User Permissions problem in CentOS 7: “Permission denied”

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I thought that I knew how to set up permissions in Linux. I apparently don't.



I have a user called "web3". This user was automatically created by ISPConfig (A server management application like CPannel).



I also have an application that I installed on the server called "Drush". I installed "Drush" while logged in as root. This application is located at:



/root/.composer/vendor/drush/drush/drush


This file and it's containing folder have the following permissions:



-rwxr-xr-x 1 root root
drwxr-xr-x 9 root root


Since the file allows read and execute permissions to everyone, how come every time I login as the "web3" user and try to run the aforementioned application I get the following error message:



/root/.composer/vendor/drush/drush/drush: Permission denied


I have faced this problem before but I resorted to giving sudo full root permissions to the user I was having problems with. On a local development environment, this is not a big deal. I am managing my own Dedicated Server now and this sledgehammer solution will not do.



What am I doing wrong?



I'd appreciate any help!






linux permissions







share|improve this question





















  • What is keeping you from installing "Drush" as the web3 user? It's best to only run applications as root if there is absolutely no alternative.
    – DopeGhoti
    May 25 '16 at 17:12










  • Can you use sudo when executing the script?
    – ryekayo
    May 25 '16 at 17:13














up vote
1
down vote

favorite












I thought that I knew how to set up permissions in Linux. I apparently don't.



I have a user called "web3". This user was automatically created by ISPConfig (A server management application like CPannel).



I also have an application that I installed on the server called "Drush". I installed "Drush" while logged in as root. This application is located at:



/root/.composer/vendor/drush/drush/drush


This file and it's containing folder have the following permissions:



-rwxr-xr-x 1 root root
drwxr-xr-x 9 root root


Since the file allows read and execute permissions to everyone, how come every time I login as the "web3" user and try to run the aforementioned application I get the following error message:



/root/.composer/vendor/drush/drush/drush: Permission denied


I have faced this problem before but I resorted to giving sudo full root permissions to the user I was having problems with. On a local development environment, this is not a big deal. I am managing my own Dedicated Server now and this sledgehammer solution will not do.



What am I doing wrong?



I'd appreciate any help!






linux permissions







share|improve this question





















  • What is keeping you from installing "Drush" as the web3 user? It's best to only run applications as root if there is absolutely no alternative.
    – DopeGhoti
    May 25 '16 at 17:12










  • Can you use sudo when executing the script?
    – ryekayo
    May 25 '16 at 17:13












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I thought that I knew how to set up permissions in Linux. I apparently don't.



I have a user called "web3". This user was automatically created by ISPConfig (A server management application like CPannel).



I also have an application that I installed on the server called "Drush". I installed "Drush" while logged in as root. This application is located at:



/root/.composer/vendor/drush/drush/drush


This file and it's containing folder have the following permissions:



-rwxr-xr-x 1 root root
drwxr-xr-x 9 root root


Since the file allows read and execute permissions to everyone, how come every time I login as the "web3" user and try to run the aforementioned application I get the following error message:



/root/.composer/vendor/drush/drush/drush: Permission denied


I have faced this problem before but I resorted to giving sudo full root permissions to the user I was having problems with. On a local development environment, this is not a big deal. I am managing my own Dedicated Server now and this sledgehammer solution will not do.



What am I doing wrong?



I'd appreciate any help!






linux permissions







share|improve this question













I thought that I knew how to set up permissions in Linux. I apparently don't.



I have a user called "web3". This user was automatically created by ISPConfig (A server management application like CPannel).



I also have an application that I installed on the server called "Drush". I installed "Drush" while logged in as root. This application is located at:



/root/.composer/vendor/drush/drush/drush


This file and it's containing folder have the following permissions:



-rwxr-xr-x 1 root root
drwxr-xr-x 9 root root


Since the file allows read and execute permissions to everyone, how come every time I login as the "web3" user and try to run the aforementioned application I get the following error message:



/root/.composer/vendor/drush/drush/drush: Permission denied


I have faced this problem before but I resorted to giving sudo full root permissions to the user I was having problems with. On a local development environment, this is not a big deal. I am managing my own Dedicated Server now and this sledgehammer solution will not do.



What am I doing wrong?



