[SOLVED] Newbie file folder access rights

aboka · 08-08-2020, 09:57 AM

hi, i hv install Ubuntu 20.04 LTS on a vps and login as root(root@SHADOW:~#) by default. I use the command below to install & generate a certificate:

Code:

sudo apt install certbot python3-certbot-apache
sudo certbot --apache

but when i point my Shadowsocks to the path, it will give errors file cant be open. i hv confirm(by using ls), that the pem file is in there, and tried the full path below-
/etc/letsencrypt/archive/mydomain/fullchain1.pem
/etc/letsencrypt/live/mydomain/fullchain.pem

so jus to be sure its bcoz 'not authorize' issue, i copy the file into root, and it will give the same error. then i create a new folder and copy the file over to '/var/pp/fullchain1.pem' and it starts working. pls advice on how to fix this as this 'hack' is not proper way to run a program, especially when its updating the certificate

here is the rights of the folder/file:

Code:

/etc/letsencrypt/archive/mydomain/fullchain1.pem:
drwxr-xr-x  96 root root  4096 Aug  7 20:32 etc
drwxr-xr-x  9 root root       4096 Aug  7 10:10 letsencrypt
drwx------  3 root root 4096 Aug  6 16:13 archive
drwxr-xr-x 2 root root 4096 Aug  6 16:13 mydomain
-rw-r--r-- 1 root root 3542 Aug  6 16:13 fullchain1.pem

Code:

/etc/letsencrypt/live/mydomain/fullchain.pem:
drwxr-xr-x  96 root root  4096 Aug  7 20:32 etc
drwxr-xr-x  9 root root       4096 Aug  7 10:10 letsencrypt
drwx------  3 root root 4096 Aug  6 16:13 live
drwxr-xr-x 2 root root 4096 Aug  6 16:13 mydomain
lrwxrwxrwx 1 root root   38 Aug  6 16:13 fullchain.pem -> ../../archive/mudomain/fullchain1.pem

i hv chmod 755 on the fullchain.pem earlier. i suspect its bcoz the program is not running as root and has no rights to access them, but i hv no idea how to check....

here is the command i use to install SS - sudo apt install shadowsocks-libev

thank you,

pan64 · 08-08-2020, 10:31 AM

when you logged in as root you do not need to use sudo
would be nice to give more details (especially the exact error mesasge), because I could not really catch what's happened.
giving 755 is probably not the best idea.

aboka · 08-08-2020, 10:49 AM

hi, i hv change back to '/etc/letsencrypt/archive/domainname/fullchain1.pem' and then restart SS. below is the error:

Code:

root@SHADOW:~# sudo systemctl status shadowsocks-libev
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
     Loaded: loaded (/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2020-08-08 23:46:10 +08; 5s ago
       Docs: man:shadowsocks-libev(8)
    Process: 3230 ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS (code=exited, status=255/EXCEPTION)
   Main PID: 3230 (code=exited, status=255/EXCEPTION)

Aug 08 23:46:10 SHADOW ss-server[3230]:  2020-08-08 23:46:10 INFO: tcp server listening at 127.0.0.1:57439
Aug 08 23:46:10 SHADOW ss-server[3231]: 2020/08/08 23:46:10 V2Ray 4.23.2 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.13.8 linux/amd64)
Aug 08 23:46:10 SHADOW ss-server[3231]: 2020/08/08 23:46:10 A unified platform for anti-censorship.
Aug 08 23:46:10 SHADOW ss-server[3231]: 2020/08/08 23:46:10 main: failed to parse config > main: failed to read cert > open /etc/letsencrypt/archive/domainname/fullchai>
Aug 08 23:46:10 SHADOW ss-server[3230]:  2020-08-08 23:46:10 INFO: udp server listening at [::1]:443
Aug 08 23:46:10 SHADOW ss-server[3230]:  2020-08-08 23:46:10 INFO: udp server listening at 0.0.0.0:443
Aug 08 23:46:10 SHADOW ss-server[3230]:  2020-08-08 23:46:10 ERROR: plugin service exit unexpectedly
Aug 08 23:46:10 SHADOW ss-server[3230]:  2020-08-08 23:46:10 INFO: error on terminating the plugin.
Aug 08 23:46:10 SHADOW systemd[1]: shadowsocks-libev.service: Main process exited, code=exited, status=255/EXCEPTION
Aug 08 23:46:10 SHADOW systemd[1]: shadowsocks-libev.service: Failed with result 'exit-code'.

p/s - what i like to accomplish is the program to access and work with the original certificate path, else it will stop working when the cert is automatically updated; until i copy the new cert to the other folder

thank you,

aboka · 08-08-2020, 11:28 AM

ok, it is working now. but pls let me know if this is the correct way to do it as i prefer not to use 'hack' and risk not working when something is updated or change in future -

i search online rgd this and somehow found out about this unit file for systemd, so further search and try test, i add 'User=root' to it and reboot the system, and voila, it is working with the full original path now. so is this 'ok'? please advice.

p/s - is it bcoz im using root for the installation? shld i create a sudo user and use that instead of root?

cheers,

pan64 · 08-08-2020, 12:27 PM

Quote:

Originally Posted by aboka

ok, it is working now. but pls let me know if this is the correct way to do it as i prefer not to use 'hack' and risk not working when something is updated or change in future -

i search online rgd this and somehow found out about this unit file for systemd, so further search and try test, i add 'User=root' to it and reboot the system, and voila, it is working with the full original path now. so is this 'ok'? please advice.

p/s - is it bcoz im using root for the installation? shld i create a sudo user and use that instead of root?

cheers,

I have no any idea about your activities, you did not tell us any detail (add user=root without context is just meaningless).
You need to use root for installation.

aboka · 08-08-2020, 12:48 PM

@pan64 - while reading the basics of Linux/Ubuntu, most will advice to create another sudo user and disable root account including its ssh for security reason. so you saying that is not necessary?

rgd this 'user rights' issue, i think it is ok since i hv make a mistake thinking certbot and ss is the same program so it should be able to read the path it created. i will try to ask in ss forum if there is another better option than adding the user into the unitfile

cheers,

pan64 · 08-10-2020, 01:58 AM

Quote:

Originally Posted by aboka

most will advice to create another sudo user and disable root account including its ssh for security reason. so you saying that is not necessary?

I still do not really understand your situation. Anyway general usage of root is not felicitous, better to use a regular user account and use root only when really needed.