
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
1 answers
2827 views
Giving access to user-installed python distribution to another linux user
(I'm not sure exactly what SE site my question belongs, I hesitated between stackoverflow, serverfault and superuser. Feel free to give suggestions about this in the comments.)

Here is my problem: I have two users on my linux computer, bli and pquarato. bli installed python3.6 locally (compiling from source with ./configure --prefix=${HOME}). The binary is installed in /home/bli/bin, pip3.6 installs things in /home/bli/.local/lib/python3.6/site-packages. For instance, numpy is installed there:

(bli) $ pip3.6 install numpy
Requirement already satisfied: numpy in /home/bli/.local/lib/python3.6/site-packages

I want pquarato to be able to use bli's python installation. bli did chmod -R a+rx on /home/bli/bin and /home/bli/.local. pquarato can use bli's python3.6 binary, but it is not able to import modules installed with pip3.6:

(pquarato) $ /home/bli/bin/python3.6 -c 'import numpy'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ModuleNotFoundError: No module named 'numpy'

The above works without errors for bli. What else should I do?

-----

Note: I actually first ran into a problem when trying to get pquarato to use programs such as ipython3:

(pquarato) $ /home/bli/.local/bin/ipython3
Traceback (most recent call last):
  File "/home/bli/.local/bin/ipython3", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/home/bli/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3017, in <module>
    @_call_aside
  File "/home/bli/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3003, in _call_aside
    f(*args, **kwargs)
  File "/home/bli/lib/python3.6/site-packages/pkg_resources/__init__.py", line 3030, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/home/bli/lib/python3.6/site-packages/pkg_resources/__init__.py", line 659, in _build_master
    ws.require(__requires__)
  File "/home/bli/lib/python3.6/site-packages/pkg_resources/__init__.py", line 967, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/home/bli/lib/python3.6/site-packages/pkg_resources/__init__.py", line 853, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'ipython==6.2.1' distribution was not found and is required by the application

I hope that the same solution will solve both the ModuleNotFoundError and the above DistributionNotFound issue.
bli (239 rep)
Apr 4, 2018, 11:57 AM • Last activity: Aug 6, 2025, 02:08 PM
0 votes
1 answers
54 views
Linux user changed permissions and ownership of shared folder file not created by him
I am using Linux Mint and my workmates are using Windows. We've got a local, shared server (also Linux) for documentation files and a weird thing happened yesterday: a windows user created a file (.odm) and after I changed it, the ownership of the file changed to me and all the other users, including the one who created it, had permission only to read it, although, initially (before I edited it) everyone could read, write and execute. I don't know what information I need to give to make context clearer, but I'd like to understand how that happened. I mean, it seems very weird for a different user to be able to change permissions and ownership of a shared server's file. The server is running samba, and all the clients are using that to access the files.
Bernardo Benini Fantin (101 rep)
Aug 5, 2025, 11:07 AM • Last activity: Aug 5, 2025, 10:31 PM
2 votes
1 answers
55 views
How to allow rsync via ssh to a specific directory only
I want to allow moving files to a specific directory on my server using rsync + ssh. However, I don't want to fully trust the users using that SSH user. One solution I found is to set the shell of the user to rssh which can be configured to only allow sftp, rsync etc. However, in this case, the user would still be able to pull any readable files from the server, such as configurations in /etc which I don't want. I'm currently hesitating to go over my full directory structure and revoking the access for "others". Is there a way to allow a user to use rsync via ssh but only from / to a specific directory? I've seen that it seems possible to jail the SFTP access of openssh:
Match Group sftponly
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no
  PasswordAuthentication no
However, I would prefer rsync, as this account is used to upload bigger data and the internet connections are somewhat unstable (rural area with bad internet). rsync has proven very effective with all its features of continuing cancelled uploads.
GNA (131 rep)
Aug 4, 2025, 02:23 PM • Last activity: Aug 5, 2025, 05:20 AM
3 votes
2 answers
3106 views
pandoc error: Permission denied
I'm on Manjaro Linux. I have texlive-most installed. I'm trying to make pdf files from md with pandoc. However, I keep getting Permission denied errors. I've tried using pdflatex and pdfroff.

---

Run with the default --pdf-engine=pdflatex:
$ pandoc test.md -o test.pdf
warning: kpathsea: configuration file texmf.cnf not found in these directories: /usr/bin:/usr/bin/share/texmf-local/web2c:/usr/bin/share/texmf-dist/web2c:/usr/bin/share/texmf/web2c:/usr/bin/texmf-local/web2c:/usr/bin/texmf-dist/web2c:/usr/bin/texmf/web2c:/usr:/usr/share/texmf-local/web2c:/usr/share/texmf-dist/web2c:/usr/share/texmf/web2c:/usr/texmf-local/web2c:/usr/texmf-dist/web2c:/usr/texmf/web2c://texmf-local/web2c:/://share/texmf-local/web2c://share/texmf-dist/web2c://share/texmf/web2c://texmf-local/web2c://texmf-dist/web2c://texmf/web2c.

