Solved

Linux File permissions problem

Posted on 2011-03-16
Last Modified: 2012-05-11
I need some assistance understanding and fixing some Linux permissions on files and folders.  I don't have the onsite expert available that I once did.  I have an Ubuntu box that hosts our Intranet, and it's integrated with our Active Directory.  The documentation my former network admin left me indicated the "intranetadmins" group is assigned the permissions to log in and manage the files, but when I add a new user to that AD group, they can only log in, they can't change anything.  I have a specific share set up using Samba that allows them to get directly to the site files.

When I list files in the directory using "ls -l", I see something like the following:

drwxrwxr-x 2 Domain\AdminUser Domain\intranetadmins  4096 2011-02-04 06:02 videos
-rwxrwxr-x 1 Domain\AdminUser Domain\intranetadmins   260 2009-04-27 16:23 videos.css

I tried changing the permissions directly on these files and folders setting Domain\AdminUser as the user and Domain\intranetadmins (the group mentioned above) as the group.  These files and folders have permissions set to 775, but the users in the intranetadmin group can't make changes.

Now, I thought this was set up using Likewise Open, at least that was the discussion the network admin and I had at the time.  But I can't find any files that I'd expect related to any Likewise installation (like lsassd.conf), yet I can and do log in with my AD account all the time.  What should I be looking at to determine where my problem is?

Environment: Ubuntu 8.1.0
Thanks!
Question by:kbirecki
9 Comments
 
LVL 5

Assisted Solution

by:paulqna
paulqna earned 125 total points
Only the owner of the file or directory can change permissions.
0
 
LVL 5

Expert Comment

by:paulqna
And of course the superuser (root) can do that.
0
 
LVL 76

Expert Comment

by:arnold
Based on the permissions, members of Domain\intranetadmins can edit/modify the files.
Run id Domain\\user and see whether it is seen as a member of the specified group.
0
 
LVL 11

Author Comment

by:kbirecki
Thanks for the responses.  My account has Sudo user permissions and I log in with a domain account.  I can chown and chmod to my heart's content, but as I understand it (obviously missing something), with the permissions for the group specified on these files and folders (Domain\intranetadmins), I would have thought anyone in the group could also add, delete & modify these files and folders.

When I run "id Domain\\MyUserAccount" I see all the AD groups my domain account is a member of.
When I run "id Domain\\UserThatShouldHaveAccess" I see that they are a member of the group "Domain\intranetadmins" and the other AD groups they are in.  So it is puzzling that the group "Domain\intranetadmins" is assigned to the files and folders, yet they can't do anything in these folders.

Any suggestions of what I need to change to allow members of the group Domain\intranetadmins access to the files and folders?  Do I understand this correctly when I assign 775 (user-group-other) that 7 in positions 1 and 2 means the user and group should have full read-write access?
Thanks!
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 375 total points
The modify and add I think is right, but the delete might not be the case.
The other issue you have to check is the path
/
/var
/var/www
/var/www/html
to get to the underlying location.
The issue might be that the reason the user cannot do a thing in these folders is because they do not have the rights to get there.
Try changing directory one at a time as one of those users.
sudo su - domain\\user

cd /
cd /<next directory in the path to those files>
until you get a deny error or until you get to the destination.

Yes, 7 in the owner and group position grants the owner and group full writes.
The other issue deals with the users who make changes, i.e. their umask, which may change the mode when they create a file.
It might require using the Group SetUID on the directory:
chmod 2775 directory to set the GroupSetuid
The umask of the user must be 002 to create files with owner and group full access and other read and execute.
0
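The path walk and the umask effect described in the answer above, as an added example that is not part of the original thread. It assumes Linux with GNU coreutils `stat`; the helper names `first_blocked`, `make_tree` and `new_file_mode` and the temporary directory tree are constructed for illustration, and only plain mode bits are inspected (no ACLs, no group membership lookup).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with GNU coreutils stat.
# Everything runs inside a temporary directory constructed for the demo.

# first_blocked CLASS START REL
# Walk START, then each component of REL, and print the first directory whose
# mode lacks the search (x) bit for CLASS: g = group, o = other.
# Prints nothing when every directory on the way can be traversed.
first_blocked() {
    class=$1 path=${2%/} rel=$3
    case $class in g) bit=8 ;; o) bit=1 ;; *) return 2 ;; esac
    old_ifs=$IFS; IFS=/
    set -- $rel                      # split the relative path on "/"
    IFS=$old_ifs
    for part in "" "$@"; do
        [ -n "$part" ] && path="$path/$part"
        mode=$(stat -c '%a' "${path:-/}") || return 2
        if [ $(( 0$mode & $bit )) -eq 0 ]; then
            echo "${path:-/}"
            return 0
        fi
    done
}

# Build a constructed tree: www (755) / html (750) / videos (2775, setgid).
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/www/html/videos"
    chmod 755 "$root" "$root/www"
    chmod 750 "$root/www/html"
    chmod 2775 "$root/www/html/videos"
    echo "$root"
}

# new_file_mode DIR UMASK: create a file in DIR under UMASK, print its mode.
new_file_mode() {
    (
        umask "$2"
        f="$1/probe.$$"
        : > "$f" && stat -c '%a' "$f"
        rm -f "$f"
    )
}

demo=$(make_tree)
echo "group blocked at: $(first_blocked g "$demo" www/html/videos)"
echo "other blocked at: $(first_blocked o "$demo" www/html/videos)"
echo "umask 022 -> $(new_file_mode "$demo/www/html/videos" 022)"
echo "umask 002 -> $(new_file_mode "$demo/www/html/videos" 002)"
rm -rf "$demo"
```

On a real host the same walk is `first_blocked g / var/www/html`. For files written through Samba, the share's `create mask` and `directory mask` settings in smb.conf take the place of the login umask.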
 
LVL 11

Author Comment

by:kbirecki
arnold, regarding the path, do the users have to have permissions all the way down the path if they are only getting into a particular subfolder via a Samba share?  This is how I have the users accessing the folder I want them to be able to add, modify and delete files in.  They have no access to anything else, including the parent folders of the folder (and subfolders) in question.  

If they do need access to the parent folders, how do I give them sufficient access while not screwing up permissions on other folders?  I want to limit them to the specific subfolder I've designated.

And regarding umask, it looks like this applies to the currently logged in user, is that correct?  How should I use that to apply read-write permissions to other users?
Thanks!
0
 
LVL 76

Accepted Solution

by:
arnold earned 375 total points
For a Samba folder, check /var/log/messages for SELinux alerts when the users try to make changes.
You need to make sure that the UMASK set within the samba share is 002.
Double check that guest is not what the users accessing the share are seen as.
0
 
LVL 11

Author Comment

by:kbirecki
Sorry that I dropped the ball on this question.  After reading through all this, I think my issue is with the PAM module configuration because it seems to be a problem with user accounts.  I thought from some documentation we had that Likewise was in use on the Linux box, but it is not.  I'm still learning Linux.  I'm going to assign points and close this question until I can better figure out what my next step is.....and maybe a more appropriate question to the problem I'm having.
0
 
LVL 11

Author Closing Comment

by:kbirecki
The problems snowballed as I got into this more.  Samba and the file permissions seem not to be directly the problem.  It seems there's a number of things on this server that are not standard, and since I didn't put the server together, I think I'm going to rebuild another from scratch trying to follow "best practices" and easier solutions.  Thanks for your help!
0
