I have trouble with ACL in my docker container.
As you can see below, I set read/write permissions for user "ts" on "/opt/transfer_station/webapp/logs". This works for the folder "/opt/transfer_station/webapp/logs" but not for the file /opt/transfer_station/webapp/logs/debug.log in it. Why does it not work?
[root#lx-ts logs]# setfacl -Rdm u:ts:rw,g:ts:rw /opt/transfer_station/webapp/logs
[root#lx-ts logs]# echo $?
0
[root#lx-ts logs]# getfacl /opt/transfer_station/webapp/logs
getfacl: Removing leading '/' from absolute path names
# file: opt/transfer_station/webapp/logs
# owner: apache
# group: apache
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rw-
default:user:ts:rw-
default:group::r-x
default:group:apache:rw-
default:group:ts:rw-
default:mask::rwx
default:other::r-x
[root#lx-ts logs]# getfacl /opt/transfer_station/webapp/logs/debug.log
getfacl: Removing leading '/' from absolute path names
# file: opt/transfer_station/webapp/logs/debug.log
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root#lx-ts logs]# whoami
root
Btw. I tried it with docker option OPTIONS='--storage-driver=devicemapper' and without it. SELinux is in permissive mode and does therefore not block anything.
If I attach to the container, create a test file in the folder, the ACLs are inherited as I expect:
[root#lx-ts transfer_station]# touch webapp/logs/test
[root#lx-ts transfer_station]# getfacl webapp/logs/test
# file: webapp/logs/test
# owner: root
# group: root
user::rw-
user:apache:rw-
user:ts:rw-
group::r-x #effective:r--
group:apache:rw-
group:ts:rw-
mask::rw-
other::r--
I am running Centos 7.1 and Docker version 1.7.1, build 446ad9b/1.7.1.
I have also added the CAP_FOWNER to the container (using --cap-add=FOWNER) but that does not solve the problem neither.
Any ideas?
Got it:
setfacl -Rm u:ts:rw,g:ts:rw /opt/transfer_station/webapp/logs
setfacl -d is for directories only. I had to remove it to make it work :/
I just rooted my Nexus 5 using this method: http://www.phonearena.com/news/How-to-root-Google-Nexus-5_id49014
I also enabled USB debugging in the developer options.
Then I tried to pull a database file from my device using this command:
adb pull /data/data/path.to.package/databases/data /sdcard/test
I get permission denied error.
I don't have the debugged flag set in that app I tried to access. Is that the reason I can't access that file? If yes, are there any workarounds to access an apps files?
You can use run-as shell command to access private application data.
If you only want to copy database you can use this snippet, provided in
https://stackoverflow.com/a/31504263/998157
adb -d shell "run-as com.example.test cat /data/data/com.example.test/databases/data.db" > data.db
I had the same problem. My work around is to use adb shell and su. Next, copy the file to /sdcard/Download
Then, I can use adb pull to get the file.
Did you try adb remount after giving adb root?
This generic solution should work on all rooted devices:
adb shell "su -c cat /data/data/com.android.providers.contacts/databases/contacts2.db" > contacts2.d
The command connects as shell, then executes cat as root and collects the output into a local file.
In opposite to #guest-418 s solution, one does not have to dig for the user in question.
Plus If you get greedy and want all the db's at once (eg. for backup)
for i in `adb shell "su -c find /data -name '*.db'"`; do
mkdir -p ".`dirname $i`"
adb shell "su -c cat $i" > ".$i"
done
This adds a mysteryous question mark to the end of the filename, but it is still readable.
If you get could not copy and permissions are right disable selinux.
Check if selinux is enabled.
$ adb shell
$su
# getenforce
Enforcing
Selinux is enabled and blocking/enforcing.
Disable selinux
# setenforce 0
do your stuff and set selinux to enforcing.
# setenforce 1
I had just the same problem, here's how to deal with it:
adb shell to the device
su
ls -l and check current access rights on the file you need. You'll need that later.
go to the file needed and: chmod 777 file.ext. Note: now you have a temporary security issue. You've just allowed all the rights to everyone! Consider adding just R for users.
open another console and: adb pull /path/to/file.ext c:\pc\path\to\file.exe
Important: after you're done, revert the access rights back to the previous value (point 3)
Someone mentioned something similar earlier.
Thanks for the comments below.
This answer ended up working for me: https://stackoverflow.com/a/15559278/53001
Backup to a file, pull the backup, and then convert it to a tarball and extract it.
adb backup -f myAndroidBackup.ab com.corp.appName
dd if=myAndroidBackup.ab bs=1 skip=24 | python -c "import zlib,sys;sys.stdout.write(zlib.decompress(sys.stdin.read()))" | tar -xvf -
$ adb shell
$su
# getenforce
Enforcing
now try
adb shell
su
chmod 777 /path/to/yout_file
exit from shell
open new CMD and try adb pull /path/to/yout_file
It will work fine now.
you'll have security problems because of this any application will be able to access your database.
