Directory permissions for Cygwin SSH (Windows 7) - windows-7

I am a fan of Linux but due to bad Intel wireless drivers in Linux, I had to switch to Windows 7. I have installed Cygwin in Windows and want to configure SSH to remotely connect to my laptop.
I searched with Google and found information for installing openssh server on Win 7, but I am getting the following error when running ssh-host-config:
bala#bala-PC ~
$ ssh-host-config
yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/READ
ME.privsep.
*** Query: Should privilege separation be used? (yes/no) no
*** Info: Updating /etc/sshd_config file
*** Warning: The following functions require administrator privileges!
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Warning: The owner and the Administrators need
*** Warning: to have .w. permission to /var/run.
*** Warning: Here are the current permissions and ACLS:
*** Warning: drwxr-xr-x 1 bala None 0 2010-01-17 22:34 /var/run
*** Warning: # file: /var/run
*** Warning: # owner: bala
*** Warning: # group: None
*** Warning: user::rwx
*** Warning: group::r-x
*** Warning: other:r-x
*** Warning: mask:rwx
*** Warning:
*** Warning: Please change the user and/or group ownership,
*** Warning: permissions, or ACLs of /var/run.
*** ERROR: Problem with /var/run directory. Exiting.
The permissions of this folder are shown as read-only (only applies to this folder), checked in gray. I tried to uncheck but after I open the properties again, the box is again checked. Is there a way to change the permissions of this folder?

Sorry to unbury such an old thread, but this question always came up when I googled this specific problem.
After a few months, I finally found a solution. When I set up cygwin, I didn't have my user and group accounts correctly created in cygwin. The main way to do this is to run:
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
If you are logging in using a domain user and passwd, you can do:
mkpasswd -l -d > /etc/passwd
mkgroup -l -d > /etc/group
Or, if you have an incredibly large network like mine, you may not really want that. An alternative is to just user your local users and group plus whatever one you are currently logged in as:
mkpasswd -l > /etc/passwd
mkpasswd -c >> /etc/passwd
mkgroup -l > /etc/group
mkgroup -c >> /etc/group
After I did this, I was finally able to run ssh-host-config correctly to create the service.

I'm running cygwin 1.7 on Windows 7 x64 and sshd. I don't remember getting this error when I ran sshd_config, but I just looked at my /var/run directory and it's set to 777.
Try this in a cygwin shell chmod 777 /var/run

I had a lot of trouble with this myself. I have found that the default install steps work just fine provided that I:
Start the Cygwin shell as an Administrative user with the "Run As Administrator" option.
Have UAC disabled.
Have real-time virus protection disabled.
Once these steps have been taken, the default install steps are:
Install "openssh" from the Cygwin installer.
Start the Cygwin shell as an Administrative user with the "Run As Administrator" option.
Run "ssh-host-config" from the Cygwin shell.
Privilege Separation: yes
New local account "sshd": yes
Install sshd as service: yes
CYGWIN value: ntsec tty
Different name for "cyg_server": no
Create new privileged user account "cyg_server": yes
Set "cyg_server" password and keep in a safe place
net start sshd
After that, everything seems to work fine on both Windows 7 Professional and Home.
If you already have a failed Cygwin sshd installation, it may be best to do a full uninstall and start fresh.
Here are the Cygwin uninstall instructions if you need them: http://cygwin.com/faq/faq.html#faq.setup.uninstall-all

I first had to remove the broken installation:
cygrunsrv --remove sshd
rm -rf /var/log/sshd* /etc/ssh_host* /etc/sshd_config /var/empty
then generate passwd & group as mentioned above:
mkpasswd -l > /etc/passwd
mkgroup -l > /etc/group
then I ran:
ssh-host-config -y
cygrunsrv --start sshd
and finaly the "setuid failed" messages dissapeared and login worked.

In a cygwin shell, make sure you are administrator then:
takeown /F "C:\cygwin" /R
icacls "C:\cygwin" /grant Everyone:\(F\) /T
icacls "C:\cygwin"
chmod 777 -R "c:\cygwin"

In Windows Explorer, for folder /var:
Properties.
Security.
Add group Administrators with full control for
the folder and subfolders.
It works for me.

I was only able to run the ssh-host-config script successfully when I installed Cygwin on a hard drive of type NTFS. The ssh-host-config script did not work when I had Cygwin installed on a flash drive of type exFAT.