I'd appreciate any help!






linux permissions




linux permissions






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked May 25 '16 at 17:05









DrupalFever

11815




11815











  • What is keeping you from installing "Drush" as the web3 user? It's best to only run applications as root if there is absolutely no alternative.
    – DopeGhoti
    May 25 '16 at 17:12










  • Can you use sudo when executing the script?
    – ryekayo
    May 25 '16 at 17:13
















  • What is keeping you from installing "Drush" as the web3 user? It's best to only run applications as root if there is absolutely no alternative.
    – DopeGhoti
    May 25 '16 at 17:12










  • Can you use sudo when executing the script?
    – ryekayo
    May 25 '16 at 17:13















What is keeping you from installing "Drush" as the web3 user? It's best to only run applications as root if there is absolutely no alternative.
– DopeGhoti
May 25 '16 at 17:12




What is keeping you from installing "Drush" as the web3 user? It's best to only run applications as root if there is absolutely no alternative.
– DopeGhoti
May 25 '16 at 17:12












Can you use sudo when executing the script?
– ryekayo
May 25 '16 at 17:13




Can you use sudo when executing the script?
– ryekayo
May 25 '16 at 17:13










2 Answers
2






active

oldest

votes

















up vote
5
down vote



accepted










/root/ is root's home directory. The permissions on /root/ are hopefully 700, preventing anyone but root from traversing the entire directory tree below it.



You're being prevented from running the binary as a non-root user by permissions further up the directory tree.



Installing anything into /root/ is unusual, you would normally install executable code to be used by multiple users into /opt/ or another directory.



So those are the two main things that are 'wrong'. You need to find a better location to install the code, and to ensure the full path is accessible to the users you want to use it.



Lastly, as others have pointing out, while you often need to be root to complete an install, the resulting files should only be owned by root if absolutely necessary. In many cases, specific users are created (such as the www-data user, or an oracle user) which limits exposure if the code is compromised. I don't know your application, but it might be worth either installing it as the web3 user or installing it as root, but changing the permissions later to a non-privileged user created specifically for the task.



You should resist the urge to open up the permissions on /root/ to fix the issue, and sudo is a sticking plaster over the problem. The problem is that you should not install executable code into root's home directory.






share|improve this answer




















  • I used Composer (A tool for dependency management in PHP) to I installed "Drush". Since I was logged in as root when I installed Composer, Composer ended up being installed in the root's home folder. Now, every time I use Composer to install something, it installs that application in the root's home folder.
    – DrupalFever
    May 25 '16 at 18:29










  • What was puzzling to me was that I needed to have permissive permissions down the directory tree. I thought that, as long as the current folder had enough permissions, I should have access to the files/folders that I was trying to access. Is this a permission rule for the entire Linux environment or is it just some special characteristic of the root home folder?
    – DrupalFever
    May 25 '16 at 18:35










  • It's for the entire environment. You need permissions to descend into every level of the directory tree.
    – EightBitTony
    May 25 '16 at 21:38










  • If you feel the answer has resolved your query, feel free to mark it as 'answered' by clicking the tick next to the most appropriate answer.
    – EightBitTony
    May 27 '16 at 21:25

















up vote
0
down vote













Just checking the permissions of the containing folder will not be enough: you'll need to check the permissions of all the higher-level folders, up to the root directory. For example, like this: 



# ls -ld /root/.composer/vendor/drush/drush/drush 
 /root/.composer/vendor/drush/drush 
 /root/.composer/vendor/drush 
 /root/.composer/vendor 
 /root/.composer 
 /root 
 /


You may find that the /root directory has permissions 700 (or drwx------), and that is blocking the web3 user from proceeding any further on that path. It is not a good idea to let other users access the home directory of the root user, although you technically could give it permissions 711 (drwx--x--x) if you consider it absolutely necessary.



But it is possible that this won't help you either...



You're using CentOS 7, which has SELinux enabled by default.



RHEL/CentOS has a default SELinux configuration that usually has a pretty negligible effect on regular user accounts, but it can place some strict limits on system services - like a web server, for example.



Under SELinux, it is possible to restrict a process and all of its descendants from certain actions - independently from traditional Unix-style user/group/permissions system. Those restrictions can be configured to automatically "latch on" when certain binaries are executed, for certain system users, and on a multitude of other conditions.



