I'm actually trying to run Symfony2 on my MacBook Pro (Mac OS X 10.6).
When i launch my application by apache, all cache and log file are created by the _www:_www user/group.
But, i already have to edit these files in the CLI, with my own user.
My question is : how to add my user to the _www group ?
I have tried to edit the /etc/group to add my user name to _www group, restart apache : fail
I have also tried to edit /etc/apache2/httpd.conf to change user and group used by Apache : complete error acces.
Anyone have an idea ?
sudo dseditgroup -o edit -a your_username -t user _www
I'd suggest the same as above but here's a bit more copy/paste friendly version:
sudo dseditgroup -o edit -a `whoami` -t user _www
I was facing the same issue just to make it global on your personal mac not production i would suggest to run this and you will never have to do chmod again
sudo dseditgroup -o edit -a _www -t user staff
Related
I'm attempting to configure a OSX Mavericks server running Apache and Lasso. For security and convenience I only want users belonging to a specific "web" group to be able to access the web root. I have succeeded in letting both permitted regular users and Apache (_www) access the files, but I cannot for my life manage to set the correct permissions for Lasso. I'm hoping someone here can point me in the right direction.
Basically, what I have done is the following:
sudo dseditgroup -o create web
sudo dseditgroup -o edit -a _www -t user web
sudo dseditgroup -o edit -a _lasso -t user web
sudo chgrp -R web webroot
sudo chmod -R 770 webroot
This apparently works for Apache, but any lasso files merely output a Lasso permission error:
An unhandled failure during a web request
Error Code: 13
Error Msg: Permission denied - While opening //Library/Server/Web/Data/Sites/...
I have also tried adding the _www and _lasso groups to the web group, as well as creating a new Lasso instance in the instance manager with the effective group set to "web".
Strangely, setting permissions to the _lasso user or group directly on the files (i.e. not through the web group) seems to work which makes me believe there's something wrong with how I'm creating my ACLs.
A little more info:
ls -l#e example.lasso
-rwxrwx---+ 1 danielpervan web 0 Feb 19 15:20 example.lasso
0: user:_spotlight inherited allow read,execute
I've encountered problems similar to this when I have ACLs above and beyond the standard Unix permissions. From your post, it looks like there are some ACLs on the example.lasso file. I would run the following script on your web root to remove all ACLs from every folder / file:
sudo chmod -R -N /path/to/webroot/
If that doesn't work, verify that the _lasso user is part of the web group:
dscl . -read /groups/web | grep GroupMembership
I've been looking for a way to force usermod to modify the password/group/... files despite the user being in use.
What I do get now is this:
!! Failed to execute 'usermod --home '...' --password '...' --shell '/bin/false' 'zabbix' 2>&1':
usermod: user zabbix is currently used by process 518
I know that for being secure I need to restart the service. But this is done within a setup script. I am restarting all services at the end.
Is there any way to say --force? (well, except for modifying all necessary files.)
Thanks
If you can get root rights via sudo and are confident enough to change system files using vi then I would change the files manually.
Only a few things need to be changed in
- /etc/passwd
here you could change UID, GID, Homedirectory, Shell ...
- /etc/group
here you might need to change UID/GID as well for the username if there was a change
The File /etc/shadow will be changed automatically when using passwd to set a new password. This you can directly perform if you are root: "passwd username"
You can run usermod in a separate user namespace (with a recent enough linux), but you need to map the root user to root (otherwise you won't have permissions to modify /etc/passwd).
I.e. something like this:
unshare --user --map-root-user usermod ...
Now usermod won't find the processes running with the uid of user you are modifying.
You probably won't be able to modify the root user itself with this.
I have crafted a script (python+bash) which makes use of tcpdump to monitor and filter the TCP headers that flow through a network interface. It works smoothly for all interfaces but when it comes to ethernet en0 interface, Mac requires for tcpdump to be executed as root user (sudo).
Is there any programatic solution by which I can bypass the need to run it with sudo?
I find that tools like wireshark is able to do it without requesting the user for sudo password.
Any solution without requiring sudo would be great.
Is there any programatic solution by which I can bypass the need to run it with sudo?
What do you mean by "programatic"?