I was having the same problem. My problem, I believe, was because I had a custom /etc/fstab file where I was mounting the root folder with "noacl" option. Here is how I solved the problem:
Move the custom /etc/fstab out of the way:
mv /etc/fstab /etc/fstab.bak
Alternatively, you can edit your /etc/fstab file and remove the noacl option.
Close all Cygwin bash windows and any other Cygwin processes or services. If you have any Cygwin process running, it will keep things mounted with the old /etc/fstab settings.
Start a new Cygwin bash window.
You may need to run the following.
chmod +r /etc/passwd
chmod o+x /var
chmod +w /var/run
Cross your fingers, run ssh-host-config, and it should now complete without errors.
If you moved your /etc/fstab in Step 1, you can move it back now:
mv /etc/fstab.bak /etc/fstab
If you created new users after you first installed Cygwin, update /etc/passwd, otherwise those users may not be able login via ssh:
mkpasswd -l > /etc/passwd
Also, go to Windows Firewall, and allow C:/cygwin/usr/sbin/sshd.exe and C:/cygwin/usr/sbin/sftp-server.exe

for windows Users run "Cygwin Terminal" by right-clicking on shortcut and run it as a administrator....
Now Run "ssh-host-config" from the Cygwin Terminal...It will definitely work.

Related

chmod WSL (Bash) doesn't work

Running bash on windows 10, the simple syntax below works when I SSH to my webserver, but not when I exit out and am on my local machine. It doesn't give me an error, but I can see permissions are unchanged. I have to checked that I am set up as an administrator on my computer. Is this an error or is this just a consequence of the local operating system being windows? IF the later, it makes me question the value of using bash on windows if common operations such as this won't work.
$chmod 644 filename
To enable changing file owners & permissions, you need to edit /etc/wsl.conf and insert the below config options:
[automount]
options = "metadata"
Do this inside the WSL shell, potentially needing sudo to edit/create the file.
This may require restarting WSL (such as with wsl --shutdown which is a Windows command, not one within WSL) or the host machine to take effect. This has been possible since 2018:
You can now set the owner and group of files using chmod/chown and modify read/write/execute permissions in WSL. You can also create special files like fifos, unix sockets, and device files. We’re introducing new mounting options with DrvFs for projecting permissions onto files alongside providing new Linux metadata on files and folders.
[cite: Microsoft Dev Blog]
You can also temporarily re-mount a drive with the following commands:
sudo umount /mnt/c
sudo mount -t drvfs C: /mnt/c -o metadata
...but please note, the command only takes effect in session scope. If you exit current bash, you'll lose your settings (credit: answerer Amade).
Reference:
Automatically Configuring WSL
There was an update to WSL recently (source), which lets you change permissions to files (Insider Build 17063).
All you have to do is to run:
sudo umount /mnt/c
sudo mount -t drvfs C: /mnt/c -o metadata
Both Amades and Chaos answers are correct.
But it only works for local drives not for mapped network drives. Z: is one of my network drives. Same operation on /mnt/c/Users/xxx/ works fine.
$sudo mount -t drvfs Z: /mnt/z -o metadata
$touch test
$chmod +w test
chmod: changing permissions of 'test': Operation not permitted
This is a known issue, see drvfs: metadata (chmod\chown) possible for mounted SMB drives?

How disable need to sudo? Setting root to admi, sudivo, and disabling SIP didn't work

