8

I was configuring an SSL certificate on a server and, while following the documentation, I accidentally pasted a terminal command without checking it.

sudo chmod 600 / usr/local/nginx/ssl/my-ssl.key

It immediately kicked me out of the server because I guess this resulted in changing the permissions of the Ubuntu root folder. What can I do?

EDIT: I used the chmod command, not chown

Roko
  • 183

1 Answer

11

In case sudo does not work, this needs to be done from a live session.

If this is a cloud instance you need to go to the cloud console, create a new instance, mount your disk in the new instance and then fix it on the mountpoint. After that re-attach the disk to boot from it.

Everything in / except for mountpoints is set to root so this will revert your command:

sudo chown root / 

Then do a

sudo chown $USER {mountpoints}

for every mountpoint you have.


edit: When using chmod:

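# Modes match the listing below
sudo chmod 1777 /tmp/                # drwxrwxrwt: world-writable with the sticky bit
sudo chmod 755 /lib*/ /sbin/ /bin/   # symlinks: chmod acts on their targets under /usr
sudo chmod 775 /cdrom/
sudo chmod 755 /usr/ /srv/ /snap/ /run/ /opt/ /mnt/
sudo chmod 755 /media/ /home/ /etc/ /dev/ /boot/
# /sys/ and /proc/ are kernel-provided (dr-xr-xr-x) and are left alone
sudo chmod 700 /root/ /lost+found/
sudo chmod 600 /swapfile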

In case I missed anything, this is what it should look like:

drwxr-xr-x  14 root     root           4096 mrt 30  2022 usr
drwxr-xr-x   2 root     root           4096 mrt 30  2022 srv
drwxr-xr-x   2 root     root           4096 mrt 30  2022 mnt
drwxr-xr-x  14 root     root           4096 mrt 30  2022 var
drwx------   2 root     root          16384 apr  3  2022 lost+found
-rw-------   1 root     root     1942548480 apr  3  2022 swapfile
lrwxrwxrwx   1 root     root              8 apr  3  2022 sbin -> usr/sbin
lrwxrwxrwx   1 root     root             10 apr  3  2022 libx32 -> usr/libx32
lrwxrwxrwx   1 root     root              9 apr  3  2022 lib64 -> usr/lib64
lrwxrwxrwx   1 root     root              9 apr  3  2022 lib32 -> usr/lib32
lrwxrwxrwx   1 root     root              7 apr  3  2022 lib -> usr/lib
lrwxrwxrwx   1 root     root              7 apr  3  2022 bin -> usr/bin
drwxrwxr-x   2 root     root           4096 apr  3  2022 cdrom
drwxr-xr-x   3 root     root           4096 apr  3  2022 home
drwxr-xr-x   3 root     root           4096 apr  8 20:29 media
drwxr-xr-x  14 root     root           4096 apr 18 08:35 snap
drwx------   7 root     root           4096 jul 18 20:33 root
drwxr-xr-x   4 root     root           4096 sep 21 06:36 boot
dr-xr-xr-x  13 root     root              0 okt  3 23:23 sys
dr-xr-xr-x 378 root     root              0 okt  3 23:23 proc
drwxr-xr-x  36 root     root            960 okt  4 17:29 run
drwxr-xr-x 143 root     root          12288 okt  4 17:30 etc
drwxr-xr-x   6 root     root           4096 okt  4 17:53 opt
drwxr-xr-x  19 root     root           4800 okt  4 18:49 dev
drwxrwxrwt  35 root     root           4096 okt  4 23:24 tmp

edit:

And you also need to do

sudo chmod 600 /usr/local/nginx/ssl/my-ssl.key

;)

Rinzwind
  • 299,756
  • 1
    How is running anything possible after chmod 600 /? – Oskar Skog Oct 05 '22 at 05:52
  • 1
    But how can he even access /sbin/sudo (or whatever the path is) if he lacks execute rights to /? – Oskar Skog Oct 05 '22 at 07:02
  • I am not going to test it on my machine ;-) so I added a live session option :D – Rinzwind Oct 05 '22 at 07:06
  • 1
    @OskarSkog Nothing on the system is going to work unless running as root (overriding DAC), so you're right that sudo is not the answer (the chown effectively disabled all non-root users). This is where an actual root login would come in handy. Assuming OP can't just ssh in as root, it means rebooting and fixing it from initramfs, or init=/bin/sh, or just launching a shell as root if this is a container. – TooTea Oct 05 '22 at 08:48
  • BTW, as OP didn't use -R, there's no point trying to fix permissions/ownership on mountpoints or essentially anything except for / (as nothing else got touched). The answer could thus be trimmed down considerably. – TooTea Oct 05 '22 at 08:51
  • @TooTea -the contents of the mp- need to be changed. – Rinzwind Oct 05 '22 at 09:22
  • 1
    @Rinzwind Sorry, I don't understand that comment. My point is that OP only ran chmod 0600 /, which changes the permissions on the root directory / itself, not on anything contained in it. Reverting it is thus only about changing the permissions on that one directory. – TooTea Oct 05 '22 at 09:48
  • no it is the contents of that one directory. – Rinzwind Oct 05 '22 at 10:51
  • 1
    @Rinzwind This would be true if he had used sudo chmod 600 /*. Indeed, it is only the one directory entry which represents /. You can try this out in a chroot. – glglgl Oct 05 '22 at 11:05
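
The point made in the comments above (without -R, chmod 600 changes only the mode of the one directory it is given, and losing the search bit there is what blocks path lookups for non-root users), as an added example that is not part of the original thread. It runs on a constructed scratch directory from mktemp instead of the real /; the names mode_of and demo_nonrecursive_chmod are assumptions of this example, as is 755 being the usual mode of / on Ubuntu.

```shell
#!/bin/sh
# Added example: reproduces the effect of the typo on a constructed scratch
# tree created with mktemp. It never touches the real /.

# Print the octal permission bits of a path (GNU stat, as shipped on Ubuntu).
mode_of() { stat -c '%a' "$1"; }

# Build a scratch "root" holding one subdirectory and one file, apply a
# non-recursive chmod 600 to the top directory only, then undo it.
# Prints: <top mode after typo> <traversal result> <child mode> <top mode after fix>
demo_nonrecursive_chmod() {
    top=$(mktemp -d) || return 1
    mkdir "$top/usr" || return 1
    : > "$top/usr/tool" || return 1
    chmod 755 "$top" "$top/usr"
    chmod 644 "$top/usr/tool"

    chmod 600 "$top"    # same mode as the accidental command, no -R

    top_after=$(mode_of "$top")

    # Resolving "$top/usr" needs search (x) permission on "$top".
    # A non-root user is denied here; root passes because it overrides DAC.
    if ls "$top/usr" >/dev/null 2>&1; then
        traversal=allowed
    else
        traversal=denied
    fi

    # The whole repair: one directory, one mode (755 assumed as the usual
    # mode of / on Ubuntu). The owner may chmod a directory it cannot enter.
    chmod 755 "$top"

    # The child was never modified, so it still has its original mode.
    child_after=$(mode_of "$top/usr")
    top_fixed=$(mode_of "$top")

    rm -rf "$top"
    echo "$top_after $traversal $child_after $top_fixed"
}

demo_nonrecursive_chmod
```

Run as a normal user it prints `600 denied 755 755`; run as root the second field is `allowed`, which is why a root shell (live session, initramfs, init=/bin/sh) can still reach chmod when sudo cannot.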