Amazon EC2 – How to Recover Access to Ubuntu Instance Locked Out Due to /home Permissions

amazon ec2file-permissionsUbuntu

I was showing my kids some basic things about directory permissions on an EC2 ubuntu instance, and did this

$ sudo chmod 700 /home

Then demonstrated that I could no longer cd to my home directory because permission was denied.

Then I inadvertantly disconnected from the EC2 instance. Now I cannot log back in because the sshd on the ubuntu side cannot access my /home/ubuntu/.ssh/authorized_keys file. I've tried to think about workarounds, but I'm out of ideas.

I am prepared to delete and recreate the entire instance, but would much rather salvage this one if possible. Any ideas?!

Best Answer

Following Tim's suggestion:

I clicked Launch Instance to create a new instance. I just took whatever the first AMI was listed (some Amazon version of Linux) and created it with defaults, using a keypair I had already on hand.

I then clicked on Volumes and detached the EBS volume from my hosed machine. This took about 30 secs. Then I selected Attach Volume and I attached it to the new instance as /dev/sdf. Then I sshed into the new instance.

In the new instance I typed

$ sudo mkdir /caribou
$ sudo mount /dev/sdf1 /caribou
$ cd /caribou
$ sudo chmod 755 home

That repaired the /home dir permissions.

I then went back to the EC2 console, detached the EBS volume from the Amazon instance and re-attached it to my original Ubuntu instance as /dev/sda1. Then I started the old instance and logged in, with everything fixed.

Took 30 mins including time to figure out all of the above. Thanks to Tim.

Default User Home Directory Permissions

So it seems that the default permissions on user home directories in Ubuntu 12.04 is 700. Nginx needs to have read permission the files that should be served AND have execute permission in each of the parent directories along the path from the root to the served files.

You can give your user directory these permissions by running

chmod 701 user_home

You may also use 755, which is the default permission setting on the home directory on many systems.

The directories/files in your web root can belong to the www-data user or your regular personal user as long as the user/group that nginx runs as (as defined in nginx.conf) has READ permission on all files to be served and execute permission on all web root directories.

I just set all directories in my web root to be owned by my user account and have permissions 755 and I set all files to be served from the web root to have permissions 664 since these were the defaults on my machine.

Note on Converting Permission numbers to String Rep.

Ex. drwxr-x--x becomes 751.

Ignore the first character (d for directory, - for file, etc). The remaining 9 characters form a binary triplet where any non-dash character is a 1 and a dash is a 0.

So drwxr-x--x becomes rwxr-x--x 
becomes 111 101 001 
which is converted to a decimal 751

I needed a refresher on this when I was dealing with permissions.

Best Answer

Related Solutions

Ssh – Ubuntu EC2 instance, changed root home directory and now unable to SSH in

Nginx 403 Forbidden Error hosting in User Home Directory

Default User Home Directory Permissions

Note on Converting Permission numbers to String Rep.

Related Topic