[SOLVED] Permission issue for directory access in user's home directory

BhushanPathak · 06-30-2017, 05:52 AM

Hello,

I have 10 CentOS 7 servers. There is a python script which creates admin user, generates SSH keys, set the correct groups for admin user & other necessary settings.

On 8 out of the 10 servers, the script ran successfully. On 2 servers, the script fails while executing the below command -

Code:

sudo su -c 'ssh-keygen -q -t ecdsa -N \"\" -f ~/.ssh/id_ecdsa -b 521' -s /bin/bash admin

The error received was -

Code:

Could not stat /home/admin/.ssh: Permission denied

The issue is not with sudo access. Now, I checked the python script. It creates the admin user, then creates the .ssh directory inside the admin user's home directory, executes chown command so that admin user is owner for the .ssh directory.

The only difference I observed is that on servers where the python script is successful -

Code:

userb@server5:~$ ls -lZd /home/admin/
drwxr-x---. admin admin system_u:object_r:user_home_dir_t:s0 /home/admin

And where the script failed -

Code:

userb@server6:~$ ls -lZd /home/admin/
drwxr-x---. 1001 1001 system_u:object_r:user_home_dir_t:s0 /home/admin/

The groups that admin belongs to is same on all the servers -

Code:

userb@server6:~$ id admin
uid=2000(admin) gid=2000(admin) groups=2000(admin),10(wheel),600(java)

Any idea what the '1001' means here? And what could be the issue?

Thanks

Bhushan Pathak

malekmustaq · 06-30-2017, 06:54 AM

Quote:

Any idea what the '1001' means here? And what could be the issue?

It is a user ID. It means that: on systems (2 of them, you said) where the script failed, the folder /home/admin is NOT owned by 2000:2000, rather it is owned by 1001:1001 --user and group.

Thus, try to check whether somebody is already using the UID 2000 in those units/systems and make appropriate adjustments in assigning other UIDs. or
Try to change the owner:group of that mistaken folders in the 2 systems MANUALLY and observe if the problem goes off.

Code:

man chmod
man chgrp

Hope that helps. Good luck.

m.m.

BhushanPathak · 06-30-2017, 07:05 AM

Well, according to the /etc/passwd file
- There is no user with UID as 1001
- UID 2000 is assigned to admin user

Manually executing the chown command makes the problem go away.

Let me check further if I can dig up few more details. Any other things I can check/look for?

BW-userx · 06-30-2017, 09:35 AM

change UID

Code:

usermod -u <NEWUID> <LOGIN>    
groupmod -g <NEWGID> <GROUP>
find / -user <OLDUID> -exec chown -h <NEWUID> {} \;
find / -group <OLDGID> -exec chgrp -h <NEWGID> {} \;
usermod -g <NEWGID> <LOGIN>

ref:
https://muffinresearch.co.uk/linux-c...gids-for-user/

https://www.cyberciti.biz/faq/linux-...l-owned-files/

sweepnine · 06-30-2017, 12:57 PM

I guess the user 'admin' previously existed with uid 1001 on the two system that produces the error.

Appearantly, the uid 2000 comes from one of your scripts. At some point you create the user and subsequently assume the user to have uid 2000. But if the user already extisted with uid 1001, the creation fails and assumoption does not hold. You may fix the uid after the user creation attempt, see BW-userxs reply.

However, if user 'admin' existed beforehand there might be some reason for this, and if so you risk to break its previous function. If you dont know whether the existence of the user 'admin' is a relict of previous trials of yours, or has been on the system for other reasons, you better choose another user name, f.i. 'adminbushan', presuming the role the user you created has nothing to do with the role the previously existing 'admin'.

BhushanPathak · 07-04-2017, 01:29 AM

I debugged this further and found the following -
1. All 10 centOS servers had a user admin created which had UID 1001
2. The python script that I executed intentionally deletes the admin user with UID 1001 & creates again with UID 2000

The same script worked on 8 servers & failed on 2.

Additionally, I cannot change the user name from admin to something else. Is there any thing else I can debug?

If I execute the script again, it would probably work as the old admin user [with UID 1001] is deleted from the system. This issue came up again on another 3 servers over the weekend.

MadeInGermany · 07-04-2017, 01:52 AM

A passwd caching service like nscd can obscure chown admin ....
chown 2000 ... i.e. a numeric uid/gid is safer.
Check your Python script for it!

BhushanPathak · 07-04-2017, 04:52 AM

I verified that the python script indeed uses the UID & GID to set the ownership of the directory -

Code:

os.chown(path, uid, gid)

Just out of curiosity - if the home directory had some files in it & we delete the admin user, would the home directory be also deleted? If not, is there a possibility that we would run into this issue?

MadeInGermany · 07-04-2017, 05:59 AM

uid and gid are the names of two variables.
Ensure their values are not symbolic names!

Normally the homedirectory is not touched.
Tools like userdel provide an option for it: userdel -r ...

BhushanPathak · 07-11-2017, 06:04 AM

Using the -r option seems to have solved the issue.

Thanks everyone.