Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
|
|
09-02-2009, 04:12 AM
|
#1
|
Member
Registered: Dec 2004
Location: Belgium
Distribution: debian
Posts: 48
Rep:
|
groups +w problem
Hi to all
I'm having the following problem with my redhat 3 (yes, there are still some around :-)
I've already searched the forum and googled about it, but without success.
I have a folder, belonging to group A
some users of group A can write in the folder, some others cannot.
the folder privileges are 775
What must I verify beyond group membership and folder permissions?
we are 4 techs here working on it, but no one is really a linux specialist.
thanks in advance
|
|
|
09-02-2009, 07:03 AM
|
#2
|
LQ Newbie
Registered: Mar 2009
Location: Sydney, Australia
Distribution: fedora 23
Posts: 1
Rep:
|
I believe that you need to make the folder privileges 777. I don't know whether you know this, but the privileges 777 mean that the owner (first 7), the people in the same group as the owner (second 7) and anybody else (the third 7) can all modify files in that folder. If you want to restrict the modification of files in that folder to the owner and the people in the same group as the owner, then 774 or 775 will do. It just means that anyone who wants to modify a file in that folder will have to be put in the same group as the owner. Either see your system administrator or, if you are the system administrator, add the person to the owner's group in /etc/group.
|
|
|
09-02-2009, 07:16 AM
|
#3
|
Member
Registered: Dec 2004
Location: Belgium
Distribution: debian
Posts: 48
Original Poster
Rep:
|
hi
thanks for your reply.
But the point is that several users in group A can write in the folder belonging to group A, but other users, also in group A, cannot write and face a permission denied.
I'm getting crazy about this.
It's been suggested that I check the "synchronisation" between the password and groups files, and the shadow password. Although I'm not sure about this, I will have a look anyway.
One more piece of info: read access seems OK for all users of group A
|
|
|
09-02-2009, 09:01 PM
|
#4
|
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,397
|
The perms groups are
u = user/owner
g = group
o = other/the world
each of which can be any combo of rwx (read/write/search for dir).
You don't want to open up that dir to the world.
Start by finding out what the current situation is ie
1. ls -l on dir
2. check /etc/group to see who is in the dir's 'owning' group
3. check for ACLs - http://linux.die.net/man/1/getfacl
For a simple situation, you'd have
drwxrwx--- user1 group1
on the dir and everybody in group1 (doesn't have to be primary group).
You might want to force all files to be owned by the dir group eg
chmod g+s dirname
http://linux.die.net/man/1/chmod
For more complex situations, you may want to add ACLs, although it can get fiddly if you start doing that a lot.
HTH
|
|
|
09-03-2009, 03:20 AM
|
#5
|
Member
Registered: Dec 2004
Location: Belgium
Distribution: debian
Posts: 48
Original Poster
Rep:
|
here is a little more explanation:
- here is the folder I'm in:
yull@rotor:~/test$ ls -al
total 12
drwxr-xr-x 3 yull users 4096 Sep 2 16:51 .
drwx------ 5 yull users 4096 Sep 2 16:51 ..
drwxrwxr-x 2 apache groupA 4096 Sep 2 16:53 proj
- here are my groups:
yull@rotor:~/test$ groups yull
yull: users groupA
- here I try to write in the folder 'proj', owned by groupA, which I belong to, and which has write access:
yull@rotor:~/test$ touch proj/test.txt
touch: creating `proj/test.txt': Permission denied
WTF!!!!!
thanks a lot to all for your time
|
|
|
09-03-2009, 03:47 AM
|
#6
|
Senior Member
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,797
|
Which RedHat 3 are you talking about? A version from somewhere in the 90's (not sure if a version 3 existed) or RHEL?
|
|
|
09-03-2009, 03:54 AM
|
#7
|
Member
Registered: Dec 2004
Location: Belgium
Distribution: debian
Posts: 48
Original Poster
Rep:
|
rhel (enterprise)
|
|
|
09-03-2009, 04:05 AM
|
#8
|
ELF Statifier author
Registered: Oct 2007
Posts: 676
Rep:
|
Quote:
Originally Posted by yull
Hi to all
I'm having the following problem with my redhat 3 (yes, there are still some around :-)
I've already searched the forum and googled about it, but without success.
I have a folder, belonging to group A
some users of group A can write in the folder, some others cannot.
the folder privileges are 775
What must I verify beyond group membership and folder permissions?
we are 4 techs here working on it, but no one is really a linux specialist.
thanks in advance
|
Not always, but usually when several people need write access to the same files, it's a sign that a version control system can (should?) be used instead.
Could you explain what this folder is for and why four people need write access to it?
|
|
|
09-03-2009, 04:26 AM
|
#9
|
Member
Registered: Dec 2004
Location: Belgium
Distribution: debian
Posts: 48
Original Poster
Rep:
|
hi
indeed the problem was raised by a problem with our svn install.
But I insist, I'm able to reproduce the problem on the file system, locally, in my homedir, using nothing other than my command line ssh connection
|
|
|
09-03-2009, 04:28 AM
|
#10
|
Member
Registered: Dec 2004
Location: Belgium
Distribution: debian
Posts: 48
Original Poster
Rep:
|
we noticed also that if we use a group that is higher positioned in the /etc/groups file, we don't face the problem any more.
Could it be possible there is a limitation to the number of groups in /etc/groups file?
|
|
|
09-03-2009, 05:27 AM
|
#11
|
ELF Statifier author
Registered: Oct 2007
Posts: 676
Rep:
|
Quote:
Originally Posted by yull
hi
indeed the problem was raised by a problem with our svn install.
But I insist, I'm able to reproduce the problem on the file system, locally, in my homedir, using nothing other than my command line ssh connection
|
The SVN server should be the owner of the repository; only the server (== one UID) should be allowed to read/write the repository.
So where does your problem come from?
|
|
|
09-03-2009, 08:51 PM
|
#12
|
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,397
|
|
|
|
09-04-2009, 03:43 AM
|
#13
|
Member
Registered: Dec 2004
Location: Belgium
Distribution: debian
Posts: 48
Original Poster
Rep:
|
hi to all
here we go a little further:
It looks like we had two problems mixed:
- we fixed the gaps between the passwd, groups, shadow and gshadow files using the cleaning binaries available.
- we remain with a security problem on our nas: after removing a group from a user, and doing a logoff/login to activate those changes for the user, the user kept write access rights to the folder, even though he shouldn't. It appears this is linked to a 16 groups limitation of sys-auth on nfs mounted drives.
we're looking to mount our drives on nfs4, or something else.
|
|
|
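A quick audit for the 16-group limit described in the last post, as an added example that is not from the thread: it lists accounts whose supplementary group count exceeds what an AUTH_SYS NFS credential can carry and shows which memberships fall past the cut. The file contents, `user1`, `user2` and the `team*` groups are constructed, and treating group-file order as the order the client sends is an assumption based on the observation in post #10.

```shell
#!/bin/sh
# Added example. AUTH_SYS (AUTH_UNIX) credentials carry at most 16 supplementary GIDs.
MAX_GIDS=16

# supp_groups GROUP_FILE USER PRIMARY_GID: supplementary groups, in file order
supp_groups() {
    awk -F: -v u="$2" -v pg="$3" '
        $3 == pg { next }                      # primary GID travels separately
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }' "$1"
}

# dropped_groups GROUP_FILE USER PRIMARY_GID: memberships past the limit
# (assumption: the client sends the list in group-file order)
dropped_groups() {
    supp_groups "$1" "$2" "$3" | awk -v max="$MAX_GIDS" 'NR > max'
}

# over_limit_users PASSWD_FILE GROUP_FILE: "user count" per account over the limit
over_limit_users() {
    while IFS=: read -r name pw uid gid rest; do
        count=$(supp_groups "$2" "$name" "$gid" | awk 'END { print NR }')
        if [ "$count" -gt "$MAX_GIDS" ]; then echo "$name $count"; fi
    done < "$1"
}

# make_sample DIR: constructed passwd/group files (not taken from the thread)
make_sample() {
    printf '%s\n' 'user1:x:500:100::/home/user1:/bin/sh' \
                  'user2:x:501:100::/home/user2:/bin/sh' > "$1/passwd"
    {
        echo 'users:x:100:'
        i=1
        while [ "$i" -le 16 ]; do
            echo "team$i:x:$((600 + i)):user1"
            i=$((i + 1))
        done
        echo 'groupA:x:700:user2,user1'
    } > "$1/group"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "over the limit: $(over_limit_users "$demo_dir/passwd" "$demo_dir/group")"
echo "not sent for user1: $(dropped_groups "$demo_dir/group" user1 100)"
rm -rf "$demo_dir"
```

This reads only local files; on a host that also resolves groups from NIS or LDAP, `id -G <user>` gives the full resolved list to count instead.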
All times are GMT -5. The time now is 08:48 AM.
|
|
|