Linux var run permissions

What is the default permission of folder /var?

I just installed Ubuntu 12.04 in a pendrive, then installed MySQL and Apache PHP and then I tried to install Moodle (a distance learning platform I use at work). The installation in Moodle stopped when the program tried to create a folder called moodledata inside the folder /var, and did not have permission to do so. So I did a chmod 777 to folder /var and removed the blockade, but I fear what I have done is not safe and I want to go back to the previous (initial/default) permission value of /var I can’t find anywhere what value should it be. Can you help me?

4 Answers 4

The default permission for /var is 755 = rwxr-xr-x : readable and executable (you need both for a directory) by everyone, and only writable by root.

Setting the permission on a file or directory to 777 is never right. In your case, you should

  • either have created the directory as root and then set its ownership to the user running Moodle (is this a web application? Then either www-data if the web application is supposed to write to this directory, or root if not);
  • or have configured the application to use a directory it can write to (e.g. under /var/www for a web application).

rwxr-xr-x.
owner can: read, write and Execute
owner group can : read and execute
others can : read and execute

result of command : ls -l /var in Fedora 17 :

drwxr-xr-x. 2 root root 4096 Jun 9 19:34 account drwxr-xr-x. 2 root root 4096 Feb 3 13:58 adm drwxr-xr-x. 19 root root 4096 Jun 9 18:44 cache drwxr-xr-x. 3 root root 4096 Jun 13 19:55 db drwxr-xr-x. 3 root root 4096 Jun 9 19:34 empty drwxr-xr-x. 3 root root 4096 Apr 26 18:58 ftp drwxr-xr-x. 2 root root 4096 Feb 3 13:58 games drwxrwx--T. 2 root gdm 4096 Jun 9 03:35 gdm drwxr-xr-x. 2 root root 4096 Feb 3 13:58 gopher drwxr-xr-x. 55 root root 4096 Jun 28 16:19 lib drwxr-xr-x. 2 root root 4096 Feb 3 13:58 local lrwxrwxrwx. 1 root root 11 Jun 9 19:18 lock -> ../run/lock drwxr-xr-x. 22 root root 4096 Jul 7 22:22 log lrwxrwxrwx. 1 root root 10 Jun 9 19:18 mail -> spool/mail drwxr-x---. 6 root named 4096 Jul 4 19:53 named drwxr-xr-x. 2 root root 4096 Feb 3 13:58 nis drwxr-xr-x. 2 root root 4096 Feb 3 13:58 opt drwxr-xr-x. 2 root root 4096 Feb 3 13:58 preserve lrwxrwxrwx. 1 root root 6 Jun 9 19:18 run -> ../run drwxr-xr-x. 17 root root 4096 Jun 9 19:38 spool drwxrwxrwt. 4 root root 4096 Jul 8 00:36 tmp drwxr-xr-x. 8 root root 4096 Jun 9 19:34 www drwxr-xr-x. 3 root root 4096 Jun 9 19:26 yp 

Источник

запись в каталог /var/run

процесс запускается от имени юзера, но при старте не хватает прав на запись pid-файла в в каталог /var/run, т.к. запись разрешена только руту:

Читайте также:  Linux input linux evdev

/var/run — симлинк на /run drwxr-xr-x 23 root root 900 Мар 14 14:10 run/

и процесс не может запуститься.

Запустить от рута, записать в /var/run, сменить uid? Посмотри, как любой другой демон это делает

записывать pid туда, куда имеет доступ пользователь

это наверное не соответствует LFS?

Исходники же. Хоть вот polipo возми (взял наугад из /var/run. Он под собственным пользователем работает)

В /var/run лежат PID’ы не абы чего, а системных сервисов. А init-скрипт всегда стартует от root. Если хочется понизить привилегии, то скрипт может запустить дочерний процесс и записать его PID в нужный каталог. То есть основную работу выполняет пользовательский процесс, но его PID сохраняет рутовый.

Пиши в хомяка PID, нее?
/me тока так и делает.

