:root:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:r-x
Here's the output of getfacl on a directory created after I set umask:
[/cygdrive/c/Documents and Settings/NOYB/Desktop]
==> getfacl test_w_umask/
# file: test_w_umask/
# owner: NOYB
# group: Domain Users
user::rwx
group::rwx
group:root:rwx
group:SYSTEM:rwx
mask:rwx
other:rwx
default:user::rwx
default:user:NOYB:rwx
default:group::rwx
default:group:root:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:rwx