#guest-418 tips works well:
adb -d shell "run-as com.example.test cat /data/data/com.example.test/databases/data.db" > data.db
However, if you want to use a GUI, use Android Studio's Device File Explorer.
Launch Android Studio
Click on Device File Explorer at bottom right-side
Navigate to your app's file:
/data/data/path.to.package/databases/data
Right-mouse click select Save As and save to a local folder
I have been having Android Monitor hang on me lately on macOS. Device File Explorer works well for this purpose.
Create a folder in sdcard :
adb shell "su 0 mkdir /sdcard/com.test"
Move your files to the new folder :
adb shell "su 0 mv -F /data/data/com.test/files/ /sdcard/com.test/"
You can now use adb pull :
adb pull /sdcard/com.test
When executing adb commands, by default, a limited privileges user is used, the same kind of limited privilege user that is assigned to an app, and you have requested for all privelages to use all features of the device.
This kind of limited user helps protect your phone from malware, by restricting the access between apps, and the system. This is the reason you are unable to access app data and system data on an unrooted phone. The act of rooting means becoming user 0, the super user of the system, capable of any action, and is the highest privilege. Your apps however, are still secure in that they can not talk to eachother.
Now when accessing secure files, note that you do not want to change the permissions of the file when you access it, which may allow for vulnerabilities.
An option that you could use instead, is to make a copy of the file on the sdcard as root, modify that as a standard user, and then move it back into the filesystem as root, while preserving the file permissions of the original file.
Since I've updated to Android Oreo, I had to use this script to fix 'permission denied' issue.
This script on Mac OS X will copy your db file to Desktop. Just change it to match your ADB_PATH, DESTINATION_PATH and PACKAGE NAME.
#!/bin/sh
ADB_PATH="/Users/xyz/Library/Android/sdk/platform-tools"
PACKAGE_NAME="com.example.android"
DB_NAME="default.realm"
DESTINATION_PATH="/Users/xyz/Desktop/${DB_NAME}"
NOT_PRESENT="List of devices attached"
ADB_FOUND=`${ADB_PATH}/adb devices | tail -2 | head -1 | cut -f 1 | sed 's/ *$//g'`
if [[ ${ADB_FOUND} == ${NOT_PRESENT} ]]; then
echo "Make sure a device is connected"
else
${ADB_PATH}/adb exec-out run-as ${PACKAGE_NAME} cat files/${DB_NAME} > ${DESTINATION_PATH}
fi
This is a bit late, but installing adbd Insecure worked for me. It makes adb run in root mode on production ("secure") devices, which is what you likely have.
A paid version is also available on Google Play if you want to support the developer.
I had a similar problem to yours on windows as the following.
D:\ProgramFiles\Android> adb pull /data/local/tmp/com.packagename_dumped_1766.dex D:\ProgramFiles\Android\com.packagename_dumped_1766.dex
adb: error: failed to copy '/data/local/tmp/com.packagename_dumped_1766.dex' to 'D:\ProgramFiles\Android\com.packagename_dumped_1766.dex': remote Permission denied
My solution:
At first I also made an attempt to use cat as ansi_lumen answered, but I got into trouble about CR and LR (\r\n) characters.
And then I just had to change those file permisions by chmod and pulled again to this problem was solved without introducing other problems. After that, may
we need to restore their original permissions as Goran Devs answered.
So just pay a little attention.
TL;DR
My story:
Firstly, I used the cat to download all files from android to my windows,
#echo off
cd /d %~dp0
:: %~dp0 = D:\ProgramFiles\Android\
SET ThisBatDir=%~dp0
:: adb shell ls /data/local/tmp/com.packagename_dumped_* > %~dp0\dump_file_list.txt
FOR /f "delims=" %%a in ('adb shell ls /data/local/tmp/com.packagename_dumped_*') do call :processline %%a %%~nxa
goto :eof
:: https://stackoverflow.com/questions/232651/why-the-system-cannot-find-the-batch-label-specified-is-thrown-even-if-label-e
:processline
SET RemoteFullPath=%1
set FileName=%2
:: echo "%RemoteFullPath%|%ThisBatDir%|%FileName%"
call adb shell su -c cat %RemoteFullPath% > %ThisBatDir%%FileName%
goto :eof
:eof
However, those downloaded dex files were broken because of CR and LR (\r\n) characters on windows.
