Why can't I modify a file whose group I belong to?
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Why can't I modify a file whose group I belong to?
I have a file with group write status which belongs to group "phped". I expected to be able to delete it with a user that belongs to the same group, but cannot do so. I later tried to edit it using vi, however, similarly was not able to do so.
Please explain what is happening.
Thank you
Code:
[Michael@devserver child_dir]$ pwd
/var/www/main/user_resources/documents/parent_dir/child_dir
[Michael@devserver child_dir]$ ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan 5 07:02 somefile.php
[Michael@devserver child_dir]$ rm somefile.php
rm: remove write-protected regular file `somefile.php'? y
rm: cannot remove `somefile.php': Permission denied
[Michael@devserver child_dir]$ groups Michael
Michael : Michael www phped
[Michael@devserver child_dir]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
[Michael@devserver child_dir]$ cd ..
[Michael@devserver parent_dir]$ ls -l
total 4
drwxrwxr-x. 2 phped phped 4096 Jan 5 08:54 child_dir
[Michael@devserver parent_dir]$
Ah, so it is a selinux thing. Note my original post I showed how selinux is in permissive mode. Wouldn't this allow it to go through?
I tried your code, and no success.
Code:
[Michael@devserver child_dir]$ find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
[sudo] password for Michael:
Michael is not in the sudoers file. This incident will be reported.
[sudo] password for Michael:
[Michael@devserver child_dir]$ su -
Password:
[root@devserver ~]# cd /var/www/main/user_resources/documents/parent_dir/child_dir
[root@devserver child_dir]# find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
setfattr: .: Permission denied
setfattr: ./somefile.php: Permission denied
[root@devserver child_dir]# ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan 5 07:02 somefile.php
[root@devserver child_dir]#
I am not as interested in removing it than I am in understanding what is happening. I looked at files and directories in other areas, and they all have that trailing dot. Meaning they all have selinux ACL?
I just looked at http://wiki.centos.org/HowTos/SELinux, and it appears to confirm that permissive mode should not enforce security policy. Still think it is a selinux issue?
Quote:
Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues
Ah, so it is a selinux thing. Note my original post I showed how selinux is in permissive mode. Wouldn't this allow it to go through?
I tried your code, and no success.
Code:
[Michael@devserver child_dir]$ find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
[sudo] password for Michael:
Michael is not in the sudoers file. This incident will be reported.
[sudo] password for Michael:
[Michael@devserver child_dir]$ su -
Password:
[root@devserver ~]# cd /var/www/main/user_resources/documents/parent_dir/child_dir
[root@devserver child_dir]# find . -print0 |xargs -0 -n 1 sudo setfattr -h -x security.selinux
setfattr: .: Permission denied
setfattr: ./somefile.php: Permission denied
[root@devserver child_dir]# ls -l
total 4
-rwxrwxr-x. 1 phped phped 15 Jan 5 07:02 somefile.php
[root@devserver child_dir]#
I am not as interested in removing it than I am in understanding what is happening. I looked at files and directories in other areas, and they all have that trailing dot. Meaning they all have selinux ACL?
I just looked at http://wiki.centos.org/HowTos/SELinux, and it appears to confirm that permissive mode should not enforce security policy. Still think it is a selinux issue?
Thanks!
Yes the trailing dot means SELINUX based ACL (where a + indcates a standard ACL)
Policy and SELINUX ACLS are different, you can't turn off SELINUX ACLS you can remove them from the permissions bits but their not no blaket remove all function.
What dictro are you running?
Last edited by /dev/random; 01-05-2015 at 11:54 AM.
Reason: // adding a question to my answer
Try this disable SELINUX entirely, now do a reboot and see if the permissions are fixed. (see if you can access your files r/w) if you can just get rid of SELINUX entirely, if you want the added nonsense of 'restorecon and all the other wonderful things SELINUX bringd to the table, I myself am not a fan of SELINUX and have often went with (in my opinion better) PaX/GreSecrity patches and tools.
Yes the trailing dot means SELINUX based ACL (where a + indcates a standard ACL)
Policy and SELINUX ACLS are different, you can't turn off SELINUX ACLS you can remove them from the permissions bits but their not no blaket remove all function.
What dictro are you running?
Then how come I can edit files (on Centos 6.6) without having modified SELinux in any way and under the same circumstances? (group permissions and that dot at the end of the file when I list them with ls -l) Actually, when I write ls -l, ALL files have a dot at the end. What is that supposed to mean? I've never had any problems with permissions.
@NotionCommotion
I am going to ask you a stupid question: you did login in again, right? Whenever you add a user to a group, you need to relogin in order for /etc/group to be reread, otherwise you don't have the respective permissions.
ACLs are not a SELinux thing. They are a property of the filesystem that the kernel supports. And the "." indicates there is no ACL list.
One thing that can prevent your deletion of /var/www/main/user_resources/documents/parent_dir/child_dir is that you need write access to /var/www/main/user_resources/documents.
This is because you are removing a file name from the directory - and that means you must be able to write to it. You might check that the group permissions (as well as group ownership) of the documents directory permit read/write/search (the x on directories).
@NotionCommotion
I am going to ask you a stupid question: you did login in again, right? Whenever you add a user to a group, you need to relogin in order for /etc/group to be reread, otherwise you don't have the respective permissions.
I am going to request that they change the name of this forum from Newbie to Idiot. Thank you, I guess I never realized doing so was required, but I am certain I will never forget.
This is not a selinux issue. Removing a file from a directory requires write permission on the directory itself. The permissions on the actual file to be removed are irrelevant. Conceptually, a directory is just a file that contains a list of other filenames. Adding or removing a file in a directory requires write permission to that list of filenames.
I am going to request that they change the name of this forum from Newbie to Idiot. Thank you, I guess I never realized doing so was required, but I am certain I will never forget.
So was that it?
The reason I gave you that advice was because I myself have made that mistake and I've struggled in vain for a while until I realised that was the problem
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.