Shell在创建配置文件时抱怨文件权限

Question

I'm not completely sure if I should ask here, over at the Unix forums or somewhere completely different but, here we go.

I'm using Packer to create a set of images (running Debian 8) for AWS and GCE, and during this process I want to install HAProxy and set up a config file for it. The image building and package installation goes smooth, but I'm having problems with file permissions when I'm trying to either create the config file or overwrite the existing one.

My Packer Shell Provisioner runs a set of scripts as the user admin (as far as I know I can't SSH into this setup with root ), where as the one I'm having trouble with looks like this:

#!/bin/bash

# Install HAProxy
sudo apt-get update
sudo apt-get install -y haproxy

# Create backup of default config file
sudo mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak

# Write content over to new config file
OLDIFS=$IFS
IFS=''
sudo cat << EOF > /etc/haproxy/haproxy.cfg
# Content line 1
# Content line 2
# (...)
EOF
IFS=$OLDIFS

The log output gives me this error: /tmp/script_6508.sh: line 17: /etc/haproxy/haproxy.cfg: Permission denied

I've also thought of having a premade config file moved over to the newly created image, but I'm not sure how to do that. And that wouldn't work without writing permissions either, right?

So, does anyone know how I can set up my Shell script to fix this? Or if there is another viable solution?

Answer 1

The problem with the script is the line

sudo cat << EOF > /etc/haproxy/haproxy.cfg

The redirection to /etc/haproxy/haproxy.cfg happens before sudo is called, and thus requires that the file can be created and written to by whatever user is running the script.

Your idea of changing the permissions and ownership of that file solves this issue by making the file writable by the user running the script, but really, you seem to be executing every single line of the script as root in any case, so why not just drop all the sudo s altogether and run the whole thing as root ?

$ sudo myscript.sh   # executed by the 'admin' user

EDIT: Since this script isn't run on the target machine manually, there are two solutions:

1. Go with the chmod solution.
2. Write the config file to a temporary file and move it with sudo .

The second solution involves changing the line

sudo cat << EOF > /etc/haproxy/haproxy.cfg

to

cat <<EOF >/tmp/haproxy.cfg.tmp

and then after the EOF further down

sudo cp /tmp/haproxy.cfg.tmp /etc/haproxy/haproxy.cfg
rm -f /tmp/haproxy.cfg.tmp

This is arguably "cleaner" than messing around with file permissions.

Answer 2

As Kusalananda pointed out, the problem is that output redirection happens in the shell which calls sudo .

In such situations I generally use this simple trick:

TMPFILE=`tempfile`
cat << EOF > $TMPFILE
# Content line 1
# Content line 2
# (...)
EOF
sudo cp $TMPFILE /etc/haproxy/haproxy.cfg
rm $TMPFILE

I create a temp file and put content there (no need for sudo for that step). And then with sudo, copy the temp file to the final destination. Finally: delete the temp file. (I use the copy to make the file ownership to belong to the root; the move would keep the user/group of the calling user. Alternatively, one can use the chmod / chown to fix the permissions.)

Answer 3

The solution to this was quite simple, and 123's comment gave me the right answer: chown

By changing this

sudo mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak

to this

sudo chown admin /etc/haproxy/haproxy.cfg
sudo chmod 644 /etc/haproxy/haproxy.cfg
sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak

I now have both the permissions and ownership I need for my setup to work.

EDIT

Other users have provided better and more viable solutions, as well as answered some issues around my script.