I'm attempting to configure a OSX Mavericks server running Apache and Lasso. For security and convenience I only want users belonging to a specific "web" group to be able to access the web root. I have succeeded in letting both permitted regular users and Apache (_www) access the files, but I cannot for my life manage to set the correct permissions for Lasso. I'm hoping someone here can point me in the right direction.
Basically, what I have done is the following:
sudo dseditgroup -o create web
sudo dseditgroup -o edit -a _www -t user web
sudo dseditgroup -o edit -a _lasso -t user web
sudo chgrp -R web webroot
sudo chmod -R 770 webroot
This apparently works for Apache, but any lasso files merely output a Lasso permission error:
An unhandled failure during a web request
Error Code: 13
Error Msg: Permission denied - While opening //Library/Server/Web/Data/Sites/...
I have also tried adding the _www and _lasso groups to the web group, as well as creating a new Lasso instance in the instance manager with the effective group set to "web".
Strangely, setting permissions to the _lasso user or group directly on the files (i.e. not through the web group) seems to work which makes me believe there's something wrong with how I'm creating my ACLs.
A little more info:
ls -l#e example.lasso
-rwxrwx---+ 1 danielpervan web 0 Feb 19 15:20 example.lasso
0: user:_spotlight inherited allow read,execute
I've encountered problems similar to this when I have ACLs above and beyond the standard Unix permissions. From your post, it looks like there are some ACLs on the example.lasso file. I would run the following script on your web root to remove all ACLs from every folder / file:
sudo chmod -R -N /path/to/webroot/
If that doesn't work, verify that the _lasso user is part of the web group:
dscl . -read /groups/web | grep GroupMembership
Related
My user is in root group. I canot ssh to server as root because is says Permission denied, please try again. What I usualy do is I ssh as my user and once I'm logged in i type sudo su and I proivde my user's password to become root.
I want to automate part of my job so I want to write a bash script which would ssh as my user, switch to root and then call set of commands.
So far I came with following script but I am unable to switch to root user without asking user for password:
while read p; do
p=$(echo $p|tr -d '\r')
sshpass -p "myPasswd" ssh -T -o StrictHostKeyChecking=no myUser#remoteServer << EOT
cd /var/log/jboss/ #here I am getting 'permission denied' message as only root has access
exit
EOT
done < $nodes
I also tried:
sshpass -p "myPasswd" ssh -tt -o StrictHostKeyChecking=no myUser#remoteServer 'cd /var/log/jboss/'
but I got the same permission denied error message
For security reasons, root users are typically not allowed ssh access.
PermitRootLogin no # value in /etc/ssh/sshd_config
The above setting is preventing you from logging in as root in the first place. If you are "comfortable" with you network's security, you can consider modifying that setting. If you ever make modifications to the sshd config, you'll need to restart the ssh service:
sudo service sshd restart
Of course, if you want to adhere to common wisdom, you may want to make changes to your sudoers file (as recommended by chepner and Nic3500). Here's a reasonable configuration change to make:
Add the following line to the bottom of your /etc/sudoers file:
#includedir /etc/sudoers.d
And add the following files to your /etc/sudoers.d directory:
cat /etc/sudoers.d/10_wheel:
%wheel ALL=(ALL) NOPASSWD: ALL
The above example configures sudo to allow access to all commands to members of the wheel group, without a password. You may want to change the group name to a group that your user is a member of.
You can determine your groups by issuing the command:
groups
Also, to avoid the use of sshpass, you can deploy ssh public keys to the remote host. Lastly, if you don't want to change the server at all, you can achieve what you are trying to do with expect. If you are comfortable with python coding, I recommend pexpect - I find it soooo much easier than the TCL based expect that is typically discussed.
