Help - Accidentally changed the permission on etc folder

Hi, I was copying some files to and from my pi (openhabian) and used chmod 777 to grant permissions. When finished I used chmod 700 to deny permissions, but without thinking I denied permission to the etc folder. I was accessing the pi using an SSH connection through my laptop. I assumed the permission only prevented access to that folder like that. I tried to connect directly to a screen and hold shift to enter recovery, but no luck. I am unable to use sudo, and get permission denied on most everything.

I have no name!@openhabian:~ $

So presumably it can’t access the profile data in /etc. Is there an easy way to enable access permissions again to this folder? If I type anything at the command line as it is it just says permission denied.

Many thanks in advance

That’s an ‘interesting’ problem. I would try creating a bootable USB stick and boot from that, then mount the regular drive and change the permissions back from there.

Thanks, will try that now.

–that worked, thanks

Just so future readers understand what happened because it’s an interesting behavior in Linux/Unix type systems and stems from the fact that everything is a file.

When you look at the permissions for a directory you will see that they have execute permissions.

rich@muninn:~ 🦅  ls -l
total 56
drwxr-xr-x 2 rich rich   4096 May  7 10:07 Bookshelf/
drwxrwsrwx 3 rich users  4096 Aug 10 13:31 data/
drwxr-xr-x 2 rich rich   4096 Aug 10 11:40 Desktop/
drwxr-xr-x 2 rich rich   4096 Aug 10 11:40 Documents/
drwxr-xr-x 2 rich rich   4096 Aug 25 11:27 Downloads/
-rw-r--r-- 1 rich rich  10111 Aug 12 11:34 haproxy.cfg
drwxr-xr-x 2 rich rich   4096 Aug 10 11:40 Music/
drwxr-xr-x 2 rich rich   4096 Aug 10 11:40 Pictures/
drwxr-xr-x 2 rich rich   4096 Aug 10 11:40 Public/
drwxr-xr-x 2 rich rich   4096 Aug 10 11:40 Templates/
drwxr-xr-x 2 rich rich   4096 Aug 10 11:40 Videos/

The d indicates that it is a directory. (The s is another interesting thing but we’ll ignore that here.) So why does a directory have execute permissions? That’s what lets you change directories to it. cd Documents is actually executing the Documents folder.

When you change the permissions on everything under /etc to 0700, you removed those execute permissions, which means nothing can change to those folders any more, meaning nothing can read from those folders any more except root. And since you can’t log in to root and sudo needs to read from those folders as your current user, you’ve pretty much eliminated your ability to do much of anything on that machine.

Anders has the only real solution to get you back up and running short of rebuilding from scratch.


Thank you Rich for the clear explanation. Just curious, what permission string would you use to get it back to default? Right now I went back to chmod 777, which opens it all up.

Look at the permissions on the /etc folder on the machine you use to recover the permissions. There isn’t a blanket set of permissions that is appropriate for all files and folders in the /etc folder. Each piece of software that keeps files there may have its own requirements. As you’ve found out the hard way, blindly mucking with a system folder without care can cause a lot of damage to a system.

But in general most of your folders should have read and execute, though not necessarily all of them. In general, unless you mess with things yourself, the permissions on the files in /etc are configured with proper access controls by default. There’s no need to change them.
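
An added example, not part of the thread: one way to act on the advice above about looking at a healthy machine's /etc, written as a shell function that lists (and optionally applies) the mode differences between a reference tree and the damaged one. The function name `sync_modes` and the mount point `/mnt/sdcard` are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Copies permission bits (not ownership or contents) from a
# known-good reference tree onto a damaged tree of the same layout.
# Usage: sync_modes REF_DIR TARGET_DIR [apply]   (default is a dry run)
# Assumes GNU stat and file names without newlines.
sync_modes() {
    ref=$1 target=$2 action=${3:-dry-run}
    [ -d "$ref" ] && [ -d "$target" ] || { echo "need two directories" >&2; return 2; }
    # Walk the reference tree. Symlinks are skipped on both sides because
    # chmod follows them and would change a file outside the tree.
    ( cd "$ref" && find . ! -type l ) | while IFS= read -r rel; do
        t="$target/$rel"
        [ -e "$t" ] && [ ! -L "$t" ] || continue      # only paths in both trees
        # Never give a directory a file's mode or the other way round.
        if [ -d "$ref/$rel" ]; then
            [ -d "$t" ] || continue
        elif [ -d "$t" ]; then
            continue
        fi
        want=$(stat -c '%a' "$ref/$rel")
        have=$(stat -c '%a' "$t")
        if [ "$want" != "$have" ]; then
            echo "$rel: $have -> $want"
            if [ "$action" = apply ]; then chmod "$want" "$t"; fi
        fi
    done
}

# Constructed usage: reference /etc from the rescue system, damaged card
# mounted at the hypothetical path /mnt/sdcard:
#   sync_modes /etc /mnt/sdcard/etc          # review the list first
#   sync_modes /etc /mnt/sdcard/etc apply
if [ "$#" -ge 2 ]; then sync_modes "$@"; fi
```

The reference tree should come from the same distribution and release as the damaged system, since modes differ between them. Paths that exist only on the damaged side are left untouched and still need a manual check.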

That adds read and write access for the world to /etc/passwd and /etc/shadow, too, which invites everyone who has access to the system to create their own root account with full control over the system.
Assuming a user gets access to the system, he would be able to get the system under full control.

I would go for 755, which removes write permissions for others than the owner (root in case of the etc directory). If you changed permissions recursively through the whole directory tree you’re in a bit bigger trouble since some directories should have even more limited permissions, but 755 should still offer reasonable protection.

Edit: for most regular files you should go with 644, removing execute permissions for all users.

thank you Anders