What is the default permission of folder /var?
I just installed Ubuntu 12.04 in a pendrive, then installed MySQL and Apache PHP and then I tried to install Moodle (a distance learning platform I use at work). The installation in Moodle stopped when the program tried to create a folder called moodledata inside the folder /var, and did not have permission to do so. So I did a chmod 777 to folder /var and removed the blockade, but I fear what I have done is not safe and I want to go back to the previous (initial/default) permission value of /var I can’t find anywhere what value should it be. Can you help me?
4 Answers 4
The default permission for /var is 755 = rwxr-xr-x : readable and executable (you need both for a directory) by everyone, and only writable by root.
Setting the permission on a file or directory to 777 is never right. In your case, you should
- either have created the directory as root and then set its ownership to the user running Moodle (is this a web application? Then either www-data if the web application is supposed to write to this directory, or root if not);
- or have configured the application to use a directory it can write to (e.g. under /var/www for a web application).
rwxr-xr-x.
owner can: read, write and Execute
owner group can : read and execute
others can : read and execute
result of command : ls -l /var in Fedora 17 :
drwxr-xr-x. 2 root root 4096 Jun 9 19:34 account drwxr-xr-x. 2 root root 4096 Feb 3 13:58 adm drwxr-xr-x. 19 root root 4096 Jun 9 18:44 cache drwxr-xr-x. 3 root root 4096 Jun 13 19:55 db drwxr-xr-x. 3 root root 4096 Jun 9 19:34 empty drwxr-xr-x. 3 root root 4096 Apr 26 18:58 ftp drwxr-xr-x. 2 root root 4096 Feb 3 13:58 games drwxrwx--T. 2 root gdm 4096 Jun 9 03:35 gdm drwxr-xr-x. 2 root root 4096 Feb 3 13:58 gopher drwxr-xr-x. 55 root root 4096 Jun 28 16:19 lib drwxr-xr-x. 2 root root 4096 Feb 3 13:58 local lrwxrwxrwx. 1 root root 11 Jun 9 19:18 lock -> ../run/lock drwxr-xr-x. 22 root root 4096 Jul 7 22:22 log lrwxrwxrwx. 1 root root 10 Jun 9 19:18 mail -> spool/mail drwxr-x---. 6 root named 4096 Jul 4 19:53 named drwxr-xr-x. 2 root root 4096 Feb 3 13:58 nis drwxr-xr-x. 2 root root 4096 Feb 3 13:58 opt drwxr-xr-x. 2 root root 4096 Feb 3 13:58 preserve lrwxrwxrwx. 1 root root 6 Jun 9 19:18 run -> ../run drwxr-xr-x. 17 root root 4096 Jun 9 19:38 spool drwxrwxrwt. 4 root root 4096 Jul 8 00:36 tmp drwxr-xr-x. 8 root root 4096 Jun 9 19:34 www drwxr-xr-x. 3 root root 4096 Jun 9 19:26 yp запись в каталог /var/run
процесс запускается от имени юзера, но при старте не хватает прав на запись pid-файла в в каталог /var/run, т.к. запись разрешена только руту:
/var/run — симлинк на /run drwxr-xr-x 23 root root 900 Мар 14 14:10 run/
и процесс не может запуститься.
Запустить от рута, записать в /var/run, сменить uid? Посмотри, как любой другой демон это делает
записывать pid туда, куда имеет доступ пользователь
это наверное не соответствует LFS?
Исходники же. Хоть вот polipo возми (взял наугад из /var/run. Он под собственным пользователем работает)
В /var/run лежат PID’ы не абы чего, а системных сервисов. А init-скрипт всегда стартует от root. Если хочется понизить привилегии, то скрипт может запустить дочерний процесс и записать его PID в нужный каталог. То есть основную работу выполняет пользовательский процесс, но его PID сохраняет рутовый.
Пиши в хомяка PID, нее?
/me тока так и делает.
#!/bin/sh # # $FreeBSD: head/devel/distcc/files/distccd.in 357545 2014-06-11 22:19:30Z skreuzer $ # $MCom: ports/devel/distcc/files/distccd.sh.in,v 1.1 2007/05/19 17:43:14 ahze Exp $ # PROVIDE: distccd # REQUIRE: NETWORKING ldconfig # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable distccd: # # distccd_enable (bool): Set to YES to enable distccd. # distccd_flags (str): Arguments passed to distccd. # distccd_path (str): DISTCCD_PATH environment value for distccd.. # distccd_enable=$ distccd_flags=$ . /etc/rc.subr name=distccd rcvar=distccd_enable command=/usr/local/sbin/$ # extract pid file from distccd_flags (if any) pidfile="`echo $ |sed -nE -e 's/^.*-P ([^ ]+).*$/\1/p'`" # set default value pidfile=$ distccd_precmd() < # distccd drops root privileges and then attempts to create the pid file touch $chown distcc:distcc $ if [ -n "$" ] then export DISTCCD_PATH="$" fi > start_precmd="distccd_precmd" load_rc_config $ run_rc_command "$1" Don’t put the PID file in /var/run/foo.pid, put it in /var/run/foo/foo.pid and have /var/run/foo owned by user foo and group foo. That way you can delete the pid file before exiting and you don’t have to raise your privilege level.
Cannot touch `/var/run/myfile/myfile.pid’: Permission denied
and changed the permissions. Do i need some special permission for «touch» command? And as touch could not succeed myfile.pid is not created and myfile folder is empty! EDIT: On doing a sudo touch and sudo chown i could create the file but i do not want to run as sudo! I am completely baffled here!
but why ? it is running «touch» as «openstdb» and opentsdb is the owner of the file. Why do I need to run as sudo ?
Hey sorry i had edited guess i didnt get saved and i didnt notice . check now . srry about the error.
2 Answers 2
No. You don’t need special permission for the touch command. Neither should you fiddle with the permissions of system directories, since this has security implications — as you found out.
- The script is executed with the effective userid opentsdb . See the docs for details about setuid
- Please make sure that the upstart script is owned by user root and group root and set it’s permissions to 0644
- Make sure /var/run/myfile is a directory by doing a sudo rm -rf /var/run/myfile && sudo install -o opentsdb -m 0755 -d /var/run/mydir
- In case you are using upstart, edit your upstart script in /etc/init like shown below
# You can omit 4 - it is a run level for custom use, but then. start on runlevel [345] # . add it here stop on runlevel [0126] pre-start script # Sanitizing environment # The contents of var run are _not_ guaranteed to persist over reboot if [ ! -d /var/run/mydir ] then install -m 0755 -o opentsdb -d /var/run/mydir else chown opentsdb.opentsdb /var/run/mydir chmod 0755 /var/run/mydir fi # Remove stale pidfile if it exists # Note that if your process does not fork # this can be omitted, as upstart will keep track of # your processes pid automatically - same goes for the piddir. if [ -e /var/run/mydir/myfile.pid ] then rm /var/run/mydir/myfile.pid fi end script # Set this to the numeric uid for opentsdb # as shown in /etc/passwd setuid 1234 # Same as for setuid, but for the primary group as it can be found # in /etc/group setgid 1234 # This is critical! # Read http://upstart.ubuntu.com/cookbook/#expect _very carefully_ # This one assumes that your process forks to background expect fork script # Do your stuff here - but don't fiddle with permissions end script How to let MySQL (mysqld) to create and write to «/var/run/mysqld» directory?
I really don’t understand how all those privileges work in Linuxes. To start MySQL server mysqld program has to write its .pid files to /var/run/mysqld/ directory. But we know from FHS (Filesystem Hierarchy Standard) that:
Files under this directory must be cleared (removed or truncated as appropriate) at the beginning of the boot process.