I am having to type "sudo" before most terminal commands, and am also getting EACCES errors sometimes even when using sudo when chained to a secondary file/folder.
I've done the standard setting of root user to admin, added my username with all permissions in visudo, and successfully disabled SIP. It may have to do with permissions I may have changed when I first got my Mac years ago.
Does anybody have any ideas as to what could be wrong?
Sometimes you use sudo command1, you also encountered permission denied. It's because the command1 will invoke another process which don't have root prividge. In this situation you can put command in a script, and use sudo bash script, or su to change to root user. And sometimes sudo filename also permission denied, it's that you not have the x priviledge, you can sudo chmod 744 filename, then execute the command.
methods to avoid type sudo passward every minutes.
method 1 recomended. sudo -i
method2 use sudo visudo or sudo vim /etc/sudoers and put this in it. this will make username user neednot to pass passward when use sudo.
username ALL=(ALL) NOPASSWD: ALL
you can refer here for config for one command
hope helps.
Log in and open your terminal app. Run these two commands:
sudo echo >> /etc/sudoers
sudo echo "$(id -u -n) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
Now you can run sudo without a password. Do normal stuff under your regular account and when you want to run as root for a while do:
sudo bash
macOS includes a "root user" that can be enabled using Directory Utility. Have a look at the following article from Apple: Enabling and using the "root" user in OS X. The article, while not explicitly saying it, implies that using the root user is the same thing as sudo.
The Apple article includes some warnings about use of the root user, but if you think about it, it's no more risky than deliberately disabling the password required by sudo. Either way you're creating an unrestricted path to root-level functions, so do be careful about it!
None of these solutions worked as things are. Ended up wiping my computer's hard drive and permissions settings went back to normal.

Mac OSX no valid sudoers sources found

I am always getting this error. What is the solution ?
As the error message says: your /etc/sudoers file has the wrong permissions.
the normal permissions (on OS X 10.10) are:
$ ls -l /etc/sudoers
-r--r----- 1 root wheel 1293 Sep 19 2012 /etc/sudoers
so get a root shell in some other manner and issue chmod 660 /etc/sudoers
and/or the appropriate chgrp and chown commands.
To get a root shell, it all depends on what you have left as assets.
The failsafe method would be from a recovery partition, but booting in single user mode should be enough in most cases.
Single user mode: boot holding "Command-S"
ref: https://support.apple.com/en-us/HT201573

TeamCity with Xcode3 and Xcode4 [duplicate]

