Many thanks for your bash permission article

Ben Okopnik [ben at okopnik.com]

Fri, 11 Mar 2011 00:02:07 -0500

[cc'd to the Answer Gang]

Hi, Long -

On Thu, Mar 10, 2011 at 10:54:18AM -0800, Long Chow wrote:

> Hello Ben Okopnik,
> Yesterday I bumped into a su (substitute user) permission error similar
> to your Apr. 2000 article, "Cannot execute /bin/bash: Permission denied".
> I was attempting to run an expect script in non-root user mode on Fedora 8:
>   su netter -c "expect try.exp"
> and it failed:
>   couldn't read file "try.exp": permission denied
> No problem if I run:
>   su root -c "expect try.exp"
>   expect try.exp
> I pored over permission related avenues for the whole day and failed.
> It was around midnight when I googled upon your article that my hope was
> rekindled.
> So the first thing coming into work today...
> Using your approach (especially strace), I found the execution bit for others
> for /root
> was not set.  After setting it, my non-root mode command string started to
> work!

That's actually not a good solution; the correct permissions for /root are 0700. Setting it to 0701, as you have, allows other users to enter that directory - a really bad idea!

ben@Jotunheim:~$ ls -ld /root
drwx------ 11 root root 4096 2011-03-10 21:14 /root
ben@Jotunheim:~$ head -n 1 /root/.bashrc
head: cannot open `/root/.bashrc' for reading: Permission denied

OK, this is what's supposed to happen. But here's what happens when I change the permissions as you specified:

ben@Jotunheim:~$ sudo chmod 0701 /root
[sudo] password for ben: 
ben@Jotunheim:~$ head -n 1 /root/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.


I suspect that the right solution for you would be to put 'try.exp' somewhere other than /root; then you won't have to do anything with those permissions (other than hopefully set them back as quickly as possible.)


                       OKOPNIK CONSULTING
        Custom Computing Solutions For Your Business
Expert-led Training | Dynamic, vital websites | Custom programming
  443-250-7895   http://okopnik.com   http://twitter.com/okopnik
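
The point Ben makes above, that an execute bit for "other" on a directory lets any user open files inside it by name even when the directory cannot be listed, can be turned into a routine check. The script below is an added example, not part of the original thread or of Ben's article: it finds directories under a given tree whose mode grants "other" the search (x) bit, as chmod 0701 on /root does, explains what that last octal digit allows, and puts a directory back to owner-only 0700. It assumes only POSIX sh, find, ls and chmod; the function names and the sample tree are invented for the example.

```shell
#!/bin/sh
# Added example (not from the Linux Gazette thread): audit a tree for
# directories that give "other" users the search (x) bit, and remediate.
# Assumes POSIX sh/find/chmod only; all paths come from the caller.

# Describe what the "other" digit of a directory mode lets an unrelated user do.
# $1: octal mode such as 700 or 0701; only the last digit is examined.
describe_other_dir_access() {
    d=${1#"${1%?}"}   # strip everything but the last character
    case "$d" in
        0) echo "none" ;;
        1) echo "search only: may open entries by exact name, may not list" ;;
        4) echo "list only: may read names, may not open entries" ;;
        5) echo "list and search" ;;
        7) echo "list, search, create and delete" ;;
        *) echo "other combination ($d)" ;;
    esac
}

# Print every directory at or below $1 whose mode has the "other" execute bit.
# -perm -001 is POSIX: match when all bits of 001 are set in the mode.
list_other_searchable_dirs() {
    find "$1" -type d -perm -001 2>/dev/null
}

# Number of such directories, for scripted checks (0 means the tree is clean).
count_other_searchable_dirs() {
    list_other_searchable_dirs "$1" | wc -l | tr -d ' '
}

# Remediation Ben recommends for /root: owner-only access.
make_owner_only() {
    chmod 0700 "$1"
}

# Stand-alone demonstration on a constructed sample tree (hypothetical paths).
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d)                     # mktemp -d creates the root as 0700
    mkdir "$t/private" "$t/leaky"
    chmod 0700 "$t/private"
    chmod 0701 "$t/leaky"              # the /root situation from the thread
    echo "leaky directories before fix:"
    list_other_searchable_dirs "$t" | while read -r p; do
        printf '  %s (other: %s)\n' "$p" "$(describe_other_dir_access "$(ls -ld "$p" | cut -c8-10 | tr -d '-' | wc -c)")"
    done
    make_owner_only "$t/leaky"
    echo "leaky directories after fix: $(count_other_searchable_dirs "$t")"
    rm -rf "$t"
fi
```

Run it as `sh audit.sh --demo` to see the constructed tree flagged and then cleaned; in practice you would point `list_other_searchable_dirs` at /root or /home and treat any hit on a home directory as something to fix rather than a way to make a script work.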

Ben Okopnik [ben at linuxgazette.net]

Sat, 12 Mar 2011 17:42:29 -0500

On Fri, Mar 11, 2011 at 08:55:49AM -0800, Long Chow wrote:

> Hi Ben,
> Thanks for pointing out the security concern.
> It is a development host used only by me for cross compiling ARM based
> embedded system target.
> We are still in the "stone age" and have not migrated out of root account to
> non-root.

Hmm, it looked like you were using the 'netter' account instead of root, which is why you were having the problem. But operating as root by default isn't just a security concern - it's also a good way to accidentally destroy your system with a single typing mistake.

# rm -rf /tmp/foo           # No problem
# rm -rf / tmp/foo          # BIG problem!

...and many, many other easy ways to do lots of damage.

> Again I am very grateful for your bash permission article.

You're certainly welcome - glad you found it of use!

* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *