Here I have a file called uid_demo.c, which displays the real userid and the effective userid.
#include <stdio.h>
int main() {
printf("real uid: %d\n", getuid());
printf("effective uid: %d\n", geteuid());
}
And I ran the following commands:
gcc -o uid_demo uid_demo.c
sudo chown root:root ./uid_demo
sudo chmod u+s ./uid_demo
ls -l uid_demo
Output:
-rwsrwxr-x 1 root root 8712 Jun 29 15:09 uid_demo
When I run the program, it should display my real userid (1000) and the effective userid of 0 (root), as the owner of the file is root and the setuid permission is turned on. However, it displays the following:
real uid: 1000
effective uid: 1000
Any help? Thanks in advance.
You are probably running the program on a filesystem that is mounted wit the nosuid flag, thus your setuid bit is not respected.
Move your code to another location on the filesystem that does not have this, or disable the nosuid flag in the mount options for the current filesystem.
The nosuid flag is a security feature.
Related
When I am trying to make u-boot for apalis-aimx6-quad board, and below list is shows the details of my configuration:
CROSS_COMPILER = aarch64-unknown-linux-gnu
1.1 it already exported to path
1.2 menuconfig of the cross compiler remains as before.
Host Linux version = 5.4.0-109-generic #123~18.04.1-Ubuntu
version of the cross compiler : crosstool-ng-1.25-rc2
according to the mentioned software and hardware properties, I faced with the following error when i try to make the boot-loader for my board using u-boot:
cc1: error: bad value (‘generic-armv7-a’) for ‘-mtune=’ switch
cc1: note: valid arguments to ‘-mtune=’ switch are: nocona core2 nehalem corei7
westmere sandybridge corei7-avx ivybridge core-avx-i haswell core-avx2 broadwell
skylake skylake-avx512 bonnell atom silvermont slm knl intel x86-64 eden-x2
nano nano-1000 nano-2000 nano-3000 nano-x2 eden-x4 nano-x4 k8 k8-sse3 opteron
opteron-sse3 athlon64 athlon64-sse3 athlon-fx amdfam10 barcelona bdver1 bdver2 bdver3
bdver4 znver1 btver1 btver2 generic
scripts/Makefile.build:147: recipe for target 'lib/asm-offsets.s' failed
make[1]: *** [lib/asm-offsets.s] Error 1
Makefile:1965: recipe for target 'prepare0' failed
make: *** [prepare0] Error 2
what can be the error solution?
and the Second question is:
in the ./ct-ng list-samples what type of samples are suitable for my board?
CPU-NAME = NXP® i.MX 6Quad
CPU-TYPE : 4x Arm Cortex™-A9
CPU-CLOCK : 800MHz
FLOATING-POINT-UNIT : VFPv3
You are using the wrong compiler, i.e. the gcc from your Linux PC, this is why the error message is suggesting to use values such as corei7 for the -mtune option.
This being said, because your apalis-aimx6-quad SoC is a Cortex-A9,its architecture is Armv7-a and you therefore cannot use a compiler targeting the Armv8-a architecture, such as the aarch64-unknown-linux-gnu-gcc you are using. You should rather use, say, arm-unknown-linux-gnu-gcc or arm-none-eabi-gcc.I would strongly suggest to use an official Arm toolchain, such as this one (available here), for building u-boot, and to avoid using the latest 11.2 version: I have been unable to build u-boot when using it because of an internal compiler error.
You should use CROSS_COMPILE=, and not CROSS_COMPILER= in your build command,and this is the reason why you were using your system gcc instead of aarch64-unknown-linux-gnu-gcc for building u-boot.
Bottom line, your build command should be something like:
CROSS_COMPILE=arm-none-eabi- make mrproper apalis_imx6_defconfig all
After completion of the build command, you should see the u-boot artefacts:
ll u-boot*
-rwxrwxr-x 1 user user 4988448 May 13 07:56 u-boot*
-rw-rw-r-- 1 user user 569504 May 13 07:56 u-boot-dtb.bin
-rw-rw-r-- 1 user user 569568 May 13 07:56 u-boot-dtb.img
-rwxrwxr-x 1 user user 512920 May 13 07:56 u-boot-nodtb.bin*
-rw-rw-r-- 1 user user 639200 May 13 07:56 u-boot-with-spl.imx
-rw-rw-r-- 1 user user 569504 May 13 07:56 u-boot.bin
-rw-rw-r-- 1 user user 18081 May 13 07:55 u-boot.cfg
-rw-rw-r-- 1 user user 10858 May 13 07:55 u-boot.cfg.configs
-rw-rw-r-- 1 user user 56584 May 13 07:56 u-boot.dtb
-rw-rw-r-- 1 user user 569568 May 13 07:56 u-boot.img
-rw-rw-r-- 1 user user 1719 May 13 07:56 u-boot.lds
-rw-rw-r-- 1 user user 1100407 May 13 07:56 u-boot.map
-rwxrwxr-x 1 user user 1538914 May 13 07:56 u-boot.srec*
-rw-rw-r-- 1 user user 195657 May 13 07:56 u-boot.sym
I also do the same thing for RPI 4 which the following command lines do:
wget https://dev.iopsys.eu/fork/uboot.git
tar -xf u-boot.tar.gz
ls ./configs
ls ./configs|grep rpi
make rpi_4_defconfig
export PATH=/home/<your user name>/x-tools/aarch64-rpi4-linux-gnu/bin/:$PATH
type aarch an hit tab if system recognize the compiler continue else
go back and export the compiler path.
