I have made a script for installing a control panel.
I've uploaded the script to a server so people can wget it to their machines.
The only issue is that you have to chmod it after download. Is there a way to remove this step? How would I go about keeping 755 perms on the downloaded script?
When a user downloads the file, the file will automatically get some default permission. In UNIX, each user will have a default set of permissions which apply to all files created by that user, unless you explicitly set it to something else.
This default is called the umask, after the command used to change it. It is either inherited from the login process, or set in the .shrc or .login file which configures an individual account, or it can be run manually.
Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
-rw-r--r-- for regular files, or
drwxr-xr-x for directories.
In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories. As you see above, the execution access is not default for files.
Hence you need to explicitly change it.
Related
How can I prevent .git/index from constantly changing its permissions and ownership?
I run ls -al .git/index and see that the file is owned by root.
I change the permissions with sudo chown -R $USER:USER and sudo chmod -R 775 .git
I even tried deleting the lock file with rm -rf .git/index.lock
The permissions update but then a few minutes later they change back to being owned by root and 740 which breaks the git commands I'm attempting.
I set the global git config via Ansible so I'm wondering if that messed something up? Is there a global file I need to modify?
When Git writes the index, the way it does so is to create a new file called .git/index.lock (with O_EXCL), adjusts its permissions according to core.sharedRepository, and then rename it over top. Git does not offer a way to rewrite the file in place.
If this file is being created such that it's being owned by root, then root is creating the file because it's updating the index. That probably means that some process owned by root is modifying the working tree.
If that wasn't your intention, then the best thing to do is find that process and stop it from modifying the working tree. It's not a good idea for multiple users to modify the same working tree, and if your process owned by root is reading files out of the working tree and it's shared with another user, that could lead to a security vulnerability.
If you're certain what you're doing is safe and you want to modify the permissions with which files in the .git directory are created, you can use core.sharedRepository to set them. For example, you could use the value 0664. Note that Git will handle the executable bit automatically, and the index should not be marked executable.
If you want to always use the same group for your repository, you can set the setgid bit on all the directories in the repository and then set their group to the appropriate value. Assuming you also set core.sharedRepository to a value that makes things group writable, you can then modify the repository with any user in that group, and things should work. Note that this may still have security implications if one or more of those users are untrusted or have lower privileges, so you should be careful.
My question is how I can make one folder accessible when script running.
In this case lets call there is bob who copying his folder by using script to specific location and there is jeff who also sharing the same group as bob also he copying his file to there with using script.
The problem is that when I set file group they need write and execute permission and when I gave to them they are able to see each other file content if they know full path of the file.
To stop that I am thinking to completely deleting all permission on folder and only giving the permission when script running and doing copying process.
But problem is that when those users run the script and script try to chmod the file permission they are not going to be able to because they don't have enough permission to do it. Also if I add them on sudoers, they are going to be able to chmod and change anything as they want to change.
So I am so confused about how I can make the script change permission of folder and when copying completed turn back to previous permission
You should add a sudoers entry to allow ALL or the selected group to run a given script that does the copy to a restricted directory, with NOPASSWD to avoid the password prompt.
Then the users invoke
$ sudo /path/to/copy-to-restricted-dir files*
but users don't have access to restricted directory nor to chmod.
I have a script that creates a filesystem archive. For this I need superuser privileges, but I do not wish to run the whole script with sudo, just the specific line that creates the archive.
The problem is, when I prefix the archiving command with 'sudo', the files which are created inside the archive all have my uid (1000), not the root uid (0). When this filesystem is later unpacked into the target platform, and we boot into it as root, attempting to perform actions that require superuser priviliges fails: the system thinks that the root account should have uid 1000, not 0.
How do I make the tar command run as root while also have the correct uid in the result?
tar preserves the permissions, ownership, etc. that the files have on the filesystem by default.
You can override that with the --owner=USER and --group=USER flags.
Additionally, you can tell tar to use the numeric ownership and group information stored in the tar file instead of the name equivalents (in case the names differ on the different systems) with the --numeric-owner argument.
So if the only reason you needed root for the tar command was to set ownership, etc. in the tarball then you don't need that at all.
I have a shared directory. The directory's groupid is dev and many users are members of the group dev.
Now I need to give all the files created under the folder to have the same permission say, rwxrwxr--.
How would I do that? One solution that came to my mind is:
I would need a 2 shell scripts executable by all members of the group. One script should change the umask after checking that the current directory's groupID is dev. The other should change the umask to the previous default value.
Please let me know how to do this in shell script.
You can avoid the use of shell scripts by applying a default POSIX ACL (Access Control List) to the shared directory. e.g. On linux:
setfacl -m d:u::rwx,d:g::rwx,d:o::r,d:g:dev:rwx /shared/dir
The default ACL applied to /shared/dir above overrides the user's umask setting when new files are subsequently created in /shared/dir. The following is cut from the acl(5) man page on linux:
OBJECT CREATION AND DEFAULT ACLs
The access ACL of a file object is initialized when the object is
created
with any of the creat(), mkdir(), mknod(), mkfifo(), or open()
functions.
If a default ACL is associated with a directory, the mode parameter
to
the functions creating file objects and the default ACL of the
directory
are used to determine the ACL of the new object:
The new object inherits the default ACL of the containing directory
as its access ACL.
The access ACL entries corresponding to the file permission
bits are modified so that they contain no permissions that are not
contained
in the permissions specified by the mode parameter.
Create a single shell script to copy files into the shared directory. In that shell script, set the permissions on the file after copying. Make sure the directory has the SGID bit set; all files created in the directory will automatically belong to the group that owns the directory - dev in your scenario. Note that MacOS X effectively always has the SGID bit set on directories; that is, when a file is created, its group is the group that owns the directory.
Chastise anyone who self-evidently does not use the shell script, leaving files with the incorrect permissions.
Worry about whether all files should be executable; documents should not.
Worry about whether all files should be writable; where is the version control system in all this?
(I'd be happier with 444 permissions on the files - except for the few programs where 554 might be sensible.)
The question of the title doesn't seem related to the question in the body, but to answer the question in the title:
id=$( stat -f %g directory )
We have two users:
user1
user2
They both belong to the group 'admin'.
We have a directory that has been set to 775. The directory's group has been changed to 'admin'. Each user has full access to write into that directory, though when a user writes a new file to the directory, the group permissions of the folder are not persisted to the file that was written.
How should we make it so that files inherit the directory's group permissions?
Clarification: when a new file or directory is written, it uses the users' group as the group of the new file, rather than that of the directory, which makes sense - but how do I not make that happen?
You can propagate group permissions by setting the directory's setgid bit (chmod g+s). This may not be portable across all *nixes and all file systems.
http://en.wikipedia.org/wiki/Setuid#setgid_on_directories
http://www.gnu.org/software/coreutils/manual/html_node/Directory-Setuid-and-Setgid.html
If you are using ext3 or ReiserFS, this page about creating a Linux file server may help. Specifically step 7 suggests the following command.
setfacl -d -m g:sales:rw /groups/sales
I think you should look here.
As the site says, "Unix doesn't support the idea of inherited permissions."
However, there is a section on ACLs (Access Control Lists), which I think is what you are looking for. By setting up an ACL, you can have your files inherit the same ACL from the directory, which I think is what you are asking for. setfacl is the shell command that will be what you need to look into.
Hope that helps!