Trouble with write access and groups.

jmgibson1981 · 05-02-2020, 01:18 PM

Code:

$ groups
jason adm sudo kvm libvirt lxd windowsbackup

Code:

ls -al
total 8
drwxrwxr-x 2 root  windowsbackup 4096 May  2 11:14 .
drwxr-xr-x 5 jason jason         4096 May  2 10:49 ..

Code:

$ touch indeed
touch: cannot touch 'indeed': Permission denied

Code:

$ newgrp windowsbackup
$ touch indeed
ls -l
total 0
-rw-rw-r-- 1 jason windowsbackup 0 May  2 11:12 indeed

I am so confused. I figured this should be simple. I'm clearly a member of the group. The permissions on the directory are 775. I can't write to the directory. I've logged out and in several times. I can however write just fine after using

Code:

newgrp windowsbackup

I've done nothing involving special acls or anything.
I've hit this before but I've never tested with the newgrp command. So if it doesn't ask me for a password on the newgrp command, then I'm a member of the group... but I can't write anything? As wrong as it is I've bypassed by just tossing 777 and leaving it. But it bugs the hell out of me. I've posted this issue elsewhere and get nowhere. Google just says chmod 775 and chgrp the folder.

ehartman · 05-02-2020, 01:53 PM

Quote:

Originally Posted by jmgibson1981

$ touch indeed
touch: cannot touch 'indeed': Permission denied

Ar this moment you're in group "jason", which doesn't have write access to the . directory.

Quote:

$ newgrp windowsbackup
$ touch indeed

But now you have changed your group to windowsbackup, so now the touch works.

That you're allowed to use the "newgrp" command without a password is because you are in both groups already. But now the default group for your session is that one, not jason anymore:

Quote:

newgrp changes the current real group ID to the named group, or to the default group listed in /etc/passwd if no group name is given. newgrp also tries to add the group to the user groupset.

But a file (or directory) can be given only a single group ID and that is the "real group ID" of the session, which starts as the one, listed in /etc/passwd
To revert to that default afterwards, you can just issue the command "newgrp" without any parameters.

jmgibson1981 · 05-02-2020, 02:30 PM

Ok. I'll have to rework my script. Logic tells me if you have a group membership, you should be able to do what it allows by default. But doesn't work for directories I guess?

ehartman · 05-02-2020, 03:27 PM

Quote:

Originally Posted by jmgibson1981

Ok. I'll have to rework my script. Logic tells me if you have a group membership, you should be able to do what it allows by default. But doesn't work for directories I guess?

It should work for existing files, so you can "touch" a file IN that directory when it has the right group, but for creating NEW files (and subdirs) it can only use a single group (the "real session group ID") to create that file with. And that real group ID of the touch command does not have write permission to that dir as the groups are different.
You, the user, have multiple groups YOU belong too, but a process (like touch), just like a file or directory, can have only a single group ID, which normally is your primary one (the one you logged in with). Thus a process does NOT inherit all of your groups.