Sometimes by mistakes, all package file permissions get changed, and you need to restore file permission. For example, a shell script or some sort of corruption could alter the permissions for packages installed files, it may be necessary to reset them.
For example a long time ago my shell script ran chmod and chown commands on /usr and changed the permission. Luckily rpm command can reset package permission. Sun Solaris pkg command and IBM AIX can also reset permissions.
Please note that this troubleshooting tip is about resetting the permission of the installed package files and not about end users files stored in /home directory.
RPM syntax to fix permission
To reset permissions of files in a package, run the following rpm command:
rpm --setperms {packagename}
RPM syntax to fix file ownership
To set user/group ownership of files in a package, enter:
rpm --setugids {packagename}List installed package
You can list all installed package with rpm -qa command:
rpm -qa
Sample outputs:
basesystem-10.0-4.el6.noarch tzdata-2017b-1.el6.noarch ncurses-libs-5.7-4.20090207.el6.x86_64 zlib-1.2.3-29.el6.x86_64 libacl-2.2.49-7.el6.x86_64 libsepol-2.0.41-4.el6.x86_64 libcom_err-1.41.12-23.el6.x86_64 libstdc++-4.4.7-18.el6.x86_64 libidn-1.18-2.el6.x86_64 xz-libs-4.999.9-0.5.beta.20091007git.el6.x86_64 libxml2-2.7.6-21.el6_8.1.x86_64 libuuid-2.17.2-12.28.el6.x86_64 p11-kit-trust-0.18.5-2.el6_5.2.x86_64 gmp-4.3.1-12.el6.x86_64 findutils-4.4.2-9.el6.x86_64 libselinux-utils-2.0.94-7.el6.x86_64 binutils-2.20.51.0.2-5.47.el6_9.1.x86_64 groff-1.18.1.4-21.el6.x86_64 cracklib-2.8.16-4.el6.x86_64 module-init-tools-3.9-26.el6.x86_64 ca-certificates-2016.2.10-65.4.el6.noarch krb5-libs-1.10.3-65.el6.x86_64 rpm-libs-4.8.0-55.el6.x86_64 gnupg2-2.0.14-8.el6.x86_64 ..... .. ...
List individual package file permission
You can list individual installed package file permission using following shell for loop (for example list file permission for zip package):
for f in $(rpm -ql zip); do ls -l $f; done
Sample outputs:
-rwxr-xr-x 1 root root 212048 Nov 10 2015 /usr/bin/zip -rwxr-xr-x 1 root root 107104 Nov 10 2015 /usr/bin/zipcloak -rwxr-xr-x 1 root root 98584 Nov 10 2015 /usr/bin/zipnote -rwxr-xr-x 1 root root 102680 Nov 10 2015 /usr/bin/zipsplit total 155 -rw-r--r-- 1 root root 210354 Jul 5 2008 CHANGES -rw-r--r-- 1 root root 3412 Mar 3 2007 LICENSE -rw-r--r-- 1 root root 12748 Jun 26 2008 README -rw-r--r-- 1 root root 6430 Mar 26 2008 README.CR -rw-r--r-- 1 root root 6675 Jun 12 2008 TODO -rw-r--r-- 1 root root 15731 Jul 1 2008 WHATSNEW -rw-r--r-- 1 root root 13167 Jun 12 2008 WHERE -rw-r--r-- 1 root root 3395 Dec 13 1996 algorith.txt -rw-r--r-- 1 root root 210354 Jul 5 2008 /usr/share/doc/zip-3.0/CHANGES -rw-r--r-- 1 root root 3412 Mar 3 2007 /usr/share/doc/zip-3.0/LICENSE -rw-r--r-- 1 root root 12748 Jun 26 2008 /usr/share/doc/zip-3.0/README -rw-r--r-- 1 root root 6430 Mar 26 2008 /usr/share/doc/zip-3.0/README.CR -rw-r--r-- 1 root root 6675 Jun 12 2008 /usr/share/doc/zip-3.0/TODO -rw-r--r-- 1 root root 15731 Jul 1 2008 /usr/share/doc/zip-3.0/WHATSNEW -rw-r--r-- 1 root root 13167 Jun 12 2008 /usr/share/doc/zip-3.0/WHERE -rw-r--r-- 1 root root 3395 Dec 13 1996 /usr/share/doc/zip-3.0/algorith.txt -rw-r--r-- 1 root root 28496 Jun 16 2008 /usr/share/man/man1/zip.1.gz -rw-r--r-- 1 root root 951 May 8 2008 /usr/share/man/man1/zipcloak.1.gz -rw-r--r-- 1 root root 793 May 8 2008 /usr/share/man/man1/zipnote.1.gz -rw-r--r-- 1 root root 596 May 8 2008 /usr/share/man/man1/zipsplit.1.gz
Reset the permissions of the all installed RPM packages
You need to use combination of rpm and a shell for loop command as follows:
for p in $(rpm -qa); do rpm --setperms $p; done
for p in $(rpm -qa); do rpm --setugids $p; done
Say if you mnaged to completely mess up file permissions for a given package named zip, try:
# rpm --setperms {package}
# rpm --setperms zip
To rest ownership run:
# rpm --setugids {package}
# rpm --setugids zip
Sample Session:
Fig.01: Reset file permissions and ownership of installed Package
A note about Debian / Ubuntu Linux distributions
Only rpm command / Solaris pkg and AIX command support package file permission reset option. However, the apt command, dpkg or apt-get command doesn’t support this option.