I am trying to compile some sources using a makefile. In the makefile there is a bunch of commands that need to be ran as sudo.
When I compile the sources from a terminal all goes fine and the make is paused the first time a sudo command is ran waiting for password. Once I type in the password, make resumes and completes.
But I would like to be able to compile the sources in NetBeans. So, I started a project and showed netbeans where to find the sources, but when I compile the project it gives the error:
sudo: no tty present and no askpass program specified
The first time it hits a sudo command.
I have looked up the issue on the internet and all the solutions I found point to one thing: disabling the password for this user. Since the user in question here is root. I do not want to do that.
Is there any other solution?
Granting the user to use that command without prompting for password should resolve the problem. First open a shell console and type:
sudo visudo
Then edit that file to add to the very end:
username ALL = NOPASSWD: /fullpath/to/command, /fullpath/to/othercommand
eg
john ALL = NOPASSWD: /sbin/poweroff, /sbin/start, /sbin/stop
will allow user john to sudo poweroff, start and stop without being prompted for password.
Look at the bottom of the screen for the keystrokes you need to use in visudo - this is not vi by the way - and exit without saving at the first sign of any problem. Health warning: corrupting this file will have serious consequences, edit with care!
Try:
Use NOPASSWD line for all commands, I mean:
jenkins ALL=(ALL) NOPASSWD: ALL
Put the line after all other lines in the sudoers file.
That worked for me (Ubuntu 14.04).
Try:
ssh -t remotehost "sudo <cmd>"
This will remove the above errors.
After all alternatives, I found:
sudo -S <cmd>
The -S (stdin) option causes sudo to read the password from the standard input instead of the terminal device.
Source
Above command still needs password to be entered. To remove entering password manually, in cases like jenkins, this command works:
echo <password> | sudo -S <cmd>
sudo by default will read the password from the attached terminal. Your problem is that there is no terminal attached when it is run from the netbeans console. So you have to use an alternative way to enter the password: that is called the askpass program.
The askpass program is not a particular program, but any program that can ask for a password. For example in my system x11-ssh-askpass works fine.
In order to do that you have to specify what program to use, either with the environment variable SUDO_ASKPASS or in the sudo.conf file (see man sudo for details).
You can force sudo to use the askpass program by using the option -A. By default it will use it only if there is not an attached terminal.
Try this one:
echo '' | sudo -S my_command
For Ubuntu 16.04 users
There is a file you have to read with:
cat /etc/sudoers.d/README
Placing a file with mode 0440 in /etc/sudoers.d/myuser with following content:
myuser ALL=(ALL) NOPASSWD: ALL
Should fix the issue.
Do not forget to:
chmod 0440 /etc/sudoers.d/myuser
Login into your linux. Fire following commands. Be careful, as editing sudoer is a risky proposition.
$ sudo visudo
Once vi editor opens make the following changes:
Comment out Defaults requiretty
# Defaults requiretty
Go to the end of the file and add
jenkins ALL=(ALL) NOPASSWD: ALL
If by any chance you came here because you can't sudo inside the Ubuntu that comes with Windows10
Edit the /etc/hosts file from Windows (with Notepad), it'll be located at: %localappdata\lxss\rootfs\etc, add 127.0.0.1 WINDOWS8, this will get rid of the first error that it can't find the host.
To get rid of the no tty present error, always do sudo -S <command>
This worked for me:
echo "myuser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
where your user is "myuser"
for a Docker image, that would just be:
RUN echo "myuser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
In Jenkins:
echo '<your-password>' | sudo -S command
Eg:-
echo '******' | sudo -S service nginx restart
You can use Mask Password Plugin to hide your password
Make sure the command you're sudoing is part of your PATH.
If you have a single (or multi, but not ALL) command sudoers entry, you'll get the sudo: no tty present and no askpass program specified when the command is not part of your path (and the full path is not specified).
You can fix it by either adding the command to your PATH or invoking it with an absolute path, i.e.
sudo /usr/sbin/ipset
Instead of
sudo ipset
Command sudo fails as it is trying to prompt on root password and there is no pseudo-tty allocated (as it's part of the script).
You need to either log-in as root to run this command or set-up the following rules in your /etc/sudoers
(or: sudo visudo):
# Members of the admin group may gain root privileges.
%admin ALL=(ALL) NOPASSWD:ALL
Then make sure that your user belongs to admin group (or wheel).
Ideally (safer) it would be to limit root privileges only to specific commands which can be specified as %admin ALL=(ALL) NOPASSWD:/path/to/program
I think I can help someone with my case.
First, I changed the user setting in /etc/sudoers referring to above answer. But It still didn't work.
myuser ALL=(ALL) NOPASSWD: ALL
%mygroup ALL=(ALL:ALL) ALL
In my case, myuser was in the mygroup.
And I didn't need groups. So, deleted that line.
(Shouldn't delete that line like me, just marking the comment.)
myuser ALL=(ALL) NOPASSWD: ALL
It works!
Running shell scripts that have contain sudo commands in them from jenkins might not run as expected. To fix this, follow along
Simple steps:
On ubuntu based systems, run " $ sudo visudo "
this will open /etc/sudoers file.
If your jenkins user is already in that file, then modify to look like this:
jenkins ALL=(ALL) NOPASSWD: ALL
save the file
Relaunch your jenkins job
you shouldnt see that error message again :)
This error may also arise when you are trying to run a terminal command (that requires root password) from some non-shell script, eg sudo ls (in backticks) from a Ruby program. In this case, you can use Expect utility (http://en.wikipedia.org/wiki/Expect) or its alternatives.
For example, in Ruby to execute sudo ls without getting sudo: no tty present and no askpass program specified, you can run this:
require 'ruby_expect'
exp = RubyExpect::Expect.spawn('sudo ls', :debug => true)
exp.procedure do
each do
expect "[sudo] password for _your_username_:" do
send _your_password_
end
end
end
[this uses one of the alternatives to Expect TCL extension: ruby_expect gem].
For the reference, in case someone else encounter the same issue, I was stuck during a good hour with this error which should not happen since I was using the NOPASSWD parameter.
What I did NOT know was that sudo may raise the exact same error message when there is no tty and the command the user try to launch is not part of the allowed command in the /etc/sudoers file.
Here a simplified example of my file content with my issue:
bguser ALL = NOPASSWD: \
command_a arg_a, \
command_b arg_b \
command_c arg_c