One of the default SELinux restrictions for a webserver is that access to anything outside specifically enabled directories like /var/www is blocked, unless specifically enabled using a SELinux boolean, a kind of switchable option in SELinux ruleset. I think this might be another thing stopping the web3 user from accessing the Drush application.



If you want a web server (or any of its descendants, like a PHP interpreter) to access any content that is not under /var/www and is created by other users, you'll need to run this command:



# setsebool -P httpd_read_user_content 1


On RHEL/CentOS, each system service has an additional man page, named like <service name>_selinux, that contains information on SELinux restrictions and booleans for that specific service. Those man pages come in a RPM package named selinux-policy-doc: here's more information about that package. If you're using a system with SELinux enabled, you really should read those man pages for all the services you're planning to run: they make dealing with SELinux just so much easier.



Of course, you may find on the internet a lot of suggestions on how to disable SELinux, but if you are planning to run a secure server, that might not be the best option.






share|improve this answer




















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f285461%2fuser-permissions-problem-in-centos-7-permission-denied%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    5
    down vote



    accepted










    /root/ is root's home directory. The permissions on /root/ are hopefully 700, preventing anyone but root from traversing the entire directory tree below it.



    You're being prevented from running the binary as a non-root user by permissions further up the directory tree.



    Installing anything into /root/ is unusual, you would normally install executable code to be used by multiple users into /opt/ or another directory.



    So those are the two main things that are 'wrong'. You need to find a better location to install the code, and to ensure the full path is accessible to the users you want to use it.



    Lastly, as others have pointing out, while you often need to be root to complete an install, the resulting files should only be owned by root if absolutely necessary. In many cases, specific users are created (such as the www-data user, or an oracle user) which limits exposure if the code is compromised. I don't know your application, but it might be worth either installing it as the web3 user or installing it as root, but changing the permissions later to a non-privileged user created specifically for the task.



    You should resist the urge to open up the permissions on /root/ to fix the issue, and sudo is a sticking plaster over the problem. The problem is that you should not install executable code into root's home directory.






    share|improve this answer




















    • I used Composer (A tool for dependency management in PHP) to I installed "Drush". Since I was logged in as root when I installed Composer, Composer ended up being installed in the root's home folder. Now, every time I use Composer to install something, it installs that application in the root's home folder.
      – DrupalFever
      May 25 '16 at 18:29










    • What was puzzling to me was that I needed to have permissive permissions down the directory tree. I thought that, as long as the current folder had enough permissions, I should have access to the files/folders that I was trying to access. Is this a permission rule for the entire Linux environment or is it just some special characteristic of the root home folder?
      – DrupalFever
      May 25 '16 at 18:35










    • It's for the entire environment. You need permissions to descend into every level of the directory tree.
      – EightBitTony
      May 25 '16 at 21:38










    • If you feel the answer has resolved your query, feel free to mark it as 'answered' by clicking the tick next to the most appropriate answer.
      – EightBitTony
      May 27 '16 at 21:25














    up vote
    5
    down vote



    accepted










    /root/ is root's home directory. The permissions on /root/ are hopefully 700, preventing anyone but root from traversing the entire directory tree below it.



    You're being prevented from running the binary as a non-root user by permissions further up the directory tree.



    Installing anything into /root/ is unusual, you would normally install executable code to be used by multiple users into /opt/ or another directory.



    So those are the two main things that are 'wrong'. You need to find a better location to install the code, and to ensure the full path is accessible to the users you want to use it.



    Lastly, as others have pointing out, while you often need to be root to complete an install, the resulting files should only be owned by root if absolutely necessary. In many cases, specific users are created (such as the www-data user, or an oracle user) which limits exposure if the code is compromised. I don't know your application, but it might be worth either installing it as the web3 user or installing it as root, but changing the permissions later to a non-privileged user created specifically for the task.



