Solved

Linux File permissions problem

Posted on 2011-03-16
Last Modified: 2012-05-11
I need some assistance understanding and fixing some Linux permissions on files and folders. I don't have the onsite expert available that I once did. I have an Ubuntu box that hosts our Intranet, and it's integrated with our Active Directory. The documentation my former network admin left me indicated the "intranetadmins" group is assigned the permissions to log in and manage the files, but when I add a new user to that AD group, they can only log in, they can't change anything. I have a specific share set up using Samba that allows them to get directly to the site files.

When I list files in the directory using "ls -l", I see something like the following:

drwxrwxr-x 2 Domain\AdminUser Domain\intranetadmins  4096 2011-02-04 06:02 videos
-rwxrwxr-x 1 Domain\AdminUser Domain\intranetadmins   260 2009-04-27 16:23 videos.css

I tried changing the permissions directly on these files and folders, setting Domain\AdminUser as the user and Domain\intranetadmins (the group mentioned above) as the group. These files and folders have permissions set to 775, but the users in the intranetadmins group can't make changes.

Now, I thought this was set up using Likewise Open, at least that was the discussion the network admin and I had at the time. But I can't find any files that I'd expect related to any Likewise installation (like lsassd.conf), yet I can and do log in with my AD account all the time. What should I be looking at to determine where my problem is?

Environment: Ubuntu 8.1.0
Thanks!
Question by:kbirecki
9 Comments
 
LVL 5

Assisted Solution

by:paulqna
paulqna earned 125 total points
ID: 35152462
Only the owner of the file or directory can change permissions.
0
 
LVL 5

Expert Comment

by:paulqna
ID: 35152463
and of course the superuser can do that (root).
0
 
LVL 78

Expert Comment

by:arnold
ID: 35153354
Based on the permissions, members of Domain\intranetadmins can edit/modify the files.
Run id Domain\\user and see whether it is seen as a member of the specified group.
0
 
LVL 11

Author Comment

by:kbirecki
ID: 35153481
Thanks for the responses.  My account has Sudo user permissions and I log in with a domain account.  I can chown and chmod to my heart's content, but as I understand it (obviously missing something), with the permissions for the group specified on these files and folders (Domain\intranetadmins), I would have thought anyone in the group could also add, delete & modify these files and folders.

When I run "id Domain\\MyUserAccount" I see all the AD groups my domain account is a member of.
When I run "id Domain\\UserThatShouldHaveAccess" I see that they are a member of the group "Domain\intranetadmins" and the other AD groups they are in.  So it is puzzling that the group "Domain\intranetadmins" is assigned to the files and folders, yet they can't do anything in these folders.

Any suggestions of what I need to change to allow members of the group Domain\intranetadmins access to the files and folders?  Do I understand this correctly when I assign 775 (user-group-other) that 7 in positions 1 and 2 means the user and group should have full read-write access?
Thanks!
0
 
LVL 78

Assisted Solution

by:arnold
arnold earned 375 total points
ID: 35153521
The modify and add I think is right, but the delete might not be the case.
The other issue you have to check is the path
/
/var
/var/www
/var/www/html
to get to the underlying location.
The issue might be that the reason the users cannot do a thing in these folders is that they do not have the rights to get there.
Try changing directory one at a time as one of those users.
sudo su - domain\\user

cd /
cd /<next directory in the path to those files>
until you get a deny error or until you get to the destination.

Yes, 7 in the owner and group positions grants the owner and group full writes.
The other issue deals with the user who makes changes, i.e. their umask, which may change the mode when they create a file.
It might require using the Group SetUID on the directory:
chmod 2775 directory to set the GroupSetuid
The umask of the user must be 002 to create files with owner and group full access and other read and execute.
0
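The path walk and umask check from the answer above, as an added shell example that is not part of the original thread: "first_blocked" reads the mode bits of each directory from a start point down to the target and prints the first one a non-owner member of the given group cannot enter, and "created_mode" shows the mode and group a new file gets under a given umask. Both function names are made up for this example; it assumes GNU stat and ignores ACLs.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (as on Ubuntu). Only classic mode bits are
# read: POSIX ACLs, Samba share settings and MAC policy are not considered.

# first_blocked GROUP TARGET [START]
# Walk from START (default /) down to TARGET and print the first directory
# that a non-owner member of GROUP cannot enter (missing search/x bit).
# Returns 1 when such a directory is found, 0 when the whole path is open.
first_blocked() {
    group=$1; dir=$2; start=${3:-/}
    chain=$dir
    while [ "$dir" != "$start" ] && [ "$dir" != / ] && [ "$dir" != . ]; do
        dir=$(dirname "$dir")
        chain="$dir
$chain"
    done
    while IFS= read -r d; do
        bits=$((0$(stat -c %a "$d")))      # octal mode, e.g. 02775
        if [ "$(stat -c %G "$d")" = "$group" ]; then
            need=8                         # group x bit (octal 010)
        else
            need=1                         # other x bit (octal 001)
        fi
        if [ $((bits & need)) -eq 0 ]; then
            printf '%s\n' "$d"
            return 1
        fi
    done <<EOF
$chain
EOF
    return 0
}

# created_mode DIR UMASK
# Create a file in DIR under UMASK (in a subshell, so the caller's umask is
# untouched) and print its octal mode and group. In a setgid directory
# (chmod 2775) the group is the directory's group, not the creator's primary one.
created_mode() {
    (
        umask "$2"
        f="$1/.umask-probe.$$"
        : > "$f"
        stat -c '%a %G' "$f"
        rm -f "$f"
    )
}
```

For a site under /var/www/html, "first_blocked 'Domain\intranetadmins' /var/www/html" prints nothing when every directory on the path can be entered by group members.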
 
LVL 11

Author Comment

by:kbirecki
ID: 35169705
arnold, regarding the path, do the users have to have permissions all the way down the path if they are only getting into a particular subfolder via a Samba share?  This is how I have the users accessing the folder I want them to be able to add, modify and delete files in.  They have no access to anything else, including the parent folders of the folder (and subfolders) in question.  

If they do need access to the parent folders, how do I give them sufficient access while not screwing up permissions on other folders? I want to limit them to the specific subfolder I've designated.

And regarding umask, it looks like this applies to the currently logged in user, is that correct?  How should I use that to apply read-write permissions to other users?
Thanks!
0
 
LVL 78

Accepted Solution

by:arnold
arnold earned 375 total points
ID: 35171712
For a Samba folder, check /var/log/messages for SELinux alerts when the users try to make changes.
You need to make sure that the UMASK set within the samba share is 002.
Double check that guest is not what the users accessing the share are seen as.
0
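Samba has no share parameter named umask; the settings that play that role are "create mask" and "directory mask", whose defaults (0744 and 0755) strip group write from anything created through the share. The added example below (not from the original thread) reads one share section and flags those masks plus guest access; the share name, path and function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag share settings that stop group members from writing.
# Reads only the share's own section; [global] values and parameter synonyms
# are ignored, and booleans are matched as literal yes/no.
# "testparm -s" prints the effective configuration on a real server.

# Constructed smb.conf fragment; share name and path are hypothetical.
sample_conf() {
cat <<'EOF'
[intranet]
   path = /srv/intranet
   read only = no
   guest ok = yes
   ; create mask and directory mask are not set, so defaults apply
EOF
}

# share_param SHARE KEY  (smb.conf on stdin): print KEY's value in [SHARE].
share_param() {
    awk -v share="$1" -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/   { s = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", s)
                        insec = (s == tolower(share)); next }
        insec && (i = index($0, "=")) {
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }'
}

# audit_share SHARE  (smb.conf on stdin): print one finding per line.
audit_share() {
    conf=$(cat)
    share=$1
    get() { printf '%s\n' "$conf" | share_param "$share" "$1"; }
    cm=$(get "create mask");    cm=${cm:-0744}    # Samba default 0744
    dm=$(get "directory mask"); dm=${dm:-0755}    # Samba default 0755
    if [ $((0$cm & 020)) -eq 0 ]; then echo "create mask $cm: new files not group-writable"; fi
    if [ $((0$dm & 020)) -eq 0 ]; then echo "directory mask $dm: new directories not group-writable"; fi
    if [ "$(get "guest ok")" = yes ]; then echo "guest ok = yes: users may be mapped to the guest account"; fi
    if [ "$(get "read only")" != no ]; then echo "read only is not 'no': share is not writable"; fi
    return 0
}
```

A share section that sets create mask = 0664, directory mask = 2775, guest ok = no and read only = no produces no findings.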
 
LVL 11

Author Comment

by:kbirecki
ID: 35365008
Sorry that I dropped the ball on this question.  After reading through all this, I think my issue is with the PAM module configuration because it seems to be a problem with user accounts.  I thought from some documentation we had that Likewise was in use on the Linux box, but it is not.  I'm still learning Linux.  I'm going to assign points and close this question until I can better figure out what my next step is.....and maybe a more appropriate question to the problem I'm having.
0
 
LVL 11

Author Closing Comment

by:kbirecki
ID: 35365039
The problems snowballed as I got into this more.  Samba and the file permissions seem not to be directly the problem.  It seems there's a number of things on this server that are not standard, and since I didn't put the server together, I think I'm going to rebuild another from scratch trying to follow "best practices" and easier solutions.  Thanks for your help!
0
