Monday, 11 February 2019

Bash - permissions say "Yes" but script no go

I saw this on Friday - bit of a learning curve for someone who thought he knew Unix :-)

I'd created a script: -

vi /tmp/sayHello.sh

#!/bin/bash
echo "Hello World!"

and made it executable: -

chmod +x /tmp/sayHello.sh

and validated it: -

 ls -al /tmp/sayHello.sh 

-rwxrwxr-x 1 daveh daveh 32 Feb 11 14:53 /tmp/sayHello.sh

but, when I tried to execute it: -

/tmp/sayHello.sh

-bash: /tmp/sayHello.sh: Permission denied

I even tried as root: -

su -

whoami

root

ls -al /tmp/sayHello.sh 

-rwxrwxr-x 1 daveh daveh 32 Feb 11 14:53 /tmp/sayHello.sh

/tmp/sayHello.sh

-bash: /tmp/sayHello.sh: Permission denied

It took me a while .... with the kind support of a colleague ... to realise where I was going wrong.

I had ASSUMED that there'd be no issue running a script from /tmp ......

You know what they say about assumptions, right ?

It transpired that, for this particular Ubuntu box, the /tmp file-system was mounted with the noexec bit set.

This was evidenced via the mount command, which returned: -

...
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=777)
...

I simulated the same situation with a RHEL box: -

mkdir /foobar

vi /foobar/sayHello.sh

#!/bin/bash
echo "Hello World!"

chmod +x /foobar/sayHello.sh

mkdir /snafu

mount -o bind /foobar /snafu

/snafu/sayHello.sh 

Hello World!

mount -o remount,noexec,nosuid,nodev,bind /foobar/ /snafu

/snafu/sayHello.sh 

-bash: /snafu/sayHello.sh: Permission denied

In this example, I'm using mount -o bind and mount -o remount to simulate the /tmp file-system on the Ubuntu boxen, rather than creating a new file-system.

However, the point remains the same - I did not know about the noexec (and corresponding nosuid and nodev) mount options - as evidenced here: -

/dev/mapper/rhel-root on /snafu type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)