    You should resist the urge to open up the permissions on /root/ to fix the issue, and sudo is a sticking plaster over the problem. The problem is that you should not install executable code into root's home directory.






    share|improve this answer




















    • I used Composer (A tool for dependency management in PHP) to I installed "Drush". Since I was logged in as root when I installed Composer, Composer ended up being installed in the root's home folder. Now, every time I use Composer to install something, it installs that application in the root's home folder.
      – DrupalFever
      May 25 '16 at 18:29










    • What was puzzling to me was that I needed to have permissive permissions down the directory tree. I thought that, as long as the current folder had enough permissions, I should have access to the files/folders that I was trying to access. Is this a permission rule for the entire Linux environment or is it just some special characteristic of the root home folder?
      – DrupalFever
      May 25 '16 at 18:35










    • It's for the entire environment. You need permissions to descend into every level of the directory tree.
      – EightBitTony
      May 25 '16 at 21:38










    • If you feel the answer has resolved your query, feel free to mark it as 'answered' by clicking the tick next to the most appropriate answer.
      – EightBitTony
      May 27 '16 at 21:25












    up vote
    5
    down vote



    accepted







    up vote
    5
    down vote



    accepted






    /root/ is root's home directory. The permissions on /root/ are hopefully 700, preventing anyone but root from traversing the entire directory tree below it.



    You're being prevented from running the binary as a non-root user by permissions further up the directory tree.



    Installing anything into /root/ is unusual, you would normally install executable code to be used by multiple users into /opt/ or another directory.



    So those are the two main things that are 'wrong'. You need to find a better location to install the code, and to ensure the full path is accessible to the users you want to use it.



    Lastly, as others have pointing out, while you often need to be root to complete an install, the resulting files should only be owned by root if absolutely necessary. In many cases, specific users are created (such as the www-data user, or an oracle user) which limits exposure if the code is compromised. I don't know your application, but it might be worth either installing it as the web3 user or installing it as root, but changing the permissions later to a non-privileged user created specifically for the task.



    You should resist the urge to open up the permissions on /root/ to fix the issue, and sudo is a sticking plaster over the problem. The problem is that you should not install executable code into root's home directory.






    share|improve this answer












    /root/ is root's home directory. The permissions on /root/ are hopefully 700, preventing anyone but root from traversing the entire directory tree below it.



    You're being prevented from running the binary as a non-root user by permissions further up the directory tree.



    Installing anything into /root/ is unusual, you would normally install executable code to be used by multiple users into /opt/ or another directory.



    So those are the two main things that are 'wrong'. You need to find a better location to install the code, and to ensure the full path is accessible to the users you want to use it.



    Lastly, as others have pointing out, while you often need to be root to complete an install, the resulting files should only be owned by root if absolutely necessary. In many cases, specific users are created (such as the www-data user, or an oracle user) which limits exposure if the code is compromised. I don't know your application, but it might be worth either installing it as the web3 user or installing it as root, but changing the permissions later to a non-privileged user created specifically for the task.



    You should resist the urge to open up the permissions on /root/ to fix the issue, and sudo is a sticking plaster over the problem. The problem is that you should not install executable code into root's home directory.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered May 25 '16 at 17:23









    EightBitTony

    16k34454




    16k34454











    • I used Composer (A tool for dependency management in PHP) to I installed "Drush". Since I was logged in as root when I installed Composer, Composer ended up being installed in the root's home folder. Now, every time I use Composer to install something, it installs that application in the root's home folder.
      – DrupalFever
      May 25 '16 at 18:29










    • What was puzzling to me was that I needed to have permissive permissions down the directory tree. I thought that, as long as the current folder had enough permissions, I should have access to the files/folders that I was trying to access. Is this a permission rule for the entire Linux environment or is it just some special characteristic of the root home folder?
      – DrupalFever
      May 25 '16 at 18:35










    • It's for the entire environment. You need permissions to descend into every level of the directory tree.
      – EightBitTony
      May 25 '16 at 21:38










    • If you feel the answer has resolved your query, feel free to mark it as 'answered' by clicking the tick next to the most appropriate answer.
      – EightBitTony
      May 27 '16 at 21:25
















    • I used Composer (A tool for dependency management in PHP) to I installed "Drush". Since I was logged in as root when I installed Composer, Composer ended up being installed in the root's home folder. Now, every time I use Composer to install something, it installs that application in the root's home folder.
      – DrupalFever
      May 25 '16 at 18:29










    • What was puzzling to me was that I needed to have permissive permissions down the directory tree. I thought that, as long as the current folder had enough permissions, I should have access to the files/folders that I was trying to access. Is this a permission rule for the entire Linux environment or is it just some special characteristic of the root home folder?
      – DrupalFever
      May 25 '16 at 18:35










