How to: Linux reset the permissions of the installed rpm packages with –setperms option

Sometimes by mistakes, all package file permissions get changed, and you need to restore file permission. For example, a shell script or some sort of corruption could alter the permissions for packages installed files, it may be necessary to reset them.

For example a long time ago my shell script ran chmod and chown commands on /usr and changed the permission. Luckily rpm command can reset package permission. Sun Solaris pkg command and IBM AIX can also reset permissions.

ADVERTISEMENTS

Please note that this troubleshooting tip is about resetting the permission of the installed package files and not about end users files stored in /home directory.

RPM syntax to fix permission

To reset permissions of files in a package, run the following rpm command:
rpm --setperms {packagename}

RPM syntax to fix file ownership

To set user/group ownership of files in a package, enter:

rpm --setugids {packagename}

List installed package

You can list all installed package with rpm -qa command:
rpm -qa
Sample outputs:

basesystem-10.0-4.el6.noarch
tzdata-2017b-1.el6.noarch
ncurses-libs-5.7-4.20090207.el6.x86_64
zlib-1.2.3-29.el6.x86_64
libacl-2.2.49-7.el6.x86_64
libsepol-2.0.41-4.el6.x86_64
libcom_err-1.41.12-23.el6.x86_64
libstdc++-4.4.7-18.el6.x86_64
libidn-1.18-2.el6.x86_64
xz-libs-4.999.9-0.5.beta.20091007git.el6.x86_64
libxml2-2.7.6-21.el6_8.1.x86_64
libuuid-2.17.2-12.28.el6.x86_64
p11-kit-trust-0.18.5-2.el6_5.2.x86_64
gmp-4.3.1-12.el6.x86_64
findutils-4.4.2-9.el6.x86_64
libselinux-utils-2.0.94-7.el6.x86_64
binutils-2.20.51.0.2-5.47.el6_9.1.x86_64
groff-1.18.1.4-21.el6.x86_64
cracklib-2.8.16-4.el6.x86_64
module-init-tools-3.9-26.el6.x86_64
ca-certificates-2016.2.10-65.4.el6.noarch
krb5-libs-1.10.3-65.el6.x86_64
rpm-libs-4.8.0-55.el6.x86_64
gnupg2-2.0.14-8.el6.x86_64
.....
..
...

List individual package file permission

You can list individual installed package file permission using following shell for loop (for example list file permission for zip package):
for f in $(rpm -ql zip); do ls -l $f; done
Sample outputs:

-rwxr-xr-x 1 root root 212048 Nov 10  2015 /usr/bin/zip
-rwxr-xr-x 1 root root 107104 Nov 10  2015 /usr/bin/zipcloak
-rwxr-xr-x 1 root root 98584 Nov 10  2015 /usr/bin/zipnote
-rwxr-xr-x 1 root root 102680 Nov 10  2015 /usr/bin/zipsplit
total 155
-rw-r--r-- 1 root root 210354 Jul  5  2008 CHANGES
-rw-r--r-- 1 root root   3412 Mar  3  2007 LICENSE
-rw-r--r-- 1 root root  12748 Jun 26  2008 README
-rw-r--r-- 1 root root   6430 Mar 26  2008 README.CR
-rw-r--r-- 1 root root   6675 Jun 12  2008 TODO
-rw-r--r-- 1 root root  15731 Jul  1  2008 WHATSNEW
-rw-r--r-- 1 root root  13167 Jun 12  2008 WHERE
-rw-r--r-- 1 root root   3395 Dec 13  1996 algorith.txt
-rw-r--r-- 1 root root 210354 Jul  5  2008 /usr/share/doc/zip-3.0/CHANGES
-rw-r--r-- 1 root root 3412 Mar  3  2007 /usr/share/doc/zip-3.0/LICENSE
-rw-r--r-- 1 root root 12748 Jun 26  2008 /usr/share/doc/zip-3.0/README
-rw-r--r-- 1 root root 6430 Mar 26  2008 /usr/share/doc/zip-3.0/README.CR
-rw-r--r-- 1 root root 6675 Jun 12  2008 /usr/share/doc/zip-3.0/TODO
-rw-r--r-- 1 root root 15731 Jul  1  2008 /usr/share/doc/zip-3.0/WHATSNEW
-rw-r--r-- 1 root root 13167 Jun 12  2008 /usr/share/doc/zip-3.0/WHERE
-rw-r--r-- 1 root root 3395 Dec 13  1996 /usr/share/doc/zip-3.0/algorith.txt
-rw-r--r-- 1 root root 28496 Jun 16  2008 /usr/share/man/man1/zip.1.gz
-rw-r--r-- 1 root root 951 May  8  2008 /usr/share/man/man1/zipcloak.1.gz
-rw-r--r-- 1 root root 793 May  8  2008 /usr/share/man/man1/zipnote.1.gz
-rw-r--r-- 1 root root 596 May  8  2008 /usr/share/man/man1/zipsplit.1.gz

