[GH-ISSUE #899] Permissions #719

Closed
opened 2026-02-27 02:03:20 +03:00 by kerem · 25 comments

Originally created by @JimTR on GitHub (Jun 24, 2016).
Original GitHub issue: https://github.com/GameServerManagers/LinuxGSM/issues/899

I am perhaps trying to do something the script is not capable of.

On reflection of the fastdl module, I set up a standard Apache install on Ubuntu, added a folder to var/www/html via a user other than the default www-data, and installed the game server there. So the path is /var/www/html/gmod and the user is gamer with a group of gamer. All works OK until you actually try to run the script as www-data (the Apache user). The script returns:

```
Current script owner: gamer
current user is www-data
we are going to do st
Please Wait starting server
[ FAIL ] Starting gmod-server: Oops ! Ownership issue...

  • Current - www-data - user or its group(s) - www-data gamer hv test - does not own "gmodserver"
  • To check the owner and allowed groups, run ls -l "gmodserver"
```

As you can see, the script indicates an ownership issue even though the executing user belongs to the script owner's group (in this case user 'www-data' is in the group 'gamer'). Should this user be able to run the script, as the user belongs to a valid group? Or does the script only run as the respective user, and the error message should not show or imply that only a group is required to run the script?


@UltimateByte commented on GitHub (Jun 25, 2016):

For now, the script wants the user to be the owner as this is how the script is intended to be used in the first place. Maybe that rule should be more relaxed for more fancy uses. :o))


@dgibbs64 commented on GitHub (Jun 25, 2016):

I need to review this code as the function doesn't fully comply with how I want the permissions checker to be. @UltimateByte don't worry, it's a decent function. I'm just very fussy.


@UltimateByte commented on GitHub (Jun 25, 2016):

@dgibbs64 I don't feel offended, it for sure can be improved. ^^


@jaredballou commented on GitHub (Jun 27, 2016):

The way I handle this on my managed servers is as such:

  • Create a shared FastDL location for my game servers, like /opt/fastdl
  • Set the permissions via ACL so that game server manager can write
  • Run sync script to move non-standard maps to this location, and symlink each file back to ~/serverfiles/$GAME/maps/
  • Have an Apache conf.d snippet that creates an alias and sets permissions for users to read and download those files, with indexes.

This way I don't have to do any weird things like give gameserver users www-data group access, or deal with duplicate files. I also don't need to give www-data any permissions to my game server users' files, which is my biggest concern. The primary use of these servers is games, so I worry more about a compromised Apache screwing up game servers than game servers screwing up Apache.
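
Added example (not part of the comment above and not LinuxGSM code): a sketch of the sync step in that workflow, moving custom maps into the shared FastDL directory and symlinking them back. The `gameserver` user, the `/opt/fastdl` path in the comments and the stock-map list file are assumptions for illustration.

```bash
#!/bin/sh
# Added example, not LinuxGSM code. One-time setup as root so the game server
# user can write to the shared directory (user and path are assumptions):
#   setfacl -m u:gameserver:rwx /opt/fastdl
#   setfacl -d -m u:gameserver:rwx /opt/fastdl
# The web server only reads /opt/fastdl and gets no access to the game
# server user's home directory.

# fastdl_sync MAPS_DIR FASTDL_DIR STOCK_LIST
# Moves every *.bsp in MAPS_DIR that is not named in STOCK_LIST (one file
# name per line) into FASTDL_DIR and leaves a symlink in its place.
# Prints the number of maps moved.
fastdl_sync() {
    local maps="$1" stock="$3" shared f name moved=0
    [ -d "$maps" ] && [ -d "$2" ] && [ -r "$stock" ] || return 2
    shared=$(cd "$2" && pwd) || return 2      # absolute symlink targets

    for f in "$maps"/*.bsp; do
        [ -L "$f" ] && continue               # already synced
        [ -f "$f" ] || continue               # unmatched glob or not a file
        name=${f##*/}
        if grep -qxF -- "$name" "$stock"; then
            continue                          # stock map stays in place
        fi
        if [ -e "$shared/$name" ]; then
            echo "skip $name: already present in $shared" >&2
            continue                          # never overwrite a shared file
        fi
        mv -- "$f" "$shared/$name" || continue
        chmod a+r -- "$shared/$name"          # web server needs read only
        ln -s -- "$shared/$name" "$f" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Usage (paths are assumptions):
#   fastdl_sync ~/serverfiles/garrysmod/maps /opt/fastdl ~/stock_maps.txt
```

Run it as the game server user, so both the moved files and the symlinks stay owned by that account.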


@JimTR commented on GitHub (Jun 27, 2016):

The issue here was the script indicated that the user group should be valid to run the script but it does not .. I am pointing out most game server installers don't want to mess about :- install & work that's all they want ...


@UltimateByte commented on GitHub (Jun 28, 2016):

The function is here
https://github.com/dgibbs64/linuxgsm/blob/master/lgsm/functions/check_permissions.sh
Feel free to pull request something that would solve your issue and keep it working in the current LGSM :)


@twinsuns commented on GitHub (Jul 16, 2016):

I have a similar problem and now can't start my server. I run a web control panel on my box and it auto adds the folders 'conf' and 'mail' to the home dir of every user it creates. These folders have root ownership which I can't change and therefore the server fails to start.

Is there a way we can add files and folders to be excluded from the permissions check?


@dgibbs64 commented on GitHub (Jul 16, 2016):

I will take a look at this for you


@dgibbs64 commented on GitHub (Jul 16, 2016):

@twinsuns please create a new issue as this is not related to your problem; also update your functions. I have just made a change that should resolve your issue.


@UltimateByte commented on GitHub (Aug 27, 2016):

This should be solved now, as there is now a selective permission check.
Re-open if needed, but I don't think so. :)


@hitmany commented on GitHub (Oct 10, 2016):

Hello, where can I select to disable checking ownership?


@UltimateByte commented on GitHub (Oct 10, 2016):

@hitmany What for ?


@hitmany commented on GitHub (Oct 11, 2016):

@UltimateByte It's frustrating me))) srly, I have a lot of servers on 1 dedic server (each game server using a different user) and when I upload new files to a game server directory I can't start/stop/watch console - all commands throw an ownership error
Hate it)


@UltimateByte commented on GitHub (Oct 11, 2016):

@hitmany this is not a valid reason, learn how to manage your files properly

https://github.com/GameServerManagers/LinuxGSM/wiki/File-Ownership
https://github.com/GameServerManagers/LinuxGSM/wiki/FTP-SCP

Don't use ftp, use sftp, and more than anything else, use it as the user you're working on not as root, ever. Don't do that ever again. If you need to edit root files use ssh as anyone rational. That said, use ssh to edit files rather than an sftp, use sftp only to upload files.


@hitmany commented on GitHub (Oct 11, 2016):

@UltimateByte I am using SFTP only, but for each server I must use different users
For example:
I have 5 servers on LGSM, each server has own user(user1,user2,user3,user4)
I must update servers extension in one time, what I must do to prevent your ownership errors:

  1. login as user1 and upload extensions to server1
  2. reconnect WinSCP and login as user2 and upload extensions to server2
    ))))

@UltimateByte commented on GitHub (Oct 11, 2016):

I use filezilla and save users credentials, problem solved. Filezilla supports sftp.
Otherwise try to download and edit from the user directly with su - user then nano, wget, unzip, cp, mv... Problem solved again.


@hitmany commented on GitHub (Oct 11, 2016):

@UltimateByte okay if you wont to add this feature its not problem


@JimTR commented on GitHub (Oct 11, 2016):

I totally understand
I have 5 servers on LGSM, each server has own user(user1,user2,user3,user4)
I must update servers extension in one time, what I must do to prevent your ownership errors:

  1. login as user1 and upload extensions to server1
  2. reconnect WinSCP and login as user2 and upload extensions to server2

I really don't see why this is not possible

@hitmany commented on GitHub (Oct 11, 2016):

Guys I am not forcing you to do a new feature if its difficult to add a few lines of code
Thank you for great LGSM


@JimTR commented on GitHub (Oct 11, 2016):

I have nothing to do with the project .. I just interjected that your issue is valid and should be addressed


@dgibbs64 commented on GitHub (Oct 11, 2016):

@hitmany You can use one username if you like. As long as it's not a root user. Something like `/home/csgoserver/server1` `/home/csgoserver/server2`


@JimTR commented on GitHub (Oct 11, 2016):

@dgibbs64 read: -
I must update servers extension in one time, what I must do to prevent your ownership errors:
I guess the OP is using pooled data to use across servers in order to conserve disk space which I guess is the smart way to go if you are running multiple servers of the same type perhaps there should be a data 'pool' for multiple servers (symlinks) rather than just multiple installs of the same files


@cedarlug commented on GitHub (Oct 12, 2016):

Why not use rsync? It's the tool made for this purpose. Set up ssh key access for root on one server to have key-based (`without-password` setting in sshd.conf) access to your other servers (the default in Debian now).

Then:

```bash
rsync -larv -e "ssh -i ~/.ssh/gameserver-key" --usermap=gameserver1:gameserver2 --groupmap=gameserver1:gameserver2 --chmod=a+rwx,g+rwx,o-wrx /home/gameserver1/ root@server2.com:/home/gameserver2/
```

This also works to move files between server deployments on the same system - just skip the -e flag and omit the "root@server2.com:" prefix.

The usermap changes gameserver1-owned files to gameserver2-ownership on the target. The chmod option above represents 770 permission to be set on the target.

Edit: Needed the trailing slash on the source directory. Fixed Grammar-o.


@UltimateByte commented on GitHub (Oct 12, 2016):

What we could do, is disable ownership checks on symlinked files in serverfiles, if it's not already the case.

However, disabling ownership checks would not discourage inexperienced users from bad practices, which is the main reason why we added this in the first place. Remember that wrong ownerships on logs can prevent log rotation, wrong ownerships on functions can prevent lgsm updates, wrong ownerships on server files can prevent server update or server backup... Many people underestimate those consequences of a bad ownership, and some people would even try to solve it with chmod 777... For all these reasons, I suggest not allowing the user to turn off ownership detection with an option because lazy people and newbies would then come back with their ownership issues, and I think we got better things to do than support this kind of stuff if the script can do kinda auto support.

The only thing that would need to be solved is the case of wrong positives, such as symlinks.

So my question is : does LGSM cause a positive ownership alert if a symlink of a file from another user is found ?

Ultimately, if you have addons to update and they are in a zip format, and you can overwrite any file from it, then you can use something like my simple zip updater and cronjob it instead.
https://github.com/UltimateByte/zip-updater
You can even add a `/home/gameserver/gameserver fu` at the end of it to do the server update right after, or better, stop the server before zip updating functions, then update, then start.
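
Added example (not from the thread and not LinuxGSM's `check_permissions.sh`): the owner-versus-group distinction from the original report and the symlink question above, as two small shell functions. It assumes GNU `stat` and `find`; the function names and the `group-rx`/`group-only` labels are made up here.

```bash
#!/bin/sh
# Added example, not LinuxGSM code. Assumes GNU stat and find.

# access_class PATH UID "GID ..."
# Prints how the given uid and group ids relate to PATH:
#   owner       uid owns the file
#   group-rx    not owner, but in the file's group and the group has r+x
#   group-only  in the file's group, but the mode lacks group r or x
#   none        neither owner nor group member
# stat is called without -L, so a symlink is judged by its own ownership.
access_class() {
    local path="$1" uid="$2" gids="$3" info g gbits
    info=$(stat -c '%u %g %a' -- "$path") || return 2
    set -- $info                      # $1=owner uid  $2=gid  $3=octal mode
    if [ "$1" = "$uid" ]; then
        echo owner
        return 0
    fi
    for g in $gids; do
        if [ "$g" = "$2" ]; then
            gbits=$(( (0$3 >> 3) & 7 ))   # middle octal digit of the mode
            if [ $(( gbits & 5 )) -eq 5 ]; then
                echo group-rx
            else
                echo group-only
            fi
            return 0
        fi
    done
    echo none
}

# ownership_mismatches DIR UID [follow]
# Lists everything under DIR not owned by UID. By default find does not
# follow symlinks, so a link owned by UID passes even when its target belongs
# to someone else; with "follow" (find -L) the target's owner is checked.
ownership_mismatches() {
    if [ "${3:-}" = follow ]; then
        find -L "$1" ! -uid "$2"
    else
        find "$1" ! -uid "$2"
    fi
}

# How does the invoking user relate to the current directory?
access_class . "$(id -u)" "$(id -G)"
```

A check that accepts only `owner` rejects a group member such as `www-data` even when the mode would let that account execute the file, which is the mismatch between check and error message reported at the top of the thread.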

@lock[bot] commented on GitHub (Jul 19, 2018):

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
