LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   ssh could not chdir to home directory (http://www.linuxquestions.org/questions/linux-general-1/ssh-could-not-chdir-to-home-directory-649534/)

pccdrussell 06-15-2008 11:48 PM

ssh could not chdir to home directory
 
Hello all, Im seeking a little help on a weird issue. I have a server with about 20 or so users on it. It is SUSE Enterprise Server 10. It's been in production for about 2 years. All of the sudden, one of my users says he is unable to log in. So I checked it out, I logged in as root and tried sshing and su-ing to this user and this is what I get....

Code:

Could not chdir to home directory /home/user1: Permission denied
-bash: /home/user1/.bash_profile: Permission denied

Permissions in/on this users home directory are good "drwx------" and owned by the user. I checked /etc/passwd to make sure nothing got screwy in there... Im not sure what else to look at, and not sure what the heck would have changed. Please let me know if I can provide any more output that would help narrow it down. Any help would greatly be appreciated!
Thanks

paranoidx 06-16-2008 01:14 AM

Quote:

Originally Posted by pccdrussell
one of my users says he is unable to log in.

raises suspicion about the permissions and home of this user. but since the info u provided is rather limited:

can the other 19 users ssh?

does /home/user1 exists? (case sensitive)

check the permission on /home to make sure its owned by root 755

check to make user is not in a block list.
Code:

/etc/ssh/sshd_config
DenyUsers user1@somewhere user1
DenyGroups group1

did u install some new packages for security?

possible quick fix:
make a new user and ssh localhost then thru the wan. if all works simply transfer files over to the new user1 home and chown it.

hope this helps.

CSIG 06-16-2008 01:23 AM

puzzling
 
Just to narrow the possibilities:

Is this problem unique to that single user, or do the others (or at least a few others) also have this problem?

Is it possible to login at the location of the server into the problematic user account?

Is it the same problem for all login alternatives like SSH, FTP, Telnet, etc.?

If permissions are correct, then the application that provides access is accessing that home directory with the wrong account information. A file system check is probably also a good idea.

pccdrussell 06-16-2008 10:04 AM

Hello, yeah, I guess I wasn't specific enough. Yes it is limited to just this one user. Everyone else can log in just fine. Nothing to "my knowledge" has been installed. The problem is for all login methods for this one user, I used ssh to provide me with output. Like I said in my original post, the permissions are fine for /home (everyone else is able to do their work) and this particular users permissions are fine on his particular directory, 0700 and owned by him.

I realize I could just make a new home dir or recreate the user entirely and restore the data to his directory, but I was hoping to try and fix this and figure out why it happens. Thanks for your replies.

paranoidx 08-02-2008 07:30 AM

Quote:

Originally Posted by pccdrussell
It's been in production for about 2 years.

since this is a production box, i would not experiment with it too much but get to quickest solution. you can still keep a copy of the /home/user1 for later experiments.

Code:

Could not chdir to home directory /home/user1: Permission denied
-bash: /home/user1/.bash_profile: Permission denied

obviously points to permission.

Quote:

Originally Posted by pccdrussell
but I was hoping to try and fix this and figure out why it happens

the most immediate test is simply to set 777 to /home/user1 then as root su - user1. if there is still probs, then there is either a block or user1 name/home directory mismatch.

check whether the home directory is correct.
- /etc/passwd
- bashrc and/or any other file your shell sources
strace the ssh

the fact this is an isolated case (according to your info). I would sus whether this user has been tampering with the files provided the user never had this problem before. check the log both user/root during the time before the error occurred from the user1 machine.

hope this helps.

rhaag71 09-28-2008 03:01 AM

Hi all...

I found this post because I had the same issue just now. I have a server here at home, I was setting up samba (on my desktop) to auto mount the shared on the server. Server is centos, btw. Desktop is Ubuntu hardy, not that it matters much. On the server, I have disabled root login too. This is the same or similar weird issue...

The share is not mounting, another story though, so I went to ssh into the centos box (actually clarkconnect, but Ive jacked it around quite a bit), anyhow it gave me the same error/issue, but it gave me a bash prompt I have not seen before. The whole thing looked like this after an 'ssh me@host'...

Code:

[USER]@192.xxx.x.x's password:
Last login: Sun Sep 28 02:26:20 2008 from 192.xxx.x.xxx
Could not chdir to home directory /home/[ME]: Permission denied
-bash: /home/[ME]/.bash_profile: Permission denied
-bash-3.00$

Notice the odd prompt, or at least to me its odd. I actually figured that it was because bash had no profile to go by.

So, I tried a 'su', and it prompted me for the password and let me log in as root, I probably should look a little further in that actually.

Anyhow, It turned out that my permission on my home folder was screwed with. I am quite sure that it was because I used the web admin tool to turn on my /homes in samba. Heres the before and after...

