Cannot SSH After Changing Permissions In Root Folder

Hello Guys,

I'm fairly new to Linux and was mucking around with permissions on root the other day and lost my connection via ssh. Now when I try to connect via ssh I get the error 'connection refused'. My system logs show the following:

Starting sshd: /var/empty/sshd must be owned by root and not group or world-writable.
[FAILED]

I gather this is because I changed some permissions on root. Thing is, as I'm unable to connect via ssh, how else can I correct this issue? I'm desperate as I have some data on there that I don't want to lose.

Thanks
Mark
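The startup check behind the error in this post, as an added shell example (not code from the thread or from OpenSSH itself): it applies the two conditions sshd names in its message, owner root and no group or world write bit, to a directory of your choice, and runs on a scratch directory so it works without root. The settings used by the `fix_privsep_dir` function (owner `root:root`, mode `0711`) are my assumption about a sensible layout for the directory, not something the post states; any mode without group/world write satisfies the check.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: reproduce the check
# sshd applies to its privilege-separation directory at startup. The message
# "/var/empty/sshd must be owned by root and not group or world-writable"
# means one of the two conditions below failed.

# mode_bits DIR: the 10-character permission field from "ls -ld"
mode_bits() {
    ls -ld "$1" | cut -c1-10
}

# privsep_mode_ok DIR: succeeds when DIR is neither group- nor world-writable
# (character 6 of the mode field is the group write bit, character 9 the
# world write bit)
privsep_mode_ok() {
    bits=$(mode_bits "$1")
    [ "$(printf '%s' "$bits" | cut -c6)" != "w" ] &&
    [ "$(printf '%s' "$bits" | cut -c9)" != "w" ]
}

# privsep_owner_ok DIR: succeeds when DIR is owned by root
privsep_owner_ok() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# check_privsep_dir DIR: print both verdicts; exit status 0 only if both hold
check_privsep_dir() {
    rc=0
    if privsep_owner_ok "$1"; then
        echo "$1: owner ok (root)"
    else
        echo "$1: NOT owned by root"
        rc=1
    fi
    if privsep_mode_ok "$1"; then
        echo "$1: mode ok ($(mode_bits "$1"))"
    else
        echo "$1: group- or world-writable ($(mode_bits "$1"))"
        rc=1
    fi
    return $rc
}

# fix_privsep_dir DIR: restore what sshd expects (run as root on the real
# directory, e.g. /var/empty/sshd). Mode 0711 is an assumption about a
# sensible mode; sshd only requires that group and world write are absent.
fix_privsep_dir() {
    chown root:root "$1" && chmod 0711 "$1"
}

# Demonstration on a scratch directory so the script runs without root.
demo=$(mktemp -d)
chmod 777 "$demo"                       # the broken state: world-writable
check_privsep_dir "$demo" || echo "-> sshd would refuse to start"
chmod 711 "$demo"                       # the mode part of the fix
check_privsep_dir "$demo" || echo "-> still wrong (not root-owned here?)"
rmdir "$demo"
```

On the real system the check and the fix have to be run from a path that does not go through sshd (a physical or VM console, or a rescue boot), since remote login is exactly what the failed check disables.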


Similar Content

Connecting To Specific Directory With Filezilla

Hello, I have an embedded Linux device. I can connect to the device and I can upload or download files. No problem with this. But, at first connection, I want to connect to the "/" directory instead of "/root". In the device file system, there are files ssh_config and sshd_config under the /etc/ssh directory. I think I have to do something with these files but I don't know what.

I don't exactly know what the "/root" and "/" directories mean. I think that the real root directory is "/", which is empty, but when I connect with FileZilla the "/root" directory is the default, so I have to go back to / every time.

Setuid, Setgid, Sticky Bit

There's something really weird happening with permissions on a directory in Linux. I have the directory /dir

Code:
ls -ld /dir
drwxrwxrwx. 2 root root 4096 Jan  8 00:06 dir
chmod 2777 /dir [this sets the setgid bit on]
ls -ld /dir
drwxrwsrwx. 2 root root 4096 Jan  8 00:06 /dir

And this is what I expect it to do.
However, when I change it to setuid (WITHOUT setgid), it simply doesn't work. Instead of overwriting, it accumulates:
Code:
chmod 4777 /dir [for setting setuid bit on]
drwsrwsrwx. 2 root root 4096 Jan  8 00:06 /dir

As you can see, the setgid bit is still on together with the setuid! However, if I run:
Code:
chmod -s /dir

then the file has 0777 permissions.

And then again, if I change its permission to 4777 (so setuid):
Code:
chmod 4777 /dir
drwsrwxrwx. 2 root root 4096 Jan  8 00:06 /dir

it acts normally. So the same chmod 4777 acts differently in two different contexts.

I really can't understand it. Basically, I cannot get rid of the setuid/setgid bits through binary permissions. The sticky bit works fine: changing from 1777 to 0777 and back removes and adds the "t" respectively. What am I to make of all this? This behaviour makes no sense to me, especially given that we can change the permissions to 6777 (setuid + setgid).
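The behaviour described in this post reproduced step by step, as an added shell example (not code from the thread): GNU chmod documents that for a directory it preserves existing setuid and setgid bits unless told otherwise, so a numeric mode such as 4777 can set those bits but never clears one that is already there, while a symbolic mode (u-s, g-s, or the post's plain -s) does clear them. The sticky bit is not preserved by numeric modes, which is why 1777 to 0777 behaves as expected. Everything happens in a scratch directory created by the script.

```shell
#!/bin/sh
# Added example, not code from the thread: show how GNU chmod handles the
# setuid and setgid bits of a directory. A numeric mode such as 4777 sets the
# bit it names but preserves a setuid/setgid bit the directory already has;
# a symbolic mode (u-s, g-s) clears them. The sticky bit is not preserved
# by numeric modes.

# special_bits DIR: two characters from "ls -ld", the owner-execute slot
# (s = setuid set) and the group-execute slot (s = setgid set)
special_bits() {
    bits=$(ls -ld "$1" | cut -c1-10)
    printf '%s%s\n' "$(printf '%s' "$bits" | cut -c4)" \
                    "$(printf '%s' "$bits" | cut -c7)"
}

# sticky_bit DIR: the world-execute slot (t = sticky bit set)
sticky_bit() {
    ls -ld "$1" | cut -c10
}

# step DIR MODE: apply MODE with chmod and show the resulting mode string
step() {
    chmod "$2" "$1"
    echo "chmod $2 -> $(ls -ld "$1" | cut -c1-10)"
}

d=$(mktemp -d)
chmod 777 "$d"
step "$d" 2777      # setgid on                           -> drwxrwsrwx
step "$d" 4777      # setuid on, setgid preserved         -> drwsrwsrwx
step "$d" u-s,g-s   # symbolic mode clears both (as "-s") -> drwxrwxrwx
step "$d" 4777      # now plain setuid                    -> drwsrwxrwx
step "$d" 1777      # sticky on, setuid still preserved   -> drwsrwxrwt
step "$d" 0777      # sticky cleared, setuid still kept   -> drwsrwxrwx
rmdir "$d"
```

The same rule is why the post's "chmod 4777" gives different results in two contexts: the only difference is whether a setgid bit was already present to be preserved.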

Setfacl Help

I can't believe I wrote a looong message and it logged me out when I tried to submit it.

So anyway, in short:

- I have a network of sites where all sites share the same "images" folder
- I have created /home/_images/entities and symlinked it from all websites
- It works great with Apache: when I open /images/ on any of the sites I get a list of images and can view them

The problem is suPHP, which changes the process ID of the PHP script to the file owner's ID, so when I load site1.com, all scripts are executed as user1 (and files/folders created with those scripts belong to user1:user1). When I load site2.com, all scripts are executed as user2 (and files/folders created with those scripts belong to user2:user2). All these users do NOT belong to the same group, and I wouldn't like to change that as it is a cPanel/WHM server, so I'm afraid I'll screw something up if I change the (primary?) group of all users.

Therefore I need to set it up in such a way that all newly created folders and files under /home/_images/entities (owned by root) have read/write permissions for everyone.

Here's the command I used:

Code:
setfacl -Rdm o::rwx /home/_images/entities

To check it:
Code:
root@server1 [~]# getfacl /home/_images/entities/
getfacl: Removing leading '/' from absolute path names
# file: home/_images/entities/
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx

This looks fine; however, when I try to upload an image via site1.com it looks like this:

Code:
root@server1 [/home/_images/entities]# ls -l
total 24
drwxrwxrwx+ 5 root    root    4096 Jan 14 06:25 ./
drwxrwxrwx  5 root    root    4096 Jan 12 13:08 ../
drwxrwxr-x+ 3 user1   user1   4096 Jan 14 06:25 1/

And in folder "1" is the image (and thumbs folder):

Code:
root@server1 [/home/_images/entities/1]# ls -l
total 236
drwxrwxr-x+ 3 user1   user1     4096 Jan 14 06:25 ./
drwxrwxrwx+ 5 root    root      4096 Jan 14 06:25 ../
-rw-rw-rw-  1 user1   user1   225569 Jan 14 06:25 689048f221ab7c556f4d482a9d92b2d6.jpg
drwxrwxr-x+ 2 user1   user1   4096 Jan 14 06:25 thumbs/

My questions:

1) Why do newly created folders not have "write" permissions for everyone else [not user and/or group]? If I upload the first image from site1.com, then I can't upload other images from any other site, while all sites can display them.

2) What is the + at the end of permissions list? (drwxrwxr-x+)

3) Why do newly created files have only "rw" permissions for user, group AND everyone else, and not execute permissions? I don't actually need the execute flag set here, but from my command you can see I've set "o::rwx", so it should be there (or not?)

Actually the real problem is #1: other users can't write to this folder, so users can't upload images from other sites, nor can other sites create (missing) thumbnails.

Root Terminal: 'Granted Permissions Without Asking For Password' - Is This Normal?

I am using Debian 7.7 stable and when I open the root terminal it asks for the password.

But if I open it again, I get the message: 'Granted permissions without asking for password. The /usr/bin/x-terminal-emulator program was started with the privileges of the root user without the need to ask for a password, due to your system's authentication mechanism setup'.

Oh, really? Because I don't remember setting up any 'authentication mechanism setup'.
How can I change this so the root terminal always asks for the password?
Do I have a trojan already? Because I installed the OS just a few days ago.

Thanks very much.

Assign Group Permission To Newly Created Files

Directory /media/data/torrents/ has permissions 775, user yzt, group transmission

yzt and debian-transmission are members of the group transmission.

transmission-daemon is run by debian-transmission, and the new files it downloads have permissions 644, owner debian-transmission, group transmission. This is a problem, because I can't later move the files as my user, yzt, and need to switch to root to change the permissions/ownership to be able to do so.

Using the sticky bit I could copy it anywhere else, but I'm interested in actually moving the file, not just copying it. I could run transmission-daemon as yzt and the problem would be solved, but I'd rather have that internet-facing service run by a limited user, just in case some vulnerability is found in Transmission.

So my question is, how can I set it so that every new file created under /media/data/torrents/ has permissions 775 like its parent directory?
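One added shell example (not code from either thread) serves both the setfacl post and this transmission post: it reproduces, on a scratch directory, how a POSIX default ACL on a directory shapes whatever is created inside it. For the setfacl post it shows why a default ACL with `o::rwx` still yields `-rw-rw-rw-` files (the creating call asks for 0666, and the ACL entries are ANDed with that requested mode) and `drwxrwxr-x` subdirectories (PHP's mkdir asked for 0775), and why only the directories carry the `+` (they inherited a default ACL of their own). For the transmission post it shows that the default ACL's `group::rwx` entry makes new files group-writable regardless of the creating process's umask, which is what a daemon running under its own account needs; the restrictive `umask 077` inside the script is my constructed worst case, not something either post mentions. The script needs the setfacl/getfacl tools and a filesystem with ACL support, and reports when they are absent.

```shell
#!/bin/sh
# Added example, not code from the threads: reproduce how a POSIX default ACL
# on a directory shapes the permissions of files and subdirectories created
# inside it, and what the "+" shown by ls means.

# mode_string PATH: the 10-character permission field from "ls -ld"
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# has_acl PATH: succeeds when ls marks PATH with "+", i.e. it carries an ACL
# beyond the classic mode bits (for a directory, a default ACL is enough)
has_acl() {
    [ "$(ls -ld "$1" | cut -c11)" = "+" ]
}

# set_default_acl DIR: open DIR to everyone and give it the default ACL from
# the setfacl post; setfacl copies user:: and group:: entries from the
# access ACL (here rwx/rwx), so the default ACL becomes rwx/rwx/rwx.
# Fails when setfacl is missing or the filesystem refuses the ACL.
set_default_acl() {
    command -v setfacl >/dev/null 2>&1 || return 1
    chmod 777 "$1" && setfacl -dm o::rwx "$1" 2>/dev/null
}

# populate DIR: create the two kinds of objects the setfacl post shows, under
# a deliberately restrictive umask (constructed) to show that the umask is
# not what decides the outcome once a default ACL is present
populate() {
    (umask 077
     touch "$1/image.jpg"        # open(2) asks for 0666 -> no execute bits
     mkdir -m 775 "$1/thumbs")   # mkdir asks for 0775 -> others lose write
}

# report PATH: one line with the mode string and whether an ACL is attached
report() {
    if has_acl "$1"; then acl=yes; else acl=no; fi
    echo "$(mode_string "$1")  acl=$acl  $1"
}

d=$(mktemp -d)
if set_default_acl "$d"; then
    populate "$d"
    report "$d"                   # drwxrwxrwx+  (carries the default ACL)
    report "$d/image.jpg"         # -rw-rw-rw-   (no ACL: minimal entries only)
    report "$d/thumbs"            # drwxrwxr-x+  (inherited the default ACL)
    command -v getfacl >/dev/null 2>&1 && getfacl --omit-header "$d/thumbs"
else
    echo "setfacl unavailable or ACLs unsupported on this filesystem"
fi
rm -rf "$d"
```

The group entry is the part that matters for the transmission case: because `group::rwx` in the default ACL is ANDed with the 0666 a download is created with, the file comes out group-writable for members of the directory's group no matter which account created it or what umask that account runs with.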

Selinux On Ubuntu Server

Hi All,

Please can someone assist me with this? I enabled SELinux on an Ubuntu 14.04 server and it's disabling ssh remote login for all users, including root.

From the ssh terminal I get the following error:

ssh root@192.168.x.x
Last login: Wed Mar 25 12:39:02 2015 from 192.168.x.x
/bin/bash: Permission denied
Connection to 192.168.211.135 closed.


tail /var/log/auth.log

ubuntu sshd[1640]: Accepted password for root from 192.168.x.x port 51082 ssh2

ubuntu sshd[1642]: Accepted password for root from 192.168.x.x port 51089 ssh2

ubunt sshd[1640]: Received disconnect from 192.168.x.x: disconnected by user

audit2allow --all

sshd_t

This avc is a constraint violation. you would need to modify the attribute of either the source or target types to allow this access.

possible cause is the source user (system_u) and target user (unconfined_u) are different.

possible cause is the source role (system_r) and target role (unconfined_r) are different.

possible cause is the source level (s0) and target level (s0-s0:c0.c255) are different.

allow sshd_t unconfined_t:process transition;

Please, how can I make these changes take effect?

Thanks in advance.

Slackware 14.0 - End User Changing Password Failed

Hi all,

I am a Slackware 14.0 user. Recently I faced a problem. As root I can change one of my normal users' (let's say Peter's) password. However, when I log in as Peter and try to change the password, the system does not allow me to renew my password.


root@slackwa /etc# ls -la | grep shadow
-rw-r----- 1 root shadow 9 Nov 29 2013 gshadow
-rw------- 1 root root 0 Jun 20 2013 gshadow-
-rw-r----- 1 root shadow 2272 Apr 12 22:44 shadow
-rw------- 1 root root 2274 Apr 12 21:40 shadow-
root@slackwa /etc# ls -la | grep passwd
-rw-r--r-- 1 root root 2362 Apr 12 12:58 passwd
-rw------- 1 root root 2306 Jan 8 17:38 passwd-
-rw-r--r-- 1 root root 2305 Aug 11 2014 passwd~


peter@slackwa ~$ which passwd
/usr/bin/passwd
peter@slackwa ~$ ls -la /usr/bin/passwd
-rws--x--x 1 root root 68725 Sep 14 2012 /usr/bin/passwd*

peter@slackwa ~$ passwd
Changing password for peter
Old password:
Incorrect password for peter.
The password for peter is unchanged.

One thing I can assure you of is that the password I input is correct. I have another Slackware 14 running on a Dell R410, but it does not have this problem.


Please kindly advise. Thank you.

Added 'exit 0' To The Bottom Of .bashrc, Now What?

Centos 6.5

I ran into an interesting problem (on reddit) that I figured I could solve, but I have not been able to. It's simple: I added 'exit 0' to /root/.bashrc, and now I am trying to log in via ssh.

Every time I do, it immediately exits when it runs .bash_profile, which sources .bashrc (which happens immediately upon 'logging in').

I've tried:

Code:
ssh root@192.168.1.50 -t vim
vim scp://192.168.1.50/.bashrc
vim scp://192.168.1.50/root/.bashrc
ssh root@192.168.1.50 bash --norc
ssh root@192.168.1.50 /bin/bash --norc --noprofile
ssh -T root@192.168.1.50 "mv /root/.bashrc /root/.bashRC"
scp .bashrc root@192.168.1.50:/root/
ssh root@192.168.1.50 /bin/bash --norc --noprofile -vvvvvvvvvv
ssh -vvvvvv root@192.168.1.50 /bin/bash --norc --noprofile
ssh -vvvvvv root@192.168.1.50 /bin/mv /root/.bashrc /root/.bashRC
ssh -t -t root@192.168.1.50 << EOF
mv /root/.bashrc /root/.bashRC
EOF
ssh -t -t root@192.168.1.50 --norc << EOF
echo HELLO > /root/.bashrc
EOF
ssh -tv root@192.168.1.50 rm .bashrc

So, I am unable to get back into the system (as root; no other users exist) after adding 'exit 0' to .bashrc.

Anyone feel like explaining why all of these failed (aside from saying SSH interactive logins run the .bash_profile/.bashrc files), or offering a suggestion that works? Seems like if you have the root password, you should be allowed to modify the login process... since... you know... you are root.

Useradd Command Why 1000:1000: Group?

useradd -s /bin/bash -d /home/jaydul -m jaydul
[root@tuhin /]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0perator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
jaydul:x:1000:1000::/home/jaydul:/bin/bash
[root@tuhin /]# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)

jaydul:x:1000:1000::/home/jaydul:/bin/bash

Why is the group 1000:1000? Shouldn't it be 500:500 by default?
Did I make any mistake?
jaydul:x:500:500::/home/jaydul:/bin/bash

Centos 7 - X11 Forwarding

I've read quite a few articles on this now and I still don't seem to be able to do this, so I am hoping someone can tell me where I am going wrong...

Background:-
Centos v7 running in a VM
Cygwin installed on the desktop (fresh install)

I have amended the sshd_config on the VM to :-
X11Forwarding yes
X11UseLocalhost no
Disabled SELinux and restarted the sshd daemon.

Within Cygwin, before making the connection, I set:-
export DISPLAY=:0
Then run startxwin

Within Xwin.exe I run the following and get the error:-
$ ssh -XY root@192.168.246.130
root@192.168.247.131's password:
X11 forwarding request failed on channel 0
Last login: Tue Jun 2 20:40:44 2015 from 192.168.246.10

Is it something I'm missing?
I'll admit X11 is a weak area for me.