Reset the permissions of the all installed RPM packages

You need to use combination of rpm and a shell for loop command as follows:
for p in $(rpm -qa); do rpm --setperms $p; done
for p in $(rpm -qa); do rpm --setugids $p; done

Say if you mnaged to completely mess up file permissions for a given package named zip, try:
# rpm --setperms {package}
# rpm --setperms zip

To rest ownership run:
# rpm --setugids {package}
# rpm --setugids zip

Sample Session:

Fig.01: Reset file permissions and ownership of installed Package

Fig.01: Reset file permissions and ownership of installed Package

Above command, combinations should reset all the permissions to the default permissions under a CentOS / RHEL / Fedora Linux.

A note about Debian / Ubuntu Linux distributions

Only rpm command / Solaris pkg and AIX command support package file permission reset option. However, the apt command, dpkg or apt-get command doesn’t support this option.

Solaris Unix command example

Boot Solaris / OpenSolaris box in single user mode. Mount /usr and other filesystem:
mount / /a
mount /usr /a/usr
mount /var/ /a/var
mount /opt /a/opt

Login as the root, enter:
pkgchk -R /a -f
Please note that the pkgchk command does not restore setuid, setgid, and sticky bits. These must be set manually. Read the pkgchk command man page for more information:
man pkgchk

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source & DevOps topics via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
21 comments… add one
  • raj Aug 28, 2007 @ 10:13

    nice tip. Here is how I verified by changing tar packag perms to raj:raj and again restored back the same:

    f=`rpm -ql tar`
    for p in $f; do chmod raj:raj $p; done
    for p in $f; do ll $p; done
    for p in `rpm -qa`; do rpm --setugids $p; done

    “ are back-ticks not single quotes (look under the tidle (~) character.)

    babai!

  • Miguel Rozsas Aug 29, 2007 @ 17:17

    I would like to add another usefull related rpm option: Verify. The verify rpm option could tell you what file was changed since it was installed.
    For instance, rpm -qV openssh tells you what and how the files from openssh package are different from the original installation:

    root@bigslam:~>rpm -qV openssh
    S.5....T c /etc/ssh/ssh_config
    S.5....T c /etc/ssh/sshd_config
    root@bigslam:~>

    In this case, the c indicates a configuration file. The S indicates the size differs, the 5 indicates a MD5SUM differs, and the T indicates the mTime differs. Other characters, MDLUG, could indicates the Mode differs, the Device major/minor differs, a Link differs, and the User and/or Group differs.

  • 🐧 nixCraft Aug 29, 2007 @ 17:48

    @raj and Miguel,

    Thanks for sharing your tips 🙂

  • Imran M Yousuf Nov 11, 2007 @ 10:44

    Thanks for the tips. Will rpm –setperms`rpm -qa` work as well?

  • Adam Apr 15, 2008 @ 0:29

    A HUGE thank you for saving me hours of time.

    Just finished installing a Centos 5.1 server, and stupidly executed a CHMOD -R 770 * in the / directory.