We can use hexdump to inspect its content in Hex+ASCII form (or Notepad++ with "View > Show Symbol > Show All Characters" checked). Note, the 5th and 6th byte (0d 0a)).
ssfang#MONITO ~
$ hexdump -C -n32 /cygdrive/d/ProgramFiles/Android/com.packagename_dumped_1448.dex # a bad dex
00000000 64 65 78 0d 0d 0a 30 33 35 00 f7 8e e4 b5 03 c6 |dex...035.......|
00000010 29 22 98 55 21 e9 70 49 fe c8 e4 cc fa 94 cd 63 |)".U!.pI.......c|
00000020
ssfang#MONITO ~
$ hexdump -C -n32 /cygdrive/d/ProgramFiles/Android/classes.dex # a normal dex
00000000 64 65 78 0a 30 33 35 00 b5 73 03 3a 0b 9d a2 47 |dex.035..s.:...G|
00000010 a8 78 a4 f0 bb e1 64 3f e5 b9 cb a0 bd 1b e2 71 |.x....d?.......q|
00000020
Versions
adb version // to check adb client version in your desktop
adb shell adbd --version // to check adbd's version in your Android. Please note that some users reported error with this if executed without root access.
D:\ProgramFiles\Android>adb version
Android Debug Bridge version 1.0.41
Version 29.0.6-6198805
Installed as D:\ProgramFiles\Android\Sdk\platform-tools\adb.exe
D:\ProgramFiles\Android>adb shell adb version
Android Debug Bridge version 1.0.32
Even if restarting adbd as root, it was still the shell user after .
D:\ProgramFiles\Android> adb root
restarting adbd as root
D:\ProgramFiles\Android> adb shell id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
So I first viewed its file permision,
D:\ProgramFiles\Android> adb shell ls -l /data/local/tmp
-rwsr-sr-x shell shell 589588 2017-09-14 15:08 android_server
-rwsr-sr-x shell shell 1243456 2017-09-14 15:08 android_server64
-rw-rw-rw- shell shell 1536 2020-03-28 17:15 com.packagename.tar.gz
-rw-r----- root root 57344 2020-03-28 17:45 com.packagename_dumped_1766.dex
drwxrwxr-x shell shell 2018-08-12 09:48 device-explorer
-rwsrwsr-x shell shell 13592 2019-02-04 17:44 drizzleDumper
-rwxrwxrwx shell shell 5512504 2018-05-06 01:27 lldb-server
-rwxr-xr-x shell shell 12808 2020-03-26 22:16 mprop
then, changed its permision,
D:\ProgramFiles\Android> adb shell su -c chmod 777 /data/local/tmp/com.packagename_dumped_*
D:\ProgramFiles\Android> adb shell ls -l /data/local/tmp
-rwxrwxrwx root root 57344 2020-03-28 17:45 com.packagename_dumped_1766.dex
As a result, I made it.
D:\ProgramFiles\Android> adb pull /data/local/tmp/com.packagename_dumped_1766.dex D:\ProgramFiles\Android\com.packagename_dumped_1766.dex
/data/local/tmp/com.packagename_dumped_1766.de... 1 file pulled, 0 skipped. 3.6 MB/s (57344 bytes in 0.015s)
Now, jadx-gui-dev.exe or sh d2j-dex2jar.sh -f ~/path/to/apk_to_decompile.apk could properly enjoy them.
The pull command is:
adb pull source dest
When you write:
adb pull /data/data/path.to.package/databases/data /sdcard/test
It means that you'll pull from /data/data/path.to.package/databases/data and you'll copy it to /sdcard/test, but the destination MUST be a local directory. You may write C:\Users\YourName\temp instead.
For example:
adb pull /data/data/path.to.package/databases/data c:\Users\YourName\temp
I'm looking for some help in creating a shell script in Linux to perform a batch ownership change for certain folders in a Plesk environment where the owner:group is apache:apache.
I want to change the owner:group to :psacln.
The FTP user can be ascertained by looking at the owner of the httpdocs folder.
^this is the section I'm having trouble with.
If I was to set all owners to be the same, I could do a one-line:
find /var/www/vhosts/*/httpdocs -user apache -group apache -exec chown user:psacln {} \;
Can anyone help plug the user in to this command?
