Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
(solved) permissions hell
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo
View previous topic :: View next topic  
Author Message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 455
Location: Belgium

PostPosted: Mon Mar 18, 2019 8:34 pm    Post subject: (solved) permissions hell Reply with quote

In a previous life I just did everything as root. And everything worked... This new pc I decided to do it the right way and created a user for my normal use. But I run into permissions issues all the time. So hard I'm close to giving up and return to use root for everything.

Right now I run into the issue that I cannot copy files from any USB drive to /mnt/data. /mnt/data was created about 10 years ago by root and everything on it was created or put there by root.

Now I mount /mnt/data with the option user in fstab. So I take it that any user should be able to use /mnt/data without limitations. But if I want to create a directory anywhere I get "can't create folder: permission denied". If I look at the permissions of /mnt/data I get:

User: read, write, execute
Group: read, execute
Others: read, execute
Special:
Owner: user:root
Owner: group: root

But the user is part of group "wheel" so it should have root-like access rights? And the drive is mounted as "user". What the **** does it need more?

I get the same with another drive mouted under /mnt with the same settings and history.
_________________
Expert in non-working solutions


Last edited by Spanik on Sun Mar 24, 2019 10:22 am; edited 1 time in total
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

PostPosted: Mon Mar 18, 2019 8:57 pm    Post subject: Reply with quote

Spanik,

The options in fstab affecting permissions only work on non native filesystems.
The user option allows any user to mount a filesystem and the same user to unmount it.
The users option allows any user to perform the unmount.

USB drives normally have have some form of FAT filesystem, so you can use fstab to fake permissions there.
/mnt/data is probably a native filesystem, so that won't work.

Traditionally, normal users have write access to /home/<user> and /tmp. That's all.

There are several things you can do to grant access to /mnt/data.
Your normal user should be in the users group.
Code:
$ groups
tty wheel uucp audio cdrom video games kvm cdrw usb users vboxusers scanner wireshark plugdev roy

You can recursively change the group on /mnt/data to be users.
If that's too wide, You will also have your own group, named for your user.
If neither of those suit, make a new group and add the users that should have access to /mnt/data to it, then assign it recursively as before.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 455
Location: Belgium

PostPosted: Mon Mar 18, 2019 9:08 pm    Post subject: Reply with quote

It is indeed a native xfs disk. (the other one is jfs). I'll make a group users and change the ownership then.

Other point, if I would mount that disk to /home/<user> would that work or would it still be impossible as it's ownership is still root?
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

PostPosted: Mon Mar 18, 2019 9:53 pm    Post subject: Reply with quote

Spanik,

You users group should exist and you should be a member.
Make it if it doesn't. That's what groups are for.

There are two issues. The permissions on the mount point and the permissions on the directories and files that already exist on the filesystem.
Lets take /home as an example.

Code:
drwxr-xr-x  12 root root   4096 Dec 27 13:11 home
That's from ls -l /
Code:
drwxr-xr-x  10 neddy neddy         4096 Aug 21  2009 neddy
is the next layer down, inside /home, so its owner, group neddy and readable to the world
I also have
Code:
drwxr-xr-x 232 roy   users        57344 Mar 18 21:00 roy
so everyone in the users group has access.

The permissions on the mount point and the permissions on the existing files both need to be correct.
That's true wherever the filesystem is mounted in the filesystem tree.
Permissions means owner, group and the permissions bits. Well the owner won't matter if you get your permissions via the group
The group will need to be rwx on directories and rw on files, if you want to be able to change files.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Tue Mar 19, 2019 1:15 am    Post subject: Reply with quote

I won't tell you how to run your box Spanik, but I will say that I have gotten into some tremendous trouble running as root, years back. I won't do it anymore.

I would spend some time figuring out how the permissions strategy works in UNIX. Look at how apps utilize ownership and group ownership to secure and leverage their systems. There are standard no-login users and groups in /etc/passwd and /etc/group, you might want to look into those as well. This stuff was not obvious to me when I started UNIX, in spite of what I thought.

With some understanding of this strategy and careful planning you can give access to certain users or groups without overly exposing your system to malicious attacks or to a badly typed command.
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 455
Location: Belgium

PostPosted: Tue Mar 19, 2019 8:06 pm    Post subject: Reply with quote

NeddySeagoon wrote:
Spanik,

The options in fstab affecting permissions only work on non native filesystems.
The user option allows any user to mount a filesystem and the same user to unmount it.
The users option allows any user to perform the unmount.

USB drives normally have have some form of FAT filesystem, so you can use fstab to fake permissions there.
/mnt/data is probably a native filesystem, so that won't work.

Traditionally, normal users have write access to /home/<user> and /tmp. That's all.

There are several things you can do to grant access to /mnt/data.
Your normal user should be in the users group.
Code:
$ groups
tty wheel uucp audio cdrom video games kvm cdrw usb users vboxusers scanner wireshark plugdev roy

You can recursively change the group on /mnt/data to be users.
If that's too wide, You will also have your own group, named for your user.
If neither of those suit, make a new group and add the users that should have access to /mnt/data to it, then assign it recursively as before.


Ok, so let's see where this leads. I'm logged in as my regular user:
Code:
ikke@desktop$groups
root bin deqmon sys adm disk wheel wheel floppy audio cdrom tape video video usb users ikke


I clearly remember putting myself into wheel, audio, cdrom, video, usb and users. No idea where the others come from and why wheel and video are listed twice. I'll have to put myself in virtualbox when I get that set up.

Now moving to /mnt/data I get
Code:
ikke@desktop /mnt/data$ ls -l
total 116
drwxr-xr-x  2 root root   92 Jun 25 2015 backgrounds
drwxr-xr-x 14 root root 4096 Jul 23 2017 bqckup
etc etc


If I understand it then I should
Code:
chown -R :users /mnt/data
chmod -R 774 /mnt/data

Meaning I'd make everything on /mnt/data is stays owned by root but is now in the group users. And giving the group read/write/execute rights on /mnt/data.

1clue wrote:
I won't tell you how to run your box Spanik, but I will say that I have gotten into some tremendous trouble running as root, years back. I won't do it anymore.


When I started linux 15 years ago (or longer) I was specially interested in music recording. And at that time to get the lowest latency or even get it working being root was the fastest, easiest, most certain and recommended way to go. Never changed it and never had issues due to it.The only issues I had was waiting too long to "emerge --world" and then hosing the system because of the load of conflicting dependencies. Once by loosing the OS disk due the HD failing.

But you are right and that's why I'm trying to change it. But honestly documentation only get you that far.
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
Jaglover
Watchman
Watchman


Joined: 29 May 2005
Posts: 6972
Location: Saint Amant, Acadiana

PostPosted: Tue Mar 19, 2019 8:13 pm    Post subject: Reply with quote

What's the point putting user into root group? Defeats the whole principle of security - which is: default denied.
_________________
Please learn how to denote units correctly!
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Tue Mar 19, 2019 9:35 pm    Post subject: Reply with quote

Spanik wrote:
1clue wrote:
I won't tell you how to run your box Spanik, but I will say that I have gotten into some tremendous trouble running as root, years back. I won't do it anymore.


When I started linux 15 years ago (or longer) I was specially interested in music recording. And at that time to get the lowest latency or even get it working being root was the fastest, easiest, most certain and recommended way to go. Never changed it and never had issues due to it.The only issues I had was waiting too long to "emerge --world" and then hosing the system because of the load of conflicting dependencies. Once by loosing the OS disk due the HD failing.

But you are right and that's why I'm trying to change it. But honestly documentation only get you that far.


My exposure is production servers in an enterprise environment. A typo can wipe out a lot of data, and running services as root can lead to a security compromise. If you're not networking and not using a browser that reduces the risk a bit, and if you only have one box to worry about then that simplifies things quite a bit.