So mysqld has to create /mysqld directory under /var/run/ every time MySQL server is started. The owner and group of /var is root and /var is:
drwxr-xr-x 13 root root 4096 may 20 23:41 var. /var/run should be unwritable for unprivileged users (root or users running daemons); it is a major security problem if any user can write in this directory.
So mysqld cannot write to the directory. Indeed when I run mysqld to start MySQL server I always get an error:
user@user-desktop:~$ sudo mysqld --console 130720 23:43:02 [ERROR] Can't start server : Bind on unix socket: Permission denied 130720 23:43:02 [ERROR] Do you already have another mysqld server running on socket: /var/run/mysqld/mysqld.sock ? 130720 23:43:02 [ERROR] Aborting The question is: how mysqld can write .pid files to /var/run/mysqld/ if standard forbids to open this directory for writing? This is a clear contradiction, isn’t it? My question is: how to let mysqld to create and write its files to /var/run/mysqld/ without changing permissions of the /var/run directory? For now I see the only way:
user@user-desktop:$ sudo chmod a+w /var Permanently change permissions of /var/run/postgresql
On Linux Mint 17.0 Cinnamon Edition, I want to use /var/run/postgresql as the unix_socket_directories option for all of my postgres databases. Whenever I run the command pg_ctl -D postgres-data -o ‘-F -p 33311’ start to start my local database, I get the error FATAL: could not create lock file «/var/run/postgresql/.s.PGSQL.33311.lock»: Permission denied . As many answers across AskUbuntu, StackOverflow and various forums suggest, I have to run sudo chmod 777 /var/run/postgresql or sudo chown -R $USER:$USER /var/run/postgresql to change the permissions of the directory so that I can write to it. Then I am able to start my database. However, every time I reboot, the permissions go away; the directory is no longer world-writable and the user postgres-xc reclaims user and group ownership over the directory. Neither sudo adduser $USER postgres or sudo adduser $USER postgres-xc alleviates the permissions issue. I tried doing a clean install as described here, but I still have the issue on reboot. I’ve tried changing the value of unix_socket_directories to /tmp in ./postgres-data/postgresql.conf (the local database config file), and this allows me to start that particular database without having to update permissions on every reboot. However, I also have a script which uses pg_ctl -D $DIR initdb && pg_ctl -D $DIR start to setup and start databases on the fly. As such, a default postgresql.conf config file is used for these databases, so unix_socket_directories is the unwritable /var/run/postgresql and I get permission denied errors when running that script. Manually/programmatically editing these configs on-the-fly to use unix_socket_directories = ‘/tmp’ is. undesirable. I know that I could use the -o flag with pg_ctl to override the unix_socket_directories option to /tmp , but this script is shared by other developers who do not use Ubuntu, so I would not necessarily want to restrict everyone to using the /tmp directory, especially if their configurations differed slightly. I would prefer everyone use the default location for their installation. Personally, I would also prefer to keep the default directory for general compatibility with other Ubuntu packages; e.g., pgadmin looks at /var/run/postgresql for a lock file by default. I have also tried editing /etc/postgresql/9.3/main/pg_ctl.conf in an attempt to automatically pass set these options whenever I use pg_ctl :
# Automatic pg_ctl configuration # This configuration file contains cluster specific options to be passed to # pg_ctl(1). pg_ctl_options = '-o "-c unix_socket_directories=/tmp -c unix_socket_group=jackson -c unix_socket_permissions=0777"' But that did not have any effect. Please advise on how I can use /var/run/postgresql as my unix_socket_directories option for all of my postgres databases without having to run sudo chown -R $USER:$USER /var/run/postgresql every time I restart my system. Thanks.
What kind of file system is sitting in? When you reboot/restart the system, does this directory exist? Just wondering if this is sitting in a tmpfs file system or similar.
4 Answers 4
Permissions for /var/run/postgresql are taken from /usr/lib/tmpfiles.d/postgresql.conf
At what point do these permissions get set from the file? I ran chmod on the file and it worked. restarted the server and nothing changed. Is it created on boot or under some other circumstance?