LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-31-2012, 07:09 AM   #1
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Rep: Reputation: Disabled
mkdir throws Permission Denied error in a directory even with root ownership and 777 permission


I get permission denied error when I try to create a directory. Basically unable to write in a directory.

Though the directory permissions are 777 and root:root.
I am logged as root user.

Background is that this directory (where I am facing the problem), with 777 and root ownership, was created on a different Linux machine, RHEL 6.1 Tikanga, and I have copied this directory to RHEL 5.5 and 5.7.


Error got:
[root@<hostname>]# mkdir abc
mkdir: cannot create directory `abc': Permission denied

Any help is much appreciated.

Last edited by surajchalukya; 08-31-2012 at 07:11 AM.
 
Old 08-31-2012, 07:10 AM   #2
pan64
Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 5,035

is this a mounted dir or local?
 
Old 08-31-2012, 07:14 AM   #3
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
is this a mounted dir or local?
This directory is present on a mounted storage but it is local to that machine. I can write on other parts of the storage but not this directory

Last edited by surajchalukya; 08-31-2012 at 07:18 AM.
 
Old 08-31-2012, 07:15 AM   #4
pan64
Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 5,035

so probably you have mounted that dir readonly
can you check it?
 
Old 08-31-2012, 07:18 AM   #5
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
so probably you have mounted that dir readonly
can you check it?
This directory is present on a mounted storage but it is local to that machine. I can write on other parts of the storage but not this directory
 
Old 08-31-2012, 07:23 AM   #6
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by surajchalukya View Post
This directory is present on a mounted storage but it is local to that machine. I can write on other parts of the storage but not this directory
The problematic directory is not mounted. It is an independent directory just present on a storage.
 
Old 08-31-2012, 07:25 AM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

What is the filesystem for the partition that contains the directory?
Double check the permissions of the directory, or whether it's a symbolic link to another directory.
If the directory is an NFS mount, root_squash can prevent writing by root.

Check for attributes (lsattr). Check for ACLs (getfacl). Check for selinux restrictions. (ls -Z)

If the filesystem is corrupt, it might be initially mounted RW but when you try to write to a bad area, change to RO.

Last edited by jschiwal; 08-31-2012 at 07:28 AM.
 
Old 08-31-2012, 08:23 AM   #8
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jschiwal View Post
What is the filesystem for the partition that contains the directory?
Double check the permissions of the directory, or whether it's a symbolic link to another directory.
If the directory is an NFS mount, root_squash can prevent writing by root.

Check for attributes (lsattr). Check for ACLs (getfacl). Check for selinux restrictions. (ls -Z)

If the filesystem is corrupt, it might be initially mounted RW but when you try to write to a bad area, change to RO.
could not find any sym-links to my directory

output of ls -ltrh
drwxrwxrwx 2 root root 4.0K Aug 31 10:14 <dir-name>

output of df -h
Filesystem Size Used Avail Use% Mounted on
/dev/vdd1 504G 5.8G 473G 2% /mnt/storage

output of fdisk -l
Device Boot Start End Blocks Id System
/dev/vdd1 1 66837 536868171 83 Linux

lsattr <dir-name>
------------- <dir-name>/aaa
------------- <dir-name>/bbb
------------- <dir-name>/cccc
------------- <dir-name>/abxxx
------------- <dir-name>/xyz

Note that aaa, bbb, cccc, abxxx, xyz are the files that were already present in my directory from where I copied.

Now I can't further create files or directories

getfacl <dir-name>
# file: <dir-name>
# owner: root
# group: root
user::rwx
group::rwx
other::rwx

ls -Z <dir-name>
-rwxr-xr-x root root system_u:object_r:unlabeled_t aaa
-rwxr-xr-x root root system_u:object_r:unlabeled_t bbb
-rwxr-xr-x root root system_u:object_r:unlabeled_t cccc
-rwxr-xr-x root root system_u:object_r:unlabeled_t abxxx
-rwxr-xr-x root root system_u:object_r:unlabeled_t xyz
 
Old 08-31-2012, 08:31 AM   #9
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by surajchalukya View Post
could not find any sym-links to my directory

output of ls -ltrh
drwxrwxrwx 2 root root 4.0K Aug 31 10:14 <dir-name>

output of df -h
Filesystem Size Used Avail Use% Mounted on
/dev/vdd1 504G 5.8G 473G 2% /mnt/storage

output of fdisk -l
Device Boot Start End Blocks Id System
/dev/vdd1 1 66837 536868171 83 Linux

lsattr <dir-name>
------------- <dir-name>/aaa
------------- <dir-name>/bbb
------------- <dir-name>/cccc
------------- <dir-name>/abxxx
------------- <dir-name>/xyz

Note that aaa, bbb, cccc, abxxx, xyz are the files that were already present in my directory from where I copied.

Now I can't further create files or directories

getfacl <dir-name>
# file: <dir-name>
# owner: root
# group: root
user::rwx
group::rwx
other::rwx

ls -Z <dir-name>
-rwxr-xr-x root root system_u:object_r:unlabeled_t aaa
-rwxr-xr-x root root system_u:object_r:unlabeled_t bbb
-rwxr-xr-x root root system_u:object_r:unlabeled_t cccc
-rwxr-xr-x root root system_u:object_r:unlabeled_t abxxx
-rwxr-xr-x root root system_u:object_r:unlabeled_t xyz
ls -Z
drwxrwxrwx root root system_u:object_r:unlabeled_t <dir-name>
 
Old 08-31-2012, 08:31 AM   #10
pan64
Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 5,035

what is the output of mount ?
 
Old 08-31-2012, 08:33 AM   #11
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
what is the output of mount ?
/dev/vdd1 on /mnt/storage type ext3 (rw)
 
Old 08-31-2012, 08:44 AM   #12
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by surajchalukya View Post
/dev/vdd1 on /mnt/storage type ext3 (rw)
disabling SELINUX solves the problem.
echo 0 >/selinux/enforce

But this is not advisable as it is a security threat.
I want to know the root cause and solution other than disabling SELINUX
 
Old 09-01-2012, 01:15 AM   #13
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

What kind of device is /dev/vdd?

Part of the problem may be that you are working as root? A regular user may not be restricted by selinux.
Alternately, label the files and directories, but not running as root is recommended anyway. Especially for external storage with global access. An suid file could spell trouble. Consider using nosuid and noexec mount options.

Check your logs on why selinux prevents root from creating a file there. I think it has to do with restrictions on root processes rather than file system permissions. It's been a while since I tried Fedora. Part of the log entry was needed to add a rule allowing a restricted action. Also check for booleans (getsebool -a). Look in /etc/selinux/ for a config listing directories. The installation program uses it to generate policies. Is /mnt/ mentioned?
 
Old 09-03-2012, 08:33 AM   #14
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jschiwal View Post
What kind of device is /dev/vdd?

Part of the problem may be that you are working as root? A regular user may not be restricted by selinux.
Alternately, label the files and directories, but not running as root is recommended anyway. Especially for external storage with global access. An suid file could spell trouble. Consider using nosuid and noexec mount options.

Check your logs on why selinux prevents root from creating a file there. I think it has to do with restrictions on root processes rather than file system permissions. It's been a while since I tried Fedora. Part of the log entry was needed to add a rule allowing a restricted action. Also check for booleans (getsebool -a). Look in /etc/selinux/ for a config listing directories. The installation program uses it to generate policies. Is /mnt/ mentioned?
One update is that the directory for which I am facing the problem was created on a RHEL 6.1 machine and has been moved to a RHEL 5.7 machine. Is there a compatibility issue with this? I am facing the problem when I move that directory to 5.5 or 5.7 machines, and no problems on 6.1 machines.

---------- Post added 09-03-12 at 07:34 AM ----------

Quote:
Originally Posted by surajchalukya View Post
One update is that the directory for which I am facing the problem was created on a RHEL 6.1 machine and has been moved to a RHEL 5.7 machine. Is there a compatibility issue with this? I am facing the problem when I move that directory to 5.5 or 5.7 machines, and no problems on 6.1 machines.
No problem when I move it to another machine of 6.1
 
Old 09-03-2012, 09:34 AM   #15
surajchalukya
LQ Newbie
 
Registered: Jul 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by surajchalukya View Post
One update is that the directory for which I am facing the problem was created on a RHEL 6.1 machine and has been moved to a RHEL 5.7 machine. Is there a compatibility issue with this? I am facing the problem when I move that directory to 5.5 or 5.7 machines, and no problems on 6.1 machines.

---------- Post added 09-03-12 at 07:34 AM ----------



No problem when I move it to another machine of 6.1
Changing the file type from unlabeled_t to file_t using the command "chcon -t file_t <directory-name>" solves the problem.
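
Added example, not part of the thread or any poster's code: a shell triage for the case discussed above, reading `ls -Z` output for unlabeled_t entries, summarising AVC denials from the audit log (the log check suggested in post #13), and printing as a dry run the chcon command from post #15. The function names are hypothetical, and the sample `ls -Z` lines and audit records are constructed for illustration, with the scontext value an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data is constructed.

# Constructed `ls -Z` lines in the RHEL 5 column layout shown in the thread:
# mode user group context name
SAMPLE_LS='drwxrwxrwx  root root system_u:object_r:unlabeled_t shared
drwxr-xr-x  root root system_u:object_r:file_t      scratch'

# Constructed audit records; the scontext value is an assumption.
SAMPLE_AUDIT='type=AVC msg=audit(1346415240.101:812): avc:  denied  { write } for  pid=4312 comm="mkdir" name="shared" dev=vdd1 ino=131073 scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1346415240.101:812): arch=c000003e syscall=83 success=no exit=-13 comm="mkdir"'

# Names from `ls -Z` output on stdin whose SELinux type is unlabeled_t.
# Assumes names without whitespace (hypothetical helper).
list_unlabeled() {
    awk '{ split($4, c, ":"); if (c[3] == "unlabeled_t") print $5 }'
}

# One summary line per AVC denial on stdin: which command was denied which
# permission on which object class and target type.
avc_summary() {
    awk '/type=AVC/ && /denied/ {
        perm = $0; sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
        gsub(/ +/, ",", perm)
        comm = "?"; tclass = "?"; ttype = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        printf "comm=%s perm=%s tclass=%s ttype=%s\n", comm, perm, tclass, ttype
    }'
}

# Dry run: print, without executing, the relabel command from the thread for
# each unlabeled entry. $1 is the target type (default file_t, as in post #15).
relabel_plan() {
    t=${1:-file_t}
    list_unlabeled | while IFS= read -r name; do
        printf 'chcon -t %s -- %s\n' "$t" "$name"
    done
}

printf '%s\n' "$SAMPLE_LS" | list_unlabeled
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_LS" | relabel_plan
```

On a live system the same functions can be fed `ls -Z` output and the contents of the audit log instead of the constructed samples.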
 
  