When bguser will try to launch "sudo command_b arg_b" without any tty (bguser being used for some daemon), then he will encounter the error "no tty present and no askpass program specified".
Why?
Because a comma is missing at the end of line in the /etc/sudoers file...
(I even wonder if this is an expected behavior and not a bug in sudo since the correct error message for such case shoud be "Sorry, user bguser is not allowed to execute etc.")
I was getting this error because I had limited my user to only a single executable 'systemctl' and had misconfigured the visudo file.
Here's what I had:
jenkins ALL=NOPASSWD: systemctl
However, you need to include the full path to the executable, even if it is on your path by default, for example:
jenkins ALL=NOPASSWD: /bin/systemctl
This allows my jenkins user to restart services but not have full root access
If you add this line to your /etc/sudoers (via visudo) it will fix this problem without having to disable entering your password and when an alias for sudo -S won't work (scripts calling sudo):
Defaults visiblepw
Of course read the manual yourself to understand it, but I think for my use case of running in an LXD container via lxc exec instance -- /bin/bash its pretty safe since it isn't printing the password over a network.
Using pipeline:
echo your_pswd | sudo -S your_cmd
Using here-document:
sudo -S cmd <<eof
pwd
eof
#remember to put the above two lines without "any" indentations.
Open a terminal to ask password (whichever works):
gnome-terminal -e "sudo cmd"
xterm -e "sudo cmd"
I faced this issue when working on an Ubuntu 20.04 server.
I was trying to run a sudo command from a remote machine to deploy an app to the server. However when I run the command I get the error:
sudo: no tty present and no askpass program specified
The remote script failed with exit code 1
Here's how I fixed it:
The issue is caused by executing a sudo command which tries to request for a password, but sudo does not have access to a tty to prompt the user for a passphrase. As it can’t find a tty, sudo falls back to an askpass method but can’t find an askpass command configured, so the sudo command fails.
To fix this you need to be able to run sudo for that specific user with no password requirements. The no password requirements is configured in the /etc/sudoers file. To configure it run either of the commands below:
sudo nano /etc/sudoers
OR
sudo visudo
Note: This opens the /etc/sudoers file using your default editor.
Next, Add the following line at the bottom of the file:
# Allow members to run all commands without a password
my_user ALL=(ALL) NOPASSWD:ALL
Note: Replace my_user with your actual user
If you want the user to run specific commands you can specify them
# Allow members to run specific commands without a password
my_user ALL=(ALL) NOPASSWD:/bin/myCommand
OR
# Allow members to run specific commands without a password
my_user ALL=(ALL) NOPASSWD: /bin/myCommand, /bin/myCommand, /bin/myCommand
Save the changes and exit the file.
For more help, read the resource in this link: sudo: no tty present and no askpass program specified
That's all.
I hope this helps
The solution to the problem is
If you came across this issue anywhere else apart from the Jenkins instance follow this from the 2nd step. The first step is for the user who is having issue with the Jenkins instance.
Go to Jenkins instance of Google Cloud Console.
Enter the commands
sudo su
visudo -f /etc/sudoers
Add following line at the end
jenkins ALL= NOPASSWD: ALL
Checkout here to understand the rootcause of this issue
No one told what could cause this error, in case of migration from one host to another, remember about checking hostname in sudoers file:
So this is my /etc/sudoers config
User_Alias POWERUSER = user_name
Cmnd_Alias SKILL = /root/bin/sudo_auth_wrapper.sh
POWERUSER hostname=(root:root) NOPASSWD: SKILL
if it doesn't match
uname -a
Linux other_hostname 3.10.17 #1 SMP Wed Oct 23 16:28:33 CDT 2013 x86_64 Intel(R) Core(TM) i3-4130T CPU # 2.90GHz GenuineIntel GNU/Linux
it will pop up this error:
no tty present and no askpass program specified
Other options, not based on NOPASSWD:
Start Netbeans with root privilege ((sudo netbeans) or similar) which will presumably fork the build process with root and thus sudo will automatically succeed.
Make the operations you need to do suexec -- make them owned by root, and set mode to 4755. (This will of course let any user on the machine run them.) That way, they don't need sudo at all.
Creating virtual hard disk files with bootsectors shouldn't need sudo at all. Files are just files, and bootsectors are just data. Even the virtual machine shouldn't necessarily need root, unless you do advanced device forwarding.
Although this question is old, it is still relevant for my more or less up-to-date system. After enabling debug mode of sudo (Debug sudo /var/log/sudo_debug all#info in /etc/sudo.conf) I was pointed to /dev: "/dev is world writable". So you might need to check the tty file permissions, especially those of the directory where the tty/pts node resides in.
I was able to get this done but please make sure to follow the steps properly.
This is for the anyone who is getting import errors.
Step1: Check if files and folders have got execute permission issue.
Linux user use:
chmod 777 filename
Step2: Check which user has the permission to execute it.
Step3: open terminal type this command.
sudo visudo
add this lines to the code below
www-data ALL=(ALL) NOPASSWD:ALL
nobody ALL=(ALL) NOPASSWD:/ALL
this is to grant permission to execute the script and allow it to use all the libraries. The user generally is 'nobody' or 'www-data'.
now edit your code as
echo shell_exec('sudo -u the_user_of_the_file python your_file_name.py 2>&1');
go to terminal to check if the process is running
type this there...
ps aux | grep python
this will output all the process running in python.
Add Ons:
use the below code to check the users in your system
cut -d: -f1 /etc/passwd
Thank You!
1 open /etc/sudoers
type sudo vi /etc/sudoers. This will open your file in edit mode.
2 Add/Modify linux user
Look for the entry for Linux user. Modify as below if found or add a new line.
<USERNAME> ALL=(ALL) NOPASSWD: ALL
3 Save and Exit from edit mode
I had the same error message when I was trying to mount sshfs which required sudo : the command is something like this :
sshfs -o sftp_server="/usr/bin/sudo /usr/lib/openssh/sftp-server" user#my.server.tld:/var/www /mnt/sshfs/www
by adding the option -o debug
sshfs -o debug -o sftp_server="/usr/bin/sudo /usr/lib/openssh/sftp-server" user#my.server.tld:/var/www /mnt/sshfs/www
I had the same message of this question :
sudo: no tty present and no askpass program specified
So by reading others answer I became to make a file in /etc/sudoer.d/user on my.server.tld with :
user ALL=NOPASSWD: /usr/lib/openssh/sftp-server
and now I able to mount the drive without giving too much extra right to my user.
Below actions work for on ubuntu20
edit /etc/sudoers
visudo
or
vi /etc/sudoers
add below content
userName ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
I'm not sure if this is a more recent change, but I just had this problem and sudo -S worked for me.

