Solved

Linux File permissions problem

Posted on 2011-03-16
9
492 Views
Last Modified: 2012-05-11
I need some assistance understanding and fixing some Linux permissions on files and folders.  I don't have the onsite expert available that I once did.  I have an Ubuntu box that hosts our Intranet, and it's integrated with our Active Directory.  The documentation my former network admin left me indicated the "intranetadmins" group is assigned the permissions to log in and manage the files, but when I add a new user to that AD group, they can only log in, they can't change anything.  I have a specific share using Samba set up that allows them to get directly to the site files.

When I list files in the directory using "ls -l", I see something like the following:

drwxrwxr-x 2 Domain\AdminUser Domain\intranetadmins  4096 2011-02-04 06:02 videos
-rwxrwxr-x 1 Domain\AdminUser Domain\intranetadmins   260 2009-04-27 16:23 videos.css

I tried changing the permissions directly on these files and folders, setting Domain\AdminUser as the user and Domain\intranetadmins (the group mentioned above) as the group.  These files and folders have permissions set to 775, but the users in the intranetadmins group can't make changes.

Now, I thought this was set up using Likewise Open, at least that was the discussion the network admin and I had at the time.  But I can't find any files that I'd expect related to any Likewise installation (like lsassd.conf), yet I can and do log in with my AD account all the time.  What should I be looking at to determine where my problem is?

Environment: Ubuntu 8.1.0
Thanks!
0
Question by:kbirecki
9 Comments
 
LVL 5

Assisted Solution

by:paulqna
paulqna earned 125 total points
ID: 35152462
Only the owner of the file or directory can change permissions.
0
 
LVL 5

Expert Comment

by:paulqna
ID: 35152463
and of course the superuser can do that (root).
0
 
LVL 77

Expert Comment

by:arnold
ID: 35153354
Based on the permissions, members of the Domain\intranetadmins can edit/modify the files.
Run id Domain\\user and see whether it is seen as a member of the specified group.
0

 
LVL 11

Author Comment

by:kbirecki
ID: 35153481
Thanks for the responses.  My account has sudo user permissions and I log in with a domain account.  I can chown and chmod to my heart's content, but as I understand it (obviously missing something), with the permissions for the group specified on these files and folders (Domain\intranetadmins), I would have thought anyone in the group could also add, delete & modify these files and folders.

When I run "id Domain\\MyUserAccount" I see all the AD groups my domain account is a member of.
When I run "id Domain\\UserThatShouldHaveAccess" I see that they are a member of the group "Domain\intranetadmins" and the other AD groups they are in.  So it is puzzling that the group "Domain\intranetadmins" is assigned to the files and folders, yet they can't do anything in these folders.

Any suggestions of what I need to change to allow members of the group Domain\intranetadmins access to the files and folders?  Do I understand this correctly when I assign 775 (user-group-other) that 7 in positions 1 and 2 means the user and group should have full read-write access?
Thanks!
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 375 total points
ID: 35153521
The modify and add I think is right, but the delete might not be the case.
The other issue you have to check is the path
/
/var
/var/www
/var/www/html
to get to the underlying location.
The issue might be that the reason the user cannot do a thing in these folders is because they do not have the rights to get there.
Try changing directory one at a time as one of those users.
sudo su - domain\\user

cd /
cd /<next directory in the path to those files>
until you get a deny error or until you get to the destination.

Yes, 7 in the owner and group position grant the owner and group full writes.
The other issue deals with the user who makes changes, i.e. their umask, which may change the mode when they create a file.
It might require using the Group SetUID on the directory:
chmod 2775 directory to set the Group SetUID.
The umask of the user must be 002 to create files with owner and group full access and other read and execute.
0
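As an added example (not code from the thread or from any of its participants), a POSIX sh script that automates the two checks arnold describes: walking the path one directory at a time to find where traversal is refused, and confirming what a 2775 directory plus the user's umask actually produce. It assumes GNU/Linux ls output layout; the share path passed on the command line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks arnold's comment asks
# for: (1) which directory on the path to the share refuses traversal, and
# (2) what mode a 2775 directory plus the user's umask actually produce.
# Note: root (and anything under sudo) passes every permission test, so run
# first_blocked_dir as the affected account (sudo su - 'domain\user').

# Walk each component of path $1; print the first directory the current user
# cannot search (no x bit) and return 1, or return 0 if the path is reachable.
first_blocked_dir() {
    dir=""
    oldifs=$IFS
    IFS=/
    for part in $1; do
        IFS=$oldifs
        [ -z "$part" ] && continue
        dir="$dir/$part"
        if [ -d "$dir" ] && [ ! -x "$dir" ]; then
            printf '%s\n' "$dir"
            return 1
        fi
    done
    IFS=$oldifs
    return 0
}

# Make $1 a group-shared directory: mode 2775 (setgid) so new files inherit
# its group instead of the creator's primary group. Prints the group-execute
# slot of "ls -ld", which reads 's' when setgid is set on an executable dir.
make_group_dir() {
    mkdir -p "$1"
    chmod 2775 "$1"
    ls -ld "$1" | cut -c7
}

# Create $1/$2 under umask $3 and print the resulting rwx string, to compare
# what a umask 002 user gets (rw-rw-r--) with the default 022 (rw-r--r--).
create_with_umask() {
    ( umask "$3" && : > "$1/$2" )
    ls -l "$1/$2" | cut -c2-10
}

if [ $# -gt 0 ]; then
    if blocked=$(first_blocked_dir "$1"); then
        echo "every directory on the way to $1 is traversable"
    else
        echo "access stops at: $blocked"
    fi
fi
```

Run it as the affected user with the share path as the argument; a 022 result on a file the group should edit is the umask problem the comment above points at.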
 
LVL 11

Author Comment

by:kbirecki
ID: 35169705
arnold, regarding the path, do the users have to have permissions all the way down the path if they are only getting into a particular subfolder via a Samba share?  This is how I have the users accessing the folder I want them to be able to add, modify and delete files in.  They have no access to anything else, including the parent folders of the folder (and subfolders) in question.  

If they do need access to the parent folders, how do I give them sufficient access while not screwing up permissions on other folders.  I want to limit them to the specific subfolder I've designated.

And regarding umask, it looks like this applies to the currently logged in user, is that correct?  How should I use that to apply read-write permissions to other users?
Thanks!
0
 
LVL 77

Accepted Solution

by:
arnold earned 375 total points
ID: 35171712
For a Samba folder, check /var/log/messages for SELinux alerts when the users try to make changes.
You need to make sure that the UMASK set within the samba share is 002.
Double check that guest is not what the users accessing the share are seen as.
0
 
LVL 11

Author Comment

by:kbirecki
ID: 35365008
Sorry that I dropped the ball on this question.  After reading through all this, I think my issue is with the PAM module configuration because it seems to be a problem with user accounts.  I thought from some documentation we had that Likewise was in use on the Linux box, but it is not.  I'm still learning Linux.  I'm going to assign points and close this question until I can better figure out what my next step is... and maybe a more appropriate question to the problem I'm having.
0
 
LVL 11

Author Closing Comment

by:kbirecki
ID: 35365039
The problems snowballed as I got into this more.  Samba and the file permissions seem not to be directly the problem.  It seems there's a number of things on this server that are not standard, and since I didn't put the server together, I think I'm going to rebuild another from scratch trying to follow "best practices" and easier solutions.  Thanks for your help!
0
