LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-05-2015, 12:03 PM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Rep: Reputation: Disabled
Why can't I modify a file whose group I belong to?


I have a file with group write status which belongs to group "phped". I expected to be able to delete it with a user that belongs to the same group, but cannot do so. I later tried to edit it using vi, however, similarly was not able to do so.

Please explain what is happening.

Thank you

Code:
[Michael@devserver child_dir]$ pwd
/var/www/main/user_resources/documents/parent_dir/child_dir
[Michael@devserver child_dir]$ ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan  5 07:02 somefile.php
[Michael@devserver child_dir]$ rm somefile.php
rm: remove write-protected regular file `somefile.php'? y
rm: cannot remove `somefile.php': Permission denied
[Michael@devserver child_dir]$ groups Michael
Michael : Michael www phped
[Michael@devserver child_dir]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
[Michael@devserver child_dir]$ cd ..
[Michael@devserver parent_dir]$ ls -l
total 4
drwxrwxr-x. 2 phped phped 4096 Jan  5 08:54 child_dir
[Michael@devserver parent_dir]$
 
Old 01-05-2015, 12:24 PM   #2
/dev/random
Member
 
Registered: Aug 2012
Location: Ontario, Canada
Distribution: Slackware 14.1, LFS-current, NetBSD 6.1.3
Posts: 261

Rep: Reputation: 101Reputation: 101
-rwxrwxr-x. the "." should be a good indaction... Its a SELinux ACL

To remove it run the following in the directory
Code:
find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux

Last edited by /dev/random; 01-05-2015 at 12:46 PM. Reason: spelling
 
Old 01-05-2015, 12:45 PM   #3
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by /dev/random View Post
-rwxrwxr-x. the "." should be a good indaction... Its a SELinux ACL

To remove it run the following is the directory
Code:
find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
Ah, so it is a selinux thing. Note my original post I showed how selinux is in permissive mode. Wouldn't this allow it to go through?

I tried your code, and no success.
Code:
[Michael@devserver child_dir]$ find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
[sudo] password for Michael:
Michael is not in the sudoers file.  This incident will be reported.
[sudo] password for Michael:

[Michael@devserver child_dir]$ su -
Password:
[root@devserver ~]# cd /var/www/main/user_resources/documents/parent_dir/child_dir
[root@devserver child_dir]# find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
setfattr: .: Permission denied
setfattr: ./somefile.php: Permission denied
[root@devserver child_dir]# ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan  5 07:02 somefile.php
[root@devserver child_dir]#
I am not as interested in removing it than I am in understanding what is happening. I looked at files and directories in other areas, and they all have that trailing dot. Meaning they all have selinux ACL?

I just looked at http://wiki.centos.org/HowTos/SELinux, and it appears to confirm that permissive mode should not enforce security policy. Still think it is a selinux issue?

Quote:
Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues
Thanks!
 
Old 01-05-2015, 12:52 PM   #4
/dev/random
Member
 
Registered: Aug 2012
Location: Ontario, Canada
Distribution: Slackware 14.1, LFS-current, NetBSD 6.1.3
Posts: 261

Rep: Reputation: 101Reputation: 101
Quote:
Originally Posted by NotionCommotion View Post
Ah, so it is a selinux thing. Note my original post I showed how selinux is in permissive mode. Wouldn't this allow it to go through?

I tried your code, and no success.
Code:
[Michael@devserver child_dir]$ find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
[sudo] password for Michael:
Michael is not in the sudoers file.  This incident will be reported.
[sudo] password for Michael:

[Michael@devserver child_dir]$ su -
Password:
[root@devserver ~]# cd /var/www/main/user_resources/documents/parent_dir/child_dir
[root@devserver child_dir]# find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
setfattr: .: Permission denied
setfattr: ./somefile.php: Permission denied
[root@devserver child_dir]# ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan  5 07:02 somefile.php
[root@devserver child_dir]#
I am not as interested in removing it than I am in understanding what is happening. I looked at files and directories in other areas, and they all have that trailing dot. Meaning they all have selinux ACL?

I just looked at http://wiki.centos.org/HowTos/SELinux, and it appears to confirm that permissive mode should not enforce security policy. Still think it is a selinux issue?



Thanks!
Yes the trailing dot means SELINUX based ACL (where a + indcates a standard ACL)
Policy and SELINUX ACLS are different, you can't turn off SELINUX ACLS you can remove them from the permissions bits but their not no blaket remove all function.

What dictro are you running?

Last edited by /dev/random; 01-05-2015 at 12:54 PM. Reason: // adding a question to my answer
 
Old 01-05-2015, 01:00 PM   #5
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by /dev/random View Post
What dictro are you running?
Centos 6. I still don't understand why selinux would be enforcing if in permissive mode.
Code:
[root@devserver /]# cat /proc/version
Linux version 2.6.32-504.1.3.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Tue Nov 11 17:57:25 UTC 2014
[root@devserver /]# cat /etc/centos-release
CentOS release 6.6 (Final)
[root@devserver /]#
 
Old 01-05-2015, 02:02 PM   #6
/dev/random
Member
 
Registered: Aug 2012
Location: Ontario, Canada
Distribution: Slackware 14.1, LFS-current, NetBSD 6.1.3
Posts: 261

Rep: Reputation: 101Reputation: 101
Try this disable SELINUX entirely, now do a reboot and see if the permissions are fixed. (see if you can access your files r/w) if you can just get rid of SELINUX entirely, if you want the added nonsense of 'restorecon and all the other wonderful things SELINUX bringd to the table, I myself am not a fan of SELINUX and have often went with (in my opinion better) PaX/GreSecrity patches and tools.
 
Old 01-05-2015, 06:24 PM   #7
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Rep: Reputation: 48
Quote:
Originally Posted by /dev/random View Post
Yes the trailing dot means SELINUX based ACL (where a + indcates a standard ACL)
Policy and SELINUX ACLS are different, you can't turn off SELINUX ACLS you can remove them from the permissions bits but their not no blaket remove all function.

What dictro are you running?
Then how come I can edit files (on Centos 6.6) without having modified SELinux in any way and under the same circumstances? (group permissions and that dot at the end of the file when I list them with ls -l) Actually, when I write ls -l, ALL files have a dot at the end. What is that supposed to mean? I've never had any problems with permissions.

@NotionCommotion
I am going to ask you a stupid question: you did login in again, right? Whenever you add a user to a group, you need to relogin in order for /etc/group to be reread, otherwise you don't have the respective permissions.

P.S. My current SELinux mode is 'enforcing'

Last edited by vincix; 01-05-2015 at 06:25 PM.
 
1 members found this post helpful.
Old 01-05-2015, 06:57 PM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,602

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
ACLs are not a SELinux thing. They are a property of the filesystem that the kernel supports. And the "." indicates there is no ACL list.

One thing that can prevent your deletion of /var/www/main/user_resources/documents/parent_dir/child_dir is that you need write access to /var/www/main/user_resources/documents.

This is because you are removing a file name from the directory - and that means you must be able to write to it. You might check that the group permissions (as well as group ownership) of the documents directory permit read/write/search (the x on directories).
 
Old 01-05-2015, 10:54 PM   #9
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by vincix View Post
@NotionCommotion
I am going to ask you a stupid question: you did login in again, right? Whenever you add a user to a group, you need to relogin in order for /etc/group to be reread, otherwise you don't have the respective permissions.
I am going to request that they change the name of this forum from Newbie to Idiot. Thank you, I guess I never realized doing so was required, but I am certain I will never forget.
 
Old 01-05-2015, 11:10 PM   #10
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 9,246

Rep: Reputation: 2684Reputation: 2684Reputation: 2684Reputation: 2684Reputation: 2684Reputation: 2684Reputation: 2684Reputation: 2684Reputation: 2684Reputation: 2684Reputation: 2684
Don't beat yourself up to badly ... I doubt there is anyone on this forum who has not made a similar oversight in the last couple of months

You are correct though ... you only have to make certain errors once and you have learnt them for a life time
 
Old 01-06-2015, 03:50 AM   #11
tomiii
LQ Newbie
 
Registered: Jan 2012
Location: Sunnyvale, CA
Posts: 2

Rep: Reputation: Disabled
This is not a selinux issue. Removing a file from a directory requires write permission on the directory itself. The permissions on the actual file to be removed are irrelevant. Conceptually, a directory is just a file that contains a list of other filenames. Adding or removing a file in a directory requires write permission to that list of filenames.
 
Old 01-06-2015, 05:18 AM   #12
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Rep: Reputation: 48
Quote:
Originally Posted by NotionCommotion View Post
I am going to request that they change the name of this forum from Newbie to Idiot. Thank you, I guess I never realized doing so was required, but I am certain I will never forget.
So was that it?

The reason I gave you that advice was because I myself have made that mistake and I've struggled in vain for a while until I realised that was the problem
 
Old 01-06-2015, 11:18 AM   #13
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by vincix View Post
So was that it?
Yup. I appreciate the help.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Modify group(%admin) with username in sudoers file smilemukul Linux - Newbie 5 06-08-2012 03:39 AM
how to change files group but only if they belong to specified group ? froff Linux - General 5 12-17-2011 02:51 PM
Setting a group to which all user should belong to. krzysiek Linux - Newbie 2 07-29-2008 06:32 AM
see which partitions belong to which volume group kpachopoulos Linux - General 1 03-10-2007 06:52 AM
Can a file belong to more than one group? lostboy Linux - General 2 11-08-2003 12:14 PM


All times are GMT -5. The time now is 06:33 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration