I am working in terminal on macOS. I have a macOS App with permissions:
drwxr-xr-x+ 3 root admin
What does the + at the end mean?
There are similar questions to this for other environments.
I can't launch the App. I get this error.
LSOpenURLsWithRole() failed with error -10810 for the file /path/to/file
EDIT1: I have several user accounts setup. I have used chown to change from userA to root. I hoped this would allow any user to open the App. If I login to 'userA' account, I can launch the App, but if I use any other user account, I get the above error. What the jellybeans is going on ???
Edit2: I deleted the App from userA and re-downloaded / installed using userB. userB can launch the app just fine but userA cannot (same error). The user:group is slightly different this time though (notice the '+' isn't there by default this time.
drwxr-xr-x 3 userB staff
Performing sudo chown root /path/to/file changed the permissions to
drwxr-xr-x 3 root staff
This made no change i.e. userB can launch and userA cannot.
if you can see + in the file permission then ACL is setup on the file. It means a special permission has set on the file which allow owner of the file to provide the access to individual. You need to ask to owner of the file to execute below command then you will be able to execute the script/program/app.
setfacl -m u:youruserid:rwx file.txt
to know more about ACL, check here.
I Never get the chance to set ACL on mac file but I believe it will work same as it work in GNU/Linux.
Related
I have created an EC2 instance with Amazon Linux 2 Image. Access to the instance is only allowed via Session Manager and not via SSH.
I have the following users:
ec2-user (Created by default)
ssm-user (Created by default)
root (Created by default)
myrootec2-user (My custom root user created by me from Terraform and with password assigned)
I have tried to disable the root user because I only want to be able to perform administrator actions with the user myrootec2-user.
To do so, I have carried out the following steps:
sudo vim /etc/passwd
And then, I have changed:
root:x:0:0:root:/root:/bin/bash
to
root:x:0:0:root:/root:/sbin/nologin
However, depending on the parameter I assign to the sudo command, I can access or not:
sudo su - # Error: This account is currently not available.
sudo -s # OK: Log in to the root user without errors
Why can I log in with the second command? Do you recommend disabling the root user or could I have problems in the future? What alternative would you recommend otherwise, e.g. assigning a password to root?
I have tried to disable the root user because I only want to be able to perform administrator actions with the user myrootec2-user.
You cannot "disable" the root user. You can disable password login and set the root shell to /sbin/nologin, but you'll still need to sudo to run administrative commands.
If you think you can get away without ever running administrative commands, well, that sounds like an interesting challenge. With the right approach to immutable infrastructure you might be able to do it. You would remove all users access to sudo in addition to your stuff, and root would be close to inaccessible at runtime (certain system processes would still use it).
But your system will still need a root user. It's critical to system functionality.
I have an embedded system running linux and I have busybox installed for running different services. One of the services is ftpd, which I start like this from the etc/init.d/rcS file:
tcpsvd 0.0.0.0 21 ftpd -w -v /mnt/flash&
I have two users in the system, root and a regular user. Root user can easily connect to the FTP server, but when I try to login with the regular user's credentials, I get this error:
ftpd[678]: can't change root directory to '/mnt/flash': Operation not permitted
Now, I thought that it must be a directory permission problem, and I started with changing permissions on the /mnt/flash directory first, but after this didn't work, I ended up having all my files in file-system including / to be owned by this regular user and have drwxrwxrwt permissions (just to find the cause of the problem). But I still get this error.
I have also tried to start ftpd with different root folders, including /.
I also couldn't find any config files for the ftpd in my file-system, maybe I need to create one manually? If so, which one and how to tell ftpd to allow user logins?
I'd really appreciate any help. Thanks.
Well, after trying some random things, I discovered that user login works fine if there is no directory changing involved at all:
tcpsvd 0.0.0.0 21 ftpd -w -v &
I suspect that chroot is called otherwise and the user does not have a right to do that.
I am trying to setup my Apache local server. I noticed that my access was denied after I typed localhost into both Safari and Chrome. In Chrome it works but in Safari I given error 403 and told "Forbidden" and "you do not have permission to access / on this server"
So I have tried to modify the permissions of my Webserver directory using chmod in terminal. But even there I am told that the operation is not permitted. Even when attempting ls to view its contents, I am met with "Permission Denied"
I've run into this issue from a couple of different angles on OS X. It seems as if you are having a permissions error.
I suggest you check out this post, what you need to do is make sure the _www group has access.But, BEFORE YOU DO WHAT THE ABOVE LINK SAYS, try a solution with Finder.
Go to the root web directory in your finder.
Right-click and 'Get Info'.
Look at the permission of the _www user. Make sure it has 'Read & Write' access.
Click the settings-cog on while _www is selected.
Select the following options: "Make _www the owner" and "Apply to enclosed items..."
Try accessing your web server now.
If this does not work, or if there is no _www user, revert back to the post I spoke of earlier.
Try the suggested lines in terminal:
Let DIR be the different directories leading to your website. Replace "~" with the full directory path.
For each parent directory leading to your web root (e.g. ~/my, ~/my/web, ~/my/web/root)
chmod go-rwx DIR (nobody other than owner can access content)
chmod go+x DIR (to allow "users" including _www to "enter" the dir)
Then apply these commands to just the web root.
sudo chgrp -R _www ~/my/web/root (all web content is now group _www)
chmod -R go-rwx ~/my/web/root (nobody other than owner can access web content)*
chmod -R g+rx ~/my/web/root (all web content is now readable/executable/enterable by _www)
Try to access your website again. If this doesn't work, go back to finder and try to add add the permissions again as stated in the first part of this post.
If you are using Server for OS X you may also enable and edit sharing properties for other users and FTP.
I have solved my problem with a simple fix:
Open "Disk Utilities" from the "Utilities" folder in "Applications"
Click on the root drive
Click "repair permissions"
Done
I'm having a lot of issues with PHP and Apache while using os-x mountain lion. Basically my plugin needs wordpress to move some files but it always ask for ftp server credential, like if apache doesn't have permission to write those directories.
Apache is running with
User daemon
Group daemon
if i do
ls -lad htdocs/
i get
drwxrwxr-x 7 root staff 238 13 Ago 21:51 htdocs/
i'm using zend server ce 5.6. What should i do to make sure that apache has full rights to do everything? I would give it root access (it' my dev machine and i must get things working, so i don't care about security issues, but i don't know how to that, if i can do it in a cleaner why i'd be happy but i need this to work )
Your htdocs directory is owned by root, and in the group staff. User permissions on it are rwx, group permission are rwx, and world permissions are rx. So apache needs to be run as either user root or group staff to have full read/write/execute permissions. Otherwise change the owner and/or group of your htdocs directory to daemon and apache will have full rwx permissions. If you really don't care about security at all, just do chmod 777 htdocs (not recommended).
WordPress isn't really checking if it has the right to write in a directory (it's the same for plugin installation), it's only checking if the user and group it's running through Apache is the same that the parent folder.
So the only way is indeed to chmod the folder to your Apache user/group
It's hard to find Mac-specific answers to this question on the web, so I'm hoping someone out there can put this one to rest for me? My permissions are screwed up on my sites and I'm not sure how to fix them without just slamming a recursive 777 on everything which is quite obviously incorrect.
Thanks!
This is the most restrictive and safest way I've found, as explained here for hypothetical ~/my/web/root/ directory for your web content:
For each parent directory leading to your web root (e.g. ~/my, ~/my/web, ~/my/web/root):
chmod go-rwx DIR (nobody other than owner can access content)
chmod go+x DIR (to allow "users" including _www to "enter" the dir)
sudo chgrp -R _www ~/my/web/root (all web content is now group _www)
chmod -R go-rwx ~/my/web/root (nobody other than owner can access web content)
chmod -R g+rx ~/my/web/root (all web content is now readable/executable/enterable by _www)
All other solutions leave files open to other local users (who are part of the "staff" group as well as obviously being in the "o"/others group). These users may then freely browse and access DB configurations, source code, or other sensitive details in your web config files and scripts if such are part of your content. If this is not an issue for you, then by all means go with one of the simpler solutions.
If you really don't like the Terminal here is the GUI way to do dkamins is telling you :
1) Go to your user home directory (ludo would be mine) and from the File menu choose Get Info cmdI in the inspector :
2) By alt/option clicking on the [+] sign add the _www group and set it's permission to read-only :
Thus consider (good practice) not storing personnal information at the root of your user home folder (& hard disk) !
You may skip this step if the **everyone** group has **read-only** permission but since AirDrop the **/Public/Drop Box** folder is mostly useless...
3) Show the Get Info inspector of your user Sites folder and reproduce step 2 then from the gear action sub-menu choose Apply to enclosed Items... :
VoilĂ 3 steps and the GUI only way...
I know this is an old post, but for anyone upgrading to Mountain Lion (10.8) and experiencing similar issues, adding FollowSymLinks to your {username}.conf file (in /etc/apache2/users/) did the trick for me. So the file looks like this:
<Directory "/Users/username/Sites/">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
2 month old thread, but better late than never! On 10.6, I have my webserver documents folder set to:
owner:root
group:_www
permission:755
_www is the user that runs apache under Mac OS X. I then added an ACL to allow full permissions to the Administrators group. That way, I can still make any changes with my admin user without having to authenticate as root.
Also, when I want to allow the webserver to write to a folder, I can simply chmod to 775, leaving everyone other than root:_www with only read/execute permissions (excluding any ACLs that I have applied)
On my 10.6 system:
vhosts folder:
owner:root
group:wheel
permissions:755
vhost.conf files:
owner:root
group:wheel
permissions:644
The user owner for me is the admin user and the group is _www and works with permissions set to 775 for dir and for files 664
Catalina Update / Desktop Permissions
I come across this once a year on macOS. I usually use apache2 for hosting a
folder on my desktop.
If you are trying to give access to the desktop folder you need to follow this to allow httpd to have access to all folders: https://apple.stackexchange.com/a/373139/353465
Open up terminal first and then go to directory of web server
cd /Library/WebServer/Documents
and then type this and what you will do is you will give read and write permission
sudo chmod -R o+w /Library/WebServer/Documents
This will surely work!