Recognizing Permission Problems

Recognizing Permission Problems

Ninety percent of day-to-day problems in running Unix systems are permissions- related . Most often, some process tries to write to a file or directory that it doesn't have permission to write to. Maybe it did yesterday , but someone accidentally or carelessly changed it, and then something stopped working.

Permission problems show up in so many ways that it is not reasonable to try to list them here, but there are a few rules you can follow to spot permission problems.

Often the first sign is an error message containing the words "Permission denied ." Sometimes it is accompanied by more informationfor example,

 /usr/local/bin/script.sh: permission  denied: /etc/foo [3] 

This is telling you that line 3 of the script /usr/local/bin/script.sh failed because it did not have enough permission to do something with /etc/foo . You have to look inside the script to see what exactly was going on, but you have a good place to start.

Some things to keep in mind:

1.
To create a new file, rename a file, delete a file, or change a file's permissions, the process must have write permission in the directory where the file is being created.

2.
To change an existing file, you must have write permission on the file.

3.
To cd into a directory, the process must have execute permission on the full path of the directory. So to cd into /Users/ vanilla /Sites/images/big_images , the processes doing the cd must have execute permission on the following:

 / /Users /Users/vanilla /Users/vanilla/Sites /Users/vanilla/Sites /images /Users/vanilla/Sites /images/big_images 

4.
To list the contents of a subdirectory, you must have read permission for it, as well as permission to cd into the directory where it's stored. So to list the contents of /Users/vanilla/Sites/images/big_images , you must be able to cd into /Users/vanilla/Sites/images and have read permission on big_images. You do not need to be able to cd into a directory to list its contents.

To correct a permission problem:

1.
Write down the permissions of the files or directories you think should change.

You might try redirecting the output of ls -l into a file, for example:

ls -l bad_file > permission_save

2.
Change the permissions to what you think will fix the problem.

3.
Test the fix.

If the fix doesn't work, change the permissions back to what they started as, and think through the problem again. Go back to step 2. Lather, rinse, repeat.

Using ACLs

Starting with version 10.4 Mac OS X supports a form of permissions called an Access Control List (ACL). ACLs are special files, normally hidden from view, that allow you to specify in excruciating detail the kinds of access that users have to a file or directory. For example, using an ACL, you can give permission to append to a file but not to delete it, or to delete or create a file, but not to alter an existing file. And you can give these permissions separately to each user or group in the ACL.

ACLs are not enabled by default in the regular version of Mac OS X, but they are enabled in Mac OS X Server (see www.apple.com/server/documentation). There is also an article on understanding ACLs at www.afp548.com/article.php?story=20050506085817850. Or, check out Apple Training Series: Mac OS X Server Essentials, soon to be published by Peachpit Press, for much more about ACLs than we are able to cover here.

To enable ACLs:

1.
sudo fsaclctl -a -e

Enter your password if asked for it.

You will see a line of output for each filesystem (volume, partition) you have mounted, with at least the root filesystem being listed:

ProcessVolume: processing /

Tips

  • You can learn more about ACLs from the man page for the chmod and ls commands. These describe how to set and read ACLs. For example, to set an ACL you might do

     chmod +a "admin allow write"   filename  

  • The folks at Ars Technica wrote an article that provides an excellent overview of the changes to Mac OS X that were introduced in version 10.4. The section on ACLs is http://arstechnica.com/reviews/os/macosx-10.4.ars/8.


To add an ACL entry:

  • Use the +a option to the chmod command.

    For example, the following would add an entry to the ACL for the file filename , allowing anyone in group dancers to append to the file (write data to the file but not overwrite any existing data in the file):

     chmod +a "dancers allow append"   filename  

    Table 8.9 lists ACL permission keywords, Table 8.10 lists the most common ACL-related options for the chmod command, and Figure 8.23 shows several examples of setting ACLs.

    Table 8.9. ACL Permissions

    K EYWORD

    D ESCRIPTION

    Permissions available for both files and directories :

    delete

    Deletes the object. You can delete an object if you have this permission or the delete_child permission on the immediate parent directory.

    readattr

    Reads the object's basic attributes (filename, size , and so on)

    writeattr

    Changes the normal Unix attributes of the object.

    readexattr

    Reads the object's extended attributesthese are the attributes used in Spotlight searches.

    writeexattr

    Alters the object's extended attributes.

    readsecurity

    Reads the object's ACL.

    writesecurity

    Writes an object's ACL.

    chown

    Changes the object's ownership.

