make a file removable just by root in mac - macos

I'm trying to make a file removable just by the root user on Mac 10.10.
I tried this:
chown root <fileName>
but other users can remove it.
Any idea?

As an alternative to changing the permissions on the containing directory, you can set the uimmutable flag on the file:
sudo chown root foo
sudo chflags uimmutable foo
Now only root will be able to delete foo. Note, though, that nobody will be able to modify the file, either. Root could remove the uimmutable flag and then modify it, of course, but that opens a window for others to delete it.

The act of removing an entry in a directory modifies the directory, but not the file. (When you remove a file, you are unlinking the name from the file and the link count on the file is decremented. The file itself may not be deleted, but will no longer be accessible by the name that was removed.) In order to ensure that only some process with root privilege can unlink a file, you need to modify the permissions on the directory. So to ensure that no-one but root can delete the file /p/a/t/h/file:
sudo chown root /p/a/t/h # make root the owner of the directory
sudo chmod og-w /p/a/t/h # remove write permissions from other and group
Note that this is less fine-grained than you might like and will prevent non-root users from removing or creating any files in /p/a/t/h.
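The rule in the answer above, as an added example that is not part of the original post: a hypothetical helper, unlink_writers, reads the parent directory's mode string and reports which permission classes can remove an entry. The scratch directory and file are constructed for the demo.

```shell
#!/bin/sh
# Added example: report which permission classes of the parent directory can
# unlink a file. Only the classic mode bits are read; ACLs and file flags
# (chflags/chattr) are outside what this checks.
unlink_writers() {
    parent=$(dirname -- "$1")
    # The first 10 characters of `ls -ld` are the mode string, e.g. drwxrwxr-x
    mode=$(ls -ld -- "$parent" | cut -c1-10)
    out=""
    i=0
    for class in owner group other; do
        w=$(printf '%s' "$mode" | cut -c$((3 + i)))   # write bit of this class
        x=$(printf '%s' "$mode" | cut -c$((4 + i)))   # search bit (x, or s/t when combined)
        case "$w$x" in
            wx|ws|wt) out="$out $class" ;;             # unlink needs write AND search
        esac
        i=$((i + 3))
    done
    # Sticky bit: group/other may then remove only entries they own
    case "$mode" in
        *[tT]) out="$out sticky" ;;
    esac
    printf '%s\n' "${out# }"
}

# Constructed demo in a scratch directory
demo_dir=$(mktemp -d)
touch "$demo_dir/readme"
chmod 000 "$demo_dir/readme"            # the file's own mode does not affect deletion
chmod 775 "$demo_dir"
echo "before: $(unlink_writers "$demo_dir/readme")"
chmod og-w "$demo_dir"                  # the fix from the answer above
echo "after:  $(unlink_writers "$demo_dir/readme")"
rm -rf "$demo_dir"
```

If the result is just "owner" and the directory's owner is root, only root can unlink entries in that directory.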

Related

Stop .git/index from changing its permissions

How can I prevent .git/index from constantly changing its permissions and ownership?
I run ls -al .git/index and see that the file is owned by root.
I change the permissions with sudo chown -R $USER:USER and sudo chmod -R 775 .git
I even tried deleting the lock file with rm -rf .git/index.lock
The permissions update but then a few minutes later they change back to being owned by root and 740 which breaks the git commands I'm attempting.
I set the global git config via Ansible so I'm wondering if that messed something up? Is there a global file I need to modify?
When Git writes the index, the way it does so is to create a new file called .git/index.lock (with O_EXCL), adjust its permissions according to core.sharedRepository, and then rename it over top. Git does not offer a way to rewrite the file in place.
If this file is being created such that it's being owned by root, then root is creating the file because it's updating the index. That probably means that some process owned by root is modifying the working tree.
If that wasn't your intention, then the best thing to do is find that process and stop it from modifying the working tree. It's not a good idea for multiple users to modify the same working tree, and if your process owned by root is reading files out of the working tree and it's shared with another user, that could lead to a security vulnerability.
If you're certain what you're doing is safe and you want to modify the permissions with which files in the .git directory are created, you can use core.sharedRepository to set them. For example, you could use the value 0664. Note that Git will handle the executable bit automatically, and the index should not be marked executable.
If you want to always use the same group for your repository, you can set the setgid bit on all the directories in the repository and then set their group to the appropriate value. Assuming you also set core.sharedRepository to a value that makes things group writable, you can then modify the repository with any user in that group, and things should work. Note that this may still have security implications if one or more of those users are untrusted or have lower privileges, so you should be careful.
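The lock-then-rename write described in the answer above, reproduced on a scratch file as an added example (not Git's code and not from the original post). The helpers rewrite_via_lock, inode_of and mode_of, and the modes 664 and 640, are constructed for illustration.

```shell
#!/bin/sh
# Added example: the lock-then-rename write pattern on a scratch file.
# No Git is involved; the helper names below are hypothetical.
inode_of() { ls -i -- "$1" | awk '{print $1}'; }
mode_of()  { ls -l -- "$1" | cut -c1-10; }

# rewrite_via_lock TARGET MODE   (new content is read from stdin)
rewrite_via_lock() {
    target=$1
    # noclobber makes the redirection fail if the lock already exists, like O_EXCL
    ( set -C; : > "$target.lock" ) 2>/dev/null || return 1
    cat > "$target.lock"
    chmod "$2" "$target.lock"       # permissions are chosen by the writing process
    mv -f "$target.lock" "$target"  # rename replaces the old file with the new one
}

# Constructed demo: an earlier chmod on the target does not survive the rewrite
work=$(mktemp -d)
echo old > "$work/index"
chmod 664 "$work/index"
echo "before: inode $(inode_of "$work/index") mode $(mode_of "$work/index")"
echo new | rewrite_via_lock "$work/index" 640
echo "after:  inode $(inode_of "$work/index") mode $(mode_of "$work/index")"
rm -rf "$work"
```

The inode changes on every rewrite, so ownership and mode always come from whichever process created the lock file, not from the file that was there before.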

Cannot change com.apple.atrun.plist even with root permissions

I'm using OSX Mojave and I've been wanting to use the at command to run scripts at certain times, but I've discovered that I need to change its plist file in order to use it. Right now, one of the attributes in it is Disabled=true which of course, isn't what I want.
I've gone to the ends of the earth to try to change that. I tried XCode, Pref Setter, chmod, chown, vim, and doing all of that in root. No matter what, it always says, "readonly file" or "You do not have permission."
Are plists supposed to be immutable? I'm pretty sure they aren't. Here are some of the things I've tried.
~root# id
uid=0(root) gid=0(wheel) groups=0(wheel ...
~root# atrun=/System/Library/LaunchDaemons/com.apple.atrun.plist
~root# chmod 777 $atrun
chmod: Unable to change file mode on /System/Library/LaunchDaemons/com.apple.atrun.plist: Operation not permitted
~root# ls -l $atrun
-rw-r--r-- 1 root wheel 444 Aug 22 23:11 /System/Library/LaunchDaemons/com.apple.atrun.plist
Make a copy of com.apple.atrun.plist from /System/Library/LaunchDaemons into your home directory or wherever you want to work on it.
Open com.apple.atrun.plist with Xcode and the settings will show up in user readable form.
Change the setting for "Disabled" from 1 to 0 then save and exit Xcode.
Copy your changed com.apple.atrun.plist file to /Library/LaunchDaemons
This can be manually launched to enable batch.

How to get rid of permission denied while using mv command?

I am trying to move a file from one directory to other by command line. I used this command
raghul#raghul-Aspire-5750Z:~/temp/newfolder$ mv copy.txt /temp/
I got error like this
cannot create regular file '/temp': Permission denied
Can someone help me to figure this out? I need to move a file from one directory to other.
First of all you are using the copy command cp, not the move command mv.
Secondly you are trying to copy the file to a new file named /temp, i.e. a file named temp in the / directory. This resides in the filesystem's root directory, which is most likely owned by root. Unless you have root permissions you cannot write to the root directory.
Given that you are naming the file temp, I assume that you want to move the file to the /tmp directory, for which you will have permission to write to. Do this:
$ mv copy.txt /tmp
This will work only if you also have write permission on the file copy.txt because you need to be able to remove it. If you just wanted to copy the file, just read permission is required.
Otherwise, if you really do wish to move the file to a /temp directory, you can use sudo to do that, provided that you are set up as a sudo user:
$ sudo mv copy.txt /temp
[sudo] password for raghul
I just noticed that you're in a personal directory called ~/temp/newfolder. Is that the temp you're trying to move the file to: your personal one, which newfolder is in? So you want to move the file up one directory?
Then the problem is that your command is missing the 'personal' tag ~. The command should be:
mv copy.txt ~/temp/
Try moving it with sudo command as it seems you don't have permission to move the file.
If you are requested for a password enter the root's password.
Try this:
sudo cp copy.txt /temp/
Try this: change /temp to
mv index.text temp

chmod - deny file delete for the owner of the directory

I have a folder with drwxrwxr-x permissions, where the owner is uploading his own files.
I want to upload a readme file to that directory. The owner of the folder shouldn't have the right to delete that file. How can I do that? What rights should I set for the directory & for the file?
There are ways of doing this with ACLs, but the easiest way, if your OS supports it, is to make readme an immutable file. A file with the immutable flag can't be modified, deleted, or renamed, even by the owner or the owner of the containing directory. On Linux, this would be done with sudo chattr +i /path/to/directory/readme. On Linux, not even the owner of a file can remove the immutable flag (well, unless the owner can run a process with the CAP_LINUX_IMMUTABLE capability).
The file should have drwxr--r--, this way only you, the owner of the file, have the ability to delete it.
chmod 744 <file>

Bash: Deny rename access for a directory

I have used chmod 0000 on a directory yet the directory can still be renamed. How can I prevent a user from modifying the name of a directory?
Removing write permission on the parent directory should do the trick.
If you own a file (or directory) you can still perform various operations on it regardless of permissions including mv, rm and chmod. Other users cannot perform these options based on write permissions. If you want to prevent the owner from moving the directory, you can't. The owner can always use chmod on the file. The only solution would be to change the owner of the file or move the file under a write-protected directory that the user does not own.
