lleb 12-31-2013 02:48 PM

impossible situation. root is Permission denied to run a script with 777 permissions
 
how in the world is this possible?

Code:

-rwxrwxrwx.  1 ray  ray        464 Dec 31 15:45 nospace.sh*
[root@centos Dr_Who]# ./nospace.sh
-bash: ./nospace.sh: Permission denied
[root@centos Dr_Who]# chmod a+x nospace.sh
[root@centos Dr_Who]# ./nospace.sh
-bash: ./nospace.sh: Permission denied

it's a typical script that I've used hundreds of times on this exact server as both user and root to replace spaces with _.

Code:

[root@centos Dr_Who]# cat nospace.sh
#!/bin/bash
if [ -n "$1" ]
then
  if [ -d "$1" ]
  then
    cd "$1"
  else
    echo invalid directory
    exit
  fi
fi

for i in *
do
  OLDNAME="$i"
  NEWNAME=`echo "$i" | tr ' ' '_' | sed s/_-_/-/g`
  if [ "$NEWNAME" != "$OLDNAME" ]
  then
    TMPNAME="$i"_TMP
    echo ""
    mv -v -- "$OLDNAME" "$TMPNAME"
    mv -v -- "$TMPNAME" "$NEWNAME"
  fi
  if [ -d "$NEWNAME" ]
  then
    echo Recursing lowercase for directory "$NEWNAME"
    $0 "$NEWNAME"
  fi
done

nothing out of the ordinary there.

Code:

[ray@centos Dr_Who]$ d
total 6040752
drwxrwxr-x. 14 ray  ray        4096 Dec 31 15:45 ./
drwsrwxrwx. 22 root root      4096 Dec 19 10:45 ../
-rw-r--r--.  1 ray  ray  2203326316 Nov 25 02:26 Doctor_Who-50th_Anniversary_Special_The_Day_of_the_Doctor.mkv
-rw-rw-r--.  1 ray  ray  1505484852 Sep  3 23:15 Doctor_Who_at_the_Proms_II-2013.mkv
-rw-rw-r--.  1 ray  ray  1319808158 Mar  1  2013 Doctor_Who_Christmas_Special_The_Snowmen.mkv
drwxr-xr-x. 10 ray  ray        4096 Oct 20 21:12 Doctor_Who-Season_01-1963–64/
drwxr-xr-x. 11 ray  ray        4096 Oct 20 21:48 Doctor Who - Season 02 - (1964-65) - 39 Episodes/
drwxr-xr-x. 12 ray  ray        4096 Oct 20 22:43 Doctor Who - Season 03 - (1965-66) - 45 Episodes/
drwxr-xr-x. 11 ray  ray        4096 Oct 20 23:25 Doctor Who - Season 04 - (1966–67) - 43 Episodes/
drwxr-xr-x.  9 ray  ray        4096 Oct 21 00:04 Doctor Who - Season 05 - (1967-68) - 40 Episodes/
drwxrwxr-x.  2 ray  ray        4096 Apr 18  2013 Doctor_Who_Season_1/
drwxrwxr-x.  2 ray  ray        4096 Apr 18  2013 Doctor_Who_Season_2/
drwxrwxr-x.  2 ray  ray        4096 Apr 18  2013 Doctor_Who_Season_3/
drwxrwxr-x.  2 ray  ray        4096 Apr 18  2013 Doctor_Who_Season_4/
drwxr-xr-x.  2 ray  ray        4096 Apr 18  2013 Doctor_Who_Season_5/
drwxrwxr-x.  2 ray  ray        4096 Apr 18  2013 Doctor_Who_Season_6/
drwxrwxr-x.  2 ray  ray        4096 Dec 27 15:35 Doctor_Who_Season_7/
-rw-rw-r--.  1 ray  ray  1157025282 Dec 17 02:08 Doctor.Who.The.Ultimate.Guide.720p.HDTV.x264.AAC.MVGroup.org.mkv
-rwxrwxrwx.  1 ray  ray        464 Dec 31 15:45 nospace.sh*
[ray@centos Dr_Who]$ ./nospace.sh
-bash: ./nospace.sh: Permission denied
[ray@centos Dr_Who]$ whoami
ray

i am the owner, i have full permissions, the directory is owned and controlled by me, why in the world can i no longer run this simple script?

edit to add**

yet i can cp/mv/rm/ any directory/file i desire in same directory(ies)

astrogeek 12-31-2013 02:56 PM

Apparently you have SEL or are using ACLs in that directory.

Code:

-rwxrwxrwx.  1 ray  ray        464 Dec 31 15:45 nospace.sh*

Is that blocking access/execution?

lleb 12-31-2013 03:04 PM

not that I'm aware of. this is one of my NFS shares for my media server to the house.

Code:

[ray@centos Dr_Who]$ cat /etc/exports
#
#        /etc/exports

#        NFS4
/exports *(rw,insecure,subtree_check,crossmnt,fsid=0)

#        NFSv3
/exports/centos/public *(rw,insecure,no_subtree_check,fsid=3010)
/exports/NFS_TV_Shows *(rw,insecure,no_subtree_check,fsid=3020)

Code:

[ray@centos Dr_Who]$ df -Th
Filesystem                    Type  Size  Used Avail Use% Mounted on
/dev/mapper/vg_centos-lv_root ext4    50G  17G  31G  35% /
tmpfs                        tmpfs  3.9G  4.0K  3.9G  1% /dev/shm
/dev/sdb1                    ext4  485M  149M  312M  33% /boot
/dev/mapper/vg_centos-lv_home ext4  1.8T  969G  722G  58% /exports/centos
/dev/sda1                    ext4  1.4T  802G  504G  62% /exports/NFS_TV_Shows
/dev/sdc1                    ext4  3.6T  1.9T  1.6T  56% /exports/New
[ray@centos Dr_Who]$ cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Fri Jan  4 14:43:59 2013
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_centos-lv_root /                      ext4    defaults        1 1
UUID=7b6db420-abc8-4ad9-a8a1-a8da83552e09 /boot                  ext4    defaults        1 2
/dev/mapper/vg_centos-lv_home /exports/centos                  ext4    defaults        1 2
/dev/mapper/vg_centos-lv_swap swap                    swap    defaults        0 0
tmpfs                  /dev/shm                tmpfs  defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                  /sys                    sysfs  defaults        0 0
proc                    /proc                  proc    defaults        0 0
UUID=2284e13a-7d41-461d-aa97-131612ac6174        /exports/NFS_TV_Shows        ext4        rw,user        0 0
UUID=dfba63a0-9b78-44bf-bb5f-12f141472a06        /exports/New                ext4        rw,user        0 0

as for detecting SEL or ACLs how? neither I am aware of ever configuring or enabling.

lleb 12-31-2013 03:08 PM

found something, but not sure how to resolve the issue:

Code:

[ray@centos Dr_Who]$ mount | column -t
/dev/mapper/vg_centos-lv_root  on  /                        type  ext4        (rw)
proc                          on  /proc                    type  proc        (rw)
sysfs                          on  /sys                      type  sysfs        (rw)
devpts                        on  /dev/pts                  type  devpts      (rw,gid=5,mode=620)
tmpfs                          on  /dev/shm                  type  tmpfs        (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/sdb1                      on  /boot                    type  ext4        (rw)
/dev/mapper/vg_centos-lv_home  on  /exports/centos          type  ext4        (rw)
/dev/sda1                      on  /exports/NFS_TV_Shows    type  ext4        (rw,noexec,nosuid,nodev)
/dev/sdc1                      on  /exports/New              type  ext4        (rw,noexec,nosuid,nodev)

none                          on  /proc/sys/fs/binfmt_misc  type  binfmt_misc  (rw)
sunrpc                        on  /var/lib/nfs/rpc_pipefs  type  rpc_pipefs  (rw)
nfsd                          on  /proc/fs/nfsd            type  nfsd        (rw)
/exports/centos                on  /home/ssmahome            type  none        (rw,bind)

i see that both sda1 and sdc1 are set to noexec, how do i get around that and modify my fstab so it mounts with proper permissions to match the LVM for centos-lv?
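
Added example (not part of the original thread): the check lleb did by eye with `mount`, written as a function that finds the mount governing a path and tests it for `noexec`. The function names and the `/exports/New/Dr_Who` location are assumptions, and the mount table is a constructed sample modelled on the output above.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format, modelled on the mount output above.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg_centos-lv_root / ext4 rw 0 0
/dev/mapper/vg_centos-lv_home /exports/centos ext4 rw 0 0
/dev/sda1 /exports/NFS_TV_Shows ext4 rw,noexec,nosuid,nodev 0 0
/dev/sdc1 /exports/New ext4 rw,noexec,nosuid,nodev 0 0
EOF
}

# mount_opts_for PATH [TABLE]: print "mountpoint options" for the mount that
# governs PATH (longest matching mount point; a later entry wins a tie).
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            # Match "/", the path itself, or a true directory prefix, so
            # /exports/New does not claim /exports/Newer.
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END { if (best != "") print best, opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [TABLE]: succeed when the governing mount carries noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2" | awk '{ print $2 }')," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo on the constructed table; the Dr_Who path is an assumed location.
tbl=$(mktemp) && sample_mounts > "$tbl"
for f in /exports/New/Dr_Who/nospace.sh /exports/centos/nospace.sh; do
    if is_noexec "$f" "$tbl"; then
        echo "$f: noexec mount, execve() fails with EACCES for every user, root included"
    else
        echo "$f: mount permits exec, mode bits and SELinux decide"
    fi
done
rm -f "$tbl"
```

Without a second argument the functions read the live `/proc/mounts`, where spaces in mount points appear as `\040`.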

astrogeek 12-31-2013 03:10 PM

Quote:

Originally Posted by lleb (Post 5089794)

as for detecting SEL or ACLs how? neither I am aware of ever configuring or enabling.

I do not use SEL or ACLs so don't know much about them, but you can see the presence by the trailing dot in the long file listing format:

Code:

-rwxrwxrwx.  1 ray  ray        464 Dec 31 15:45 nospace.sh*

Highlighted here...

-rwxrwxrwx[.]  1 ray  ray        464 Dec 31 15:45 nospace.sh*

It is my understanding that the dot indicates that the directory is under SEL/ACL control. Beyond that I don't know much...

lleb 12-31-2013 03:12 PM

thanks, it at least gives me a direction in addition to what i found with the mount command above.

astrogeek 12-31-2013 03:21 PM

Quote:

Originally Posted by lleb (Post 5089798)
thanks, it at least gives me a direction in addition to what i found with the mount command above.

Looking around I found this from info ls:

Quote:

Following the file mode bits is a single character that specifies
whether an alternate access method such as an access control list
applies to the file. When the character following the file mode
bits is a space, there is no alternate access method. When it is
a printing character, then there is such a method.

GNU `ls' uses a `.' character to indicate a file with an SELinux
security context, but no other alternate access method.

A file with any other combination of alternate access methods is
marked with a `+' character.

From that it is still a little ambiguous whether that means specifically SEL/ACL or simply any "alternate access method". Taking the latter case that might include the noexec from fstab.

It should be easy to edit your fstab and remove the noexec flag. Not sure off the top of my pointy head whether it might be necessary to also change the NFS exports setup, so that might be worth checking.

Lennie 12-31-2013 05:27 PM

Change in fstab from 'rw,user' to 'rw,user,exec'
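
Added example (not part of the original thread): per mount(8), the `user` and `users` options imply `noexec,nosuid,nodev` and `owner` and `group` imply `nosuid,nodev`, each unless overridden by a later option, which is why `rw,user` produced the `noexec` mounts seen above. The sketch below walks an option string left to right to show the effective flags; the function names are hypothetical and the fstab lines are a constructed sample based on the ones in the thread.

```sh
#!/bin/sh
# effective_flags OPTS: apply a comma-separated fstab option string left to
# right and print the resulting "exec,suid,dev" state.
effective_flags() {
    exec_f=exec suid_f=suid dev_f=dev      # state when no option changes it
    old_ifs=$IFS; IFS=,; set -f            # split on commas, no globbing
    for o in $1; do
        case $o in
            user|users)  exec_f=noexec; suid_f=nosuid; dev_f=nodev ;;
            owner|group) suid_f=nosuid; dev_f=nodev ;;
            exec|noexec) exec_f=$o ;;
            suid|nosuid) suid_f=$o ;;
            dev|nodev)   dev_f=$o ;;
        esac
    done
    set +f; IFS=$old_ifs
    echo "$exec_f,$suid_f,$dev_f"
}

# audit_fstab: read fstab-format lines on stdin, print "mountpoint flags".
audit_fstab() {
    while read -r dev mp fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "$mp $(effective_flags "$opts")"
    done
}

# Constructed sample: the second line is the thread's entry as posted, the
# third is the same kind of entry with the proposed rw,user,exec change.
sample_fstab() {
    cat <<'EOF'
# constructed sample, not a real /etc/fstab
/dev/mapper/vg_centos-lv_home /exports/centos ext4 defaults 1 2
/dev/sda1 /exports/NFS_TV_Shows ext4 rw,user 0 0
/dev/sdc1 /exports/New ext4 rw,user,exec 0 0
EOF
}

sample_fstab | audit_fstab
```

With `rw,user,exec` only exec is restored; `nosuid` and `nodev` stay in force on the share. Order matters: `exec,user` ends up `noexec` because `user` comes last.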

John VV 12-31-2013 06:31 PM

Quote:

-rwxrwxrwx. 1 ray ray

that is a bit odd
ray as user name is fine
BUT ray as the group ???? -- odd

it should be
user = ray
group = users

the user "ray" should be in the "users" group
and that group should be the one that the folder is set to
( the same as your HOME folder )

Lennie 01-01-2014 02:45 AM

Nothing wrong in creating a group with the same name as your user and making that your main group. Some distros do it by default.

lleb 01-01-2014 05:41 PM

Quote:

Originally Posted by John VV (Post 5089892)
that is a bit odd
ray as user name is fine
BUT ray as the group ???? -- odd

it should be
user = ray
group = users

the user "ray" should be in the "users" group
and that group should be the one that the folder is set to
( the same as your HOME folder )

yes it is ray ray for user/group on that account even in my home directory

it is uid, gid, and group all = 501 named ray.

rknichols 01-01-2014 06:06 PM

An individual group per user has been the recommendation for quite a few years now. Giving each user a unique primary group ID makes it possible to form groups that share directories without requiring people to be constantly changing their umask. When working in the group-shared directory, you need to have a umask that permits group access, but if everyone's primary group is "users", you need to turn off group permissions when working elsewhere or else every user on the system would have access to your files. With a per-user primary group, a umask that does not block group access, and a set-GID permission bit on the shared directories, it all works pretty seamlessly.


All times are GMT -5.