    • It's for the entire environment. You need permissions to descend into every level of the directory tree.
      – EightBitTony
      May 25 '16 at 21:38










    • If you feel the answer has resolved your query, feel free to mark it as 'answered' by clicking the tick next to the most appropriate answer.
      – EightBitTony
      May 27 '16 at 21:25















    I used Composer (A tool for dependency management in PHP) to I installed "Drush". Since I was logged in as root when I installed Composer, Composer ended up being installed in the root's home folder. Now, every time I use Composer to install something, it installs that application in the root's home folder.
    – DrupalFever
    May 25 '16 at 18:29




    I used Composer (A tool for dependency management in PHP) to I installed "Drush". Since I was logged in as root when I installed Composer, Composer ended up being installed in the root's home folder. Now, every time I use Composer to install something, it installs that application in the root's home folder.
    – DrupalFever
    May 25 '16 at 18:29












    What was puzzling to me was that I needed to have permissive permissions down the directory tree. I thought that, as long as the current folder had enough permissions, I should have access to the files/folders that I was trying to access. Is this a permission rule for the entire Linux environment or is it just some special characteristic of the root home folder?
    – DrupalFever
    May 25 '16 at 18:35




    What was puzzling to me was that I needed to have permissive permissions down the directory tree. I thought that, as long as the current folder had enough permissions, I should have access to the files/folders that I was trying to access. Is this a permission rule for the entire Linux environment or is it just some special characteristic of the root home folder?
    – DrupalFever
    May 25 '16 at 18:35












    It's for the entire environment. You need permissions to descend into every level of the directory tree.
    – EightBitTony
    May 25 '16 at 21:38




    It's for the entire environment. You need permissions to descend into every level of the directory tree.
    – EightBitTony
    May 25 '16 at 21:38












    If you feel the answer has resolved your query, feel free to mark it as 'answered' by clicking the tick next to the most appropriate answer.
    – EightBitTony
    May 27 '16 at 21:25




    If you feel the answer has resolved your query, feel free to mark it as 'answered' by clicking the tick next to the most appropriate answer.
    – EightBitTony
    May 27 '16 at 21:25












    up vote
    0
    down vote













    Just checking the permissions of the containing folder will not be enough: you'll need to check the permissions of all the higher-level folders, up to the root directory. For example, like this: 



    # ls -ld /root/.composer/vendor/drush/drush/drush 
     /root/.composer/vendor/drush/drush 
     /root/.composer/vendor/drush 
     /root/.composer/vendor 
     /root/.composer 
     /root 
     /


    You may find that the /root directory has permissions 700 (or drwx------), and that is blocking the web3 user from proceeding any further on that path. It is not a good idea to let other users access the home directory of the root user, although you technically could give it permissions 711 (drwx--x--x) if you consider it absolutely necessary.



    But it is possible that this won't help you either...



    You're using CentOS 7, which has SELinux enabled by default.



    RHEL/CentOS has a default SELinux configuration that usually has a pretty negligible effect on regular user accounts, but it can place some strict limits on system services - like a web server, for example.



    Under SELinux, it is possible to restrict a process and all of its descendants from certain actions - independently from traditional Unix-style user/group/permissions system. Those restrictions can be configured to automatically "latch on" when certain binaries are executed, for certain system users, and on a multitude of other conditions.



    One of the default SELinux restrictions for a webserver is that access to anything outside specifically enabled directories like /var/www is blocked, unless specifically enabled using a SELinux boolean, a kind of switchable option in SELinux ruleset. I think this might be another thing stopping the web3 user from accessing the Drush application.



    If you want a web server (or any of its descendants, like a PHP interpreter) to access any content that is not under /var/www and is created by other users, you'll need to run this command:



    # setsebool -P httpd_read_user_content 1


    On RHEL/CentOS, each system service has an additional man page, named like <service name>_selinux, that contains information on SELinux restrictions and booleans for that specific service. Those man pages come in a RPM package named selinux-policy-doc: here's more information about that package. If you're using a system with SELinux enabled, you really should read those man pages for all the services you're planning to run: they make dealing with SELinux just so much easier.