Thanks
Figured it out... for those who may want to use it in the future:
for dir in /var/www/vhosts/*
do
dir=${dir%*/}
permissions=`stat -c '%U' ${dir##*/}/httpdocs`
find ${dir##*/}/httpdocs -user apache -group apache -exec chown $permissions {} \;
done
Since stat doesn't work on al unices in the same way, I thought I would share my script to set the ownership of all websites to the correct owners in Plesk (tested on Plesk 11, 11.5, 12 and 12.5):
cd /var/www/vhosts/
for f in *; do
if [[ -d "$f" && ! -L "$f" ]]; then
# Get necessary variables
FOLDERROOT="/var/www/vhosts/"
FOLDERPATH="/var/www/vhosts/$f/"
FTPUSER="$(ls -ld /var/www/vhosts/$f/ | awk '{print $3}')"
# Set correct rights for current website, if website has hosting!
cd $FOLDERPATH
if [ -d "$FOLDERPATH/httpdocs" ]; then
chown -R $FTPUSER:psacln httpdocs
chmod -R g+w httpdocs
find httpdocs -type d -exec chmod g+s {} \;
# Print success message
echo "Done... $FTPUSER is now correct owner of $FOLDERPATH."
fi
# Make sure we are back at the root, so we can continue looping
cd $FOLDERROOT
fi
done
\\\
Explanation of code:
Go to vhosts folder
Loop through websites
Store vhosts path, because we are using cdin a loop
If httpdocsfolders exists for the current website, than
set the correct rights of httpdocs and
all underlying folders
Show succes message
cd back to vhosts folder, so we can continue looping
\\\
i'm getting error when i run below command
nagios3 -v /etc/nagios3/nagios.cfg
Error in configuration file '/etc/nagios3/nagios.cfg' - Line 469 (Check result path is not a valid directory) Error processing main config file
So i looked ls -l /var/lib/nagios3/
drwxr-x--- 3 nagios nagios 1024 Mar 14 21:13 spool
In this case, why i'm getting error? Probably i think my /var/lib/nagios3/spool/checkresult/check2JcDx5 file contains wrong line. And when i run below command, i get this output.
#cat check2JcDx5
file_time=1363378360
host_name=localhost
service_description=HTTP
check_type=0
check_options=0
scheduled_check=1
reschedule_check=1
latency=0.122000
start_time=1363378360.122234
Disable SELinux:
# getenforce
# setenforce 0
Edit /etc/selinux/config. Set SELINUX=disabled.
You may be able to install the nagios-selinux package to add the policy to run nagios in an selinux environment. Better than disabling your existing security.
I'm trying to get Nagios to execute a custom java command but I always get error 126.
[1360324906] Warning: Return code of 126 for check of service 'Java Process Test' on host 'localhost' was out of bounds.Make sure the plugin you're trying to run is executable.
Now I've checked few things but as I'm a newbie here I probably missed something.
Here few information about the environment:
-rwxr-xr-x. 1 root root 2938 Aug 17 15:39 check_wave
drwxr-xr-x. 2 root root 4096 Jan 13 15:08 eventhandlers
drwxr-xr-x. 2 root root 4096 Feb 7 17:22 jars
-rwxr-xr-x. 1 root root 38696 Aug 17 15:39 negate
-rwxr-xr-x. 1 root root 886 Feb 8 12:47 test_java_plugin.sh
test_java_plugin.sh is my test script and "jars" is the current dir where the jar is located
Scripts is this:
#!/bin/bash
#This will get the output of process
output=$(/usr/java/latest/bin/java -cp .:/usr/lib64/nagios/plugins/jars/SimpleNagiosPlugin.jar it.nagios.SimpleTest)
#This will catch the result returned by last process that is our java command
java_result=$?
echo "$java_result: $output"
exit $java_result
and is working perfectly when launched manually at console
[root#bw plugins]# ./test_java_plugin.sh
0: This is an OK message
Forgot to add command definition:
# 'test_java_plugin' command definition
define command{
command_name test_java_plugin
command_line $USER1$/test_java_plugin.sh
}
Also as as per request into comment I'm adding also the current java code of my test class
public static void main(String[] args) {
System.out.println("This is an OK message");
System.exit(0);
}
Just launching the command from a shell I got still 0:
[root#bw plugins]# /usr/java/latest/bin/java -cp .:/usr/lib64/nagios/plugins/jars/SimpleNagiosPlugin.jar it.nagios.SimpleTest
This is an OK message
[root#bw plugins]# echo $?
0
What else should I check to determine what is going wrong here?
I faced a similar issue and found that SELinux was blocking me. The same can be checked in /var/log/audit/audit.log
If you get denied errors for nagios_t/nagios_system_plugin_t, add them to the permissive list of selinux using the below command rather than turning it off completely
semanage permissive -a nagios_t
you should try to run test_java_plugin.sh as nagios user, you can give nagios a shell (temporary) . Take into account that the root environment is different from the nagios environment . When running test_java_plugin.sh as nagios , you can add "env > env_log_file" to see what is the environment during the run time.
Good luck.
Error 126 Means that the plugin was found but not executable.
You can try 2 things.
Try running the plugin as nagios user and check for the error.
or
This did work out for one issue i had. Try it out. hopefully it may work
/bin.bash -l -c "/#{path to plugin}/test_java_plugin.sh"