I have a deep directory called root,with a lot of folders,each folder is set with different permissions and there're several users registered in the system.In the subfolders of root these users have different privileges and i don't want to change them,but i need to give to the admin user rwx permissions on all files and subdirectories in root.I can do that manually by using the get info menu with the second mouse button on each file that is still not with rwx permission for the admin user but that would require too much time.So the question is,how can i give permissions on a folder recursively to a specific user without changing files and folders owners and permissions for other users?is there no way to do something like
chmod -R specific_user=rwx root_directory
?
On the Mac, login as Local Admin and at the Terminal, run:
sudo dseditgroup -o edit -a [username] -t user admin
Where [username] is the user you want to give admin permissions.
For example if the username was "User1", then the command would be:
sudo dseditgroup -o edit -a User1 -t user admin
http://community.centrify.com/t5/Centrify-Express/OSX-give-an-Ad-User-local-admin-permissions/td-p/8022
I have been tasked with setting up a centOS 6.2 development box (even though I do not know linux) and am currently using vsftpd to FTP into a box at work. The problem is sftp is not working.
Authentication failed. Error: Critical error Error: Could not connect
to server
this is the error I am getting.
I have added the user by doing the following:
sudo useradd -d /var/www/PATH -s /usr/sbin/nologin USERNAME
sudo passwd USERNAME
sudo chown -R USERNAME /var/www/ PATH
sudo chmod 755 /var/www/PATH
it works for ftp (and the folder structure is jailed) but it does not work with sftp.
However, when I add a user the following way:
sudo useradd USERNAME
sudo passwd USERNAME
sudo chown –R USERNAME /opt/USERNAME
sudo chmod 777 /opt/USERNAME
I have sftp access unjailed and no FTP access.
It does not matter if I have to create multiple accounts (one for ftp and one for sftp), they do have to be jailed to the directory.
If there is a better solution to my problem, help would be welcomed!
Thanks,
Matt
You are on good way.
Personally I am using chrooting of sftp user described here: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
IMHO in article is not stressed out enough that user's home directory has to be owned by root
# ls -ld /var/www/PATH
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /var/www/PATH
You can get a lot of helpful info from logs, it this case you can search
tail -f /var/log/secure
while connecting from external host.
Let me know if you have any more help with this problem.
I've created a script for this purpose, you can use it what ever the distribution that you are using is, it works on both RHEL based and Deb's as well to create a jailed SFTP directory with no shell access, only SFTP.
SFTP Jailing with no shell access
I'm trying to set myself as a root and once I type in su - root in the terminal it just give me an error saying /bin/su: Permission denied so I checked the permission in that file
-rwsr-x--- 1 root wheel 24120 Mar 30 2011 su*
I'm wondering why I can't use this I'm trying to install some plugin and it asks me to use root thats why I needed it.
have you tried using the command:
$ sudo su
I had a similar problem. I wanted to allow a user to switch to root, but didn't want to add the user to wheel group. Hence, I used sudoers file.
Add the following line to the sudoers file to allow admin user to use su
admin ALL= /bin/su
Do not edit sudoers file directly, instead use visudo.
Now you can switch to another user with
sudo su - user2
In my case, I added the following line to make sudo prompt for root password and not admin user's password.
Defaults:admin rootpw
I'm actually trying to run Symfony2 on my MacBook Pro (Mac OS X 10.6).
When i launch my application by apache, all cache and log file are created by the _www:_www user/group.
But, i already have to edit these files in the CLI, with my own user.
My question is : how to add my user to the _www group ?
I have tried to edit the /etc/group to add my user name to _www group, restart apache : fail
I have also tried to edit /etc/apache2/httpd.conf to change user and group used by Apache : complete error acces.
Anyone have an idea ?
sudo dseditgroup -o edit -a your_username -t user _www
I'd suggest the same as above but here's a bit more copy/paste friendly version:
sudo dseditgroup -o edit -a `whoami` -t user _www
I was facing the same issue just to make it global on your personal mac not production i would suggest to run this and you will never have to do chmod again
sudo dseditgroup -o edit -a _www -t user staff