Permissions

Crontab Sudo Shenanigans

OK, here is a situation I haven’t seen in a while and it tripped me. There, I admitted it!

We have an application that requires a restart of Apache every day (that is a different discussion). Regardless, I gave them sudo access so they could script the job to run with their process. Obviously I thought nothing more of it: problem solved, more pressing things to do. It worked like a charm until they put their script into cron. They received the error:

sudo: sorry, you must have a tty to run sudo

I didn’t want to throw the baby out with the bathwater and drop the tty requirement for all of cron-dom, and I like command-line solutions over config files (less to maintain/remember). So I tried this variation:

su --session-command="/usr/bin/sudo /sbin/service httpd restart" user_name

Slick, huh? Well, of course it didn’t work, because sudo is in control; pesky security controls keep me on the straight and narrow. (A cron job has no controlling terminal, and su does not allocate one for the command it runs, so sudo still sees no tty.) This led me to one option: exempt the user (not everyone) from the tty requirement. The sudoers entries for that are:

Defaults    requiretty
Defaults:%group_name !requiretty
Defaults:user_name !requiretty

In case that isn’t clear enough: the first line requires a tty for every user and group not expressly exempted from that requirement. The second line exempts the group, and the third line specifically exempts the user. Listing both the user and the group is redundant when the user is already a member of the group, but it saves me revisiting the configuration file if we expand the group. Make the change with visudo (it syntax-checks before saving, and a broken sudoers locks everyone out of sudo), and pair the exemption with a sudo rule scoped to the one command the job needs rather than blanket sudo, since an account that can run anything as root without a tty is exactly what an attacker who lands in that cron job wants.
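As an added example (not code from the original post), the following shell helper writes the scoped version of this fix as a sudoers drop-in and validates it with visudo before it is installed. The account name webapp, the Cmnd_Alias name and the drop-in path are assumptions for illustration; the only command the job needs is the Apache restart from the post.

```shell
#!/bin/sh
# Added example: a sudoers drop-in that lets one account restart Apache from
# cron (no tty, no password prompt) without granting it general sudo.
# Assumed names: the account "webapp", the alias HTTPD_RESTART and the
# drop-in path under /etc/sudoers.d are illustrative, not from the post.
sudoers_httpd_dropin() {
    user="$1"; out="$2"
    cat > "$out" <<EOF
# exactly one command, runnable from cron by $user only
Cmnd_Alias HTTPD_RESTART = /sbin/service httpd restart
Defaults:$user !requiretty
$user ALL=(root) NOPASSWD: HTTPD_RESTART
EOF
    # sudo refuses sudoers files that are group- or world-writable
    chmod 0440 "$out"
}

# Never install an unchecked file: one syntax error locks everyone out of sudo.
# visudo -c -f parses the candidate file without touching /etc/sudoers.
sudoers_check() {
    visudo -c -f "$1"
}

# Typical use (as root on the web host):
#   sudoers_httpd_dropin webapp /tmp/webapp-httpd \
#     && sudoers_check /tmp/webapp-httpd \
#     && install -o root -g root -m 0440 /tmp/webapp-httpd /etc/sudoers.d/webapp-httpd
```

The per-user Defaults line in a drop-in overrides a global Defaults requiretty in the main file, so the rest of the system keeps the tty requirement. Because the rule names a single command, the cron job should call it exactly as written (sudo /sbin/service httpd restart); sudo matches the full command line against the alias.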

This ends the brain dump…

My MySQL Cheat Sheet

I know, man. No, I mean I know I could use ‘man pages’! Or I could just ‘google it’, but then it isn’t mine. Since I do not have time for a complete brain-dump this MySQL “cheat sheet” will grow over time. Feel free to add your favorite MySQL commands in the comments; if they’re really useful I’ll add them to the list!

If you don’t know what MySQL is…look it up! And, who are you?! Seriously…

Create a DB & Assign to a User:

Create a New DB, Create a User and Grant them permissions to the New DB.

mysql> create database someDB_name;
Query OK, 1 row affected (0.13 sec)

mysql> create user 'someUser_name'@'localhost' IDENTIFIED BY 'some_password';
Query OK, 0 rows affected (0.13 sec)

mysql> GRANT ALL PRIVILEGES ON someDB_name.* to someUser_name@localhost;
Query OK, 0 rows affected (0.05 sec)

The above should be pretty self explanatory, but for thoroughness’ sake: the first statement creates an empty database, which at that point only accounts holding global privileges (root) can use. The second creates an account and sets its password; that account has NO privileges yet. The third is the most important. You can grant global privileges with *.*, meaning access to ALL databases (not a good idea for an application account); you can grant database-level privileges as I did above with database_name.*, where the .* after the database name means full privileges on that one database only; or you can refine it further and grant privileges on a single table with database_name.some_table. Hope that clarifies things. To state it more succinctly, use this framework:

 GRANT [type of permission] ON [database_name].[table_name] TO '[username]'@'localhost';

GRANT, CREATE USER and REVOKE take effect as soon as they run; FLUSH PRIVILEGES is only required when you change the grant tables directly (an INSERT or UPDATE on the mysql.user table). Running it at the end of a grant session does no harm, so once you have finalized the permissions for your new user:

FLUSH PRIVILEGES;

Your changes will now be in effect. I always like to test the account out before giving it to the user. Log out and log back in as the new user, and check with SHOW GRANTS that it sees only its own database:

mysql> quit 
mysql -u [username] -p

Revoke User Access or Delete a whole DB:

If you need to revoke a permission, the structure is almost identical to granting it, except that the target is introduced with FROM rather than TO:

 REVOKE [type of permission] ON [database name].[table name] FROM '[username]'@'localhost';

You delete databases with DROP, and DROP USER removes an account (and all of its grants) altogether:

 DROP USER 'demo'@'localhost';

Recover Access when you have forgotten the root password:

Not that that ever happens… Start the server with the grant tables switched off, and with networking off as well, because every connection is unauthenticated while it runs that way. Then connect as root and set a new password hash:

mysqld_safe --skip-grant-tables --skip-networking &
mysql --user=root mysql

    update user set Password=PASSWORD('new-password') where user='root';
    flush privileges;
    exit;

The Password column only exists in MySQL 5.6 and earlier. From 5.7 the hash lives in authentication_string, PASSWORD() is gone in 8.0, and the supported route is FLUSH PRIVILEGES (to load the grant tables) followed by ALTER USER ... IDENTIFIED BY. Either way, stop the server and start it normally afterwards so the skip options are dropped.
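Because the right statements depend on the server generation, here is an added shell helper (mine, not from the post) that emits the recovery SQL for a given version and wires it into the procedure above. It assumes Oracle MySQL version numbering (MariaDB numbers its releases differently and is not handled), that mysqld and mysqld_safe are on PATH, and that it runs as root on the database host.

```shell
#!/bin/sh
# Added example: version-aware root password recovery for MySQL.
# Assumptions: Oracle MySQL numbering (not MariaDB); run as root on the DB host.

# Pull "8.0.32" out of e.g. "/usr/sbin/mysqld  Ver 8.0.32 for Linux on x86_64 (...)"
mysql_server_version() {
    mysqld --version 2>/dev/null \
        | sed -n 's/.*Ver \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print the SQL that resets root's password on server VERSION.
mysql_reset_sql() {
    version="$1"
    # double any single quote so the new password cannot break out of the literal
    pw=$(printf '%s' "$2" | sed "s/'/''/g")
    major="${version%%.*}"; rest="${version#*.}"; minor="${rest%%.*}"
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }; then
        # 5.7+: no Password column (hash is in authentication_string) and no
        # PASSWORD() in 8.0. Under --skip-grant-tables the server refuses
        # ALTER USER until FLUSH PRIVILEGES has loaded the grant tables.
        printf '%s\n' \
            "FLUSH PRIVILEGES;" \
            "ALTER USER 'root'@'localhost' IDENTIFIED BY '$pw';"
    else
        # 5.6 and earlier: the procedure from the post
        printf '%s\n' \
            "UPDATE mysql.user SET Password=PASSWORD('$pw') WHERE User='root';" \
            "FLUSH PRIVILEGES;"
    fi
}

# The whole recovery: unauthenticated server, local socket only, reset, shut down.
mysql_reset_root() {
    pw="$1"
    ver=$(mysql_server_version)
    [ -n "$ver" ] || { echo "cannot determine server version" >&2; return 1; }
    mysqld_safe --skip-grant-tables --skip-networking &
    sleep 5                                   # give mysqld time to open its socket
    mysql_reset_sql "$ver" "$pw" | mysql --user=root mysql || return 1
    mysqladmin --user=root --password="$pw" shutdown
    echo "password reset on MySQL $ver; start the server normally now"
}
```

Usage: mysql_reset_root 'new-password'. The skip-networking flag matters more than it looks: with grant tables off, anyone who can reach the TCP port is root until you shut the server down again.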

That’s it for now.  More to follow…

Extended ACLs

To strip all extended ACL entries from a file (-b removes them; -n skips recalculating the mask):

# setfacl -bn file.txt

To strip them from a directory and everything beneath it (--remove-all is just the long form of -b, so one of the two is enough; -R is what makes it cover the whole tree):

# setfacl -R -b directory.name

To overwrite permissions, setting them to rw for files and rwx for dirs (the parentheses must be escaped from the shell, and the line is continued with a backslash):

$ find . \( -type f -exec setfacl -m g:mygroup:rw '{}' ';' \) \
      -o \( -type d -exec setfacl -m g:mygroup:rwx '{}' ';' \)

To set mygroup ACL permissions based on existing group permissions (entries the owning group can execute get rwx, everything else rw):

$ find . \( -perm -g+x -exec setfacl -m g:mygroup:rwx '{}' ';' \) \
      -o \( -exec setfacl -m g:mygroup:rw '{}' ';' \)

You’ll probably want to check that the group mask provides the effective permissions you expect. setfacl -m recalculates the mask to fit the new entry unless -n is given, but a later chmod on the group bits rewrites the mask and silently trims every named user and group entry; getfacl flags this with an #effective: comment on the affected line. If the mask is too tight you can widen it the old school way, since the group bits are the mask on a file that carries an ACL, and run this too:

$ find . -type d -exec chmod g+rwX '{}' ';'
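The mask check above is easy to get wrong by eye, so here is an added shell helper (not part of the original page) that computes what a named group entry actually grants by ANDing it with the mask, reading getfacl output. The sample getfacl listing in the test is constructed, and the group name mygroup is the one used throughout this section.

```shell
#!/bin/sh
# Added example: effective rights of a named group ACL entry = entry bits AND mask.
# Reads getfacl(1) output on stdin. Prints the effective rights and returns
# 0 if the mask leaves the entry intact, 2 if the mask trims it, 1 if the
# group has no entry at all. The group name is the single argument.
acl_effective() {
    awk -v grp="$1" -F: '
        # named group entry, e.g. "group:mygroup:rw-"; getfacl may append
        # "\t\t#effective:r--" to the third field, so keep only three chars
        $1 == "group" && $2 == grp { entry = substr($3, 1, 3) }
        # "mask::r--" caps every named user, named group and owning-group entry
        $1 == "mask"               { mask  = substr($3, 1, 3) }
        END {
            if (entry == "") { print "none"; exit 1 }
            if (mask  == "") { mask = "rwx" }     # no mask entry: nothing to trim
            eff = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1); m = substr(mask, i, 1)
                eff = eff (e != "-" && e == m ? e : "-")
            }
            print eff
            exit (eff == entry ? 0 : 2)
        }'
}

# Walk a tree and report every path where the mask trims the group's rights.
# Requires getfacl; -p keeps the path in the "# file:" header absolute.
acl_audit_tree() {
    grp="$1"; dir="$2"
    find "$dir" -print | while IFS= read -r path; do
        eff=$(getfacl -p "$path" 2>/dev/null | acl_effective "$grp")
        if [ $? -eq 2 ]; then
            printf '%s: %s is granted only %s by the mask\n' "$path" "$grp" "$eff"
        fi
    done
}
```

Usage: acl_audit_tree mygroup /srv/shared. A non-empty report after the find/setfacl commands above means someone has since run chmod on the group bits (or setfacl -n), and the chmod g+rwX pass is the remedy.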


Fixing Authentication refused: bad ownership or modes for directory

When this error:

Authentication refused: bad ownership or modes for directory

shows up in the sshd log (/var/log/messages here; /var/log/secure or /var/log/auth.log on many distributions) while you are setting up public key authenticated automatic logins, the problem is a permissions one: sshd’s StrictModes check refuses to read authorized_keys when the home directory, ~/.ssh or the key file itself is writable by anyone else, or is not owned by the user.

You’ll need to perform the following commands as the user account you are trying to set up:

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys