If I do:
ls -al /usr/local/bin/kill-all-sales-apps
I see:
-r-xr-xr-- 1 jenkins root 68 Aug 4 12:10 kill-all-sales-apps
If I sudo to root and then su to jenkins, I should be able to delete this, yes?
Other relevant information about the directory and its parent:
drwxr-xr-x 2 root root 4096 Aug 4 12:11 .
drwxr-xr-x 10 root root 4096 May 7 17:20 ..
If I do:
groups jenkins
then I see that the user "jenkins" has been added to the "root" group:
jenkins : jenkins root run-server-software
But if I:
rm /usr/local/bin/kill-all-sales-apps
I get:
rm: remove write-protected regular file ‘/usr/local/bin/kill-all-sales-apps’? y
rm: cannot remove ‘/usr/local/bin/kill-all-sales-apps’: Permission denied
Why is permission denied?
1 solution
#1
3
As to why the jenkins user can't delete, the jenkins user needs write permissions on the parent folder of the file you're looking to delete. This is because you're actually removing directory entries from the parent folder.
Usually, on most filesystems, deleting a file requires write permission on the parent directory (and execute permission, in order to enter the directory in the first place). (Note that, confusingly for beginners, permissions on the file itself are irrelevant. However, GNU rm asks for confirmation if a write-protected file is to be deleted, unless the -f option is used.)
Source: Rm_(Unix)
So try running...
ls -ld /usr/local/bin
And make sure the jenkins user has write permissions on /usr/local/bin
Another way to do it is to modify sudoers to give the jenkins user sudo permissions to rm only that file via sudo. Here's an example giving the user joe the explicit permission to sudo rm the file /usr/local/src/noperms/hi.txt from a directory he does not have write permissions to, but limiting him from deleting anything else in that directory.
For example:
[root@joeyoung.io ~]# mkdir -p /usr/local/src/noperms
[root@joeyoung.io ~]# chmod -R 455 /usr/local/src/noperms
[root@joeyoung.io ~]# touch /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# echo "hi" >> /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# chmod 455 /usr/local/src/noperms/hi.txt
[root@joeyoung.io ~]# su - joe
[joe@joeyoung.io ~]$ cat /usr/local/src/noperms/hi.txt
hi
[joe@joeyoung.io ~]$ rm /usr/local/src/noperms/hi.txt
rm: remove write-protected regular file `/usr/local/src/noperms/hi.txt'? y
rm: cannot remove `/usr/local/src/noperms/hi.txt': Permission denied
[joe@joeyoung.io ~]$ exit
[root@joeyoung.io ~]# visudo
[root@joeyoung.io ~]# diff -Nur /tmp/sudoers.orig /etc/sudoers
--- /tmp/sudoers.orig 2015-08-04 17:17:24.020781442 +0200
+++ /etc/sudoers 2015-08-04 17:24:21.258274163 +0200
@@ -101,6 +101,7 @@
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
+joe ALL=(root) NOPASSWD: /bin/rm /usr/local/src/noperms/hi.txt
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
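Review bot: On the added `joe` line, NOPASSWD is not needed for the interactive use shown in this session and could be dropped so that the deletion still requires joe's password; keep it only if the command has to run unattended. Because the rule lists an argument, sudo will match `/bin/rm /usr/local/src/noperms/hi.txt` exactly and refuse any other path or extra option, which is the intended limit, but the line has no explanatory comment while the neighbouring entries each carry a `##` line, so add one stating who asked for the rule and why.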
[root@joeyoung.io ~]# su - joe
[joe@joeyoung.io ~]$ sudo /bin/rm /usr/local/src/noperms/hi.txt
[joe@joeyoung.io ~]$ exit
[root@joeyoung.io ~]# ls -al /usr/local/src/noperms/hi.txt
ls: cannot access /usr/local/src/noperms/hi.txt: No such file or directory
[root@joeyoung.io ~]# ls -al /usr/local/src/noperms/
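The rule the answer describes, written out as an added example that is not part of the original answer: a shell function that decides from the `ls -ld` fields of the parent directory whether a user may delete an entry. The names `can_unlink` and `verdict` are hypothetical, joe's group list is constructed, and the model assumes plain mode bits (no ACLs, immutable flags, read-only mounts or capabilities).

```shell
#!/bin/sh
# Added example (not from the original answer): model of the classic Unix
# mode-bit check for unlink(), fed with fields as printed by `ls -ld`.
# Assumption: no ACLs, immutable flags, read-only mounts or capabilities.
# Usage: can_unlink DIR_MODE DIR_OWNER DIR_GROUP FILE_OWNER USER "USER_GROUPS"
can_unlink() {
    dir_mode=$1 dir_owner=$2 dir_group=$3 file_owner=$4 user=$5 user_groups=$6
    [ "$user" = root ] && return 0          # root bypasses the mode bits

    # Exactly one triplet applies: owner, else group, else other.
    if [ "$user" = "$dir_owner" ]; then
        cols=2-4
    else
        case " $user_groups " in
            *" $dir_group "*) cols=5-7 ;;
            *)                cols=8-10 ;;
        esac
    fi
    triplet=$(printf '%s' "$dir_mode" | cut -c"$cols")

    # Removing a directory entry needs write AND search (x) on the directory.
    # The file's own mode is never consulted, so it is not even a parameter.
    case $triplet in
        ?w[xst]) ;;
        *) return 1 ;;
    esac

    # Sticky directory (t/T in column 10): only the file's or the
    # directory's owner may remove the entry.
    case $(printf '%s' "$dir_mode" | cut -c10) in
        [tT]) [ "$user" = "$file_owner" ] || [ "$user" = "$dir_owner" ] || return 1 ;;
    esac
    return 0
}

verdict() { if can_unlink "$@"; then echo allowed; else echo denied; fi; }

# The first two rows reuse the listings shown on this page; the rest are constructed.
echo "jenkins in /usr/local/bin (drwxr-xr-x root root): $(verdict drwxr-xr-x root root jenkins jenkins 'jenkins root run-server-software')"
echo "joe in noperms (dr--r-xr-x root root):            $(verdict dr--r-xr-x root root root joe 'joe')"
echo "jenkins, group-writable drwxrwxr-x root root:     $(verdict drwxrwxr-x root root jenkins jenkins 'jenkins root')"
echo "joe, sticky drwxrwxrwt, file owned by jenkins:    $(verdict drwxrwxrwt root root jenkins joe 'joe')"
```

The first row is denied even though jenkins is in the root group, because the group triplet of /usr/local/bin is `r-x` and carries no write bit.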