Need help with user rights (Permission denied)


 
# 1  
Old 11-12-2012
Need help with user rights (Permission denied)

I have a script that reads data for Munin Graph.
My problem is that it has some reading problems, and I do not know how to fix it.

Script traf.sh (it's not the complete script)
Code:
#!/bin/sh
PORT="80"
NETDEVICE="eth0"
IPTRAFlogdir="/var/log/iptraf"

LOG="$IPTRAFlogdir/tcp_udp_services-${NETDEVICE}.log"
TRAFFICIN=$(awk '$1 ~ port {p=$11}END{if(length(p)) print p}' port=$PORT $LOG)
whoami
echo "trafficin.value ${TRAFFICIN}"

Running it as root ./traf.sh gives:
Code:
root
trafficin.value 653

Running it as Munin munin-run traf.sh gives:
Code:
awk: cmd. line:1: fatal: cannot open file `/var/log/iptraf/tcp_udp_services-eth0.log' for reading (Permission denied)
nobody
trafficin.value

I added whoami just to see who is running the script.
How do I make nobody able to read the file/folders?
# 2  
Old 11-12-2012
Be VERY VERY careful when making log data public.

If and only if there is no sensitive data in the file, then:
Code:
chmod o+r /var/log/iptraf/tcp_udp_services-eth0.log

will grant read permission for that file to everyone who is not the file's owner and is not a member of the file's group (which fits the intended use for user nobody).

The command:
Code:
chmod -R o+r /var/log/iptraf

will change the directory named and all files in the file hierarchy below that directory. But, again, log files in an iptraf directory may well show details about users on your system, the sites to which they connect, and data sent to and received from those sites that should be considered PRIVATE data and not made visible to everyone who wants to snoop around on your system.

If the file is removed and recreated by some process on your system you will either need to run this chmod command in or before running this script or you will need to track down the process(es) that create(s) this log file and either change the umask when creating the file or change its mode immediately after creating it to grant read permission to everyone.

Note that a script running as nobody won't have permission to use the above command to change the mode; chmod will succeed only if it is run by the file's owner or by someone with appropriate privileges (i.e., root on systems that don't have extended privileges mechanisms).
# 3  
Old 11-12-2012
Setting the permission on file/folder did not help. Still the same Permission denied.
What else can prevent Munin from reading it?
# 4  
Old 11-12-2012
Please show us the output sent to stdout and to stderr by the command:
Code:
ls -ld /var/log/iptraf/tcp_udp_services-eth0.log /var/log/iptraf /var/log /var

# 5  
Old 11-12-2012
Code:
drwxr-xr-x 18 root   root      4096 2012-09-18 10:13 /var
drwxr-xr-x 15 root   root      4096 2012-11-12 06:29 /var/log
drw-r--r--  2 nobody nogroup   4096 2012-11-12 06:28 /var/log/iptraf
-rw-r--rw-  1 nobody nogroup 459638 2012-11-12 20:29 /var/log/iptraf/tcp_udp_services-eth0.log

I may have tried to change owner/group to nobody to be able to read them, without luck.
# 6  
Old 11-12-2012
Quote:
Originally Posted by Jotne
Code:
drwxr-xr-x 18 root   root      4096 2012-09-18 10:13 /var
drwxr-xr-x 15 root   root      4096 2012-11-12 06:29 /var/log
drw-r--r--  2 nobody nogroup   4096 2012-11-12 06:28 /var/log/iptraf
-rw-r--rw-  1 nobody nogroup 459638 2012-11-12 20:29 /var/log/iptraf/tcp_udp_services-eth0.log

I may have tried to change owner/group to nobody to be able to read them, without luck.
I STRONGLY REPEAT MY WARNING THAT WHAT YOU ARE DOING IS LIKELY TO MAKE PRIVATE DATA VISIBLE TO THE WORLD!

To get back to a sane state you need to restore the owner and group of /var/log/iptraf and /var/log/iptraf/tcp_udp_services-eth0.log and then (if you really don't mind being sued for disclosing private data) add search permission for owner, group, and other to /var/log/iptraf. You also NEED to remove write permission for class other from /var/log/iptraf/tcp_udp_services-eth0.log.

Although I can't tell what permissions were originally granted the various classes of users by the designers of your system, it is obvious that you did change the owner, group, and permissions on /var/log/iptraf/tcp_udp_services-eth0.log and /var/log/iptraf. If there are any daemons running on your system not running with "all privileges", it is highly likely that with your current settings, you have completely disabled adding log entries to all files in /var/log/iptraf by those daemons unless they had (and still have) the log file open before you changed permissions on /var/log/iptraf.
# 7  
Old 11-12-2012
I did restore owner by reinstalling iptraf. Did not help:
Code:
root@server2 /var/log #ls -ld /var/log/iptraf/tcp_udp_services-eth0.log /var/log/iptraf /var/log /var
drwxr-xr-x 18 root root 4096 2012-09-18 10:13 /var
drwxr-xr-x 15 root root 4096 2012-11-12 22:22 /var/log
drwx---r--  2 root root 4096 2012-11-12 22:27 /var/log/iptraf
-rw-r--r--  1 root root   76 2012-11-12 22:27 /var/log/iptraf/tcp_udp_services-eth0.log

Still error:
Code:
awk: cmd. line:1: fatal: cannot open file `/var/log/iptraf/tcp_udp_services-eth0.log' for reading (Permission denied)

I do know a lot about security.
This is a monitor only server. No user other than me will ever log in.
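
Added example (not part of any post in this thread): the `ls -ld` listings from posts #5 and #7 can be checked component by component, since a user needs search (x) permission on every directory in the path as well as read permission on the file itself. The function name `first_blocker` is hypothetical, and the model is a simplified assumption: one group per user, no ACLs or security modules, and a non-root user.

```shell
#!/bin/sh
# Added example: report the first path component that blocks a user.
# Simplified model (assumption): one group per user, no ACLs, not root.

# first_blocker USER GROUP  -- reads `ls -ld` lines, parent dirs first
first_blocker() {
    awk -v user="$1" -v group="$2" '
        {
            mode = $1; path = $NF
            # Only the first matching class is consulted:
            # owner, else group, else other (no fall-through).
            if ($3 == user)       { class = "owner"; off = 2 }
            else if ($4 == group) { class = "group"; off = 5 }
            else                  { class = "other"; off = 8 }
            r = substr(mode, off, 1)
            x = substr(mode, off + 2, 1)
            if (substr(mode, 1, 1) == "d") {
                # A directory must be searchable to reach anything inside it.
                need = "search (x)"; ok = (x ~ /[xst]/)
            } else {
                need = "read (r)"; ok = (r == "r")
            }
            if (!ok) {
                printf "%s: %s lacks %s, mode %s\n", path, class, need, mode
                blocked = 1
                exit
            }
        }
        END { if (!blocked) print "ok" }
    '
}

# Listings copied from posts #5 and #7 of this thread.
listing_post5='drwxr-xr-x 18 root   root      4096 2012-09-18 10:13 /var
drwxr-xr-x 15 root   root      4096 2012-11-12 06:29 /var/log
drw-r--r--  2 nobody nogroup   4096 2012-11-12 06:28 /var/log/iptraf
-rw-r--rw-  1 nobody nogroup 459638 2012-11-12 20:29 /var/log/iptraf/tcp_udp_services-eth0.log'
listing_post7='drwxr-xr-x 18 root root 4096 2012-09-18 10:13 /var
drwxr-xr-x 15 root root 4096 2012-11-12 22:22 /var/log
drwx---r--  2 root root 4096 2012-11-12 22:27 /var/log/iptraf
-rw-r--r--  1 root root   76 2012-11-12 22:27 /var/log/iptraf/tcp_udp_services-eth0.log'

printf '%s\n' "$listing_post5" | first_blocker nobody nogroup
printf '%s\n' "$listing_post7" | first_blocker nobody nogroup
```

On a live system, `namei -l /var/log/iptraf/tcp_udp_services-eth0.log` prints the owner, group and mode of each component in the same parent-first order.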