    You’d be amazed at how many things that will break! (well, I was).

    This article saved me doing a rebuild. THANK YOU!!

    -Adam

  • Magnus Dec 1, 2008 @ 14:13

    Thank you for publishing this information you saved me a bounch of hours of work 🙂

    Thanks

  • James Jan 14, 2009 @ 16:45

    You may want to flip the order in which you change mod and u/gid since setting a mode like 2755 will be undone if you change the u/gid.

    Run

    for p in $(rpm -qa); do rpm –setugids $p; done

    before

    for p in $(rpm -qa); do rpm –setperms $p; done

    • Paul Reiber Nov 23, 2011 @ 19:38

      …let’s change that to _definitely_ rather than “may”.

      You DEFINITELY want to flip the order in which you run these.

      Permissions corrections enacted by –setperms will get blown away by subsequent u/g corrections enacted by –setugids.

      Getting the order correct, and combining this into a one-liner, we have:

      for p in $(rpm -qa); do rpm –setugids $p; rpm –setperms $p; done

    • Jiri Feb 20, 2015 @ 6:04

      yes this is absolutely necessary.
      keep in mind that not just chown but also chgrp drops both SUID and SGID bit although you change just the group and not the owner.
      note also, that this procedure does not affect files in directories like /var /tmp /dev /proc etc. Permissions in directories with variable data must be restored manually or may be restored by restarting the machine.

  • Semi Apr 14, 2009 @ 5:30

    I prefer “rpm –setperms -a” to restore permissions of ALL packaged files.

  • Paul Mar 31, 2010 @ 4:06

    Thanks very much for this! Saved me a lot of time and effort!

  • Chris Aug 28, 2010 @ 11:14

    Thank you so much, your post has saved my server!

  • Pedro Sousa May 10, 2011 @ 9:23

    Almost middle of 2011 and your effort is still saving servers.

    Thank you Vivek.

  • Bryan Sutherland Jun 4, 2011 @ 23:32

    Thanks for this article Vivek 😀 😀
    As noted above, this saved me tonnes of time and a rebuild that I really didn’t want to take on today 😛

  • marc Sep 29, 2011 @ 20:44

    for p in $(rpm -qa); do rpm –setugids $p; done
    saves my ass !
    after a wrong “chmod 440 /” i was’nt able to ssh to the machine just root login works
    this fix’d it.

  • Tux Amit Nov 28, 2011 @ 10:36

    Gr8 work !!

    Could you pls let us know.. how the rpm command gets installed rpm’s files default permission details .. there must some rpm db which will having permission details ..

  • Kevin Andrews Dec 19, 2011 @ 22:02

    Thanks for taking the time to put this solution together… I was on my CentOS VPS changing permissions to secure down a drupal install and forgot for a moment that “/” meant the root of the server not the directory i was cd’d to… I accidently started chmoding the entire server to 777 🙁 not good..

    SSH stopped working so i went onto the VPS web-based serial console and ran your commands… everything including ssh started working again!

    Nearing the end of 2011 and yet again you’ve saved a server 🙂 thanks very much!

  • Maju Jul 27, 2012 @ 22:27

    I got a question for you then.. what if I do chmod -x /bin/chmod ??? None of the rpm –setperms commands you listed won’t work… My questions is how can I repair the permission of /bin/chmod with RPM ??

    PS: it’s a production server and I cannot go to rescue mode… I know the work around using perl but expecting an answer how to fix via RPM only..

  • Anonymous User Jan 13, 2014 @ 21:23

    So both apt and dpkg don’t support this feature – Can I just install rpm on Ubuntu so that I can use it, or can it then only keep track of files I installed with rpm?

  • Alastair Irvine Oct 23, 2015 @ 6:42

    permissions on Debian/Ubuntu can be fixed with “apt-get reinstall pkgname”

  • Victor Jun 1, 2017 @ 0:40

    I love you so much!
    Tks
    XD

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.