export CROSS_COMPILE=aarch64-rpi4-linux-gnu-
make menuconfig
make
------------------------------------------------------------------------
cd ..
mkdir sdcard
sudo cp ../u-boot/u-boot.bin .
wget
------------------------------------------------------------------------
PREPARE MEMORY FOR BOOT
connect your memory to pc.
lsblk --> to know what is the name of the memory (assume it is sdb)
sudo umount /dev/sdb1
sudo cfdisk /dev/sdb --> erase older partitions and clear on 100M partition
-- note : type of the partition have to be fat32
once the partition is created.
sudo mkfs.vfat /dev/sdb1
sudo mount /dev/sdb1 /mnt
wget https://github.com/raspberrypi/firmware/raw/master/boot/start4.elf
wget https://github.com/raspberrypi/firmware/raw/master/boot/bcm2711-rpi-4-b.dtb
gedit config.txt
--#######################
IN THE CONFIG
enable_uart=1
kernel=u-boot.bin
arm_64bit=1
--#######################
cat config.txt
sudo cp * /mnt
sudo umount /mnt
unconnect the memory and connect it to the target machine.
How to print specific user temp directory in macOS? It should be able to determine the temp dir depending on which user is currently logged in. I see that my current user temp dir is set to /Users/myuser/private/tmp but i have no generic way to get hold of this
Googled a bit and it recommeds using $TMPDIR but looks like my user temp dir is somewhat set to /Users/myuser/private/tmp
I should be able to determine the exact tmp directory whether the current user is root or other user
Related SO question and answer, cross-platform: Cross-platform way of getting temp directory in Python
It's pretty generic.
In Qt5:
#include <QCoreApplication>
#include <QTemporaryDir>
#include <QDebug>
int main(int argc, char *argv[])
{
QTemporaryDir dir;
if (dir.isValid()) {
// dir.path() returns the unique directory path
qDebug() << "Path name: " << dir.path() ;
}
}
Also pretty generic.
In bash (terminal or script): echo $TMPDIR
The /var/folders/ is user-specific because if you run ls -l /var/folders/.../ (right before the -Tmp- directory, you will see that the folder is owned by the logged in user. If another user is logged in, their folder is protected by their permissions/ownership and they won't be able to read/modify another users' data. I suggest looking into unix/linux/mac file and folder permissions if you want to know more.
new-host-2:Applications ThisIsMe$ ls -l /var/folders/cp/cpI9fK8qG3y4x4sedjGIOE+++TI/
total 0
drwx------ 16 ThisIsMe staff 544 Jan 6 22:12 -Caches-
drwx------ 11 ThisIsMe staff 374 Jan 6 22:56 -Tmp-
http://www.filepermissions.com/articles/what-are-file-permissions-in-linux-and-mac
https://www.linux.com/tutorials/understanding-linux-file-permissions/
I'm trying to use gpg to --clearsign a file (for debian packaging purposes) from a script.
I have an exported password-less private-key.gpg file and want to:
gpg --clearsign -o output input
I don't want to mess with the current user's ~/.gnupg or /run/user/$(id -u)/gnupg because they have nothing to do with my script. Also, the script could be running in multiple instances simultaneously and I don't want them interfering with one another.
I thought that would be easy. Setup $GNUPGHOME to a temp dir and be done with it. But I cannot figure out how to get gpg to run in a script without messing with the user's standard configuration at all. It seems gpg has gone to great lengths to make it impossible to avoid the gpg-agent and gpg-agent insists on using global/hard-coded paths.
Can I keep everything under $GNUPGHOME? Or how do I safely use gpg from a shell script without influencing the user's config or use of gpg or other instances of my script?
