More on unix permission

Coolmax · 02-27-2013, 01:16 PM

Hi,
I read some articles about permissions, but I think my knowledge is still superficial. Today I went to my website, but nginx told me that page is unavailable (permission denied). Before everything worked well. I remember that only thing what I change was to add 'www-data' user to 'coolmax' group. I made some tests with directories and this is what I found:

Code:

# ls -la / |grep qwer
drwxr--r-x   2 coolmax coolmax  4096 2013-02-27 19:06 qwer
# id -nG www-data
www-data cooolmax
# su - www-data
$ ls -la /qwer
ls: cannot access /qwer/.: Permission denied
ls: cannot access /qwer/..: Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
$ exit
# usermod -G www-data www-data
# su - www-data
$ ls -la /qwer
total 8
drwxr--r-x  2 coolmax coolmax 4096 Feb 27 19:50 .
drwxr-xr-x 23 root    root    4096 Feb 27 19:50 ..

Distro is Debian 6.0.5. I know that no 'x' for group is nonsense, when there is 'x' for other users. So I think, when user belongs to group, which directory is set to, then 'other' permissions aren't taken into account. But why's that? I'd very appreciate, if someone could explain it or give me some links.

chrism01 · 02-27-2013, 06:41 PM

Basically, it checks all the perms, looking for a way to do what's required. I don't know if it goes left-to-right or reverse, but the effect is the same. It keeps going till it gets what it needs or runs out of perms to check.
See also ACLs.

http://www.linuxtopia.org/online_boo...5_ch-acls.html

shivaa · 02-27-2013, 07:48 PM

The problem is with this:

Code:

# ls -la / | grep qwer
drwxr--r-x   2 coolmax coolmax  4096 2013-02-27 19:06 qwer

Directory 'qwer' has no write or execute permission for group members. See this part (marked in Red):

Code:

drwxr--r-x

And since 'coolmax' is a supplimentry group for user 'www-data', so he cannot write or execute the directory i.e. cannot see it's content.

So simply solution to this problem is to add at least execute permission for group on qwer directory, as:

Code:

~$ chmod -R g+wx qwer

Either user 'www-data' should be member of 'coolmax' group and 'qwer' dir. should have write/execute permission of group OR, 'qwer' directory shold have all permissions for others.