nohup - permission denied

I am trying to get a start up script for OrientDB (a database) on Ubuntu to work.
This is currently the line that causes problems:
ORIENTDB_DIR="/usr/local/orientdb"
ORIENTDB_USER="www-user"
sudo -u $ORIENTDB_USER sh -c "cd \"$ORIENTDB_DIR/bin\"; /usr/bin/nohup server.sh 1>../log/orientdb.log 2>../log/orientdb.err &"
If I start the script, it results in this:
sh: 1: cannot create ../log/orientdb.log: Permission denied
Here's the setup:
www-user is in the sudoers file
server.sh and any the shell script posted above have execute privileges for root.
If I change the script to this:
sudo -u $ORIENTDB_USER sh -c "cd \"$ORIENTDB_DIR/bin\"; /usr/bin/nohup pwd 1>/home/www-user/test.log &", test.log shows /usr/local/orientdb/bin/ as the working directory.
/usr/local/orientdb/log exists but is an empty folder.
Given the above and the fact that I am using sudo to elevate the user, why is permission still denied?
You may have been misunderstanding sudo a bit — sudo does not necessarily elevate a user's rights; in fact, it may reduce the rights they have. When you pass sudo the -u flag, it will change to that user. If that user has more rights — root, for example (the default if -u is not passed) — then you'll get more rights. If the user has less rights — nobody, for example — you'll have less rights. You said that the log directory has these permissions:
drwxrwxr-x 2 root root 4096 Dec 11 10:13 /usr/local/orientdb/log
Yet, you're changing to the www-user user. The www-user user, unless it is part of the root group (unlikely), will not be able to write to that directory: it is only writable by the owner and group, and www-user is clearly not the root user and www-user is probably not part of the root group.
In short, don't pass -u (and its associated argument) if you want to elevate to root.
Try rewriting the last line of your script to:
sudo -u $ORIENTDB_USER sh -c "/usr/bin/nohup \"$ORIENTDB_DIR\"/bin/server.sh 1> \"$ORIENTDB_DIR\"/log/orientdb.log 2> \"$ORIENTDB_DIR\"/log/orientdb.err &"
If that still doesn't work, then www-user probably doesn't have write permission to /usr/local/orientdb/log (Note that you said /usr/local/orientdb/logs exists but is an empty folder: one of them has a s at the end)

Resources