#!/bin/sh # # $FreeBSD: head/devel/distcc/files/distccd.in 357545 2014-06-11 22:19:30Z skreuzer $ # $MCom: ports/devel/distcc/files/distccd.sh.in,v 1.1 2007/05/19 17:43:14 ahze Exp $ # PROVIDE: distccd # REQUIRE: NETWORKING ldconfig # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable distccd: # # distccd_enable (bool): Set to YES to enable distccd. # distccd_flags (str): Arguments passed to distccd. # distccd_path (str): DISTCCD_PATH environment value for distccd.. # distccd_enable=$ distccd_flags=$ . /etc/rc.subr name=distccd rcvar=distccd_enable command=/usr/local/sbin/$ # extract pid file from distccd_flags (if any) pidfile="`echo $ |sed -nE -e 's/^.*-P ([^ ]+).*$/\1/p'`" # set default value pidfile=$ distccd_precmd() < # distccd drops root privileges and then attempts to create the pid file touch $chown distcc:distcc $ if [ -n "$" ] then export DISTCCD_PATH="$" fi > start_precmd="distccd_precmd" load_rc_config $ run_rc_command "$1" 

Don’t put the PID file in /var/run/foo.pid, put it in /var/run/foo/foo.pid and have /var/run/foo owned by user foo and group foo. That way you can delete the pid file before exiting and you don’t have to raise your privilege level.

Источник

Cannot touch `/var/run/myfile/myfile.pid’: Permission denied

and changed the permissions. Do i need some special permission for «touch» command? And as touch could not succeed myfile.pid is not created and myfile folder is empty! EDIT: On doing a sudo touch and sudo chown i could create the file but i do not want to run as sudo! I am completely baffled here!

but why ? it is running «touch» as «openstdb» and opentsdb is the owner of the file. Why do I need to run as sudo ?

Hey sorry i had edited guess i didnt get saved and i didnt notice . check now . srry about the error.

2 Answers 2

No. You don’t need special permission for the touch command. Neither should you fiddle with the permissions of system directories, since this has security implications — as you found out.

  1. The script is executed with the effective userid opentsdb . See the docs for details about setuid
  2. Please make sure that the upstart script is owned by user root and group root and set it’s permissions to 0644
  3. Make sure /var/run/myfile is a directory by doing a sudo rm -rf /var/run/myfile && sudo install -o opentsdb -m 0755 -d /var/run/mydir
  4. In case you are using upstart, edit your upstart script in /etc/init like shown below
# You can omit 4 - it is a run level for custom use, but then. start on runlevel [345] # . add it here stop on runlevel [0126] pre-start script # Sanitizing environment # The contents of var run are _not_ guaranteed to persist over reboot if [ ! -d /var/run/mydir ] then install -m 0755 -o opentsdb -d /var/run/mydir else chown opentsdb.opentsdb /var/run/mydir chmod 0755 /var/run/mydir fi # Remove stale pidfile if it exists # Note that if your process does not fork # this can be omitted, as upstart will keep track of # your processes pid automatically - same goes for the piddir. if [ -e /var/run/mydir/myfile.pid ] then rm /var/run/mydir/myfile.pid fi end script # Set this to the numeric uid for opentsdb # as shown in /etc/passwd setuid 1234 # Same as for setuid, but for the primary group as it can be found # in /etc/group setgid 1234 # This is critical! # Read http://upstart.ubuntu.com/cookbook/#expect _very carefully_ # This one assumes that your process forks to background expect fork script # Do your stuff here - but don't fiddle with permissions end script 

Источник

How to let MySQL (mysqld) to create and write to «/var/run/mysqld» directory?

I really don’t understand how all those privileges work in Linuxes. To start MySQL server mysqld program has to write its .pid files to /var/run/mysqld/ directory. But we know from FHS (Filesystem Hierarchy Standard) that:

Files under this directory must be cleared (removed or truncated as appropriate) at the beginning of the boot process.

So mysqld has to create /mysqld directory under /var/run/ every time MySQL server is started. The owner and group of /var is root and /var is:

drwxr-xr-x 13 root root 4096 may 20 23:41 var. 