The way Wireshark does this is that its installer
creates an access_bpf group and puts the user into it;
installs a StartupItem that changes the group owner of the current BPF devices to access_bpf and changes the permissions on them to rw-rw---- (as per the ls -l /dev/bpf* output in jonschipp's answer);
so that the user who installs Wireshark can run programs that use BPF (all programs using libpcap use BPF on OS X; tcpdump and Wireshark both use libpcap) without having to run them as root (at least as long as the program doesn't need a new BPF device; they're automatically created as needed, but they're created with permissions rw------- and owned by user and group root).
So if you've installed Wireshark, you can run not only Wireshark (and TShark, and the dumpcap program that both of them use to do packet capturing) as an ordinary user and capture traffic, you can also, for example, run tcpdump as an ordinary user and capture traffic.
I.e., it's not something in the Wireshark code that enables this, so it's not "programatic" in that sense, it's something installed by the Wireshark installer that enables this, and it enables it for all programs.
If you do not need to be in promiscuous mode then you can use tcpdump as a normal user. Use the '-p' option to disable promiscuous mode.
tcpdump -nni en0 -p
If you need to set your interface in promiscuous mode then you could enable the root account and become root via su and then proceed to run your script.
su root -
python myscript.py
Or
su -
python myscript.py
With sudo defaults it can be done like (presuming an admin account called Administrator)
su Administrator
sudo su
python myscript.py
If you're concerned about the password prompt sudo can avoid it by configuring the /etc/sudoers file to use the NOPASSWD option. You can then run your script as a normal user
without a password prompt.
You may also try giving the bpf device files read permission for other users.
Note: I haven't tested this.
$ ls -l /dev/bpf*
crw-rw---- 1 root access_bpf 23, 0 Aug 4 22:17 /dev/bpf0
crw-rw---- 1 root access_bpf 23, 1 Aug 4 22:16 /dev/bpf1
crw-rw---- 1 root access_bpf 23, 2 Aug 4 22:16 /dev/bpf2
crw-rw---- 1 root access_bpf 23, 3 Aug 4 22:16 /dev/bpf3
e.g.
chmod o+r /dev/bpf*
I have been tasked with setting up a centOS 6.2 development box (even though I do not know linux) and am currently using vsftpd to FTP into a box at work. The problem is sftp is not working.
Authentication failed. Error: Critical error Error: Could not connect
to server
this is the error I am getting.
I have added the user by doing the following:
sudo useradd -d /var/www/PATH -s /usr/sbin/nologin USERNAME
sudo passwd USERNAME
sudo chown -R USERNAME /var/www/ PATH
sudo chmod 755 /var/www/PATH
it works for ftp (and the folder structure is jailed) but it does not work with sftp.
However, when I add a user the following way:
sudo useradd USERNAME
sudo passwd USERNAME
sudo chown –R USERNAME /opt/USERNAME
sudo chmod 777 /opt/USERNAME
I have sftp access unjailed and no FTP access.
It does not matter if I have to create multiple accounts (one for ftp and one for sftp), they do have to be jailed to the directory.
If there is a better solution to my problem, help would be welcomed!
Thanks,
Matt
You are on good way.
Personally I am using chrooting of sftp user described here: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
IMHO in article is not stressed out enough that user's home directory has to be owned by root
# ls -ld /var/www/PATH
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /var/www/PATH
You can get a lot of helpful info from logs, it this case you can search
tail -f /var/log/secure
while connecting from external host.
Let me know if you have any more help with this problem.
I've created a script for this purpose, you can use it what ever the distribution that you are using is, it works on both RHEL based and Deb's as well to create a jailed SFTP directory with no shell access, only SFTP.
SFTP Jailing with no shell access
I'm trying to set myself as a root and once I type in su - root in the terminal it just give me an error saying /bin/su: Permission denied so I checked the permission in that file
-rwsr-x--- 1 root wheel 24120 Mar 30 2011 su*
I'm wondering why I can't use this I'm trying to install some plugin and it asks me to use root thats why I needed it.
have you tried using the command:
$ sudo su
I had a similar problem. I wanted to allow a user to switch to root, but didn't want to add the user to wheel group. Hence, I used sudoers file.
Add the following line to the sudoers file to allow admin user to use su
admin ALL= /bin/su
Do not edit sudoers file directly, instead use visudo.
Now you can switch to another user with
sudo su - user2
In my case, I added the following line to make sudo prompt for root password and not admin user's password.
Defaults:admin rootpw