    Permissions available only for directories:

    list

    Lists the contents of the directory.

    search

    Looks up files by name .

    add_file

    Adds a file.

    add_subdirectory

    Adds a subdirectory.

    delete_child

    Deletes any object in the directory. (See also the delete permission, above.)

    file_inherit

    Causes files (not directories) to inherit ACL settings.

    directory_inherit

    Causes subdirectories (not files) to inherit ACL settings.

    limit_inherit

    Causes an inherited ACL entry to not be inherited any further down the hierarchyit stops here, so this one only applies to inherited entries.

    only_inherit

    The entry is inherited but has no effect.

    Permissions available only for non-directories:

    read

    Like the standard Unix read permissionallows reading the file contents.

    write

    Allows writing to the file.

    append

    Like write , but only allows writes into areas in the file that have not already been written.

    execute

    Like the standard Unix execute permission for a file.


    Table 8.10. ACL Options for the chmod Command

    O PTION

    D ESCRIPTION

    +a

    Set (add) an ACL entry.

    +a# n

    Add an entry at position n ( lowest number is 0)

    -a

    Remove an entry.

    -a# n

    Remove entry at position n (lowest position is 0)

    =a# n

    Rewrite an existing entry at position n .

    -E

    Read the ACL entries (separated by newlines) from STDIN, so you can redirect input from a file with chmod -E < acl_entries_file

    -i

    Removes the "inherited" setting from all entries in the named file(s)' ACLs. See the man page for chmod for more on complex inheritance possibilities of ACL entries.

    -I

    Removes all inherited entries from the named file(s)' ACLs.


    Figure 8.23. Examples of setting and changing ACLs.
       Adding an ACL entry to allow group "dancers" to write to a file:   root#  ls -le  total 8 -rw-r--r--  1 vanilla wheel     13 Jul 11 20:18 file1 root#  chmod +a "dancers allow write" file1  root#  ls -le  total 8 -rw-r--r-- + 1 vanilla          wheel     13 Jul 11 20:18 file1  0: group:dancers allow write   Adding an ACL entry on a directory to allow group dancers to add files to the     directory:   root#  ls -le  total 0 drwxr-xr-x  2 root   wheel     68 Jul 11 20:23 dropbox root#  chmod +a "dancers allow add_file" dropbox  root#  ls -le  total 0 drwxr-xr-x + 2 root  wheel     68 Jul 11 20:23 dropbox  0: group:dancers allow add_file   (Notice how the second use of   ls -le,   after adding an ACL entry, added a + to the     output of   ls   .)     Adding an ACL entry giving user "vanilla" three permissions (add_file, list, and     search) on the directory:   root#  chmod +a "vanilla allow add_file,list,search" dropbox  root#  ls -le  total 0 drwxr-xr-x + 2 root   wheel    68 Jul 11 20:29 dropbox  0: user:vanilla allow list,add_file,search  1: group:dancers allow add_file   Removing an ACL entry by position number:   root#  ls -le  total 0 drwxr-xr-x + 2 root   wheel    68 Jul 11 20:29 dropbox  0: user:vanilla allow list,add_file,search  1: group:dancers allow add_file root#  chmod -a# 1 dropbox  root#  ls -le  total 0 drwxr-xr-x + 2 root   wheel    68 Jul 11 20:29 dropbox  0: user:vanilla allow list,add_file,search 

    You can view the ACL for a file using the ls command:

    ls -le filename

    The e option ( extended ), when combined with the l option, will show the ACL for the specified file. See Figure 8.23 for some examples.

Tips

  • ACL entries normally get added to the "top" of the ACL list (in position 1 as shown by the ls -le command), but you can specify a position for a new ACL entry by using the +a# optionfor example:

     chmod +a# 3 "probies deny write"  inbox 

    would put the new ACL entry at position 3. If there was already an entry at position 3, it would now be at position 4.

  • ACLs support specifying (for directories only) how ACL settings are passed down to files and directories contained inside the directory. This is called inheritance . See the man page for chmod for details.


To remove an ACL entry:

  • Use the -a or -a# option to the chmod command.

    For example,

     chmod -a "probies deny write"   filename  

    will remove the (exactly matching) ACL entry. You can use the -a# option to remove an entry by its index number:

    chmod -a# 3 filename

    will remove the third ACL entry.

To alter an existing ACL entry:

  • Use the =a# option to the chmod command.

    For example, to replace the ACL entry in position 2:

     chmod =a# 2 "dancers allow read"   filename  



Unix for Mac OS X 10. 4 Tiger. Visual QuickPro Guide
Unix for Mac OS X 10.4 Tiger: Visual QuickPro Guide (2nd Edition)
ISBN: 0321246683
EAN: 2147483647
Year: 2004
Pages: 161
Authors: Matisse Enzer

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net