kpathsea: Running mktexfmt pdflatex.fmt
mktexfmt: Permission denied
warning: kpathsea: configuration file texmf.cnf not found in these directories: /usr/bin:/usr/bin/share/texmf-local/web2c:/usr/bin/share/texmf-dist/web2c:/usr/bin/share/texmf/web2c:/usr/bin/texmf-local/web2c:/usr/bin/texmf-dist/web2c:/usr/bin/texmf/web2c:/usr:/usr/share/texmf-local/web2c:/usr/share/texmf-dist/web2c:/usr/share/texmf/web2c:/usr/texmf-local/web2c:/usr/texmf-dist/web2c:/usr/texmf/web2c://texmf-local/web2c:/://share/texmf-local/web2c://share/texmf-dist/web2c://share/texmf/web2c://texmf-local/web2c://texmf-dist/web2c://texmf/web2c.

kpathsea: Running mktexfmt pdflatex.fmt
mktexfmt: Permission denied
Error producing PDF.
This is pdfTeX, Version 3.14159265-2.6-1.40.20 (TeX Live 2019/Arch Linux) (preloaded format=pdflatex)
I can't find the format file `pdflatex.fmt'!
Quick investigation:
$ ll /usr/bin/mktexfmt
lrwxrwxrwx 1 root root 7 Nov  1  2019 /usr/bin/mktexfmt -> fmtutil

$ ll /usr/bin/fmtutil
lrwxrwxrwx 1 root root 48 Nov  1  2019 /usr/bin/fmtutil -> /usr/share/texmf-dist/scripts/texlive/fmtutil.pl

$ ll /usr/share/texmf-dist/scripts/texlive/fmtutil.pl
-rwxr-xr-x 1 root root 49K Nov  1  2019 /usr/share/texmf-dist/scripts/texlive/fmtutil.pl

$ locate pdflatex.fmt
/var/lib/texmf/web2c/pdftex/pdflatex.fmt

$ ll /var/lib/texmf/web2c/pdftex/pdflatex.fmt
-rw-r--r-- 1 root root 7.7M Jun  5 09:27 /var/lib/texmf/web2c/pdftex/pdflatex.fmt
---

Run with --pdf-engine=pdfroff:
$ pandoc --pdf-engine=pdfroff test.md -o test.pdf
pandoc: pdfroff: createProcess: runInteractiveProcess: exec: permission denied (Permission denied)
---

Running pandoc with sudo works but I'd rather not have to use sudo to generate pdfs. I see that mktexfmt has execute permission and pdflatex.fmt has read permission for everyone. I'd also like to use the default pdflatex instead of another engine. How should I fix this Permission denied problem?
ChocolateOverflow (1161 rep)
Jun 5, 2020, 06:40 AM • Last activity: Aug 3, 2025, 08:11 AM
5 votes
2 answers
4397 views
curl not able to write to /tmp directory owned by user
I tried running the script as instructed in https://docs.docker.com/engine/security/rootless/ :

$ curl -fsSL https://get.docker.com/rootless | sh

But the script crashed in the following line:

curl -L -o docker.tgz "$STATIC_RELEASE_URL"

With the message:

Warning: Failed to create the file docker.tgz: Permission denied
curl: (23) Failure writing output to destination

I narrowed down the problem to curl trying to write to the tmp folder created by mktemp -d, but I don't understand why it fails. Some context:

$ whoami
thiago
$ uname -a
Linux thiago-acer 5.8.0-55-generic #62~20.04.1-Ubuntu SMP Wed Jun 2 08:55:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ mktemp -d
/tmp/tmp.U1nPTN5dlS
$ cd /tmp/tmp.U1nPTN5dlS
$ ls -la
total 8
drwx------ 2 thiago thiago 4096 Jun 17 18:20 .
drwxrwxrwt 25 root root 4096 Jun 17 18:20 ..

After running the commands above, I tried:

# this fails with the same message as above
curl https://download.docker.com/linux/static/stable/x86_64/docker-20.10.7.tgz -O
# this works just fine
curl https://download.docker.com/linux/static/stable/x86_64/docker-20.10.7.tgz -o - > docker-20.10.7.tgz
# this also works
wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.7.tgz

The curl -O command also works if I try it on some other folder, like my home folder. Any help is appreciated.
Thiago Barcala (151 rep)
Jun 17, 2021, 04:26 PM • Last activity: Aug 2, 2025, 03:05 PM
2 votes
1 answers
5585 views
How to change permissions on Samba subfolder?
I have a Samba server with ROLE_DOMAIN_MEMBER in the Active Directory. My main aim is to make a different permissions on share sub-folders on every single share. It can be done using Linux acl or Windows permissions GUI, but I prefer a Windows GUI. In this case users can do this by themselves. I already tried to change permissions using chmod, chown, acl, Windows GUI and Windows console GUI, and I can change permissions to sub-folder but it seems that it doesn't work and only groups added to samba-share worked for me and also for sub-folders

valid users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
admin users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"

I print here all my smb.cfg and a single test share:

