I want to add a new user to my debian server.
The user should have access rights to ruby / rails / rvm / gem / git / and folder /var/www/
How do I add this user correctly?
The user should be able to start a webrick server and install gems.
A standard user should be able to do all that with a single-user installation of rvm.
Just follow the instructions on https://rvm.io
In order to check if your user has rights on /var/www :
check your user's groups :
groups #{username}
check permissions on /var/www :
ls -al /var | grep www
you should get something like :
drwxr-xr-x 15 www-data www-data 4096 #{timestamp} www
Let's review this character by character :
d is for directory (- for a regular file, l for links, etc...)
next 3 characters are the permissions for the owner of the file (rwx here, meaning full access r for reading, w for writing, x for executing)
next 3 define permissions for the group which the file belongs to (r-x means that writing is disabled)
next 3 define permissions for any (other) user on the machine.
The 15 is the link count (how many links to this item). It varies between platforms.
The first name (www-data) is the owner of the file, to which rwx applies; the second www-data is the name of the group /var/www belongs to.
Finally, you get size and name of the file.
To solve your problem of accessing /var/www with your user, the user will need at least r-- (and probably r-x) on the directory. This can be provided in two ways: add your user to the group that /var/www belongs to (use usermod -aG #{groupname} #{username}) and make sure the group has the right permissions (use chmod for that). The second way is to make your user the owner of /var/www (chown is your ally there).
Can you post the results of these commands in your question?
For some reason some of the files were locked in Xcode, which I resolved through this solution.
But even after that I keep getting this error:
The file “project.pbxproj” could not be unlocked.
Could not add write permission to the file because you do not own it. Try modifying the permissions of the file in the Finder or Terminal.
I have also tried unlocking it through the above method and it is not working; also I'm not even able to close the project, and when I force close it, next time all the previous changes are gone.
Permission problem. Try
sudo chmod 777 .
"Could not add write permission to the file because you do not own it"
This means that the project was created by a different user. Log in as that user, or if you cannot, create a "test.txt" file next to the file you can't unlock.
Open Terminal, go to the folder where the project resides, and run a command such as
ls -la test.txt project.pbxproj
You should see a list such as:
-rw-rw-r-- 1 dakkar users 434 Nov 23 12:17 project.pbxproj
-rw-r--r-- 1 lserni users 1 Nov 25 00:14 test.txt
Now, the "-rw-r--r--" is the permission. You just created test.txt, so those are the correct permissions from the GUI. r counts for 4, w counts for 2, x counts for one; rw-r--r-- is therefore 6,4,4. In the example, project.pbxproj is 6,6,4.
So the two commands you need are
sudo chown lserni:users project.pbxproj # To set ownership
sudo chmod 644 project.pbxproj # To set permissions
If you are in the project directory and are absolutely, utterly, deadly sure that nothing there or in its subdirectories should belong to anyone but you, then you can mass-change ownership of the directory, its subdirectories and all they contain:
sudo chown -R lserni:users .
If you do the above in the wrong directory (not yours, not a project directory, etc.), the -R (recursive) flag is a recipe for disaster, so be careful.
Just in case, remember that directories must have all x's set, so what is 644 for a file would become 755 for a directory.
When finished, you can delete the example file 'test.txt' - actually you can do that as soon as you have written down what the correct ownership and permissions should be.
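The arithmetic in the answer above (r = 4, w = 2, x = 1), as an added shell example that is not part of the original answer. It converts an ls -l mode string to the octal value chmod expects, and goes beyond the answer by also handling the setuid, setgid and sticky markers (s, S, t, T); the function names are invented for this example.

```shell
#!/bin/sh
# Added example: turn an `ls -l` mode field into the octal form used by chmod.
# mode_to_octal and octal_of_file are names invented for this example.

mode_to_octal() {
    # Characters 2-10 are the nine permission bits; character 1 is the file
    # type and anything after 10 (".", "+", "@") marks SELinux/ACL/xattrs.
    perms=$(printf '%s' "$1" | cut -c2-10)
    if [ "${#perms}" -ne 9 ]; then
        echo "bad mode string: $1" >&2
        return 1
    fi
    special=0
    digits=""
    for spec in 4 2 1; do            # setuid, setgid, sticky
        r=$(printf '%s' "$perms" | cut -c1)
        w=$(printf '%s' "$perms" | cut -c2)
        x=$(printf '%s' "$perms" | cut -c3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        d=0
        if [ "$r" = r ]; then d=$((d + 4)); fi
        if [ "$w" = w ]; then d=$((d + 2)); fi
        case $x in
            x)   d=$((d + 1)) ;;
            s|t) d=$((d + 1)); special=$((special + spec)) ;;
            S|T) special=$((special + spec)) ;;
            -)   ;;
            *)   echo "bad mode string: $1" >&2; return 1 ;;
        esac
        digits=$digits$d
    done
    if [ "$special" -ne 0 ]; then digits=$special$digits; fi
    printf '%s\n' "$digits"
}

# Octal mode of an existing file or directory, read from `ls -ld`.
octal_of_file() {
    mode_to_octal "$(ls -ld -- "$1" | cut -d' ' -f1)"
}

# Mode strings quoted on this page.
for m in -rw-r--r-- -rw-rw-r-- drwxr-xr-x drwxrwxrwx -rwsr-xr-x drwx--x--x; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```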
I have a Rake at the end of which the server moves the processed file from a folder to another one, using FileUtils.mv, like this:
FileUtils.mv('/path-to-upload-folder/'+filename, '/path-to-imported-folder/'+filename) if File.exist?('/path-to-upload-folder/'+filename)
If I run this command from within the rails server (I have an action that is a copy of the rake task, just for simplicity of debugging inside a controller), everything goes fine (probably because I run the server with root privileges with rvmsudo).
When running from the Rake task, I get a permission denied error, like this
Errno::EACCES: Permission denied # sys_fail2 -
The source folder is called uploads, and the destination folder is the imported folder. Following are the permissions and the user and groups of the folders:
drwxr-xr-x 2 malatini malatini 4096 lug 14 14:26 imported/
drwxr-xr-x 2 www-data www-data 135168 lug 14 14:26 uploads/
where malatini is my current user.
I know that for running a raw mv from the two folders I need to be a sudo user, but why can I run the same command from within the Rails servers without any problem?
I also tried to change permissions and owners/groups of the destination folder, but with no luck.
Reading here I suppose the problem is the user that is running the rake task. The same problem happens whether I run the rake task manually or it is run as a cron job.
I am running under
Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux
Any suggestion?
EDIT:
As @Nic Nilov suggested I tried to change owner and group of source and destination folders, and actually I managed to perform the mv, and hence the rake task, by changing owner and group of both folders to malatini
drwxr-xr-x 2 malatini malatini 4096 lug 14 14:26 imported/
drwxr-xr-x 2 malatini malatini 135168 lug 14 14:26 uploads/
but in this way, apache (which is in charge of moving files to uploads folder) is not able to write to uploads folder. No other configuration is working (not just the group of uploads folder, nor the 777 to imported folder).
You basically answered your own question. This is a permission issue, related to the OS user under which the move operation is attempted. It works from Rails since, as you say, you run it with rvmsudo.
Two ways around that would be to either run your rake task from a privileged user or set ownership on both folders such that the current user you run rake under is allowed to perform mv.
On your folders both user and group are set to be the same. You could set their group to the group of the user running rake, e.g.:
chgrp malatini ./uploads
This would make malatini group the owner of both folders:
drwxr-xr-x 2 malatini malatini 4096 lug 14 14:26 imported/
drwxr-xr-x 2 www-data malatini 135168 lug 14 14:26 uploads/
Which should allow the mv operation.
UPDATE
When running rake under a privileged user from cron, to avoid keeping the password stored anywhere you can use the NOPASSWD directive.
See this askubuntu answer for more details.
I wanted to know how I can set the right permission for my file /log/production.log. Everyone is saying just use chmod or chown but no one explains what I should write after these commands. I am a beginner and would appreciate it if you could explain.
In my particular example I have rails app on production server where I need to set permission to production.log file in /var/www/my_app/log/ directory.
Here is what documentation is asking from me:
By default, Phusion Passenger runs Rails applications as the owner of
config.ru. So the log file can only be written to if that user has
write permission to the log file. Please chmod or chown your log file
accordingly.
Hope you can help. Thanks.
Try chmod 0660 production.log and take a look at this explanation/diagram of chmod.
chmod allows you to change the permissions of a file or a directory. There are three basic permissions (read, write, execute) for three different groups (owner, group, other).
chown allows you to change who is the owner of a file or a directory.
I recommend you use chmod 640. Looking at the syntax of chmod, here you're defining that production.log's owner (usually root) can read and write this file. If you want, you can give read access to all users of the same group as the owner. But you shouldn't offer permissions to other people, even less in a production environment.
I would create a deploy user for your application, say myapp (doesn't particularly matter what the name is). Then use this user to deploy/manage your application. Assuming username myapp:
chown -R myapp:myapp /var/www/my_app
and then restart nginx/passenger. This will cause passenger to run as the myapp user, and allow it to write logs under the logs directory. (Also make sure that you don't have /var/www as the docroot, accessible outside of passenger as it can cause information leakage)
Another option, if the server isn't shared, is that you can run as the www user, so
chown -R www:www /var/www/my_app
which should allow the process to write to your logs.
I'm trying to install Jenkins on a Tomcat 7 container.
When I try to open the Jenkins web app I get following error:
Unable to create the home directory '/home/myuser/jenkins/work'. This is most
likely a permission problem.
To change the home directory, use JENKINS_HOME environment variable or set
the JENKINS_HOME system property. See Container-specific documentation for
more details of how to do this.
Before starting Tomcat, I did chmod uog+rwx /home/myuser/jenkins. So, I suppose that Jenkins should be able to create a subdirectory there.
But obviously it can't.
How can I fix this problem?
Update 1:
ls -lt returns
drwxrwxrwx 2 root ec2-user 4096 Jun 23 10:25 jenkins
for /home/myuser/jenkins. /home/myuser/jenkins/work doesn't exist because Jenkins is supposed to create it.
Update 2: Just tried to create the work directory and to run chmod uog+rwx on it. It didn't help.
Update 3: Additional information:
I need Jenkins in order to
run lengthy tests in the night (fast unit tests are run before every mvn install, slow tests are executed every night) and
save software quality metrics (checkstyle, PMD, FindBugs, unit test coverage etc.) over time.
I have only one machine available for that and there is a Tomcat7 container installed there already.
At the moment, I don't want to invest additional money into buying new machines.
The machine with the Tomcat7 container (and where I want Jenkins to be installed) is an Amazon EC2 microinstance (OS version is given below).
$ cat /etc/*-release
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Amazon Linux AMI release 2013.03
Update 4 (29.06.2013 13:34 MSK): The output of yum list does not contain any Jenkins/Hudson package.
If Tomcat is running as a separate user you will need to give execute permission to your home directory to that user - either by giving it to all or by creating a group especially for you and the tomcat user.
(UPDATE) More specifically: You say you already did chmod uog+rwx /home/myuser/jenkins; if Tomcat is not running as 'myuser' it also needs execute permission on /home and on /home/myuser to be able to open /home/myuser/jenkins. If you are not picky about other users on the system opening your homedir you could allow this by: chmod a+x /home/myuser. (I'm assuming here the permissions for /home are already ok)
If you are running tomcat as 'myuser' the filesystem permissions look fine, but Tomcat's own permission system might be the problem as webapps are not allowed to touch the filesystem if the default settings of the security manager are on.
See: https://wiki.jenkins-ci.org/display/JENKINS/Tomcat
You don't specify more about your exact Tomcat/OS setup so I can't give exact details, but the fast way to find out if it's a security manager issue is to give AllPermission to your webapp. If you don't run in a safe environment it is advisable to only use that as a test, and set up only the really needed permissions later.
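The point made in the answer above, that every directory on the way to /home/myuser/jenkins needs execute (search) permission, can be checked component by component. This is an added shell example, not part of the original answer; path_modes and blocked_dirs are names invented here, and only the "other" permission class is examined, which is the case that applies when Tomcat runs as a user unrelated to the directory's owner and group.

```shell
#!/bin/sh
# Added example: list each directory on the way to a target and flag the ones
# that users outside the owner and group cannot traverse.
# path_modes and blocked_dirs are names invented for this example.

path_modes() {
    rest=$1
    case $rest in
        /*) ;;
        *)  rest=$PWD/$rest ;;       # make relative paths absolute
    esac
    cur=""
    while [ -n "$rest" ]; do
        rest=${rest#/}
        part=${rest%%/*}             # next path component
        rest=${rest#"$part"}
        if [ -z "$part" ]; then continue; fi
        cur=$cur/$part
        # Stop at the first component that is missing or not a directory,
        # e.g. a "work" directory that has not been created yet.
        if [ ! -d "$cur" ]; then break; fi
        line=$(ls -ldL -- "$cur") || break
        mode=$(printf '%s\n' "$line" | cut -c1-10)
        owner=$(printf '%s\n' "$line" | awk '{print $3 ":" $4}')
        # Character 10 is execute/search for "other"; t is sticky plus x.
        case $(printf '%s' "$mode" | cut -c10) in
            x|t) flag=ok ;;
            *)   flag=BLOCKED ;;
        esac
        printf '%s %s %s %s\n' "$flag" "$mode" "$owner" "$cur"
    done
}

# Only the directories that stop an unrelated user from reaching the target.
blocked_dirs() {
    path_modes "$1" | sed -n 's/^BLOCKED [^ ]* [^ ]* //p'
}

# Usage: sh this_script /home/myuser/jenkins   (defaults to the current dir)
path_modes "${1:-$PWD}"
```

A directory shown as drwx------ is reported as BLOCKED, and after chmod a+x on it the same run reports it as ok.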
run these three commands
cd /usr/share/tomcat7
sudo mkdir .jenkins
sudo chown tomcat7:nogroup .jenkins
https://seleniumwithjavapython.wordpress.com/home/jenkins-installation/
It looks like the problem may be that jenkins cannot see /home/myuser, and therefore it cannot access the jenkins folder inside this (even though it has write permissions in /home/myuser/jenkins, I believe the fact it can't read /home/myuser causes a problem).
Try running the below command and then see if Jenkins works after that:
chmod +r /home/myuser
@robjohncox Yes - drwx------ 5 myuser myuser 4096 Jun 23 10:25 myuser
You must add +x to this dir to make it possible for jenkins to access its contents; to be precise, the whole path has to have +x enabled for everyone.
Also, what commands have you used to move its home dir from default - a possible error is somewhere there. Cheers, Piotr
I have a setuid program (getpwd) that runs as expected only when owned by root.
-rwsr-xr-x 1 root root 7981 2011-11-17 18:28 getpwd*
In other words, when my program is executed on the command line by user "alice" all works fine.
The program opens a file in directory /home/secure and prints the contents to screen.
alice@devbox:/home/alice/tmp$ ./getpwd
setuid is working
However when I change the ownership and set setuid of the file:
chown secure:users getpwd
chmod 4755 getpwd
-rwsr-xr-x 1 secure users 7981 2011-11-17 18:28 getpwd*
The program does not run when executed as user "alice".
alice@devbox:/home/alice/tmp$ ./getpwd
cannot open file /home/secure/test ...
Why is this happening?
ls -ld /home/ /home/secure/
drwx--x--x 2 secure users 280 Nov 18 11:16 /home/secure/
ls -ld /home/secure/*
-rw------- 1 secure users 33 Nov 15 14:35 /home/secure/test
How do I ensure that only user "alice" can run the setuid program owned by secure?
There are two possible approaches. One uses nothing but traditional Unix permissions and the other uses newfangled ACLs.
Traditional Unix
Create a new group; perhaps ALICE or something obviously different from an alice user account. Make sure alice is a member of ALICE in group(5). (vigr(8) is a great way to edit the group(5) file.) Set the ownership of your getpwd program secure:ALICE and remove world execute privileges on the file. Then, only secure and members of the ALICE group can execute the setuid getpwd program.
If alice is just a stand-in for a potentially larger group of people, then maybe name the group SECURE. (Upper case is just convenient for my description. You don't have to stick with upper case.)
Newfangled ACLs
setfacl -m u:alice:x getpwd
The setfacl(1) program is a bit complicated, but it allows you to create far more complex permissions than the traditional Unix permissions. Because these are pretty different, most systems I have seen don't have them turned on by default -- that requires the acl option to mount(8) when mounting the filesystem. You would need to add acl to the filesystems in /etc/fstab that need the extra permissions. (You don't need to reboot to make it available, though; mount /file/system -oremount,acl would be sufficient for as long as the filesystem is mounted -- typically until reboot.)
I suggest sticking with the traditional Unix method.