Solaris Unix command example
Boot Solaris / OpenSolaris box in single user mode. Mount /usr and other filesystem:
mount / /a
mount /usr /a/usr
mount /var/ /a/var
mount /opt /a/opt
Login as the root, enter:
pkgchk -R /a -f
Please note that the pkgchk command does not restore setuid, setgid, and sticky bits. These must be set manually. Read the pkgchk command man page for more information:
man pkgchk
- RSS feed or Weekly email newsletter
- Share to Twitter • Facebook • 21 comments... add one ↓
Linux 25 PHP Security Best Practices For Sys Admins
40 Linux Server Hardening Security Tips [2019 edition]
Linux Commands For Shared Library Management & Debugging Problem
30 Best Sources For Linux / *BSD / Unix Documentation On the Web
How to keep a detailed audit trail of what's being done on your Linux systems
Top 25 Nginx Web Server Best Security Practices
21 Examples To Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
nice tip. Here is how I verified by changing tar packag perms to raj:raj and again restored back the same:
“ are back-ticks not single quotes (look under the tidle (~) character.)
babai!
I would like to add another usefull related rpm option: Verify. The verify rpm option could tell you what file was changed since it was installed.
For instance,
rpm -qV opensshtells you what and how the files from openssh package are different from the original installation:root@bigslam:~>rpm -qV openssh
S.5....T c /etc/ssh/ssh_config
S.5....T c /etc/ssh/sshd_config
root@bigslam:~>
In this case, the
cindicates a configuration file. TheSindicates the size differs, the5indicates a MD5SUM differs, and theTindicates the mTime differs. Other characters,MDLUG, could indicates the Mode differs, the Device major/minor differs, a Link differs, and the User and/or Group differs.@raj and Miguel,
Thanks for sharing your tips 🙂
Thanks for the tips. Will rpm –setperms`rpm -qa` work as well?
A HUGE thank you for saving me hours of time.
Just finished installing a Centos 5.1 server, and stupidly executed a CHMOD -R 770 * in the / directory.
You’d be amazed at how many things that will break! (well, I was).
This article saved me doing a rebuild. THANK YOU!!
-Adam
Thank you for publishing this information you saved me a bounch of hours of work 🙂
Thanks
You may want to flip the order in which you change mod and u/gid since setting a mode like 2755 will be undone if you change the u/gid.
Run
for p in $(rpm -qa); do rpm –setugids $p; done
before
for p in $(rpm -qa); do rpm –setperms $p; done
…let’s change that to _definitely_ rather than “may”.
You DEFINITELY want to flip the order in which you run these.
Permissions corrections enacted by –setperms will get blown away by subsequent u/g corrections enacted by –setugids.
Getting the order correct, and combining this into a one-liner, we have:
yes this is absolutely necessary.
keep in mind that not just chown but also chgrp drops both SUID and SGID bit although you change just the group and not the owner.
note also, that this procedure does not affect files in directories like /var /tmp /dev /proc etc. Permissions in directories with variable data must be restored manually or may be restored by restarting the machine.
I prefer “rpm –setperms -a” to restore permissions of ALL packaged files.
Thanks very much for this! Saved me a lot of time and effort!
Thank you so much, your post has saved my server!
Almost middle of 2011 and your effort is still saving servers.
Thank you Vivek.
Thanks for this article Vivek 😀 😀
As noted above, this saved me tonnes of time and a rebuild that I really didn’t want to take on today 😛
for p in $(rpm -qa); do rpm –setugids $p; done
saves my ass !
after a wrong “chmod 440 /” i was’nt able to ssh to the machine just root login works
this fix’d it.
Gr8 work !!
Could you pls let us know.. how the rpm command gets installed rpm’s files default permission details .. there must some rpm db which will having permission details ..
Thanks for taking the time to put this solution together… I was on my CentOS VPS changing permissions to secure down a drupal install and forgot for a moment that “/” meant the root of the server not the directory i was cd’d to… I accidently started chmoding the entire server to 777 🙁 not good..
SSH stopped working so i went onto the VPS web-based serial console and ran your commands… everything including ssh started working again!
Nearing the end of 2011 and yet again you’ve saved a server 🙂 thanks very much!
I got a question for you then.. what if I do chmod -x /bin/chmod ??? None of the rpm –setperms commands you listed won’t work… My questions is how can I repair the permission of /bin/chmod with RPM ??
PS: it’s a production server and I cannot go to rescue mode… I know the work around using perl but expecting an answer how to fix via RPM only..
So both apt and dpkg don’t support this feature – Can I just install rpm on Ubuntu so that I can use it, or can it then only keep track of files I installed with rpm?
permissions on Debian/Ubuntu can be fixed with “apt-get reinstall pkgname”
I love you so much!
Tks
XD