
flock permission denied bash

I have written a little test script to prevent running my script simultaneously with flock:

#!/bin/bash

scriptname=$(basename "$0")
lock="/var/run/${scriptname}"
umask 0002

exec 200>$lock
flock -n 200 || exit 1

## The code:
sleep 60
echo "Hello world"

When I run the script with my user and then try to run the script with another user, I get the following error message for the lock file:

/var/run/test.lock: Permission denied

Any idea?

Kind regards, Andreas

In a comment, you mention that

    other user is in the same group. file permissions are -rw-r--r--

In other words, only the first user has write permissions on the lock file.

However, your script does:

exec 200>$lock

which attempts to open the lockfile for writing. Hence the "permission denied" error.

Opening the file for writing has the advantage that it won't fail if the file doesn't exist, but it also means that you can't easily predict who the owner of the file will be if your script is being run simultaneously by more than one user. [1]

In most Linux distributions, the umask will be set to 0022, which causes newly-created files to have permissions rw-r--r--, which means that only the user which creates the file will have write permissions. That's sane security policy but it complicates using a lockfile shared between two or more users. If the users are in the same group, you could adjust your umask so that new files are created with group write permissions, remembering to set it back afterwards. For example (untested):

OLD_UMASK=$(umask)
umask 002
exec 200>"$lock"
umask $OLD_UMASK

Alternatively, you could apply the lock with only read permissions [2], taking care to ensure that the file is created first:

touch "$lock" 2>/dev/null # Don't care if it fails.
exec 200<"$lock"          # Note: < instead of >

Notes:

[1]: Another issue with exec 200>file is that it will truncate the file if it does exist, so it is only appropriate for empty files. In general, you should use >> unless you know for certain that the file contains no useful information.

[2]: flock doesn't care what mode the file is open in. See man 1 flock for more information.
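The two fixes from the answer combined into one helper, as an added example that is not part of the original post: the lock file is created once with group write permission (umask changed only in a subshell, appended rather than truncated) and then opened read-only for flock, so later runs by other group members need no write access. It assumes the util-linux flock command is installed; LOCK_DIR is a constructed path, not one from the question.

```bash
#!/bin/bash
# Added example (not from the original post): an flock helper whose lock
# file can be shared between users of one group. Assumes util-linux
# `flock`; LOCK_DIR is a constructed path, not one from the question.
LOCK_DIR="${LOCK_DIR:-${TMPDIR:-/tmp}/flock-example}"
# fd 9 is used below: bash accepts 200 as in the question, but POSIX sh
# only guarantees descriptors 0-9 in redirections.

# Create the lock file with mode rw-rw-r-- if it does not exist yet. The
# umask change lives in a subshell, so the caller's umask is untouched,
# and >> never truncates an existing file (see note [1] in the answer).
ensure_lockfile() {
    local lock="$1"
    mkdir -p "$(dirname "$lock")" || return 1
    ( umask 002; : >> "$lock" ) 2>/dev/null || true  # may fail for non-owners
    [ -r "$lock" ]
}

# Open the lock file read-only on fd 9 and take a non-blocking exclusive
# lock. Returns 0 when this process now holds the lock, 1 when another
# process holds it, 2 when the file cannot even be read.
acquire_lock() {
    ensure_lockfile "$1" || return 2
    exec 9<"$1"        # "<" instead of ">": group members need no write access
    flock -n 9
}

# Drop the lock by closing the descriptor; nothing else is needed.
release_lock() {
    exec 9<&-
}

# Probe from a fresh process: exit 0 only if nobody holds the lock.
lock_is_free() {
    flock -n "$1" true 2>/dev/null
}

main() {
    local lock="$LOCK_DIR/example.lock"
    if acquire_lock "$lock"; then
        echo "holding $lock; a second instance would now exit"
        lock_is_free "$lock" || echo "probe confirms the lock is busy"
        release_lock
    else
        echo "another instance holds $lock"; return 1
    fi
}

main "$@"
```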

Run the whole script via sudo /path/script.sh instead of just /path/script.sh

I found this changed in Ubuntu 20.04 from Ubuntu 19.10 due to an updated kernel. You must be logged in as the user who owns the file, and not a user whose group matches the file permissions. Even sudo -u will show 'permission denied' or 'This account is currently not available'. It affects fifo files like the ones used by the flock command.

The reason for the change is due to security vulnerabilities.

There is a workaround to get the older behaviour back in:

create /etc/sysctl.d/protect-links.conf with the contents:

fs.protected_regular = 0

Then restart procps:

sudo systemctl restart procps.service