[global]
# No .tld
workgroup = DOMAIN
netbios name = samba4
server string = %h server (Samba, Ubuntu)
# Active Directory System
security = ads
# With .tld
realm = DOMAIN.LOCAL
# Just a member server
domain master = no
local master = no
preferred master = no
dns proxy = no
# Disable printing error log messages when CUPS is not installed.
printcap name = /dev/null
load printers = no
printcap cache time = 0
#additional section
obey pam restrictions = yes
map to guest = bad user
dns proxy = no
vfs objects = acl_xattr
map acl inherit = yes
nt acl support = yes
acl map full control = yes
#acl compatibility = auto
store dos attributes = yes
map archive = no
map hidden = no
map read only = no
map system = no
# Works both in samba 3.2 and 3.6.
#idmap backend = tdb
# no .tld
idmap config * : backend = tdb
idmap config * : range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
# This way users log in with username instead of username@example.com
winbind use default domain = yes
# Inherit groups in groups
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
#winbind separator = \
# Becomes /home/example/username
template homedir = /home/%D/%U
#logon drive = H:
#logon home = \\smb\%U
# No shell access
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
#password server = dc01.domain.local, dc02.domain.local
password server = *
encrypt passwords = yes
unix password sync = yes
pam password change = yes
smb passwd file = /etc/samba/smbpasswd
os level = 20
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 3
#logging = syslog@1 /var/log/samba/log.%m
vfs objects = full_audit
full_audit:success = mkdir rmdir unlink pwrite
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = notice
recycle:repository = /home/recycle/
recycle:keeptree = yes
recycle:versions = yes
max log size = 100000
panic action = /usr/share/samba/panic-action %d
guest ok = yes

[test$]
path = /FS/test$
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
admin users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"

┌─[root@samba4]─[/FS]
└──╼ #ls -ld test\$/
drwxrwx---+ 6 root root 4096 Jun 25 15:44 test$/

ACL configuration:

cat /boot/config-4.4.0-87-generic | grep _ACL
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_HFSPLUS_FS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y

My fstab:

UUID=4ec48dfe-c45d-124b-8145-09fe59cfad9b /FS ext4 relatime,acl,user_xattr,errors=remount-ro 0 1

In samba.log I see a problem with acl permissions while I try to change permissions to test directory.

set_nt_acl: failed to set file acl on file test (Operation not permitted).

Also I change permission on test directory to 777 and delete options "create mask", "directory mask", "admin users". Now I can't even add a new user to file permission.
Vladyslav Greyswandir (21 rep)
Jun 26, 2018, 08:23 AM • Last activity: Aug 1, 2025, 11:04 AM
4 votes
1 answers
390 views
On Debian, XFS, I can edit a file of another user with permissions 644 without ACL
Today to my surprise I have noticed that I may delete a file that was created by a user with UID 100024 while being logged to my normal user (UID 1000) shell. The UID 100024 is a subuid, it is how the user inside the rootless podman container looks in top processes, also in ls -l output. The cat /etc/subuid out is myuser:100000:65536, same for the subgid. The sudo sysctl kernel.unprivileged_userns_clone out is kernel.unprivileged_userns_clone = 1 the getfacl /the/file shows
user::rw-
group::r--
other::r--
The grep CONFIG_USER_NS /boot/config-$(uname -r) out is CONFIG_USER_NS=y. To even a bigger surprise, I was able to edit a file created by UID 1000 user in the volume mapped folder, from inside the container! The file had 644 permissions and was owned by nobody:nogroup. I'm pretty sure I could not do these operations in the past. Anything has happened to my 6.1.0-32-amd64 Debian? The filesystem is xfs. ls -hal for the directory returns:
drwxrwxr-x+ 12 pod_yt      root        4.0K Jul 19 17:09 name_of_the_dir
and the getfacl for the dir returns
user::rwx
user:myuser:rwx
user:name_of_the_user_for_uid_100024:rwx
group::r-x
mask::rwx
other::r-x
Václav (153 rep)
Jul 29, 2025, 02:14 PM • Last activity: Jul 30, 2025, 03:40 PM
0 votes
1 answers
3677 views
How can I repair PolKit?
First let me describe my system. It's Mint 19.0 (Tara). Mint itself isn't the problem, but its upgrade mechanism seems to have triggered the issue. It came after upgrading from Mint 18.3 to 19.0. I did post a question on Mint's forums, but then I did not know what was broken, and in the process of finding that out I kind of "overloaded" my issue report there. So I try to be concise here.

PolicyKit has some problem authorizing privilege escalation. I am the owner of the system, and previously there were only my account and a guest account. After upgrading, I could no longer launch Synaptic via the menu (which calls synaptic-pkexec) and all other programs that need privilege escalation also won't start, leaving a fail message in auth.log. No dialog pops up asking for my password. Launching synaptic-pkexec from command line simply yields

Error executing command as another user: Not authorized

This incident has been reported.