Details
Reading the gpg docs I see that:
--use-agent
--no-use-agent
This is dummy option. gpg always requires the agent.
And gpg-agent docs say:
--use-standard-socket
--no-use-standard-socket
--use-standard-socket-p
Since GnuPG 2.1 the standard socket is always used.
These options have no more effect. The command gpg-agent
--use-standard-socket-p will thus always return success.
This "standard socket" is presumably in /run/user/$(id -u)/gnupg - so it seems I can't avoid gpg messing with the user's "normal" use of gpg.
Versions: gpg 2.1.18 on Debian 9 / stretch / stable
If you can't stop gpg from creating files, would it help to give gpg a place to put them that's unique to the current process?
# Create a temporary directory for gpg.
dir="$(mktemp -d)"
# Remove the directory and its contents when the script exits.
trap '[[ ! -d "${dir}" ]] || rm -r "${dir}"' EXIT
# Put your private-key.gpg in the temporary directory.
$(your command here)
# Tell gpg to use the temporary directory.
gpg --homedir "${dir}" --clearsign -o output input
After multiple hours of searching the internet for some option to enable running multiple instances of gpg-agent with different gnupg homes I tried just restricting the access to the global socket location and it worked. It fell back to placing the socket files in the gnupg home directory. I used bwrap to do that. Here's the full command that worked: bwrap --dev-bind / / --tmpfs /run/user/$(id -u)/gnupg gpg-agent .... Since your question is about scripts in general, you probably can't rely on bwrap being installed, so the next best thing is a shim that prevents gpg-agent from using the user's xdg runtime directory for its sockets.
After looking through the output of strace, the switch of location when running under bwrap to gnupg home seems to happen after a stat on /run/user/${UID}/gnupg is issued. Looking through the gpg-agent.c code this seems to do that check:
/* Check that it is a directory, owned by the user, and only the
* user has permissions to use it. */
if (!S_ISDIR(sb.st_mode)
|| sb.st_uid != getuid ()
|| (sb.st_mode & (S_IRWXG|S_IRWXO)))
{
*r_info |= 4; /* Bad permissions or not a directory. */
if (!skip_checks)
goto leave;
}
Using this we can just tell gpg-agent that the /run/user/${UID}/gnupg exists, but is not a directory, so it will fail the first of these checks.
Here's the code for a shim that does just that (could be better, but it works):
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
#include <dlfcn.h>
#include <stdio.h>
#define STR_MAX 4096
#define MIN(a, b) (a < b ? a : b)
#define MAX(a, b) (a > b ? a : b)
// Set up checking stuff
#define MAX_UID_LEN 11
#define PREFIX_1 "/run/user"
#define PREFIX_2 "/var/run/user"
#define TEST_LEN_1 (sizeof(PREFIX_1) - 1 + 1 + MAX_UID_LEN + sizeof("/gnupg") - 1)
#define TEST_LEN_2 (sizeof(PREFIX_2) - 1 + 1 + MAX_UID_LEN + sizeof("/gnupg") - 1)
#define MAX_TEST_LEN MAX(TEST_LEN_1, TEST_LEN_2)
// Override stat function
int stat(const char *restrict pathname, struct stat *restrict statbuf) {
int (*original_stat)(const char *restrict, struct stat *restrict) = dlsym(RTLD_NEXT, "stat");
// Call original stat function
int retval = original_stat(pathname, statbuf);
if (retval == 0) {
// Check if a path we want to modify
size_t pathlen = strnlen(pathname, STR_MAX);
char path_check[MAX_TEST_LEN + 1];
snprintf(path_check, MAX_TEST_LEN + 1, "%s/%u/gnupg", PREFIX_1, getuid());
if (strncmp(pathname, path_check, MIN(MAX_TEST_LEN, pathlen)) == 0) {
// Report a regular file with perms: rwxrwxrwx
statbuf->st_mode = S_IFREG|0777;
}
snprintf(path_check, MAX_TEST_LEN + 1, "%s/%u/gnupg", PREFIX_2, getuid());
if (strncmp(pathname, path_check, MIN(MAX_TEST_LEN, pathlen)) == 0) {
// Report a regular file with perms: rwxrwxrwx
statbuf->st_mode = S_IFREG|0777;
}
}
return retval;
}
You can compile it with: clang -Wall -O2 -fpic -shared -ldl -o gpg-shim.so gpg-shim.c and then add it to LD_PRELOAD and it should then allow you to run multiple gpg-agents as long as they have different gnupg homes.