    Of course, you may find on the internet a lot of suggestions on how to disable SELinux, but if you are planning to run a secure server, that might not be the best option.






    share|improve this answer
























      up vote
      0
      down vote













      Just checking the permissions of the containing folder will not be enough: you'll need to check the permissions of all the higher-level folders, up to the root directory. For example, like this: 



      # ls -ld /root/.composer/vendor/drush/drush/drush 
       /root/.composer/vendor/drush/drush 
       /root/.composer/vendor/drush 
       /root/.composer/vendor 
       /root/.composer 
       /root 
       /


      You may find that the /root directory has permissions 700 (or drwx------), and that is blocking the web3 user from proceeding any further on that path. It is not a good idea to let other users access the home directory of the root user, although you technically could give it permissions 711 (drwx--x--x) if you consider it absolutely necessary.



      But it is possible that this won't help you either...



      You're using CentOS 7, which has SELinux enabled by default.



      RHEL/CentOS has a default SELinux configuration that usually has a pretty negligible effect on regular user accounts, but it can place some strict limits on system services - like a web server, for example.



      Under SELinux, it is possible to restrict a process and all of its descendants from certain actions - independently from traditional Unix-style user/group/permissions system. Those restrictions can be configured to automatically "latch on" when certain binaries are executed, for certain system users, and on a multitude of other conditions.



      One of the default SELinux restrictions for a webserver is that access to anything outside specifically enabled directories like /var/www is blocked, unless specifically enabled using a SELinux boolean, a kind of switchable option in SELinux ruleset. I think this might be another thing stopping the web3 user from accessing the Drush application.



      If you want a web server (or any of its descendants, like a PHP interpreter) to access any content that is not under /var/www and is created by other users, you'll need to run this command:



      # setsebool -P httpd_read_user_content 1


      On RHEL/CentOS, each system service has an additional man page, named like <service name>_selinux, that contains information on SELinux restrictions and booleans for that specific service. Those man pages come in a RPM package named selinux-policy-doc: here's more information about that package. If you're using a system with SELinux enabled, you really should read those man pages for all the services you're planning to run: they make dealing with SELinux just so much easier.



      Of course, you may find on the internet a lot of suggestions on how to disable SELinux, but if you are planning to run a secure server, that might not be the best option.






      share|improve this answer






















        up vote
        0
        down vote










        up vote
        0
        down vote









        Just checking the permissions of the containing folder will not be enough: you'll need to check the permissions of all the higher-level folders, up to the root directory. For example, like this: 



        # ls -ld /root/.composer/vendor/drush/drush/drush 
         /root/.composer/vendor/drush/drush 
         /root/.composer/vendor/drush 
         /root/.composer/vendor 
         /root/.composer 
         /root 
         /


        You may find that the /root directory has permissions 700 (or drwx------), and that is blocking the web3 user from proceeding any further on that path. It is not a good idea to let other users access the home directory of the root user, although you technically could give it permissions 711 (drwx--x--x) if you consider it absolutely necessary.



        But it is possible that this won't help you either...



        You're using CentOS 7, which has SELinux enabled by default.



        RHEL/CentOS has a default SELinux configuration that usually has a pretty negligible effect on regular user accounts, but it can place some strict limits on system services - like a web server, for example.



        Under SELinux, it is possible to restrict a process and all of its descendants from certain actions - independently from traditional Unix-style user/group/permissions system. Those restrictions can be configured to automatically "latch on" when certain binaries are executed, for certain system users, and on a multitude of other conditions.



        One of the default SELinux restrictions for a webserver is that access to anything outside specifically enabled directories like /var/www is blocked, unless specifically enabled using a SELinux boolean, a kind of switchable option in SELinux ruleset. I think this might be another thing stopping the web3 user from accessing the Drush application.



        If you want a web server (or any of its descendants, like a PHP interpreter) to access any content that is not under /var/www and is created by other users, you'll need to run this command:



        # setsebool -P httpd_read_user_content 1


        On RHEL/CentOS, each system service has an additional man page, named like <service name>_selinux, that contains information on SELinux restrictions and booleans for that specific service. Those man pages come in a RPM package named selinux-policy-doc: here's more information about that package. If you're using a system with SELinux enabled, you really should read those man pages for all the services you're planning to run: they make dealing with SELinux just so much easier.



        Of course, you may find on the internet a lot of suggestions on how to disable SELinux, but if you are planning to run a secure server, that might not be the best option.






        share|improve this answer












        Just checking the permissions of the containing folder will not be enough: you'll need to check the permissions of all the higher-level folders, up to the root directory. For example, like this: 



        # ls -ld /root/.composer/vendor/drush/drush/drush 
         /root/.composer/vendor/drush/drush 
         /root/.composer/vendor/drush 
         /root/.composer/vendor 
         /root/.composer 
         /root 
         /


        You may find that the /root directory has permissions 700 (or drwx------), and that is blocking the web3 user from proceeding any further on that path. It is not a good idea to let other users access the home directory of the root user, although you technically could give it permissions 711 (drwx--x--x) if you consider it absolutely necessary.



        But it is possible that this won't help you either...



        You're using CentOS 7, which has SELinux enabled by default.



        RHEL/CentOS has a default SELinux configuration that usually has a pretty negligible effect on regular user accounts, but it can place some strict limits on system services - like a web server, for example.



        Under SELinux, it is possible to restrict a process and all of its descendants from certain actions - independently from traditional Unix-style user/group/permissions system. Those restrictions can be configured to automatically "latch on" when certain binaries are executed, for certain system users, and on a multitude of other conditions.



        One of the default SELinux restrictions for a webserver is that access to anything outside specifically enabled directories like /var/www is blocked, unless specifically enabled using a SELinux boolean, a kind of switchable option in SELinux ruleset. I think this might be another thing stopping the web3 user from accessing the Drush application.



        If you want a web server (or any of its descendants, like a PHP interpreter) to access any content that is not under /var/www and is created by other users, you'll need to run this command:



        # setsebool -P httpd_read_user_content 1


        On RHEL/CentOS, each system service has an additional man page, named like <service name>_selinux, that contains information on SELinux restrictions and booleans for that specific service. Those man pages come in a RPM package named selinux-policy-doc: here's more information about that package. If you're using a system with SELinux enabled, you really should read those man pages for all the services you're planning to run: they make dealing with SELinux just so much easier.



        Of course, you may find on the internet a lot of suggestions on how to disable SELinux, but if you are planning to run a secure server, that might not be the best option.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 1 at 3:21









        telcoM

        15.3k12143




        15.3k12143



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f285461%2fuser-permissions-problem-in-centos-7-permission-denied%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            -

            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
            Read more

            Displaying single band from multi-band raster using QGIS

            Image
            Clash Royale CLAN TAG #URR8PPP 1 How can I extract a single band from multi-band raster in QGIS? I have an remote sensed image which has 6 bands (including NDVI band), I want to display each band separately, but have no idea how to do. I have seen some questions similar here but none worked for me. The original image (has 6 bands) is: I want to display the band 6 which should be like this: But I tried gdal_translate, and couldn't get the correct result. What I have got is: qgis raster multi-band share | improve this question edited Mar 5 at 0:53 Summer asked Mar 4 at 6:42 Summer Summer 23 6 Is this any help gis.stackexchange.com/questions/220658/… ? if not gis.stackexchange.com/questions/62133/… might help. – Michael Stimson Mar 4 at 6:46 Thanks for answering but when I used gdal_translate, qgis showed that 'Error 4: Kayena.tif: No such file or directory". Would you know how to fix it? –
            Read more

            How many registers does an x86_64 CPU actually have?

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite I am currently learning reverse engineering and am studying the flags register. I had in my mind that rflags was just another name for one of the 16 general purpose registers, for example rax or rbx . But it looks like rflags is actually an additional register. So that makes 17 registers in total... how many more could there be? I have spent at least an hour on this and found numerous different answers. The best answer so far is this, which says that there are 40 registers in total. 16 General Purpose Registers 2 Status Registers 6 Code Segment Registers 16 SSE Registers 8 FPU/MMX Registers But if I add that up, I get 48. Could anybody provide an official answer on how many registers an x86_64 CPU has (e.g. an Intel i7). Additionally, I have seen references to 'hardware' and 'architectural' registers. What are those registers and how many are there? register x86-64 share | improve this
            Read more