Quote from auth.log:

Jul 15 12:07:42 MYMACHINE polkit-agent-helper-1: pam_unix(polkit-1:auth): conversation failed
Jul 15 12:07:42 MYMACHINE polkitd(authority=local): Unregistered Authentication Agent for unix-session:c2 (system bus name :1.61, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8) (disconnected from bus)
Jul 15 12:07:42 MYMACHINE polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action com.ubuntu.pkexec.synaptic for unix-process:9863:4513929 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:MYUSERACCOUNT)
Jul 15 12:07:42 MYMACHINE pkexec: MYUSERACCOUNT: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/MYHOMEDIR] [COMMAND=/usr/sbin/synaptic]
Jul 15 12:07:42 MYMACHINE polkit-agent-helper-1: pam_unix(polkit-1:auth): auth could not identify password for [MYUSERACCOUNT]
Jul 15 12:07:42 MYMACHINE polkitd(authority=local): Registered Authentication Agent for unix-session:c2 (system bus name :1.220 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)

My guest account, however, can do everything. It is asked for the password, and then Synaptic, Upgrade Manager, just everything works as intended. Also, when I create new users (regardless whether they are created as admins or as users, and added to sudo group) they also can do everything. So I figure it is somehow connected to the user ID.

Another observation: I know GUI programs shouldn't be launched via sudo. But when I issue sudo synaptic-pkexec - Synaptic starts...

I have already checked that

1. PolKit Daemon is running via Autostart
2. PolKit Agent for Gnome is running via Autostart
3. file permissions for the user home directory are set correctly

I also did
apt-get install --reinstall
on everything PolKit related. Everything else besides PolKit runs just fine... I can add inxi statement, if that helps.
hman2 (1 rep)
Jul 15, 2021, 12:02 PM • Last activity: Jul 30, 2025, 01:00 PM
2 votes
0 answers
49 views
All users obtain root privileges after logging in and are unable to exit, even if they are just regular users
In the Ubuntu 24.04 LTS release, all users (including those not in the sudoers group) who log in and use commands such as whoami, id -un, and view UID will be displayed as root users with root privileges, even if the username displayed after logging in is a normal regular username. Therefore, ordinary users are able to write files as root in restricted directories (such as system folders or other user directories). This completely confuses the permissions of the entire system. Here's an example user:
getent passwd fsy
fsy:x:1001:1001:,,,:/home/fsy:/bin/bash
Does anyone know how to solve this problem ...
胡钰承 (21 rep)
Jul 29, 2025, 11:06 PM • Last activity: Jul 29, 2025, 11:13 PM
0 votes
4 answers
5294 views
Effective ACL permissions changing permissions
From a bash shell script, I am creating a folder and storing the mysqldump there. I am sure that there is no command related to permissions in my script. To allow another user to access these files, I have used ACL, but when he tried to access the file, he got permission denied issue, and issue is with effective permissions of ACL. The owner of the directory is ola and new user who is trying to access the folder is uber and folder is gettaxi

### Permissions of Parent directory

[/omega/olabooktmp]# getfacl .
# file: .
# owner: ola
# group: ola
user::rwx
user:uber:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:uber:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

### Permissions of Child directory

[/omega/olabooktemp]# getfacl gettaxi/
# file: gettaxi/
# owner: ola
# group: ola
user::rwx
user:uber:rwx #effective:---
group::r-x #effective:---
mask::---
other::---
default:user::rwx
default:user:uber:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

I see like for new directory gettaxi mask permissions are mask::---, so I think this is causing issue, but I am unable to understand completely and how to solve this issue. Any suggestions greatly appreciated. Thank you.
Raja G (6177 rep)
Mar 17, 2020, 09:58 AM • Last activity: Jul 28, 2025, 06:04 AM
1 votes
1 answers
2983 views
SSH Public Key Authorization error Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
I am trying to SSH onto my server with the command
ssh -i key.pem ec2-user@ip_address
as I did with no issues last week but this week it is giving me an error of only
ec2-user@ip_address:Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
which I got before that led me to connecting to wrong server / having key in wrong file but I fixed that so I know that isn't the problem. This is the error message I am receiving when trying to connect.
ssh -vvv -i key1.pem ec2-user@34.255.97.122
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "34.255.97.122" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 34.255.97.122 [34.255.97.122] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file key1.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file key1.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 34.255.97.122:22 as 'ec2-user'
debug3: hostkeys_foreach: reading file "/home/ubuntu/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/ubuntu/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys from 34.255.97.122
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:  compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:  compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:KcJCcNrItmtT7CwXIEndRD42wLyphxOtQR540TzFbSk
debug3: hostkeys_foreach: reading file "/home/ubuntu/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/ubuntu/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys from 34.255.97.130
debug1: Host '34.255.97.130' is known and matches the ECDSA host key.
debug1: Found key in /home/ubuntu/.ssh/known_hosts:7
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: key1.pem ((nil)), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: key1.pem
debug3: sign_and_send_pubkey: RSA SHA256:ROAQ4zFxWIgz+DlQwSwqivDbjdPsFEh1LCmRYMc/iss
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
ec2-user@34.255.97.130: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Any help would be appreciated as my only solution is from more experienced people.
Decjk (11 rep)
Jul 6, 2021, 05:51 PM • Last activity: Jul 26, 2025, 12:10 AM
2 votes
1 answers
2087 views
Linux blocks file access from Windows (shared NTFS drive)
I have 2 OSs on my laptop: Windows 7 on its own NTFS partition and Debian Jessie on its own ext4 partition. I also have a separate NTFS partition for my data which is shared between OSs. In Debian my data partition is mounted automatically after boot using this line in /etc/fstab:

```
UUID=4E2831122830FA93 /media/data ntfs defaults,permissions 0 0
```

I need "permissions" here to be able to grant ownership of some folders and files to my user account (which doesn't have administrator's rights). Note that some time ago it was with "ntfs-3g", not "ntfs". I made this change hoping to solve the problem, but it didn't help.

So, the problem is: When I open Windows, I do not have permissions to use any file in the folder for which I have changed permissions from root to my account in Debian. I always get "access denied". Note that my account on Windows has administrator's rights.

In the properties of the folder I have troubles with, I can see that it is set to deny access for everyone. I tried to remove this setting and got "access denied" again. And I still can't access my files from Windows. I also see the setting to allow full control to "S-1-5-21-3141592653-589793238-462843383-12000". And the owner of the folder is "Account Unknown(S-1-5-21-3141592653-589793238-462843383-12000)".

I need to find a way to give the proper rights to my Windows account. How can I tell Debian that my accounts on Windows and Linux are of the same person and the two accounts are both owners?

I would be very happy to get help. Thank you in advance!
Alexandr Gnatyuk (103 rep)
Nov 20, 2016, 02:48 PM • Last activity: Jul 25, 2025, 12:04 AM
0 votes
1 answers
1909 views
Permissions Issue creating folder on remote host with Jenkins
I'm having an issue with using Jenkins to create a folder on a remote host. The remote host in this case is a stock Ubuntu 20.04 AMI EC2 server with the default `ubuntu` user. I am connecting with the `ubuntu` user to the remote server with the code below:

```groovy
sshagent(credentials : [branchConfig.SSH_CREDENTIALS_NAME]) {
    sh 'ssh -o StrictHostKeyChecking=no ' + branchConfig.SSH_USER + '@' + branchConfig.DOCKER_HOST + ' "echo \"running whoami\" && whoami && echo \"running groups\" && groups && install --directory --mode 0755 --owner ' + branchConfig.SSH_USER + ' --group ' + branchConfig.SSH_USER + ' ~/importengine"'
}
```

This outputs the following error:

```
+ ssh -o StrictHostKeyChecking=no ubuntu@x.x.x.x echo running whoami && whoami && echo running groups && groups && install --directory --mode 0755 --owner ubuntu --group ubuntu ~/importengine
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
running whoami
ubuntu
running groups
ubuntu docker
install: cannot change owner and permissions of ‘/home/ubuntu/importengine’: Operation not permitted
```

I can see that the folder gets created, but it has the following permissions:

```
drwxr-xr-x 2 root   root   4.0K Oct 13 11:12 importengine
```

If I delete the folder and run the following command (when logged in as ubuntu):

```
install --directory --mode 0755 --owner ubuntu --group ubuntu ~/importengine
```

...then the folder gets created with the following permissions:

```
drwxr-xr-x 2 ubuntu ubuntu 4.0K Oct 13 11:24 importengine
```

### Question

**Why is the folder getting created as owned by root in the first place?** After all, I can clearly see that whoami outputs as ubuntu, and not root in the error output so it should be creating the folder as the ubuntu user.
Programster (2289 rep)
Oct 13, 2021, 11:26 AM • Last activity: Jul 22, 2025, 12:10 AM
0 votes
1 answers
2287 views
How to run external executables within firejail
My machine is a home desktop (personal) running Debian Buster with the i3 window manager. I recently installed firejail with `apt install firejail* firetools` and also downloaded the new Firefox 83 browser from the Firefox official website. I can run the firefox binary as a non-firejail user, as in, navigating to the new firefox directory and running

```
[user@debian]:$ ./firefox
```

It works fine and all. However, if I try doing

```
firejail --noprofile --seccomp --private --nonewprivs /home/user/downloads/firefox/firefox
```

it says the file firefox isn't executable. Running `ls -l` on the executable returns that it is executable.

Then I copied the whole new firefox directory to /tmp/, then opened a new firejail bash session with `firejail --seccomp --private --nonewprivs bash`, then started a sandboxed bash session. Then I copied the firefox directory from /tmp/ to $HOME and tried running the firefox binary from there, and it says permission denied. The file was executable, and was owned by the same user.

What am I doing wrong here?
atheros (256 rep)
Dec 2, 2020, 09:31 AM • Last activity: Jul 19, 2025, 10:01 PM
3 votes
1 answers
49 views
File access permissions missing after setuid() system call
I have a file access problem in a self developed daemon process after a setuid() system call. I already posted this question to SO but the impression is that the problem is not C++ related but Linux related and so maybe there is someone here who could help me solving it.

My daemon program cannot access a configuration file after a setuid(iUid) system call even though iUid is owner of the configuration file. Why?

I am writing a controller daemon in C++ for home automation which finally will run on a Raspberry Pi with Raspberry Pi OS. It is started with root permissions as after start it should read an SSL certificate which only root is granted read access. After the SSL certificate is read the daemon should switch to user 'pvmonitor' as root permissions are no longer needed. This is done by setuid( iUid ); and I have checked with ps that the process runs as user 'pvmonitor'.

The configuration file for this daemon is located at /etc/SmartHome/converd.conf and is owned by user pvmonitor.

```
ls -la /etc/SmartHome/
total 24
drwxrwx---+   2 pvmonitor www-data 4096 Jul 17 20:07 .
drwxr-xr-x+ 107 root      root     4096 Jul 17 20:07 ..
-rw-r-----+   1 pvmonitor www-data  705 Jul 17 20:07 coverd.conf
```

The Raspberry Pi is booted from network and the file system is mounted from a NAS which provides an ACL. Also ACL grants access permission to user pvmonitor:

```
getfacl /etc/
getfacl: Removing leading '/' from absolute path names
# file: etc/
# owner: root
# group: root
user::rwx
[...]
group::---
group:users:rwx       #effective:r-x
group:www-data:r-x
mask::r-x
other::r-x
[...]

getfacl /etc/SmartHome/
getfacl: Removing leading '/' from absolute path names
# file: etc/SmartHome/
# owner: pvmonitor
# group: www-data
user::rwx
[...]
user:pvmonitor:rwx
[...]
group::---
[...]
group:www-data:r-x
mask::rwx
other::---
[...]

getfacl /etc/SmartHome/coverd.conf
getfacl: Removing leading '/' from absolute path names
# file: etc/SmartHome/coverd.conf
# owner: pvmonitor
# group: www-data
user::rw-
[...]
user:pvmonitor:rwx    #effective:r--
[...]
group::---
[...]
group:www-data:r-x    #effective:r--
mask::r--
other::---
```

In addition the output of stat:

```
stat /etc
  File: /etc
  Size: 4096  Blocks: 16  IO Block: 4096  directory
Device: 0,22  Inode: 74579976  Links: 107
Access: (0755/drwxr-xr-x)  Uid: ( 0/ root)  Gid: ( 0/ root)
Access: 2024-12-03 22:14:03.809660810 +0100
Modify: 2025-07-17 20:07:13.645754180 +0200
Change: 2025-07-17 20:07:13.645754180 +0200
 Birth: -

stat /etc/SmartHome/
  File: /etc/SmartHome/
  Size: 4096  Blocks: 16  IO Block: 4096  directory
Device: 0,22  Inode: 74581572  Links: 2
Access: (0770/drwxrwx---)  Uid: ( 1004/pvmonitor)  Gid: ( 133/www-data)
Access: 2025-07-17 20:06:03.525754180 +0200
Modify: 2025-07-17 20:07:08.395754180 +0200
Change: 2025-07-17 20:35:52.235754180 +0200
 Birth: -

stat /etc/SmartHome/coverd.conf
  File: /etc/SmartHome/coverd.conf
  Size: 705  Blocks: 16  IO Block: 131072  regular file
Device: 0,22  Inode: 74581810  Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1004/pvmonitor)  Gid: ( 133/www-data)
Access: 2025-07-17 20:07:08.395754180 +0200
Modify: 2025-07-17 20:07:08.395754180 +0200
Change: 2025-07-18 09:33:38.783696180 +0200
 Birth: -
```

With sudo -u pvmonitor less /etc/SmartHome/coverd.conf I can read the configuration file without any problem. But when I try to open the configuration file in my daemon process after the setuid(); command I get a "permission denied" error.

Here is a minimum reproducible example which is based on excerpts of my daemon's code:

```cpp
#include <cstdio>       // fopen, fgets, fclose, perror
#include <iostream>
#include <sys/types.h>  // uid_t
#include <unistd.h>     // getuid, setuid

const char *ptConfigFile = "/etc/SmartHome/coverd.conf";

void printConfig( void )
{
  std::cout << "Try to open file " << ptConfigFile << std::endl;
  FILE *ptfTest;
  ptfTest = fopen( ptConfigFile, "r" );
  if (ptfTest != nullptr)
  {
    char sLine[1024];
    // Loop on fgets() itself so the last line is not printed twice at EOF.
    while (fgets(sLine,1023,ptfTest) != nullptr)
    {
      std::cout << sLine;
    }
    fclose( ptfTest );
  }
  else
    perror( "Failed to open file" );
}

int main(int argc, char **argv )
{
  int iUid = 1004;
  std::cout << "User id is now " << getuid() << std::endl;
  printConfig();
  std::cout << "Switch to user id " << iUid << std::endl;
  if (iUid == 0 || setuid(iUid)== 0)
  {
    std::cout << "User id is now " << getuid() << std::endl;
    printConfig();
    return 0;
  }
  std::cerr << "Could not switch user id." << std::endl;
  return -1;
}
```

