LinuxQuestions.org

jm34003 05-16-2012 10:54 AM

Group permissions: user can't access 770 directory even though a member of group
 
I have 3 users that belong to 3 corresponding groups:

user-russia belongs to group-russia
user-belarus belongs to group-belarus
user-ukraine belongs to group-ukraine.

I also have 3 directories: russia (belongs to “user-russia”), belarus (belongs to “user-belarus”), ukraine (belongs to “user-ukraine”). Each of these directories has permissions rwxrwx--- (full permissions to members of group).

So if I login as user-russia, I can access directory “russia”, but cannot access the other two, and so on.

THE PROBLEM:

I also created “user-all”, and made it a member of groups group-russia, group-belarus and group-ukraine. I expected this user to have access to all 3 directories, since it belongs to all these groups, and each directory has full permissions for members of user group. Meanwhile, whenever I try to access ANY of these directories as “user-all”, I get “Permission denied”.

Ideas?

pingu 05-16-2012 11:04 AM

That should work.
Did you log in as user-all before you added that user to the 3 groups?
That would explain it - group membership is read at login.
If so, log out & log in again.
If not, or if that doesn't help, return with info about distro, desktop manager, pam, SE-Linux...

pan64 05-16-2012 11:24 AM

A user may belong to several groups, but actually it is only a member of a given one and he can change this group (from the list).
So there is an actual group selected from the list, by default it is the primary group. If you want to change it you need to use the command newgrp <another group>.
You can check the actual settings by the command id, or by creating a file.

jm34003 05-16-2012 11:40 AM

pingu,
No, I made that user a member of groups at the time of creation:

Code:

useradd -u 1100 -g group-russia -G group-belarus,group-ukraine -d /var/countries/ -s /bin/sh -m user-all
passwd user-all

Tried logging in and out, but no luck.

System info:

I am running CentOS release 5.8. It is actually a remote VPS and I only have console access.

jm34003 05-16-2012 12:19 PM

pan64,
When I run id as user-all, I get the following:

Code:

uid=1100(user-all) gid=500(group-russia) groups=500(group-russia),501(group-belarus),502(group-ukraine)

So, when I do "newgrp group-belarus", and then id again:

Code:

uid=1100(user-all) gid=501(group-belarus) groups=500(group-russia),501(group-belarus),502(group-ukraine)

The primary group did change, but no effect on permissions. Still get "Permission denied" when cd to any of these directories.

pan64 05-16-2012 12:32 PM

Is it possible the homes are mounted?

jm34003 05-16-2012 12:44 PM

pan64, no.
I tried creating another directory, which is not home to any user, gave membership to "user-russia" and set permissions to 770. But I still can't access it with user-all.

pan64 05-16-2012 01:01 PM

That sounds strange.
So please write all the commands you executed one by one, and also post the results,
including id <username>, pwd and ls -la.

pingu 05-16-2012 01:12 PM

Try disabling SE-Linux, it might very well be the cause.
Never used it myself but here's a link that seems helpful: http://www.crypt.gen.nz/selinux/disable_selinux.html

jm34003 05-16-2012 01:35 PM

pingu, I tried doing what you advised, but it doesn't help.

Code:

[root@server selinux]# echo 0 >/selinux/enforce
[root@server selinux]# cat /selinux/enforce
0
[root@server selinux]# su - user-all
-sh-3.2$ cd /var/countries
-sh-3.2$ ls -la
total 20
drwxr-xr-x  5 root          root 4096 May 16 14:19 .
drwxr-xr-x 20 root          root 4096 May 16 10:03 ..
drwxrwx---  2 user-belarus  root 4096 May 16 12:44 belarus
drwxrwx---  2 user-russia  root 4096 May 16 12:44 russia
drwxrwx---  2 user-ukraine  root 4096 May 16 12:44 ukraine
-sh-3.2$ cd ukraine
-sh: cd: ukraine: Permission denied
-sh-3.2$ groups
group-russia group-belarus group-ukraine
-sh-3.2$


pan64 05-16-2012 01:47 PM

How is this /var/countries mounted?

pingu 05-16-2012 01:52 PM

Quote:

Originally Posted by jm34003 (Post 4680173)
Code:

-sh-3.2$ ls -la
total 20
drwxr-xr-x  5 root          root 4096 May 16 14:19 .
drwxr-xr-x 20 root          root 4096 May 16 10:03 ..
drwxrwx---  2 user-belarus  root 4096 May 16 12:44 belarus
drwxrwx---  2 user-russia  root 4096 May 16 12:44 russia
drwxrwx---  2 user-ukraine  root 4096 May 16 12:44 ukraine


Ha, look at that again: the 3 directories are group root!
They are owned by their respective user (user-belarus, user-russia & user-ukraine) but group is root!
So, "chgrp group-russia russia" etc and you're done!
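
Added example, not part of the original thread: a shell sketch of the owner/group/other class selection that explains the denial, run on the thread's numbers. The function names are hypothetical; uid 1100 and gids 500, 501 and 502 come from the `id` output above, while the owner uid 1003 is constructed.

```sh
#!/bin/sh
# Added example: the owner -> group -> other class selection of the classic
# Unix permission check. Not modelled: root's override, ACLs, SELinux.

# dac_class FILE_UID FILE_GID USER_UID "USER_GIDS" -> owner | group | other
# Only the first matching class is consulted; there is no fall-through.
dac_class() {
    if [ "$3" -eq "$1" ]; then echo owner; return 0; fi
    for g in $4; do
        if [ "$g" -eq "$2" ]; then echo group; return 0; fi
    done
    echo other
}

# can_enter MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# MODE is octal, e.g. 770. Returns 0 when the selected class has the x bit,
# which is what cd into a directory requires.
can_enter() {
    case $(dac_class "$2" "$3" "$4" "$5") in
        owner) shift_by=6 ;;
        group) shift_by=3 ;;
        *)     shift_by=0 ;;
    esac
    [ $(( (0$1 >> $shift_by) & 1 )) -eq 1 ]
}

# check_dir DIR: same logic for a real directory and the calling process.
# Assumes GNU stat (-c), as shipped on the CentOS system in the thread.
check_dir() {
    st=$(stat -c '%a %u %g' -- "$1") || return 2
    set -- $st
    echo "class: $(dac_class "$2" "$3" "$(id -u)" "$(id -G)")"
    can_enter "$1" "$2" "$3" "$(id -u)" "$(id -G)"
}

# From the thread: user-all is uid 1100 with gids 500 501 502, group-ukraine
# is gid 502, root is gid 0. The owner uid 1003 is a constructed value.
for dir_gid in 0 502; do
    if can_enter 770 1003 "$dir_gid" 1100 "500 501 502"; then
        verdict=allowed
    else
        verdict=denied
    fi
    echo "gid=$dir_gid: $(dac_class 1003 "$dir_gid" 1100 "500 501 502"), $verdict"
done
```

Running `check_dir /var/countries/ukraine` as the affected user shows which class applies to the live directory, using the groups the current process actually holds.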

jm34003 05-16-2012 02:00 PM

pingu, THANK YOU!!!
And that was so obvious, I need to get some sleep finally :-)

pingu 05-16-2012 02:03 PM

Glad to help!
Off to your beauty-sleep now, you deserve it! :-)


All times are GMT -5.