I agree with Jaglover. Lose the root group membership. And much of the rest: adm, disk, floppy (do you really use a floppy?) and tape.

Not sure what deqmon and ikke are. If your work with music requires access to a tape drive then keep tape in there.

A user should have as few permissions as they can get by with. Lack of access to most of the system means that when backup time comes they can only write in a few places, simplifying the backups.

FWIW I recommend that for your workstation you use a login with zero special permissions for your normal login. You can have a second login which is a sudoer, which is what 'wheel' gets you. When you need sudoer access, you can:

Code:
su - otheruser
sudo <some root-level task>
exit


My company uses Ubuntu Server for their generic server boxes and VMs. The biggest reason for that is the way they handle the root user. It's disabled. A typical ubuntu box doesn't even have a root password. You get in with a sudoer login, and do your deed and exit. I really like that idea.

A typical user should be able to do everything they need to do with only the permissions given to a default user. People who administer exactly one type of thing, like backups, should be added to a group which facilitates that one thing.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

PostPosted: Tue Mar 19, 2019 11:04 pm    Post subject: Reply with quote

Spanik,

Normal users should not be in the root bin sys adm or disk groups.

root gives you access to all the files with group root. That's as bad as doing everything as root.
disk gives raw access to your drives and partitions. Such users can access everything that root can and all the deleted data on your drives too. Its not quite as convenient as using the filesystem, but it only takes a few seconds to steal all your users private keys and /etc/shadow, so everything can be brute forced away from your system.
disk allows users to wipe your drives too.

Think about what
Code:
chmod -R 774 /mnt/data
will do.
All the files will get execute permissions. You probably don't want that.
All the directories will be rwx, which is probably correct.
You need different settings on files and directories. I glossed over that earlier.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Tue Mar 19, 2019 11:15 pm    Post subject: Reply with quote

Personally I wouldn't give 774 on /mnt/data. I would make /mnt/data/<user> and /mnt/data/<shared> and make ownership the same as $HOME folders, or something special for shared.

Then you can symbolic link:

Code:
cd
ln -s /mnt/data/$USER
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 455
Location: Belgium

PostPosted: Wed Mar 20, 2019 8:59 am    Post subject: Reply with quote

Now I'm officially confused.

NeddySeagoon wrote:
Normal users should not be in the root bin sys adm or disk groups.


I have no idea where those come from, didn't even knew they existed. I followed the handbook and added myself (user="ikke") to wheel, audio, usb, video, cdrom and users. Group "deqmon" was a typo, should have been "daemon", but again, no idea where it comes from.

NeddySeagoon wrote:
root gives you access to all the files with group root. That's as bad as doing everything as root


But this is what really confuses me. If I understand what you wrote then any user of the group "root" can access directories and files like he would be root. Now my user is part of group "root". The disk I want to use /mnt/data is owned by "root" and is part of group "root". But I cannot create a directory on /mnt/data and I cannot copy a file to it.

This is just frustrating. So I'm part of group "root" (not because I specified it) but I still cannot do any meaningfull. It also doesn't make me trust that if I change the the ownership of /mnt/data to group "users" I'll be able to actually use it if I belong to group "users".

Now, going forward would the following give me access to /mnt/data?

- I remove my user from the groups root, adm, deamon, sys, bin, tape and floppy
- I change ownership of /mnt/data to group "users" chown -R :users /mnt/data
- I change permissions to chmod -R 764 /mnt/data
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2516

PostPosted: Wed Mar 20, 2019 5:14 pm    Post subject: Reply with quote

Let's do this in steps. Let's first get your group membership sane, and then we'll make sure your directories work.

You said you're in the following groups:
Code:
root bin deqmon sys adm disk wheel wheel floppy audio cdrom tape video video usb users ikke


A default Gentoo user is a member of their own personal group, and 'users'.

In order to use the sound card and cdrom and video, you need to be in audio, cdrom and video respectively. In order to do stuff with usb drives I believe you need to be in usb. In order to be able to use 'sudo' you need to be in wheel.