1004 is the user id of user pvmonitor. The output of this example is:

```
sudo ./test
User id is now 0
Try to open file /etc/SmartHome/coverd.conf
CERTFILE=[...]
[...]
Switch to user id 1004
User id is now 1004
Try to open file /etc/SmartHome/coverd.conf
Failed to open file: Permission denied
```

In addition here is the output when I run the test program with strace:

```
sudo strace ./test
execve("./test", ["./test"], 0x7fc90538b0 /* 13 vars */) = 0
[...]
setuid(1004) = 0
getuid() = 1004
write(1, "User id is now 1004\n", 20User id is now 1004
) = 20
write(1, "Try to open file /etc/SmartHome/"..., 44Try to open file /etc/SmartHome/coverd.conf
) = 44
openat(AT_FDCWD, "/etc/SmartHome/coverd.conf", O_RDONLY) = -1 EACCES (Permission denied)
dup(2) = 3
fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
newfstatat(3, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x2), ...}, AT_EMPTY_PATH) = 0
write(3, "Failed to open file: Permission "..., 39Failed to open file: Permission denied
) = 39
close(3) = 0
exit_group(0) = ?
```

What am I doing wrong?
Holger (33 rep)
Jul 17, 2025, 06:37 PM • Last activity: Jul 18, 2025, 12:24 PM
1 votes
2 answers
2320 views
Allow a user group read, write, execute access to a particular directory
I want to grant a group **"usera"** rwx permission to a directory. The directory is already owned by a user that belongs to this group **"usera"**. The name of the username and group is the same.

**Current Permissions:**

If I check the current permissions of that directory by running the following command:

```
ls -la
```

Following is the output:

```
drwxrwsrwx 2 usera usera 4096 Jan 9 09:30 .
```

Desired Output:

```
drwxrwxrwx 2 usera usera 4096 Jan 9 09:30 .
```

**Problem Statement:**

The problem is that the above-mentioned **usera** doesn't have ssh access to the server. So, I have to log in via another user with admin privileges. And I want to grant group **"usera"** rwx permissions on a particular directory `/opt/test/abcd`. But I am unable to figure out which command to run. I know we can grant permissions by using the chmod command, but how to apply it in this context?
omer khalid (111 rep)
Jan 9, 2018, 10:30 AM • Last activity: Jul 17, 2025, 02:00 PM
7 votes
1 answers
5653 views
rsync_xal_set: lremovexattr("/my/path/file.zPXUj1","security.selinux") failed: Permission denied (13)
I am currently migrating from Ubuntu 20.04 to Fedora 34. Following backup script has worked fine so far:
```bash
# Source is a remote NAS (via ssh); $TARGET is an external USB disk on the Fedora desktop.
rsync                        \
  -avixXEH                   \
  --stats                    \
  --delete                   \
  --numeric-ids              \
  --log-file="$LOG_FILE"     \
  --link-dest "$LATEST"      \
  --exclude '/some/exclude'  \
  admin@nas:/{a,b,c}         \
  "$TARGET"
```
Unfortunately on Fedora, every copied path now results in a warning, polluting the log:

> rsync_xal_set: lremovexattr("/my/path/file.zPXUj1","security.selinux") failed: Permission denied (13)

## Research

This seems to be an issue with rsync wanting to preserve/erase extended attributes (-X) and SELinux. Recent quote from Michal Ruprich, Red Hat:

> This was 'fixed' in RHEL5 by suppressing the error message so that it does not disrupt running systems. [...]
>
> "rsync-2.6 does not remove extended attribute of target file in the case that this attribute has been erased in the source file. Lets call it bug.
>
> rsync-3.0 correctly tries to remove erased extended attributes.
>
> If the selinux is present on the target system, rsync can't erase security context of file and it outputs mentioned error. The behaviour of 2.6 and 3.0 is therefore identical except the informational error message."

Using rsync 3.2.3 with a non-SELinux source, my interpretation is - please correct me otherwise: Copying files from a source without SELinux to a target using this security feature is interpreted as deleting the extended "security.selinux" file attribute. And rsync cannot remove it due to SELinux security restrictions on the target. Which raises the question:

## How to suppress these warnings?

I still would like to copy extended attributes with -X and *not* temporarily disable complete SELinux as suggested here. Also, stumbled over an alternative that suggests `setsebool -P rsync_full_access 1` - not sure what that does exactly.

It really would be nice to solve the problem at its root only for this particular case: Given USB disk mount point /run/media/user/, is there some way to grant necessary permissions in SELinux just for this path or similar?

Thanks in advance
grisha (71 rep)
May 4, 2021, 07:09 PM • Last activity: Jul 16, 2025, 11:06 PM
3 votes
0 answers
76 views
Allow Wayland access to Distrobox running as another user
This is certainly a niche use-case, so I ask you to bear with me. My goal is to run a proprietary application within Distrobox. I don't want to expose my local username (reused online) to said application, hence I'm trying to run this as a different local user.

### Starting point ###

It's already possible to run an application on the host as a different user, even if it's not the most secure method in the world, thanks to [this answer by Sam Mason](https://unix.stackexchange.com/a/791365/8305). To summarize, assuming the secondary, non-session username is other, you need to do the following:

```
$ sudo chown :other "$XDG_RUNTIME_DIR" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
$ chmod g+rwx "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
$ chmod g+x "$XDG_RUNTIME_DIR"
$ machinectl shell \
  --setenv=WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \
  --setenv=XDG_SESSION_TYPE \
  other@
```

And with just that, you can run any Wayland application within the context of the other user in your current session.

### XWayland works too ###

With a few additions to the above method, you can get X applications (such as Steam and myriad other Electron crapware) to run as the other user:

```
$ xhost +local:
$ machinectl shell \
  --setenv=WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \
  --setenv=XDG_SESSION_TYPE \
  --setenv=DISPLAY \
  other@
```

**Disclaimer** I don't understand the security implications of xhost (or assigning those permissions to the $WAYLAND_DISPLAY) and if there are safer alternatives, whether better permissions or a different method entirely. If you want to use this method, do so at your own risk. The xhost command is a suggestion from [this guide](https://www.siberoloji.com/how-to-use-distrobox-for-containerized-apps-on-arch-linux/#7-running-gui-applications-from-the-container).

### The problem with Wayland in another user's Distrobox ###

As I mentioned above, using this method applications run perfectly fine whether Wayland or XWayland. When it comes to Distrobox, however, only the X applications run fine. Any Wayland application within Distrobox (and running as a different user) refuses to start and always crashes with some variant of unable to open display errors.

How do I go about debugging this issue? How come passing DISPLAY works perfectly, but fails with WAYLAND_DISPLAY? Any hint would be appreciated. As I mentioned before, this is a niche edge case. I don't expect solutions outright, just showing me a potential path forward would be much appreciated.

**PS** As an aside, theoretically there might be a way to accomplish my original goal (not exposing my local username to Distrobox) without going through such rigmarole. When initializing a Distrobox container, it [actually creates a user](https://distrobox.it/usage/distrobox-init/) within it with the same name as the local username and assigns the same UID and GID. If Distrobox would just let the username variable be set manually, it'd probably do exactly what I want... It's as frustrating as you might imagine. I asked if there's any way for me to modify it on [GitHub issues](https://github.com/89luca89/distrobox/issues/1783), but I'm suffering in silence.
Oxwivi (1792 rep)
Jul 6, 2025, 07:03 PM • Last activity: Jul 12, 2025, 11:50 AM
0 votes
0 answers
28 views
With NTFS-3G & permission control, how to avoid "Deny" permission being added which overrides permission of file owner?
When a logical NTFS partition is mounted on Linux using NTFS-3g + "permission" mounting option + UserMapping, I often found that "execution" permission of the same file may be different on Windows or Linux. E.g. a binary executed by "Peng Cheng" on Linux will look like this on Windows:

[image: Windows File Permission]

It appears that a blanket "Deny" permission was added by the NTFS-3g driver to block all execution, even by the owner of the file. This behaviour is triggered regardless of the "acl" mounting option or other options.

What can I do to disable this behaviour?
tribbloid (63 rep)
Jul 9, 2025, 04:55 PM • Last activity: Jul 12, 2025, 04:56 AM
1 votes
1 answers
2134 views
Why I cannot find (using which) usermod as a regular user in RHEL7
Any ideas why the `which` command is unable to find the `usermod` command in RHEL 7? Here is what I did (and corresponding output):

```
[ec2-user@ip-10-0-4-109 ~]$ echo $PATH
/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/ec2-user/.local/bin:/home/ec2-user/bin
[ec2-user@ip-10-0-4-109 ~]$ which usermod
/usr/bin/which: no usermod in (/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/ec2-user/.local/bin:/home/ec2-user/bin)
[ec2-user@ip-10-0-4-109 ~]$ sudo su
[root@ip-10-0-4-109 ec2-user]# which usermod
/sbin/usermod
[root@ip-10-0-4-109 ec2-user]# readlink -f /sbin/
/usr/sbin
```

So the gist of the issue is that usermod is physically located in /usr/sbin/usermod. This directory /usr/sbin is in ec2-user's search path. But for some reason the which command is not returning it when I run it as ec2-user. Any ideas why this is happening on RHEL 7? I also have Ubuntu 14.04 and it works as expected (both root and regular user can see usermod in /usr/sbin).

After initial post here is what else I found out:

+++++++++++++++++++++++++++++++++++++++++

I found some additional information and I think this may have something to do with this:

On RHEL 7 the permission bits for usermod:

```
-rwxr-x---. 1 root root 113800 Jun 28 2016 /usr/sbin/usermod
```

On Ubuntu 14.04 the permission bits for usermod:

```
-rwxr-xr-x 1 root root 110296 May 16 19:37 /usr/sbin/usermod
```

So I am guessing not having read permission for regular user on usermod may be causing this?
sshekhar1980 (541 rep)
May 28, 2017, 02:09 PM • Last activity: Jul 11, 2025, 11:02 AM