/var/run should be unwritable for unprivileged users (root or users running daemons); it is a major security problem if any user can write in this directory.

So mysqld cannot write to the directory. Indeed when I run mysqld to start MySQL server I always get an error:

user@user-desktop:~$ sudo mysqld --console 130720 23:43:02 [ERROR] Can't start server : Bind on unix socket: Permission denied 130720 23:43:02 [ERROR] Do you already have another mysqld server running on socket: /var/run/mysqld/mysqld.sock ? 130720 23:43:02 [ERROR] Aborting 

The question is: how mysqld can write .pid files to /var/run/mysqld/ if standard forbids to open this directory for writing? This is a clear contradiction, isn’t it? My question is: how to let mysqld to create and write its files to /var/run/mysqld/ without changing permissions of the /var/run directory? For now I see the only way:

user@user-desktop:$ sudo chmod a+w /var 

Источник

Permanently change permissions of /var/run/postgresql

On Linux Mint 17.0 Cinnamon Edition, I want to use /var/run/postgresql as the unix_socket_directories option for all of my postgres databases. Whenever I run the command pg_ctl -D postgres-data -o ‘-F -p 33311’ start to start my local database, I get the error FATAL: could not create lock file «/var/run/postgresql/.s.PGSQL.33311.lock»: Permission denied . As many answers across AskUbuntu, StackOverflow and various forums suggest, I have to run sudo chmod 777 /var/run/postgresql or sudo chown -R $USER:$USER /var/run/postgresql to change the permissions of the directory so that I can write to it. Then I am able to start my database. However, every time I reboot, the permissions go away; the directory is no longer world-writable and the user postgres-xc reclaims user and group ownership over the directory. Neither sudo adduser $USER postgres or sudo adduser $USER postgres-xc alleviates the permissions issue. I tried doing a clean install as described here, but I still have the issue on reboot. I’ve tried changing the value of unix_socket_directories to /tmp in ./postgres-data/postgresql.conf (the local database config file), and this allows me to start that particular database without having to update permissions on every reboot. However, I also have a script which uses pg_ctl -D $DIR initdb && pg_ctl -D $DIR start to setup and start databases on the fly. As such, a default postgresql.conf config file is used for these databases, so unix_socket_directories is the unwritable /var/run/postgresql and I get permission denied errors when running that script. Manually/programmatically editing these configs on-the-fly to use unix_socket_directories = ‘/tmp’ is. undesirable. I know that I could use the -o flag with pg_ctl to override the unix_socket_directories option to /tmp , but this script is shared by other developers who do not use Ubuntu, so I would not necessarily want to restrict everyone to using the /tmp directory, especially if their configurations differed slightly. I would prefer everyone use the default location for their installation. Personally, I would also prefer to keep the default directory for general compatibility with other Ubuntu packages; e.g., pgadmin looks at /var/run/postgresql for a lock file by default. I have also tried editing /etc/postgresql/9.3/main/pg_ctl.conf in an attempt to automatically pass set these options whenever I use pg_ctl :

# Automatic pg_ctl configuration # This configuration file contains cluster specific options to be passed to # pg_ctl(1). pg_ctl_options = '-o "-c unix_socket_directories=/tmp -c unix_socket_group=jackson -c unix_socket_permissions=0777"' 

But that did not have any effect. Please advise on how I can use /var/run/postgresql as my unix_socket_directories option for all of my postgres databases without having to run sudo chown -R $USER:$USER /var/run/postgresql every time I restart my system. Thanks.

What kind of file system is sitting in? When you reboot/restart the system, does this directory exist? Just wondering if this is sitting in a tmpfs file system or similar.

4 Answers 4

Permissions for /var/run/postgresql are taken from /usr/lib/tmpfiles.d/postgresql.conf

At what point do these permissions get set from the file? I ran chmod on the file and it worked. restarted the server and nothing changed. Is it created on boot or under some other circumstance?

Источник

Оцените статью
Adblock
detector