Solved

Linux File permissions problem

Posted on 2011-03-16
Last Modified: 2012-05-11
I need some assistance understanding and fixing some Linux permissions on files and folders.  I don't have the onsite expert available that I once did.  I have an Ubuntu box that hosts our Intranet, and it's integrated with our Active Directory.  The documentation my former network admin left me indicated the "intranetadmins" group is assigned the permissions to log in and manage the files, but when I add a new user to that AD group, they can only log in, they can't change anything.  I have a specific share set up using Samba that allows them to get directly to the site files.

When I list files in the directory using "ls -l", I see something like the following:

drwxrwxr-x 2 Domain\AdminUser Domain\intranetadmins  4096 2011-02-04 06:02 videos
-rwxrwxr-x 1 Domain\AdminUser Domain\intranetadmins   260 2009-04-27 16:23 videos.css

I tried changing the permissions directly on these files and folders setting Domain\AdminUser as the user and Domain\intranetadmins (the group mentioned above) as the group.  These files and folders have permissions set to 775, but the users in the intranetadmin group can't make changes.

Now, I thought this was set up using Likewise Open, at least that was the discussion the network admin and I had at the time.  But I can't find any files that I'd expect related to any Likewise installation (like lsassd.conf), yet I can and do log in with my AD account all the time.  What should I be looking at to determine where my problem is?

Environment: Ubuntu 8.1.0
Thanks!
Question by:kbirecki
9 Comments
 
LVL 5

Assisted Solution

by:paulqna
paulqna earned 500 total points
ID: 35152462
Only the owner of the file or directory can change permissions.
0
 
LVL 5

Expert Comment

by:paulqna
ID: 35152463
and of course the superuser can do that (root).
0
 
LVL 81

Expert Comment

by:arnold
ID: 35153354
Based on the permissions, members of Domain\intranetadmins can edit/modify the files.
Run id Domain\\user and see whether it is seen as a member of the specified group.
0

 
LVL 11

Author Comment

by:kbirecki
ID: 35153481
Thanks for the responses.  My account has Sudo user permissions and I log in with a domain account.  I can chown and chmod to my heart's content, but as I understand it (obviously missing something), with the permissions for the group specified on these files and folders (Domain\intranetadmins), I would have thought anyone in the group could also add, delete & modify these files and folders.

When I run "id Domain\\MyUserAccount" I see all the AD groups my domain account is a member of.
When I run "id Domain\\UserThatShouldHaveAccess" I see that they are a member of the group "Domain\intranetadmins" and the other AD groups they are in.  So it is puzzling that the group "Domain\intranetadmins" is assigned to the files and folders, yet they can't do anything in these folders.

Any suggestions of what I need to change to allow members of the group Domain\intranetadmins access to the files and folders?  Do I understand this correctly when I assign 775 (user-group-other) that 7 in positions 1 and 2 means the user and group should have full read-write access?
Thanks!
0
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1500 total points
ID: 35153521
The modify and add I think is right, but the delete might not be the case.
The other issue you have to check is the path
/
/var
/var/www
/var/www/html
to get to the underlying location.
The issue might be that the reason the user cannot do a thing in these folders is because they do not have the rights to get there.
Try changing directory one at a time as one of those users.
sudo su - domain\\user

cd /
cd /<next directory in the path to those files>
until you get a deny error or until you get to the destination.

Yes, 7 in the owner and group position grants the owner and group full rights.
The other issue deals with the user who makes changes, i.e. their umask, which may change the mode when they create a file.
It might require using the Group SetUID on the directory:
chmod 2775 directory to set the GroupSetuid.
The umask of the user must be 002 to create files with owner and group full access and other read and execute.
0
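The checks described in the answer above (walking the path one directory at a time, chmod 2775 on the directory, and a umask of 002), as an added shell example that is not part of the original thread. The function names `can_traverse`, `first_blocked` and `created_modes` are hypothetical, the directory tree is a constructed stand-in for the web root, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example on a constructed temp tree; needs GNU stat.
# Reads mode bits only: ACLs, file ownership by the user, and root are ignored.

# can_traverse DIR GROUP: succeeds if a non-owner member of GROUP has the
# search (x) bit on DIR. The group bit applies when DIR belongs to GROUP,
# otherwise the "other" bit does.
can_traverse() (
    mode=$(stat -c '%a' "$1")
    if [ "$(stat -c '%G' "$1")" = "$2" ]; then mask=10; else mask=1; fi
    [ $(( 0$mode & 0$mask )) -ne 0 ]      # leading 0 = octal constants
)

# first_blocked GROUP TARGET [START]: walk from START (default /) down to
# TARGET and print the first directory GROUP cannot enter; prints nothing
# when every directory on the way can be entered.
first_blocked() (
    group=$1 target=$2 start=${3:-/}
    cur=${start%/}
    can_traverse "${cur:-/}" "$group" || { echo "${cur:-/}"; exit 0; }
    rest=${target#"$cur"}
    while [ -n "$rest" ]; do
        rest=${rest#/}; part=${rest%%/*}; rest=${rest#"$part"}
        [ -n "$part" ] || continue
        cur="$cur/$part"
        can_traverse "$cur" "$group" || { echo "$cur"; exit 0; }
    done
)

# created_modes DIR UMASK: under UMASK, create a file and a subdirectory in
# DIR and print their resulting modes as "file dir".
created_modes() (
    umask "$2"; cd "$1" || exit 1
    : > "f.$2"; mkdir "d.$2"
    echo "$(stat -c '%a' "f.$2") $(stat -c '%a' "d.$2")"
)

demo=$(mktemp -d)                          # constructed stand-in for the web root
mkdir -p "$demo/site/videos"
chmod 755 "$demo"; chmod 750 "$demo/site"; chmod 2775 "$demo/site/videos"
grp=$(stat -c '%G' "$demo")
echo "non-member blocked at: $(first_blocked __not_a_member__ "$demo/site/videos" "$demo")"
echo "member of $grp blocked at: $(first_blocked "$grp" "$demo/site/videos" "$demo")"
echo "umask 002 -> $(created_modes "$demo/site/videos" 002)"   # group keeps write
echo "umask 022 -> $(created_modes "$demo/site/videos" 022)"   # group loses write
rm -rf "$demo"
```

On a real server the same walk would be started from / with the group name and path taken from the `ls -l` output, for example the group shown on the files and the share directory.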
 
LVL 11

Author Comment

by:kbirecki
ID: 35169705
arnold, regarding the path, do the users have to have permissions all the way down the path if they are only getting into a particular subfolder via a Samba share?  This is how I have the users accessing the folder I want them to be able to add, modify and delete files in.  They have no access to anything else, including the parent folders of the folder (and subfolders) in question.  

If they do need access to the parent folders, how do I give them sufficient access while not screwing up permissions on other folders?  I want to limit them to the specific subfolder I've designated.

And regarding umask, it looks like this applies to the currently logged in user, is that correct?  How should I use that to apply read-write permissions to other users?
Thanks!
0
 
LVL 81

Accepted Solution

by:
arnold earned 1500 total points
ID: 35171712
For a Samba folder, check /var/log/messages for SELinux alerts when the users try to make changes.
You need to make sure that the UMASK set within the Samba share is 002.
Double check that guest is not what the users accessing the share are seen as.
0
 
LVL 11

Author Comment

by:kbirecki
ID: 35365008
Sorry that I dropped the ball on this question.  After reading through all this, I think my issue is with the PAM module configuration because it seems to be a problem with user accounts.  I thought from some documentation we had that Likewise was in use on the Linux box, but it is not.  I'm still learning Linux.  I'm going to assign points and close this question until I can better figure out what my next step is.....and maybe a more appropriate question to the problem I'm having.
0
 
LVL 11

Author Closing Comment

by:kbirecki
ID: 35365039
The problems snowballed as I got into this more.  Samba and the file permissions seem not to be directly the problem.  It seems there's a number of things on this server that are not standard, and since I didn't put the server together, I think I'm going to rebuild another from scratch trying to follow "best practices" and easier solutions.  Thanks for your help!
0
