Uly.me

cloud engineer

permissions

AWS S3 Bucket Permission

I was getting this error when downloading a file from a S3 bucket.

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

Turns out to be a permission issue. Use –acl bucket-owner-full-control.

# UPLOAD
aws s3 cp file.txt s3://bucket-name/dir/ --acl bucket-owner-full-control
upload: .\file.txt to s3://bucket-name/dir/fw.sh
# DOWNLOAD
aws s3 cp s3://bucket-name/dir/file.txt . --acl bucket-owner-full-control
download: s3://bucket-name/dir/file.txt to .\file.txt

You need to do for both upload and download.

AWS RDS Backup Permission

Here’s the IAM policy to allow RDS Backup or create a snapshot on AWS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:RestoreDBClusterFromSnapshot",
		"rds:DescribeDBSnapshots",
		"rds:CopyDBSnapshot",
		"rds:CopyDBClusterSnapshot",
		"rds:DeleteDBSnapshot",
		"rds:DeleteDBClusterSnapshot",
		"rds:CreateDBSnapshot",
		"rds:RestoreDBInstanceFromDBSnapshot",
		"rds:CreateDBInstance",
		"rds:DescribeDBClusterSnapshots",
		"rds:DescribeDBInstances",
		"rds:DescribeDBClusters",
		"rds:DeleteDBInstance",
		"rds:CreateDBClusterSnapshot",
		"rds:ModifyDBSnapshotAttribute",
		"rds:ModifyDBClusterSnapshotAttribute",
		"rds:ListTagsForResource",
		"rds:DeleteDBCluster",
		"ec2:DescribeSecurityGroups",
		"ec2:DescribeRegions",
		"ec2:DescribeAvailabilityZones",
		"ec2:DescribeVpcs",
		"ec2:DescribeAccountAttributes",
		"ec2:DescribeSubnets",
		"iam:GetUser",
		"iam:GetAccountAuthorizationDetails",
		"kms:ReEncrypt*",
		"kms:GenerateDataKey*",
		"kms:CreateGrant",
		"kms:DescribeKey*",
		"kms:ListKeys",
		"kms:ListAliases",
		"kms:Encrypt",
		"kms:Decrypt",
		"kms:GenerateDataKeyWithoutPlaintext",
		"kms:ListKeys",
		"kms:ListAliases",
		"kms:ListResourceTags"
            ],
            "Resource": "*"
        }
    ]
}

Copy Files Using Rsync

Here’s how to copy files from one directory to another.

rsync -arvz /dir1 /dir2 >> /tmp/rsync.log &

Format: rsynch –options source destination

Options

  • -a archive mode
  • -v verbose
  • -p keep permissions
  • -z zipped during transfer
  • -r recursive

Display Octal Permissions

If you’re working on the command line, listing a directory to display permissions of files is not always the most user-friendly. Here’s an example of listing the files in a directory using the ‘ls -al’ command.

$ ls -al
total 20
drwxrwsr-x  2 ulysses www-data 4096 Feb 26 13:31 .
drwxrwsr-x 10 ulysses www-data 4096 Feb 26 02:30 ..
-rw-rw-r--  1 ulysses www-data    0 Feb 26 13:31 display.txt
-rwxrwxr-x  1 ulysses ulysses   659 Dec  3 06:40 sync_com.sh
-rw-r--r--  1 ulysses ulysses   181 Feb 26 13:26 sync_db.sh
-rwxrwxr-x  1 ulysses ulysses   244 Feb 26 13:23 sync_s3.sh

There has to be a better way to display permissions?

Well, there is. It’s a command called “stat” that displays the detailed status about a file or file system. On one of the switches of the stat command, is an option that allows you to display the file status in human readable format. Here’s an example using the stat from the command line.

$ stat -c '%A %a %n' *
664 display.txt
775 sync_com.sh
644 sync_db.sh
775 sync_s3.sh

The result is a list of files in a directory with the file permissions in human readable format!

Fix WordPress Permissions

Here’s the recommended permissions for WordPress.

Permissions

Directories = 755
Files = 644

Install From Scratch

If you’re starting from scratch, follow the instructions below.

Assuming you’re logged in as normal user. Use sudo to execute commands as superuser.

cd /var/www/
sudo wget https://wordpress.org/latest.tar.gz
sudo tar -xzvf latest.tar.gz
sudo chown -R www-data:www-data wordpress

Fix Current

If your permissions are wrong, then perform the following.

sudo find /var/www/wordpress/ -type d -exec chmod 755 {} \
sudo find /var/www/wordpress/ -type f -exec chmod 644 {} \