Strange permission behavior

Hi - thought I had control over this but...

Description: I have a webmaster (user: isk, group: afu).

The web-root is in: /webb_sidor/afudoc/DownL

Owner of web-root and recursive files: apache: afu

Permissions: 3770 for dirs, 1770 for files.

SELinux temporarily in permissive state.

Operating System: Red Hat Enterprise Linux
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.9:GA:server
Kernel: Linux 3.10.0-1160.31.1.el7.x86_64
Architecture: x86-64

Problem: I want the user (isk), as a member of afu, to define the user's home directory in the web-root file system above, so that the user, on login, is accessing the web-root (and not the usual /home/isk). But this gives permission denied. Tried a lot of different configurations...

Logs: Nothing! In debug mode the logs only say that login (SSH and SFTP) works. I'm logging AUTH and AUTHPRIV.

So - what am I missing? Note that the owner is apache for all files and afu is the group (where isk is a member). No one has root privs.

PS: Defining isk's home dir as /home/isk is OK. However, doing cd /webb_sidor/afudoc/DownL gives the same result, permission denied.

Thanks for any tip ... (I'm not a Linux expert...).

Responses

The user isk is not allowed for the directory /webb_sidor/afudoc/isk, where owner/group is isk:isk.

Can you run ls -ld /webb_sidor/afudoc/isk and see if everything is right?

Thank you

ls -ld gives me info about the dir - and by doing it from my root account it tells me what I already know.

By doing it from the "isk" user account it's the same - Permission denied.

First,

ls -al / | grep home

You should find 755 permissions there (rwxr-xr-x), and it is the 'global' r-x rights that are needed (you need execute permission to read rights and directory entries below), so:

sudo chmod o+rx /webb_sidor

should allow any user to see the layer below that includes afudoc. After you make the above rights change, "isk" should be able to

cd /webb_sidor

successfully. Then

sudo chmod o+rx /webb_sidor/afudoc
sudo chmod o+rx /webb_sidor/afudoc/DownL

and "isk" should then succeed at being able to access the desired new home directory.

Note that at each level it may be necessary to revoke read and execute rights for 'others' on branches that "isk" (and the rest of the world) should not be nosing into.

Alternatively, you can do this with more generality using group rights; however, be aware that while users may be members of more than one group, ownership and access are limited to singleton members. So, for both "apache" and "isk" to have access to the files, a super-group, "webadmin", should be the group to which /webb_sidor/afudoc/DownL/ige is assigned, then both "ige" and "apache" added to "webadmin".

With that solution, o-rwx may be maintained as long as "webadmin" is given rx access at each node on the path - to do this, use 'chgrp' along the desired access path.

While seemingly too simplistic, *nix rights are quite flexible - almost too much so when symbolic links are used (which would allow /home/isk to teleport to /webb_sidor/afudoc/DownL/igx, sidestepping having to change the home directory in /etc/passwd ...).
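The point made above (every directory on the path needs the search/execute bit for the class the user falls into, not just the final directory) can be checked mechanically. The following POSIX sh script is an added example, not code from the thread: it builds a constructed copy of the layout under a temp directory (a 750 parent above 3770 directories), lists the components that block traversal for "other" or "group", and then applies the chmod o+rx fix suggested above. It assumes GNU stat, as shipped on RHEL 7.

```shell
#!/bin/sh
# Added example: find the path components that deny directory traversal.
# Assumes GNU coreutils stat (-c '%a' prints the octal mode, e.g. 3770).

# Print the octal digit for class "group" or "other" of a file's mode.
mode_digit() {
  mode=$(stat -c '%a' "$1") || return 1
  case $2 in
    other) printf '%s\n' "${mode#"${mode%?}"}" ;;           # last digit
    group) g=${mode%?}; printf '%s\n' "${g#"${g%?}"}" ;;    # second-to-last digit
    *) return 2 ;;
  esac
}

# traverse_blockers TARGET BASE CLASS: print every directory between BASE
# and TARGET (inclusive) whose mode lacks the execute/search bit for CLASS.
# Exit status 0 means the whole path is searchable for that class.
traverse_blockers() {
  (
    cur=$2 who=$3 found=0
    IFS=/                                  # split the relative part on "/"
    for comp in ${1#"$2"}; do
      [ -n "$comp" ] || continue
      cur=$cur/$comp
      d=$(mode_digit "$cur" "$who") || exit 2
      case $d in
        1|3|5|7) ;;                        # x bit set: this level is searchable
        *) printf '%s\n' "$cur"; found=1 ;;
      esac
    done
    exit $found
  )
}

# Constructed replica of the thread's layout (not the poster's real tree).
build_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/webb_sidor/afudoc/DownL"
  chmod 750 "$root/webb_sidor"
  chmod 3770 "$root/webb_sidor/afudoc" "$root/webb_sidor/afudoc/DownL"
  printf '%s\n' "$root"
}

# The fix proposed in the reply: grant "others" read+search at each level.
open_path() {
  chmod o+rx "$1/webb_sidor" "$1/webb_sidor/afudoc" "$1/webb_sidor/afudoc/DownL"
}
```

Run traverse_blockers before and after open_path on the tree from build_tree: before, all three levels are printed for "other" while "group" (the afu case) is unblocked; after, nothing is printed and the function exits 0.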

Thanks to all you nice people for the tips. Since I didn't understand why a user (member) of a group with all permissions (0770) didn't get access to a specific folder down in the tree of the other "web roots", I decided to move the whole site (afudoc) to another disk area where isk (and apache) could get full explicit access to all files in and under this site's root folder afudoc.

Case closed. Thanks.... /CGN