If you have and actually still use a floppy, you can add floppy. I can't imagine what you'd use it for though.

So that gives us:

Code:
wheel audio cdrom video usb users ikke


Perhaps you can add a group for your /mnt/data directory so that you have specific control over that directory, independent of everything else.

Code:

# Remove yourself from groups you should not be in
sudo gpasswd -d ikke root
sudo gpasswd -d ikke bin
sudo gpasswd -d ikke <group to remove you from>
# DO NOT REMOVE YOURSELF FROM WHEEL LIKE THIS!

# Add a special group for your /mnt/data directory
sudo groupadd --system mntdata

# Add yourself to the group.
sudo gpasswd -a ikke mntdata


Once you've done this you can 'less /etc/group' and find out why you're in wheel twice.

Check your group membership with 'groups' command again. You will hopefully get something like:
Code:
wheel audio cdrom video usb users ikke mntdata


If you can't figure out why you're in wheel twice, you can:
Code:
wgetpaste /etc/group
and post the link here.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

PostPosted: Wed Mar 20, 2019 6:08 pm    Post subject: Reply with quote

Spanik,

I'll add a bit of speculation to 1clues post.
The system does not use group or user names to manage permissions. It uses group and user IDs.
The name are presented to you by looking them up in the /etc/group and /etc/passwd.

Try
Code:
ls -n
if you want to see the GID and UID.
The real root is always GID=0 UID=0

Duplicate group names are permitted but they will have different GIDs Only the real root will be GID=0
If your other root is a different GID, then you will get confused but the system won't mind.

We really need to see /etc/group and maybe /etc/passwd too. You passwords are not in /etc/passwd - the hashes are saved in /etc/shadow so don't post that without trashing the hashes. Its not needed now anyway.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 455
Location: Belgium

PostPosted: Wed Mar 20, 2019 7:07 pm    Post subject: Reply with quote

The plot thickens... I started by running the information commands before changing any group membership. Find below the output of those commands.
Code:
ikke@desktop ~ $ groups
root bin daemon sys adm disk wheel wheel floppy audio cdrom tape video video usb users ikke
ikke@desktop ~ $ groups ikke
wheel audio cdrom video usb users wheel audio cdrom video usb users ikke
ikke@desktop ~ $ cd /mnt/data
ikke@desktop /mnt/data $ ls -n
total 116
drwxr-xr-x  2 0 0   92 Jun 25  2015 backgrounds
drwxr-xr-x 14 0 0 4096 Jul 23  2017 backup
drwxr-xr-x  3 0 0 4096 Apr 27  2016 cv
drwxr-xr-x  2 0 0   43 Jul 31  2012 daisy
... (rest of the directories are identical)

So this is the "real root". What I don't understand is why I get a different response when I do "group" vs "group ikke" when I'm logged in as user "ikke".

/etc/group looks like this
Code:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root,adm
lp:x:7:lp
mem:x:8:
kmem:x:9:
wheel:x:10:root,ikke
floppy:x:11:root
news:x:13:news
uucp:x:14:uucp
console:x:17:
audio:x:18:ikke
cdrom:x:19:ikke
dialout:x:20:
tape:x:26:root
video:x:27:root,sddm,ikke
cdrw:x:80:
usb:x:85:ikke
input:x:97:
users:x:100:ikke
portage:x:250:portage
utmp:x:406:
nogroup:x:65533:
nobody:x:65534:
nullmail:x:88:
man:x:15:
sshd:x:22:
locate:x:249:
messagebus:x:248:
lpadmin:x:106:
plugdev:x:105:
polkitd:x:104:
realtime:x:103:
sddm:x:102:
ikke:x:1000:
vboxusers:x:101:

If I understand this correctly then according to the file I'm part of groups wheel, audio, video, users, usb and ikke.This looks like what I configured when installing the pc according to the handbook. So why does the command lists everything twice? And why does it give different results if I add the username or not?