Code:

[root@[MYSERVER] home]# ls -la
total 6
drwxr-xr-x  4 root  root  1024 Sep 25 17:01 .
drwxr-xr-x  22 root  root  1024 Sep 18 21:39 ..
drwx------  5  1000 [ME]    3072 Sep 21 03:59 [ME]
drwxrwxr-x  3 nobody nobody 1024 Sep 27 15:04 shared

call me paranoid, I replace my name with [ME] in case you haven't figured that out :), anyway note the permission on [ME]

next...
Code:

sudo chmod 755 /home/[ME]
then...
Code:

[root@[MYSERVER] home]# ls -la
total 6
drwxr-xr-x  4 root  root  1024 Sep 25 17:01 .
drwxr-xr-x  22 root  root  1024 Sep 18 21:39 ..
drwxr-xr-x  5  1000 [ME]  3072 Sep 21 03:59 [ME]
drwxrwxr-x  3 nobody nobody 1024 Sep 27 15:04 shared

Now everything is back to normal, or at least the way I had it...

Just some info, I look at the .bash_profile and .bashrc right away and nothing was added or taken. I am blaming either samba, or the scripts that was associated with the webmin app. I actually prefer to do this stuff by hand, partly for this reason.

billymayday 09-28-2008 03:08 AM

But /home/[me] should have 700 permissions, and be owned by either [me]:[me] or [me]:[users] in CentOS.

rhaag71 09-28-2008 03:10 AM

was repeat post probably something I did...

rhaag71 09-28-2008 03:30 AM

Dang it...thats one reason I posted this morning. I will change my permissions....hold please...

Well, when I change my home dir to 700, I get the origianl issue. When I chmod it to 755, it acts fine. Now I need to figure this one out...

But wait a minute, what I keep finding on the net is that default home permissions for CentOS is 755, If I don't figure this out soon, I will bring it up at the next LUG, one of the CentOS team leaders is a member here. Even still, I want to know more...:)

billymayday 09-28-2008 03:34 AM

Mine are all 700, and frankly, why would you want other users being able to read your home dir?

Your issue is ownership though, as I posted above.

Edit. I just added a new user under CentOS, and permissions are 700, ownership username:username

rhaag71 09-28-2008 03:48 AM

I agree, and I found more info where CentOS's default home directory permissions are in fact 700. And your right, I don't want others reading my directory either...And, And, I agree also (with you) it is an ownership issue. Somehow it set my ownership to my GID I think... lets fix it and see... (the 1000 did look a little out of place when I was posting earlier)

Ok...and Thank you...

I did a chmod 700 to my home and then a chown [ME] [ME] and all is well.

Keen eye billymayday, and thanks. This is one reason I love LQ, so I can learn.

rhaag71 09-28-2008 03:50 AM

oh yeah, so this means that one of my actions, messing with samba, had changed my ownership though...and I wonder if this was way off from the origianl poster then.

billymayday 09-28-2008 03:51 AM

Glad to help

livewire98801 09-30-2008 02:37 PM

So there is a reference here, I ran into the same problem with a different solution.

I'm running Fedora 9 x86_64, and had the same issue. All of my file permisssions are good though. I disabled SELinux with sudo setenforce 0 and was able to log in. (this was messing with my ability to FTP, was otherwise just annoying)

Other people may want to elaborate on a fix, I'm just going to disable SELinux, since this is a personal machine. . .

Just my $0.02

billymayday 09-30-2008 04:43 PM

If this had been an SELinux issue, it would simply have meant that the contexts for the home directory had gotten messed up, and a simple restorecon would have fixed things up (or at least should).

For your ftp issue, I'll make two points.

The first is that setenforce is not persistent, so at very least you will either need to disable it permanently or re-enter seenforce 0 each time you boot. If you run gnome, there is a security setting program, otherwise the seting will be in /etc/selinux somewhere.

A better solution (if you like screwdriver solutions over sledgehammers) is to either set your own policies (you need to be reasonably keen here), or you can disable SELinux for sertain actions. Not sure of your directory structure, but here's what I have that looks relevant in /selinux/booleans:
Code:

allow_ftpd_anon_write  allow_ftpd_use_cifs  allow_tftp_anon_write  ftpd_is_daemon  httpd_enable_ftp_server
allow_ftpd_full_access  allow_ftpd_use_nfs  ftpd_disable_trans    ftp_home_dir    tftpd_disable_trans

The relative sledgehammer here is to "setsebool -P ftpd_disable_trans 1", but if your issue is just with working with home directories, setting ftp_home_dir may do it for you.

Not sure which ftp daemon you use or if will necessarily work for your situation. I use vsftpd, and here is what's set for me:
Code:

# for i in $(ls /selinux/booleans/*ftp*); do getsebool $i; done
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
ftp_home_dir --> on
httpd_enable_ftp_server --> on
tftpd_disable_trans --> off



All times are GMT -5. The time now is 11:21 AM.