I know this answer is really late, but I hope it can help some people that were, like me, looking for a way to run multiple gpg-agents with different homedirs. (For my specific case, I wanted to run multiple gpg-agent instances to have keys cached different amounts of time).
My apache user generate one file :
# ls -lsa /tmp/reference_file.csv
76 -rwxrwxrwx 1 apache apache 69921 Aug 16 14:14 /tmp/reference_file.csv
the user and the group belong to apache, but when i am trying to change it :
su -l apache -s /bin/bash
-bash-3.00$ whoami
apache
-bash-3.00$ chown explorer:btunix /tmp/reference_file.csv
chown: changing ownership of `/tmp/reference_file.csv': Operation not permitted
I tried to another folder, but the result was the same, I ve also checked attribut :
# lsattr /tmp/reference_file.csv
------------- /tmp/reference_file.csv
there is no immutable attribut
How can I do ?
Thanks
There are criteria associated with chown. Only super-user can chown files willy-nilly. Whether you can give away a file that you own depends on your UNIX flavor and how associated kernel configuration parameters (like K_CHOWN_MAY_GIVE_AWAY, for argument's sake) may have been, well, configured. This is the most GENERALLY correct answer.
I am really new to Bash Scripting so please bear with me if this question sounds stupid. I am also not too sure what to search on the internet.What should I do if I need to write a shell script to list any directory where one user's home directory can be modified by some other user? I am not able to understand what this 'modified by some other user means'.Please help. Thanks !
The very short answer to your question is: no script needed, simply:
ls -al /home
That will list for you all users and the respective permissions for each users home directory. Linux file permission are controlled by 10 bits that represent who has access and what, if any, special permissions are associated with a given file. The permissions bits are usually represented for discussion as drwxrwxrwx. The first, or special, bit meaning is as follows:
_: (unset) indicates a regular file with no special properties
d: directory,
l: link,
s: the directory is setuid/setgid
t: sticky bit
The next nine bits rwxrwxrwx (3 sets of rwx) control the access the owner group world has to the file in question. So who is the owner group or world? Let's look at an example from ls -al /home:
drwxr-xr-x 15 deborah users 4096 Mar 11 2011 deborah
Looking at the information we can separate the 10 bits and information as follow:
d rwx r-x r-x .. deborah users ..... deborah
| | | \ \ \
owner | world owner group filename
group
Above the special permission bit is a d which indicates that the filename (at the far right deborah) is a directory. The first set of 3 bit specifies that the owner (deborah) has read, write and execute permission on the file. Similarly, the next set of 3 specify that the group (users) has read and and execute permission but no write permission. NOTE: with a directory, the execute bit also control whether the (owner, group or world) can descend into the directory. In like manner, the world (everybody) has the same permission as group (users).
To manipulate the bits, you use the chmod (change mode) command. To manipulate the user or group, you use the chown (change owner) command. The chown command has simple basic usage, just specify the new owner and group separated by a colon :. For example to change the file shown above to be owned by user david and group samba the command would be chown david:samba filename
There are two ways to change the permissions or (mode) with chmod. You either specify the octal equivalent for special bit and the 3 sets of owner, group and world bits at once numerically. Example: to make the directory rwx for the user and group you would issue the command:
chmod 0775 filename # to set all permissions as desired at once
The 0 simply stating no special bit settings for the directory, the first 7 indicating the binary 111 (or rwx) for the user, the second 7 indicating the same for the group and the final 5 indicating the world should have (binary 101) r_x permissions. While not always required, it is recommended to provide the leading 0 even when there will be no change to the special permission bit to remove any ambiguity.
You can also use chmod with +/-/= r, w, x (for corresponding rwx bits) for u, g, or o user, group, or owner permissions (you can shorcut using a for all). To put it all together and set the mode the same as shown above using octal bit, you would simply do:
chmod g+w filename # to add the single write bit to group 'users'
Using this method, you may be required to make multiple calls to chmod to set all permission as required, but contrast using the octal permissions, you can set all permission fields in a single call.
Obviously there is much more to it than this, but for a good introduction, this should be enough to get you started managing permissions and ownership. (obviously this post also turned out way longer than initially anticipated, enjoy).
The:
where one user's home directory can be modified by some other user?
can be:
if the user1 is in the same group as user2 AND the home directory is group-writable, or
if the user has world-writable directory
You really need understand how unix-like permissions works. (or in wider context - how ACLs works in general)
For the (partial) solution (many ways - one of them is the next):
you can get the path of home directories from the /etc/passwd file.
can read them in a cycle, (filter the /etc/passwd with the cut command), and
test, if they're writable for you (for this, read the man page about the shell builtins if and the command test alias [.