And /etc/passwd
Code:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/var/spool/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
operator:x:11:0:operator:/root:/sbin/nologin
portage:x:250:250:portage:/var/tmp/portage:/bin/false
nobody:x:65534:65534:nobody:/var/empty:/bin/false
nullmail:x:88:88:added by portage for nullmailer:/var/spool/nullmailer:/sbin/nologin
man:x:13:15:added by portage for man-db:/usr/share/man:/sbin/nologin
sshd:x:22:22:added by portage for openssh:/var/empty:/sbin/nologin
messagebus:x:101:248:added by portage for dbus:/dev/null:/sbin/nologin
polkitd:x:102:104:added by portage for polkit:/var/lib/polkit-1:/sbin/nologin
sddm:x:103:102:added by portage for sddm:/var/lib/sddm:/sbin/nologin
ikke:x:1000:1000::/home/ikke:/bin/bash

_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

PostPosted: Wed Mar 20, 2019 7:36 pm    Post subject: Reply with quote

Spanik,

Now we can explain some of your observations.
ls -n:
drwxr-xr-x  3 0 0 4096 Apr 27  2016 cv

root the owner (UID=0) has rwx permissions there, x on a dir means can cd to that directory.
root the group (GUI=0) has r-x only. No write permissions, so members of the root group cannot write the directory content.

For me the groups command gives similar output. Its the same list of groups, just reordered. I am roy in that list.
Code:
$ groups
tty wheel uucp audio cdrom video games kvm cdrw usb users vboxusers scanner wireshark plugdev roy
roy@NeddySeagoon_Static ~ $ groups roy
tty wheel uucp audio cdrom video cdrw usb users scanner vboxusers games kvm plugdev wireshark roy


Your group and passwd files look quite normal. I'm at a loss to explain your groups output.
What does
Code:
id -u
id -g
show?

Its your effective user and group IDs. It should be 1000 and 1000 from your group and passwd files.

Code:
id
on its own is good too.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 455
Location: Belgium

PostPosted: Wed Mar 20, 2019 8:02 pm    Post subject: Reply with quote

That gives
Code:
ikke@desktop /mnt/data $ id -u
1000
ikke@desktop /mnt/data $ id -g
1000
ikke@desktop /mnt/data $ id
uid=1000(ikke) gid=1000(ikke) groups=1000(ikke),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),18(audio),19(cdrom),26(tape),27(video),85(usb),100(users)


Quote:
Now we can explain some of your observations.
ls -n:
drwxr-xr-x 3 0 0 4096 Apr 27 2016 cv

root the owner (UID=0) has rwx permissions there, x on a dir means can cd to that directory.
root the group (GUI=0) has r-x only. No write permissions, so members of the root group cannot write the directory content.


So another option would be to set the permissions for the root group to rwx? Or better change ownership to the users group?
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

PostPosted: Wed Mar 20, 2019 8:39 pm    Post subject: Reply with quote

Spanik,

That says your current UID and GID is correct and that you are still a member of groups
Code:
0(root),1(bin),2(daemon),3(sys),4(adm),6(disk)
which you should not be.
It does not tie in with your group file.

To get write access via group membership, the group needs write access to the object and you need to be a member of the group.

Do not use root as your group.
Use users, if you expect that other users will need access later.
Use ikke, if its just you. You can change it later anyway.
Add a new group if the two case above don't suit.

users, the group cannot own anything.
Users are listed in /etc/passwd.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 455
Location: Belgium

PostPosted: Wed Mar 20, 2019 8:49 pm    Post subject: Reply with quote

Too late this night to try it, I want to be fresh doing this. So it will have to wait till the weekend (next evenings are busy). Thanks for the help and I'll let you know how it ended.
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
Spanik
Guru
Guru


Joined: 12 Dec 2003
Posts: 455
Location: Belgium

PostPosted: Sun Mar 24, 2019 10:21 am    Post subject: Reply with quote

Ok, this seems solved. I changed ownership to group "users" and gave the group write permission.
_________________
Expert in non-working solutions
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Other Things Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum