How to: Linux reset the permissions of the installed rpm packages with –setperms option

Posted on in Categories CentOS, File system, Howto, Linux, RedHat/Fedora Linux, Security, Shell scripting, Suse Linux, Sys admin, Tips, Troubleshooting last updated June 2, 2017

Sometimes by mistakes, all package file permissions get changed, and you need to restore file permission. For example, a shell script or some sort of corruption could alter the permissions for packages installed files, it may be necessary to reset them.

For example a long time ago my shell script ran chmod and chown commands on /usr and changed the permission. Luckily rpm command can reset package permission. Sun Solaris pkg command and IBM AIX can also reset permissions.

Please note that this troubleshooting tip is about resetting the permission of the installed package files and not about end users files stored in /home directory.

RPM syntax to fix permission

To reset permissions of files in a package, run the following rpm command:
rpm --setperms {packagename}

RPM syntax to fix file ownership

To set user/group ownership of files in a package, enter:

rpm --setugids {packagename}

List installed package

You can list all installed package with rpm -qa command:
rpm -qa
Sample outputs:

basesystem-10.0-4.el6.noarch
tzdata-2017b-1.el6.noarch
ncurses-libs-5.7-4.20090207.el6.x86_64
zlib-1.2.3-29.el6.x86_64
libacl-2.2.49-7.el6.x86_64
libsepol-2.0.41-4.el6.x86_64
libcom_err-1.41.12-23.el6.x86_64
libstdc++-4.4.7-18.el6.x86_64
libidn-1.18-2.el6.x86_64
xz-libs-4.999.9-0.5.beta.20091007git.el6.x86_64
libxml2-2.7.6-21.el6_8.1.x86_64
libuuid-2.17.2-12.28.el6.x86_64
p11-kit-trust-0.18.5-2.el6_5.2.x86_64
gmp-4.3.1-12.el6.x86_64
findutils-4.4.2-9.el6.x86_64
libselinux-utils-2.0.94-7.el6.x86_64
binutils-2.20.51.0.2-5.47.el6_9.1.x86_64
groff-1.18.1.4-21.el6.x86_64
cracklib-2.8.16-4.el6.x86_64
module-init-tools-3.9-26.el6.x86_64
ca-certificates-2016.2.10-65.4.el6.noarch
krb5-libs-1.10.3-65.el6.x86_64
rpm-libs-4.8.0-55.el6.x86_64
gnupg2-2.0.14-8.el6.x86_64
.....
..
...

List individual package file permission

You can list individual installed package file permission using following shell for loop (for example list file permission for zip package):
for f in $(rpm -ql zip); do ls -l $f; done
Sample outputs:

-rwxr-xr-x 1 root root 212048 Nov 10  2015 /usr/bin/zip
-rwxr-xr-x 1 root root 107104 Nov 10  2015 /usr/bin/zipcloak
-rwxr-xr-x 1 root root 98584 Nov 10  2015 /usr/bin/zipnote
-rwxr-xr-x 1 root root 102680 Nov 10  2015 /usr/bin/zipsplit
total 155
-rw-r--r-- 1 root root 210354 Jul  5  2008 CHANGES
-rw-r--r-- 1 root root   3412 Mar  3  2007 LICENSE
-rw-r--r-- 1 root root  12748 Jun 26  2008 README
-rw-r--r-- 1 root root   6430 Mar 26  2008 README.CR
-rw-r--r-- 1 root root   6675 Jun 12  2008 TODO
-rw-r--r-- 1 root root  15731 Jul  1  2008 WHATSNEW
-rw-r--r-- 1 root root  13167 Jun 12  2008 WHERE
-rw-r--r-- 1 root root   3395 Dec 13  1996 algorith.txt
-rw-r--r-- 1 root root 210354 Jul  5  2008 /usr/share/doc/zip-3.0/CHANGES
-rw-r--r-- 1 root root 3412 Mar  3  2007 /usr/share/doc/zip-3.0/LICENSE
-rw-r--r-- 1 root root 12748 Jun 26  2008 /usr/share/doc/zip-3.0/README
-rw-r--r-- 1 root root 6430 Mar 26  2008 /usr/share/doc/zip-3.0/README.CR
-rw-r--r-- 1 root root 6675 Jun 12  2008 /usr/share/doc/zip-3.0/TODO
-rw-r--r-- 1 root root 15731 Jul  1  2008 /usr/share/doc/zip-3.0/WHATSNEW
-rw-r--r-- 1 root root 13167 Jun 12  2008 /usr/share/doc/zip-3.0/WHERE
-rw-r--r-- 1 root root 3395 Dec 13  1996 /usr/share/doc/zip-3.0/algorith.txt
-rw-r--r-- 1 root root 28496 Jun 16  2008 /usr/share/man/man1/zip.1.gz
-rw-r--r-- 1 root root 951 May  8  2008 /usr/share/man/man1/zipcloak.1.gz
-rw-r--r-- 1 root root 793 May  8  2008 /usr/share/man/man1/zipnote.1.gz
-rw-r--r-- 1 root root 596 May  8  2008 /usr/share/man/man1/zipsplit.1.gz

Reset the permissions of the all installed RPM packages

You need to use combination of rpm and a shell for loop command as follows:
for p in $(rpm -qa); do rpm --setperms $p; done
for p in $(rpm -qa); do rpm --setugids $p; done

Say if you mnaged to completely mess up file permissions for a given package named zip, try:
# rpm --setperms {package}
# rpm --setperms zip

To rest ownership run:
# rpm --setugids {package}
# rpm --setugids zip

Sample Session:

Fig.01: Reset file permissions and ownership of installed Package
Fig.01: Reset file permissions and ownership of installed Package

Above command, combinations should reset all the permissions to the default permissions under a CentOS / RHEL / Fedora Linux.

A note about Debian / Ubuntu Linux distributions

Only rpm command / Solaris pkg and AIX command support package file permission reset option. However, the apt command, dpkg or apt-get command doesn’t support this option.

Solaris Unix command example

Boot Solaris / OpenSolaris box in single user mode. Mount /usr and other filesystem:
mount / /a
mount /usr /a/usr
mount /var/ /a/var
mount /opt /a/opt

Login as the root, enter:
pkgchk -R /a -f
Please note that the pkgchk command does not restore setuid, setgid, and sticky bits. These must be set manually. Read the pkgchk command man page for more information:
man pkgchk

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

21 comment

  1. nice tip. Here is how I verified by changing tar packag perms to raj:raj and again restored back the same:

    f=`rpm -ql tar`
    for p in $f; do chmod raj:raj $p; done
    for p in $f; do ll $p; done
    for p in `rpm -qa`; do rpm --setugids $p; done

    “ are back-ticks not single quotes (look under the tidle (~) character.)

    babai!

  2. I would like to add another usefull related rpm option: Verify. The verify rpm option could tell you what file was changed since it was installed.
    For instance, rpm -qV openssh tells you what and how the files from openssh package are different from the original installation:

    [email protected]:~>rpm -qV openssh
    S.5....T c /etc/ssh/ssh_config
    S.5....T c /etc/ssh/sshd_config
    [email protected]:~>

    In this case, the c indicates a configuration file. The S indicates the size differs, the 5 indicates a MD5SUM differs, and the T indicates the mTime differs. Other characters, MDLUG, could indicates the Mode differs, the Device major/minor differs, a Link differs, and the User and/or Group differs.

  3. A HUGE thank you for saving me hours of time.

    Just finished installing a Centos 5.1 server, and stupidly executed a CHMOD -R 770 * in the / directory.

    You’d be amazed at how many things that will break! (well, I was).

    This article saved me doing a rebuild. THANK YOU!!

    -Adam

  4. You may want to flip the order in which you change mod and u/gid since setting a mode like 2755 will be undone if you change the u/gid.

    Run

    for p in $(rpm -qa); do rpm –setugids $p; done

    before

    for p in $(rpm -qa); do rpm –setperms $p; done

    1. …let’s change that to _definitely_ rather than “may”.

      You DEFINITELY want to flip the order in which you run these.

      Permissions corrections enacted by –setperms will get blown away by subsequent u/g corrections enacted by –setugids.

      Getting the order correct, and combining this into a one-liner, we have:

      for p in $(rpm -qa); do rpm รขโ‚ฌโ€œsetugids $p; rpm รขโ‚ฌโ€œsetperms $p; done

    2. yes this is absolutely necessary.
      keep in mind that not just chown but also chgrp drops both SUID and SGID bit although you change just the group and not the owner.
      note also, that this procedure does not affect files in directories like /var /tmp /dev /proc etc. Permissions in directories with variable data must be restored manually or may be restored by restarting the machine.

  5. Thanks for taking the time to put this solution together… I was on my CentOS VPS changing permissions to secure down a drupal install and forgot for a moment that “/” meant the root of the server not the directory i was cd’d to… I accidently started chmoding the entire server to 777 ๐Ÿ™ not good..

    SSH stopped working so i went onto the VPS web-based serial console and ran your commands… everything including ssh started working again!

    Nearing the end of 2011 and yet again you’ve saved a server ๐Ÿ™‚ thanks very much!

  6. I got a question for you then.. what if I do chmod -x /bin/chmod ??? None of the rpm –setperms commands you listed won’t work… My questions is how can I repair the permission of /bin/chmod with RPM ??

    PS: it’s a production server and I cannot go to rescue mode… I know the work around using perl but expecting an answer how to fix via RPM only..

  7. So both apt and dpkg don’t support this feature – Can I just install rpm on Ubuntu so that I can use it, or can it then only keep track of files I installed with rpm?

Leave a Comment