Verifying and setting file permissions

Verifying and setting file permissions

Non-root users performing installation and subsequent installation operations (SIOs) on the appserver product can verify whether they have the correct permissions to ensure that the installation operation can be completed successfully, without failure due to file permission errors. In addition to the function which verifies file permissions, we can set the ownership and permissions (with limitations) on all installed files.
SIOs include operations such as feature installations, edition upgrades, maintenance installations (such as fix packs or refresh packs), feature pack installations, and slip installations of custom installation packages (CIPs) created with IBM WebSphere Installation Factory. We can change file ownership and permissions after installation using the chutils command.

(Windows) Restriction: The verify and set permissions features are not currently available on Windows operating systems.

Verifying file permissions

When an appserver installation is initially performed, the resulting installation is owned by a single user and group. Certain SIOs can be performed by another user whether the user is root or non-root.
Use the verify permissions utility to determine whether a subsequent installation operation would fail due to insufficient file permissions. We can run this check as an optional function in the standard application server installer, CIPs, and the Update Installer. If the check fails, the installation operation is prevented until the error has been resolved. The installation operation is prevented in order to avoid corruption of installations caused by an incomplete subsequent installation operation. Without a successful installation permissions check, an unexpected file permission error could occur. This would cause the installation to fail and leave WAS in an indeterminate state.
The verify permissions utility is available in the installation wizard as a check box on the installation summary panel before you begin the actual installation process, or if we are installing silently, then we can run the utility by uncommenting the -OPT checkFilePermissions="true" option in the response file.
During the verify permissions check, the installer does not create or modify any product files. The permissions check only confirms whether the file operations would succeed based on file ownership and permissions. The target location is not modified as a result, and no configuration actions are run.
If the verify permissions check fails, then all file permission problems that occur during the simulation are written to a log in the user's home directory. Entries in the log files will indicate which files are not writable by the current user including file names, file operations, and specific permission issues. We can address file permission errors and rerun the verify permissions utility without exiting the installation wizard. The log file is located in...
<user_home>/waslogs/log.txt

Set file ownership and permissions with the chutils command

Use the chutils command to set the file ownership and permissions for an entire installation to an owner or group that differs from the user that performed the initial installation. The main benefit is the ability to have the initial install performed by one user and then have different users perform supported SIOs. The chutils command is located in the APP_ROOT/instutils directory. The command can be used for the following:

Add or remove the ability of other non-root users to update the installation
Transfer all file ownership of the installation to another user
Reestablish consistent file permissions for the entire installation

The command can edit the following ownership and permissions:

File owner
File group
Owner permissions
We can only change owner permissions to the default values set during installation through the -setmod=reset parameter.
Group permissions
We can elevate group permissions to match the owner permissions using the-setmod=grp2owner parameter.
Others permissions
We can only change others, or "world" permissions to the default values set during installation through the -setmod parameter.

Table 1. chutils command options and descriptions

Option Description
-installlocation=<install_home> Optional. The absolute path to the installation root directory. Defaults to the current install location, or APP_ROOT.
-setowner=<username> Sets the owner for each file and directory.
-setgroup=<groupname> Sets the group for each file and directory.
-setmod=[reset]|[grp2owner] Sets the permissions on the files and directories.

reset - Resets the owner, group and other permissions to the default values.
grp2owner - Sets the group's permission to match the owner's permissions.

-help Display the permission utility's help.
-debug Displays additional runtime information.

Considerations and limitations:

chutils is intended to be run by root.
chutils can be run with multiple options at once.
Cannot modify permissions for parent directories of APP_ROOT. For example, if APP_ROOT is in User A's home directory, and the root user uses chutils to change the ownership of APP_ROOT to User B, then APP_ROOT might still be inaccessible to User B since it is still a subdirectory of User A's home directory.
Cannot modify permissions for owner or world, although group permissions can be elevated to match owner permissions.

Troubleshooting

Directory existence errors If we have not yet created a profile after installing the appserver and you run the chutils command, then we might experience a profile-related directory error like the following:
INFO: (Jul 17, 2008 16:16:35) Initializing permission utility... INFO: (Jul 17, 2008 16:16:35) Executing commands... INFO: (Jul 17, 2008 16:16:47) The directory does not exist: /data/WebSphere/AppServer/instutils/../properties/fsdb INFO: (Jul 17, 2008 16:16:58) The permission utility has completed successfully.
Because the overall process is successful, this message can be safely ignored in this situation.
[AIX] [HP-UX] [Linux] [Solaris]
Menus and shortcuts on distributed operating systems Existing menus and shortcuts are not transferred after appserver-owning users or groups are modified with the chutils command. You must manually recreate the menu items and shortcuts for the new owner of the appserver installation. We might need to recreate the following menu items and shortcuts:

Profiles
Information Center
Migration wizard
Online support
Profile Management tool

Add additional features after using chutils
You cannot install additional features to an appserver using the installation wizard after an administrator modifies the owning user or group of the appserver installation using the chutils command. You must install the new feature or features silently.

Related concepts

Non-root installation

Option	Description
-installlocation=<install_home>	Optional. The absolute path to the installation root directory. Defaults to the current install location, or APP_ROOT.
-setowner=<username>	Sets the owner for each file and directory.
-setgroup=<groupname>	Sets the group for each file and directory.
-setmod=[reset]\|[grp2owner]	Sets the permissions on the files and directories. reset - Resets the owner, group and other permissions to the default values. grp2owner - Sets the group's permission to match the owner's permissions.
-help	Display the permission utility's help.
-debug	Displays additional runtime information.