78

When I try to run ./script.sh I get Permission denied, but when I run bash script.sh everything is fine.

What did I do wrong?

1
  • Can you edit the question to include the contents of the shebang line and also the output of getfacl script.sh? Commented May 14, 2015 at 12:05

4 Answers

76

Incorrect POSIX permissions

It means you don't have the execute permission bit set for script.sh. When running bash script.sh, you only need read permission for script.sh. See What is the difference between running “bash script.sh” and “./script.sh”? for more info.

You can verify this by running ls -l script.sh.

You may not even need to start a new Bash process. In many cases, you can simply run source script.sh or . script.sh to run the script commands in your current interactive shell. You would probably want to start a new Bash process if the script changes current directory or otherwise modifies the environment of the current process.

Access Control Lists

If the POSIX permission bits are set correctly, the Access Control List (ACL) may have been configured to prevent you or your group from executing the file. E.g. the POSIX permissions would indicate that the test shell script is executable.

$ ls -l t.sh
-rwxrwxrwx+ 1 root root 22 May 14 15:30 t.sh

However, attempting to execute the file results in:

$ ./t.sh
bash: ./t.sh: Permission denied

The getfacl command shows the reason why:

$ getfacl t.sh
# file: t.sh
# owner: root
# group: root
user::rwx
group::r--
group:domain\040users:rw-
mask::rwx
other::rwx

In this case, my primary group is domain users which has had execute permissions revoked by restricting the ACL with sudo setfacl -m 'g:domain\040users:rw-' t.sh. This restriction can be lifted by either of the following commands:

sudo setfacl -m 'g:domain\040users:rwx' t.sh
sudo setfacl -b t.sh

Filesystem mounted with noexec option

Finally, the reason in this specific case for not being able to run the script is that the filesystem the script resides on was mounted with the noexec option. This option overrides POSIX permissions to prevent any file on that filesystem from being executed.

This can be checked by running mount to list all mounted filesystems; the mount options are listed in parentheses in the entry corresponding to the filesystem, e.g.

/dev/sda3 on /tmp type ext3 (rw,noexec)

You can either move the script to another mounted filesystem or remount the filesystem allowing execution:

sudo mount -o remount,exec /dev/sda3 /tmp

Note: I’ve used /tmp as an example here since there are good security reasons for keeping /tmp mounted with the noexec,nodev,nosuid set of options.

1
  • 1
    I would like to add that it's also wise to check if the folder containing the script is "executable" or not (so it has the X flag or not). If it doesn't, then the script will be only executable by root user.
    – Letokteren
    Commented Feb 13, 2019 at 13:37
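Added example, not part of the answer or comment above: a POSIX shell helper that runs the checks described there in order (execute bits, ACL marker, noexec mount, directory search permission). The function names `has_noexec`, `mount_opts_for` and `why_denied`, and the optional second argument naming a mounts file, are this example's own.

```shell
# Added example (not from the answers): function names are this example's own.
# Usage: why_denied ./script.sh

# Succeeds if a comma-separated mount option list contains noexec.
has_noexec() {
    case ",$1," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# Print the options of the mount holding absolute path $1.
# $2: file in /proc/mounts format (default /proc/mounts).
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            # longest mount point wins; on a tie the later entry wins
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# Report each cause found for file $1; returns 0 if none, 1 otherwise.
why_denied() {
    f=$1; rc=0
    [ -e "$f" ] || { echo "no such file: $f"; return 2; }
    dir=$(cd "$(dirname "$f")" && pwd -P) || return 2
    mode=$(ls -ld -- "$f" | awk '{ print $1 }')

    # 1. POSIX bits: is any execute bit set at all?
    case "$mode" in
        ???[!xs]??[!xs]??[!xt]*)
            echo "no execute bit set ($mode): chmod +x, or run via bash"; rc=1 ;;
    esac
    # 2. ACL: ls marks an extended ACL with a trailing "+"
    case "$mode" in
        *+) [ -x "$f" ] || { echo "ACL present ($mode): review getfacl $f"; rc=1; } ;;
    esac
    # 3. a noexec mount overrides the permission bits
    opts=$(mount_opts_for "$dir/$(basename "$f")" "$2") || opts=
    if has_noexec "$opts"; then
        echo "filesystem mounted noexec ($opts)"; rc=1
    fi
    # 4. the containing directory needs search (x) permission
    if [ ! -x "$dir" ]; then
        echo "no search permission on directory $dir"; rc=1
    fi
    return $rc
}
```

/proc/mounts writes a space in a mount point as \040, so a mount point containing spaces is not matched by this simple prefix comparison.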
63

Try chmod +rx script.sh; this will give read and execute permissions to user, group and others.

Then try ./script.sh.

0
2

On my win7 with admin running cmd; I have .sh files associated with cygwin64/bin/bash, but it was blocked by cmd. None of the above suggestions helped (chmod, setfacl, mount).

The solution below worked; it is an admin sledgehammer ACL fixer for whenever folders/files become inaccessible to admin on win7 (which is often):

  Start > run cmd as Admin
  c:\> script.sh
    Access is denied.

  cmd> chmod 0777 script.sh c:\cygwin64\bin\bash.exe
  cmd> script.sh
    Access is denied.

  > assoc .sh
  .sh=bash

  > ftype bash
  bash=C:\cygwin64\bin\bash.exe -- "%1" %*

  > bash
  $ FILE=c:/cygwin64/bin/bash.exe
  $ FILE=${FILE////\\} # s,/,\,g

  # Compare these permissions using accesschk by Mark Russinovich 2015
  $ accesschk.exe -lq  $FILE 
  $ accesschk.exe -lq c:/windows/system32/cmd.exe
  # [large output not shown]

  # === Solution: Change windows acl for bash ===
  $ takeown /F $FILE /A > /dev/null
  $ icacls $FILE /t /q /c /reset
  $ icacls $FILE /t /q /c /grant    :r Everyone:F
  $ icacls $FILE /t /q /c /setowner Administrators  
  # ====

  cmd> script.sh
    OK .. invokes bash
1

If you still get Permission denied errors when you try to run your script in Docker's entrypoint, try not using the shell form of the entrypoint:

Instead of ENTRYPOINT ./bin/watcher, write ENTRYPOINT ["./bin/watcher"]:

https://docs.docker.com/engine/reference/builder/#entrypoint
