Group permissions: user can't access 770 directory even though a member of group

jm34003 · 05-16-2012, 10:54 AM

I have 3 users that belong to 3 corresponding groups:

user-russia belongs to group-russia
user-belarus belongs to group-belarus
user-ukraine belongs to group-ukraine.

I also have 3 directories: russia (belongs to “user-russia”), belarus (belongs to “user-belarus”), ukraine (belongs to “user-ukraine”). Each of these directories has permissions rwxrwx--- (full permissions to members of group).

So if I login as user-russia, I can access directory “russia”, but cannot access the other two, and so on.

THE PROBLEM:

I also created “user-all”, and made it a member of groups group-russia, group-belarus and group-ukraine. I expected this user to have access to all 3 directories, since it belongs to all these groups, and each directory has full permissions for members of user group. Meanwhile, whenever I try to access ANY of these directories as “user-all”, I get “Permission denied”.

Ideas?

pingu · 05-16-2012, 11:04 AM

That should work.
Did you log in as user-all before you added that user to the 3 groups?
That would explain it - group membership is read at login.
If so, log out & log in again.
If not, or if that doesn't help, return with info about distro, desktop manager, pam, SE-Linux...

pan64 · 05-16-2012, 11:24 AM

a user may belong to several groups, but actually it is only member of a given one and he can change this group (from the list)
So there is an actual group selected from the list, by default it is the primary group. If you want to change it you need to use the command newgrp <another group>.
You can check the actual settings by the command id, or by creating a file.

jm34003 · 05-16-2012, 11:40 AM

pingu,
No, I made that user a member of groups at the time of creation:

Code:

useradd -u 1100 -g group-russia -G group-belarus,group-ukraine -d /var/countries/ -s /bin/sh -m user-all
passwd user-all

Tried logging in and out, but no luck.

System info:

I am running a CentOS relase 5.8. It is actually a remote VPS and I only have console access.

jm34003 · 05-16-2012, 12:19 PM

pan64,
When I run id as user-all, I get the following:

Code:

uid=1100(user-all) gid=500(group-russia) groups=500(group-russia),501(group-belarus),502(group-ukraine)

So, when I do "newgrp group-belarus", and then id again:

Code:

uid=1100(user-all) gid=501(group-belarus) groups=500(group-russia),501(group-belarus),502(group-ukraine)

The primary group did change, but no effect on permissions. Still get "Permission denied" when cd to any of these directories.

pan64 · 05-16-2012, 12:32 PM

Is that possible the homes are mounted?

jm34003 · 05-16-2012, 12:44 PM

pan64, no.
I tried creating another directory, which is not home to any user, gave membership to "user-russia" and set permissions to 770. But I still can't access it with user-all.

pan64 · 05-16-2012, 01:01 PM

That sounds strange.
So please write all the commands you executed one by one, and also post the results.
including id <username>, pwd and ls -la

pingu · 05-16-2012, 01:12 PM

Try disabling SE-Linux, it might very well be the cause.
Never used it myself but here's a link that seems helpful: http://www.crypt.gen.nz/selinux/disable_selinux.html

jm34003 · 05-16-2012, 01:35 PM

pingu, I tried doing what you advised, but it doesn't help.

Code:

[root@server selinux]# echo 0 >/selinux/enforce
[root@server selinux]# cat /selinux/enforce
0
[root@server selinux]# su - user-all
-sh-3.2$ cd /var/countries
-sh-3.2$ ls -la
total 20
drwxr-xr-x  5 root          root 4096 May 16 14:19 .
drwxr-xr-x 20 root          root 4096 May 16 10:03 ..
drwxrwx---  2 user-belarus  root 4096 May 16 12:44 belarus
drwxrwx---  2 user-russia   root 4096 May 16 12:44 russia
drwxrwx---  2 user-ukraine  root 4096 May 16 12:44 ukraine
-sh-3.2$ cd ukraine
-sh: cd: ukraine: Permission denied
-sh-3.2$ groups
group-russia group-belarus group-ukraine
-sh-3.2$

pan64 · 05-16-2012, 01:47 PM

how is this /var/countries mounted?

pingu · 05-16-2012, 01:52 PM

Quote:

Originally Posted by jm34003

Code:

-sh-3.2$ ls -la
total 20
drwxr-xr-x  5 root          root 4096 May 16 14:19 .
drwxr-xr-x 20 root          root 4096 May 16 10:03 ..
drwxrwx---  2 user-belarus  root 4096 May 16 12:44 belarus
drwxrwx---  2 user-russia   root 4096 May 16 12:44 russia
drwxrwx---  2 user-ukraine  root 4096 May 16 12:44 ukraine

Ha, look at that again: the 3 directories are group root!
They are owned by their respective user (user-belarus, user-russia & user-ukraine) but group is root!
So, "chgrp group-russia russia" etc and you're done!

jm34003 · 05-16-2012, 02:00 PM

pingu, THANK YOU!!!
And that was so obvious, I need to get some sleep finally :-)

pingu · 05-16-2012, 02:03 PM

Glad to help!
Off to your beauty-sleep now, you deserve it! :-)