Thursday, December 12, 2024

umask and default file permission in Linux

You can find the umask value in your Linux account by typing "umask" on the command line:

$ umask
0077

The server-wide default umask is defined in /etc/login.defs (or possibly in /etc/profile, /etc/bashrc or /etc/cshrc). Note that the contents of those files (and therefore the umask value) may change when the OS is upgraded from RHEL7 to RHEL8.

$ more /etc/login.defs
MAIL_DIR                /var/spool/mail
PASS_MAX_DAYS   90
PASS_MIN_DAYS    7 
PASS_WARN_AGE  7
PASS_MIN_LEN     8
UID_MIN               1000
UID_MAX              60000
GID_MIN              1000
GID_MAX             60000
CREATE_HOME     yes
UMASK                  077
USERGROUPS_ENAB yes
ENCRYPT_METHOD   sha512

$ egrep -i umask /etc/bashrc

Under 0077, any file you create will have "-rw-------" permission, which means only you can read and write it.

$ touch test1.del
$ ls -al test1.del
-rw-------. 1 userID Group 0 Feb 02 13:25 test1.del

But you can set your own umask in .profile for your account. Sometimes other users need to read or modify files created by a service account, or you want others to read your files. To override the server-level default, add one line to the account's .profile:

$ vi $HOME/.profile
umask u=rwx,g=rwx,o=rx
or
umask  0002

After you log in again, the account's umask will be 0002. Any file created by that account will then get "-rw-rw-r--" permission.

$ umask
0002
$ touch test2.del
$ ls -al test2.del
-rw-rw-r--. 1 userID Group 0 Feb 02 13:55 test2.del

Now, other users can read it.

If you put "umask u=rwx,g=rwx,o=rwx" or "umask  0000" in .profile, any new file will get "-rw-rw-rw-" permission (666). 

$ vi $HOME/.profile
umask u=rwx,g=rwx,o=rwx

$ umask
0000
$ touch test3.del
$ ls -al test3.del
-rw-rw-rw-. 1 userID Group 0 Feb 02 15:55 test3.del

If you have "umask  0022" in the profile, new files will get permission "-rw-r--r--".

Note that the "x" in the umask setting only applies to newly created directories. A new regular file never receives the execute bit from its creation mode; execute permission on a file has to be granted manually afterwards.
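The rule behind all of the examples above is that a new file starts from 0666 and a new directory from 0777, and the umask bits are cleared from that base. The following shell script is an added example, not part of the original post: it computes the resulting permission for any umask (octal or the "u=rwx,g=rwx,o=rx" form used in .profile) without creating any files, so you can check a service account's settings before changing them. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): work out the permission a new
# file or directory receives under a given umask, without touching the disk.
# Rule: new files start from 0666 and directories from 0777; the umask bits
# are cleared from that base. Files never get "x" from their creation mode.

# effective_mode BASE UMASK : octal mode left after clearing the umask bits
effective_mode() {
    base=$(( 0$1 ))          # leading 0 forces octal interpretation
    mask=$(( 0$2 ))
    printf '%04o\n' $(( base & ~mask & 0777 ))
}

# symbolic MODE : render an octal mode as the nine rwx characters ls prints
symbolic() {
    mode=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do                 # user, group, other triads
        triad=$(( (mode >> pos) & 7 ))
        [ $(( triad & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( triad & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( triad & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# new_file_perm UMASK / new_dir_perm UMASK : ls -l style string for a new file / directory
new_file_perm() { printf '%s%s\n' - "$(symbolic "$(effective_mode 0666 "$1")")"; }
new_dir_perm()  { printf 'd%s\n' "$(symbolic "$(effective_mode 0777 "$1")")"; }

# symbolic_umask_to_octal SPEC : convert "u=rwx,g=rwx,o=rx" (the permissions to
# KEEP, as written in .profile) into the octal umask (the bits to CLEAR), e.g. 0002.
# Runs in a subshell so the IFS change does not leak out.
symbolic_umask_to_octal() (
    allowed=0
    IFS=','
    for clause in $1; do
        who=${clause%%=*}
        perms=${clause#*=}
        triad=0
        case $perms in *r*) triad=$(( triad | 4 ));; esac
        case $perms in *w*) triad=$(( triad | 2 ));; esac
        case $perms in *x*) triad=$(( triad | 1 ));; esac
        case $who in
            u) allowed=$(( allowed | (triad << 6) ));;
            g) allowed=$(( allowed | (triad << 3) ));;
            o) allowed=$(( allowed | triad ));;
            a) allowed=$(( allowed | (triad << 6) | (triad << 3) | triad ));;
        esac
    done
    printf '%04o\n' $(( 0777 & ~allowed ))
)

# Demonstration on the umask values discussed in the post
for um in 0077 0002 0000 0022; do
    printf 'umask %s -> file %s  dir %s\n' "$um" "$(new_file_perm "$um")" "$(new_dir_perm "$um")"
done
printf 'u=rwx,g=rwx,o=rx -> umask %s\n' "$(symbolic_umask_to_octal u=rwx,g=rwx,o=rx)"
```

The directory column is where the "x" from the umask shows up: umask 0022 gives "drwxr-xr-x" for a new directory but "-rw-r--r--" for a new file, which is exactly the point made above.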

Tuesday, December 3, 2024

Connect to a remote server using the private key credential

When a third-party tool, such as PPM (Project and Portfolio Management) or Venafi (SSL certificate tool), needs to access the Oracle EBS server, we usually have to share the applmgr password with other teams. A better and more efficient way is to give them a private key so they can log onto the EBS server without entering the password. Steps to accomplish that on RHEL8 servers:

On Oracle EBS server ebs2d (local server):

1. Generate a pair of key files
$ hostname
ebs2d
$ echo $USER
applmgr

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/u06/app/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /u06/app/.ssh/id_rsa.
Your public key has been saved in /u06/app/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3y1+M95Js+4k383juI/qSsxxxxxxx   applmgr@ebs2d.domain.com
The key's randomart image is:
+---[RSA 2048]----+
|      .   .                   |
|     E +S+               |
|    o o =... .             |
|   + B  .o.oo..+       |
|  o.=++o. o. .@+  |
| .o+=++  .oooB@*|
+----[SHA256]-----+ 

$ cd .ssh
$ ls -alZ
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 id_rsa
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0  409 Jun  4 20:27 id_rsa.pub
-rw-------.  1 applmgr grp system_u:object_r:unlabeled_t:s0     3563 Jan 16 11:35 known_hosts

2. Create the file authorized_keys as a copy of the public key file id_rsa.pub (or append the key to an existing authorized_keys)
$ cat id_rsa.pub >> authorized_keys
$ chmod 600 authorized_keys       # <= the right permission is important

3. Change the SELinux labels on file authorized_keys (RHEL8)
$ chcon -u system_u authorized_keys
$ chcon -t user_home_t authorized_keys

$ ls -alZ
-rw-------.  1 applmgr grp system_u:object_r:user_home_t:s0 409 Jun  4 20:27 authorized_keys
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 id_rsa
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0  409 Jun  4 20:27 id_rsa.pub
-rw-------.  1 applmgr grp system_u:object_r:unlabeled_t:s0     3563 Jan 16 11:35 known_hosts

4. Copy the private key id_rsa to the remote server ppm1p and give it a meaningful name.
Or send the file id_rsa to the other trusted team.
$ scp -p id_rsa usr@ppm1p:/path/to/applmgr_ebs2d_PPM_key
Password:
id_rsa                                                              100% 1843   903.2KB/s   00:00

On remote server ppm1p (host of the third-party tool):

After receiving the private key, the other team can set up their server to run scripts against the Oracle EBS server without manual intervention.

$ cd /path/to
$ ls -alZ
-rw-------. 1 usr group unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 applmgr_ebs2d_PPM_key

Now, connect to the EBS server using the private key credential (without entering applmgr's password!):
$ hostname 
ppm1p
$ echo $USER
usr

$ ssh -i /path/to/applmgr_ebs2d_PPM_key applmgr@ebs2d
Connected!

$ hostname
ebs2d
$ echo $USER
applmgr

My old post has more details on running ssh, sftp, scp between servers without a password.
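Step 2 above stresses that the permission on authorized_keys matters; in practice the permissions on ~/.ssh itself and on the private key matter just as much, because sshd (with StrictModes, the default) ignores an authorized_keys that group or others can write, and the ssh client refuses a private key that group or others can read. The script below is an added example, not part of the original post: an audit function that checks those conditions on a .ssh directory and verifies that every active authorized_keys line carries a recognised key type. It builds its own fixtures in a temporary directory with placeholder key material, so it runs offline. It assumes GNU coreutils (stat -c), as on RHEL; the function names are my own. The same checks apply whichever direction the key material travels: the private key as in steps 4 and after, or, the more common arrangement, a public key generated by the receiving team and appended to authorized_keys on ebs2d.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a ~/.ssh directory for
# the conditions that make key-based login fail or unsafe. Assumes GNU stat.

perm_of() { stat -c '%a' "$1"; }   # octal permission bits, e.g. 600

# audit_ssh_dir DIR : print one FAIL line per finding; return 0 if clean, 1 otherwise
audit_ssh_dir() {
    dir=$1
    findings=0

    # ~/.ssh itself: any group/other bit is a finding (expected 700)
    dmode=$(perm_of "$dir")
    if [ $(( 0$dmode & 077 )) -ne 0 ]; then
        echo "FAIL: $dir is mode $dmode, expected 700"
        findings=$((findings + 1))
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(perm_of "$f")
        case ${f##*/} in
            authorized_keys)
                # sshd (StrictModes yes) ignores the file if group or others can write it
                if [ $(( 0$m & 022 )) -ne 0 ]; then
                    echo "FAIL: $f is mode $m, must not be group/world writable"
                    findings=$((findings + 1))
                fi
                # every active line must carry a recognised key type (options may precede it);
                # awk reports offending lines on stderr and prints their count on stdout
                bad=$(awk '
                    !/^[ \t]*#/ && !/^[ \t]*$/ {
                        ok = 0
                        for (i = 1; i <= NF; i++)
                            if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) ok = 1
                        if (!ok) {
                            printf "FAIL: %s line %d has no recognised key type\n", FILENAME, NR > "/dev/stderr"
                            bad++
                        }
                    }
                    END { print bad + 0 }' "$f")
                findings=$((findings + bad))
                ;;
            *)
                # the ssh client refuses a private key readable by group/others
                if grep -q 'PRIVATE KEY' "$f" && [ $(( 0$m & 077 )) -ne 0 ]; then
                    echo "FAIL: private key $f is mode $m, expected 600"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Constructed fixtures: one clean .ssh directory and one with every problem above.
# The key material is a placeholder string, not a real key.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -m 700 "$demo/good"
mkdir -m 755 "$demo/bad"
printf '%s\n' '# key for the PPM integration (placeholder)' \
    'ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_NOT_A_REAL_KEY applmgr@ebs2d' \
    > "$demo/good/authorized_keys"
chmod 600 "$demo/good/authorized_keys"
{ cat "$demo/good/authorized_keys"; echo 'not-a-key-line'; } > "$demo/bad/authorized_keys"
chmod 664 "$demo/bad/authorized_keys"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER' '-----END OPENSSH PRIVATE KEY-----' \
    > "$demo/bad/id_rsa"
chmod 644 "$demo/bad/id_rsa"

for d in good bad; do
    if audit_ssh_dir "$demo/$d"; then echo "$d: clean"; else echo "$d: findings above"; fi
done
```

Run it against a real account with `audit_ssh_dir "$HOME/.ssh"`; a clean result means the "Permissions ... are too open" and silently ignored authorized_keys cases are ruled out before you start debugging the connection itself.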