Spanik l33t
Joined: 12 Dec 2003 Posts: 943 Location: Belgium
Posted: Mon Mar 18, 2019 8:34 pm Post subject: (solved) permissions hell
In a previous life I just did everything as root. And everything worked... This new pc I decided to do it the right way and created a user for my normal use. But I run into permissions issues all the time. So hard I'm close to giving up and return to use root for everything.
Right now I run into the issue that I cannot copy files from any USB drive to /mnt/data. /mnt/data was created about 10 years ago by root and everything on it was created or put there by root.
Now I mount /mnt/data with the option user in fstab. So I take it that any user should be able to use /mnt/data without limitations. But if I want to create a directory anywhere I get "can't create folder: permission denied". If I look at the permissions of /mnt/data I get:
User: read, write, execute
Group: read, execute
Others: read, execute
Special:
Owner: user:root
Owner: group: root
But the user is part of group "wheel" so it should have root-like access rights? And the drive is mounted as "user". What the **** does it need more?
I get the same with another drive mounted under /mnt with the same settings and history.
_________________ Expert in non-working solutions
Last edited by Spanik on Sun Mar 24, 2019 10:22 am; edited 1 time in total
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Mon Mar 18, 2019 8:57 pm Post subject:
Spanik,
The options in fstab affecting permissions only work on non native filesystems.
The user option allows any user to mount a filesystem and the same user to unmount it.
The users option allows any user to perform the unmount.
USB drives normally have some form of FAT filesystem, so you can use fstab to fake permissions there.
/mnt/data is probably a native filesystem, so that won't work.
Traditionally, normal users have write access to /home/<user> and /tmp. That's all.
There are several things you can do to grant access to /mnt/data.
Your normal user should be in the users group.
Code: | $ groups
tty wheel uucp audio cdrom video games kvm cdrw usb users vboxusers scanner wireshark plugdev roy |
You can recursively change the group on /mnt/data to be users.
If that's too wide, you will also have your own group, named for your user.
If neither of those suit, make a new group and add the users that should have access to /mnt/data to it, then assign it recursively as before. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Spanik l33t
Joined: 12 Dec 2003 Posts: 943 Location: Belgium
Posted: Mon Mar 18, 2019 9:08 pm Post subject:
It is indeed a native xfs disk. (the other one is jfs). I'll make a group users and change the ownership then.
Other point, if I would mount that disk to /home/<user> would that work or would it still be impossible as its ownership is still root?
_________________ Expert in non-working solutions
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Mon Mar 18, 2019 9:53 pm Post subject:
Spanik,
Your users group should exist and you should be a member.
Make it if it doesn't. That's what groups are for.
There are two issues. The permissions on the mount point and the permissions on the directories and files that already exist on the filesystem.
Let's take /home as an example.
Code: | drwxr-xr-x 12 root root 4096 Dec 27 13:11 home | That's from ls -l /
Code: | drwxr-xr-x 10 neddy neddy 4096 Aug 21 2009 neddy | is the next layer down, inside /home, so its owner, group neddy and readable to the world
I also have
Code: | drwxr-xr-x 232 roy users 57344 Mar 18 21:00 roy | so everyone in the users group has access.
The permissions on the mount point and the permissions on the existing files both need to be correct.
That's true wherever the filesystem is mounted in the filesystem tree.
Permissions means owner, group and the permissions bits. Well the owner won't matter if you get your permissions via the group
The group will need to be rwx on directories and rw on files, if you want to be able to change files. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Tue Mar 19, 2019 1:15 am Post subject:
I won't tell you how to run your box Spanik, but I will say that I have gotten into some tremendous trouble running as root, years back. I won't do it anymore.
I would spend some time figuring out how the permissions strategy works in UNIX. Look at how apps utilize ownership and group ownership to secure and leverage their systems. There are standard no-login users and groups in /etc/passwd and /etc/group, you might want to look into those as well. This stuff was not obvious to me when I started UNIX, in spite of what I thought.
With some understanding of this strategy and careful planning you can give access to certain users or groups without overly exposing your system to malicious attacks or to a badly typed command.
Spanik l33t
Joined: 12 Dec 2003 Posts: 943 Location: Belgium
Posted: Tue Mar 19, 2019 8:06 pm Post subject:
NeddySeagoon wrote: | Spanik,
The options in fstab affecting permissions only work on non native filesystems.
The user option allows any user to mount a filesystem and the same user to unmount it.
The users option allows any user to perform the unmount.
USB drives normally have some form of FAT filesystem, so you can use fstab to fake permissions there.
/mnt/data is probably a native filesystem, so that won't work.
Traditionally, normal users have write access to /home/<user> and /tmp. That's all.
There are several things you can do to grant access to /mnt/data.
Your normal user should be in the users group.
Code: | $ groups
tty wheel uucp audio cdrom video games kvm cdrw usb users vboxusers scanner wireshark plugdev roy |
You can recursively change the group on /mnt/data to be users.
If that's too wide, You will also have your own group, named for your user.
If neither of those suit, make a new group and add the users that should have access to /mnt/data to it, then assign it recursively as before. |
Ok, so let's see where this leads. I'm logged in as my regular user:
Code: | ikke@desktop$groups
root bin deqmon sys adm disk wheel wheel floppy audio cdrom tape video video usb users ikke |
I clearly remember putting myself into wheel, audio, cdrom, video, usb and users. No idea where the others come from and why wheel and video are listed twice. I'll have to put myself in virtualbox when I get that set up.
Now moving to /mnt/data I get
Code: | ikke@desktop /mnt/data$ ls -l
total 116
drwxr-xr-x 2 root root 92 Jun 25 2015 backgrounds
drwxr-xr-x 14 root root 4096 Jul 23 2017 bqckup
etc etc |
If I understand it then I should
Code: | chown -R :users /mnt/data
chmod -R 774 /mnt/data |
Meaning everything on /mnt/data stays owned by root but is now in the group users, and the group gets read/write/execute rights on /mnt/data.
1clue wrote: | I won't tell you how to run your box Spanik, but I will say that I have gotten into some tremendous trouble running as root, years back. I won't do it anymore. |
When I started linux 15 years ago (or longer) I was especially interested in music recording. And at that time to get the lowest latency or even get it working being root was the fastest, easiest, most certain and recommended way to go. Never changed it and never had issues due to it. The only issues I had was waiting too long to "emerge --world" and then hosing the system because of the load of conflicting dependencies. Once by losing the OS disk due to the HD failing.
But you are right and that's why I'm trying to change it. But honestly documentation only gets you that far.
_________________ Expert in non-working solutions
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Tue Mar 19, 2019 9:35 pm Post subject:
Spanik wrote: | 1clue wrote: | I won't tell you how to run your box Spanik, but I will say that I have gotten into some tremendous trouble running as root, years back. I won't do it anymore. |
When I started linux 15 years ago (or longer) I was especially interested in music recording. And at that time to get the lowest latency or even get it working being root was the fastest, easiest, most certain and recommended way to go. Never changed it and never had issues due to it. The only issues I had was waiting too long to "emerge --world" and then hosing the system because of the load of conflicting dependencies. Once by losing the OS disk due to the HD failing.
But you are right and that's why I'm trying to change it. But honestly documentation only gets you that far. |
My exposure is production servers in an enterprise environment. A typo can wipe out a lot of data, and running services as root can lead to a security compromise. If you're not networking and not using a browser that reduces the risk a bit, and if you only have one box to worry about then that simplifies things quite a bit.
I agree with Jaglover. Lose the root group membership. And much of the rest: adm, disk, floppy (do you really use a floppy?) and tape.
Not sure what deqmon and ikke are. If your work with music requires access to a tape drive then keep tape in there.
A user should have as few permissions as they can get by with. Lack of access to most of the system means that when backup time comes they can only write in a few places, simplifying the backups.
FWIW I recommend that for your workstation you use a login with zero special permissions for your normal login. You can have a second login which is a sudoer, which is what 'wheel' gets you. When you need sudoer access, you can:
Code: | su - otheruser
sudo <some root-level task>
exit
|
My company uses Ubuntu Server for their generic server boxes and VMs. The biggest reason for that is the way they handle the root user. It's disabled. A typical ubuntu box doesn't even have a root password. You get in with a sudoer login, and do your deed and exit. I really like that idea.
A typical user should be able to do everything they need to do with only the permissions given to a default user. People who administer exactly one type of thing, like backups, should be added to a group which facilitates that one thing.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Tue Mar 19, 2019 11:04 pm Post subject:
Spanik,
Normal users should not be in the root bin sys adm or disk groups.
root gives you access to all the files with group root. That's as bad as doing everything as root.
disk gives raw access to your drives and partitions. Such users can access everything that root can and all the deleted data on your drives too. It's not quite as convenient as using the filesystem, but it only takes a few seconds to steal all your users' private keys and /etc/shadow, so everything can be brute forced away from your system.
disk allows users to wipe your drives too.
Think about what Code: | chmod -R 774 /mnt/data | will do.
All the files will get execute permissions. You probably don't want that.
All the directories will be rwx, which is probably correct.
You need different settings on files and directories. I glossed over that earlier. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
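As an added example (not code from the thread), here is the recursive group change NeddySeagoon describes, applied with rwx on directories and rw on files rather than one "chmod -R 774" for both; the tree path and group name are assumed, and a constructed temp tree stands in for the root-owned /mnt/data:

```python
"""Added example, not from the thread: give a group write access to an
existing tree the way NeddySeagoon describes, with rwx on directories and
rw on regular files, instead of "chmod -R 774" which would mark every
file executable. The group name is assumed to exist; the caller must be
allowed to chgrp the tree (root via sudo for a root-owned /mnt/data).
"""
import grp
import os
import stat
import tempfile


def group_mode_for(old_mode: int, is_dir: bool) -> int:
    """New mode: owner and group rw, world r. Execute is kept on directories
    and on files that already had any x bit (the rule of chmod's 'X')."""
    mode = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH
    had_x = old_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    if is_dir or had_x:
        mode |= stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return mode


def grant_group_access(root: str, group: str) -> dict:
    """Recursively set the group and modes under `root`, keeping the owner.
    Symlinks are skipped so nothing outside the tree is touched.
    Returns how many directories and files were changed."""
    gid = grp.getgrnam(group).gr_gid
    counts = {"dirs": 0, "files": 0}
    for dirpath, _subdirs, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            os.chown(path, -1, gid)        # -1 leaves the owner unchanged
            os.chmod(path, group_mode_for(stat.S_IMODE(st.st_mode), is_dir))
            counts["dirs" if is_dir else "files"] += 1
    return counts


def mode_of(path: str) -> int:
    """Permission bits of a path as an int, e.g. 0o775."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def own_group_name() -> str:
    """Name of the caller's primary group (always a permitted chgrp target)."""
    return grp.getgrgid(os.getgid()).gr_name


def make_sample_tree() -> str:
    """Constructed stand-in for the thread's root-owned /mnt/data: 755
    directories, 644 files, plus one script that should stay executable."""
    root = tempfile.mkdtemp(prefix="mntdata-")
    for d in ("backgrounds", "backup", "backup/2017"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for f, mode in (("backgrounds/wall.jpg", 0o644), ("backup/2017/run.sh", 0o755)):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(root, f), mode)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    tree = make_sample_tree()
    print(grant_group_access(tree, own_group_name()), "changed under", tree)
```

The same effect from a shell is chgrp -R followed by chmod -R u=rwX,g=rwX,o=rX, where the capital X sets execute only on directories and already-executable files.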
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Tue Mar 19, 2019 11:15 pm Post subject:
Personally I wouldn't give 774 on /mnt/data. I would make /mnt/data/<user> and /mnt/data/<shared> and make ownership the same as $HOME folders, or something special for shared.
Then you can symbolic link:
Code: | cd
ln -s /mnt/data/$USER
|
Spanik l33t
Joined: 12 Dec 2003 Posts: 943 Location: Belgium
Posted: Wed Mar 20, 2019 8:59 am Post subject:
Now I'm officially confused.
NeddySeagoon wrote: | Normal users should not be in the root bin sys adm or disk groups. |
I have no idea where those come from, didn't even know they existed. I followed the handbook and added myself (user="ikke") to wheel, audio, usb, video, cdrom and users. Group "deqmon" was a typo, should have been "daemon", but again, no idea where it comes from.
NeddySeagoon wrote: | root gives you access to all the files with group root. That's as bad as doing everything as root |
But this is what really confuses me. If I understand what you wrote then any user of the group "root" can access directories and files like he would be root. Now my user is part of group "root". The disk I want to use /mnt/data is owned by "root" and is part of group "root". But I cannot create a directory on /mnt/data and I cannot copy a file to it.
This is just frustrating. So I'm part of group "root" (not because I specified it) but I still cannot do anything meaningful. It also doesn't make me trust that if I change the ownership of /mnt/data to group "users" I'll be able to actually use it if I belong to group "users".
Now, going forward would the following give me access to /mnt/data?
- I remove my user from the groups root, adm, daemon, sys, bin, tape and floppy
- I change ownership of /mnt/data to group "users" chown -R :users /mnt/data
- I change permissions to chmod -R 764 /mnt/data
_________________ Expert in non-working solutions
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Wed Mar 20, 2019 5:14 pm Post subject:
Let's do this in steps. Let's first get your group membership sane, and then we'll make sure your directories work.
You said you're in the following groups:
Code: | root bin deqmon sys adm disk wheel wheel floppy audio cdrom tape video video usb users ikke |
A default Gentoo user is a member of their own personal group, and 'users'.
In order to use the sound card and cdrom and video, you need to be in audio, cdrom and video respectively. In order to do stuff with usb drives I believe you need to be in usb. In order to be able to use 'sudo' you need to be in wheel.
If you have and actually still use a floppy, you can add floppy. I can't imagine what you'd use it for though.
So that gives us:
Code: | wheel audio cdrom video usb users ikke |
Perhaps you can add a group for your /mnt/data directory so that you have specific control over that directory, independent of everything else.
Code: |
# Remove yourself from groups you should not be in
sudo gpasswd -d ikke root
sudo gpasswd -d ikke bin
sudo gpasswd -d ikke <group to remove you from>
# DO NOT REMOVE YOURSELF FROM WHEEL LIKE THIS!
# Add a special group for your /mnt/data directory
sudo groupadd --system mntdata
# Add yourself to the group.
sudo gpasswd -a ikke mntdata
|
Once you've done this you can 'less /etc/group' and find out why you're in wheel twice.
Check your group membership with 'groups' command again. You will hopefully get something like:
Code: | wheel audio cdrom video usb users ikke mntdata |
If you can't figure out why you're in wheel twice, you can:
Code: | wgetpaste /etc/group | and post the link here.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Wed Mar 20, 2019 6:08 pm Post subject:
Spanik,
I'll add a bit of speculation to 1clue's post.
The system does not use group or user names to manage permissions. It uses group and user IDs.
The names are presented to you by looking them up in /etc/group and /etc/passwd.
Try if you want to see the GID and UID.
The real root is always GID=0 UID=0
Duplicate group names are permitted but they will have different GIDs. Only the real root will be GID=0.
If your other root is a different GID, then you will get confused but the system won't mind.
We really need to see /etc/group and maybe /etc/passwd too. Your passwords are not in /etc/passwd - the hashes are saved in /etc/shadow so don't post that without trashing the hashes. It's not needed now anyway. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Spanik l33t
Joined: 12 Dec 2003 Posts: 943 Location: Belgium
Posted: Wed Mar 20, 2019 7:07 pm Post subject:
The plot thickens... I started by running the information commands before changing any group membership. Find below the output of those commands.
Code: | ikke@desktop ~ $ groups
root bin daemon sys adm disk wheel wheel floppy audio cdrom tape video video usb users ikke
ikke@desktop ~ $ groups ikke
wheel audio cdrom video usb users wheel audio cdrom video usb users ikke
ikke@desktop ~ $ cd /mnt/data
ikke@desktop /mnt/data $ ls -n
total 116
drwxr-xr-x 2 0 0 92 Jun 25 2015 backgrounds
drwxr-xr-x 14 0 0 4096 Jul 23 2017 backup
drwxr-xr-x 3 0 0 4096 Apr 27 2016 cv
drwxr-xr-x 2 0 0 43 Jul 31 2012 daisy
... (rest of the directories are identical) |
So this is the "real root". What I don't understand is why I get a different response when I do "groups" vs "groups ikke" when I'm logged in as user "ikke".
/etc/group looks like this
Code: | root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root,adm
lp:x:7:lp
mem:x:8:
kmem:x:9:
wheel:x:10:root,ikke
floppy:x:11:root
news:x:13:news
uucp:x:14:uucp
console:x:17:
audio:x:18:ikke
cdrom:x:19:ikke
dialout:x:20:
tape:x:26:root
video:x:27:root,sddm,ikke
cdrw:x:80:
usb:x:85:ikke
input:x:97:
users:x:100:ikke
portage:x:250:portage
utmp:x:406:
nogroup:x:65533:
nobody:x:65534:
nullmail:x:88:
man:x:15:
sshd:x:22:
locate:x:249:
messagebus:x:248:
lpadmin:x:106:
plugdev:x:105:
polkitd:x:104:
realtime:x:103:
sddm:x:102:
ikke:x:1000:
vboxusers:x:101: |
If I understand this correctly then according to the file I'm part of groups wheel, audio, video, users, usb and ikke. This looks like what I configured when installing the pc according to the handbook. So why does the command list everything twice? And why does it give different results if I add the username or not?
And /etc/passwd
Code: |
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/var/spool/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
operator:x:11:0:operator:/root:/sbin/nologin
portage:x:250:250:portage:/var/tmp/portage:/bin/false
nobody:x:65534:65534:nobody:/var/empty:/bin/false
nullmail:x:88:88:added by portage for nullmailer:/var/spool/nullmailer:/sbin/nologin
man:x:13:15:added by portage for man-db:/usr/share/man:/sbin/nologin
sshd:x:22:22:added by portage for openssh:/var/empty:/sbin/nologin
messagebus:x:101:248:added by portage for dbus:/dev/null:/sbin/nologin
polkitd:x:102:104:added by portage for polkit:/var/lib/polkit-1:/sbin/nologin
sddm:x:103:102:added by portage for sddm:/var/lib/sddm:/sbin/nologin
ikke:x:1000:1000::/home/ikke:/bin/bash |
_________________ Expert in non-working solutions
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Wed Mar 20, 2019 7:36 pm Post subject:
Spanik,
Now we can explain some of your observations.
ls -n: | drwxr-xr-x 3 0 0 4096 Apr 27 2016 cv |
root the owner (UID=0) has rwx permissions there, x on a dir means can cd to that directory.
root the group (GID=0) has r-x only. No write permissions, so members of the root group cannot write the directory content.
For me the groups command gives similar output. It's the same list of groups, just reordered. I am roy in that list.
Code: | $ groups
tty wheel uucp audio cdrom video games kvm cdrw usb users vboxusers scanner wireshark plugdev roy
roy@NeddySeagoon_Static ~ $ groups roy
tty wheel uucp audio cdrom video cdrw usb users scanner vboxusers games kvm plugdev wireshark roy |
Your group and passwd files look quite normal. I'm at a loss to explain your groups output.
What does show?
It's your effective user and group IDs. It should be 1000 and 1000 from your group and passwd files.
on its own is good too. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Spanik l33t
Joined: 12 Dec 2003 Posts: 943 Location: Belgium
Posted: Wed Mar 20, 2019 8:02 pm Post subject:
That gives Code: | ikke@desktop /mnt/data $ id -u
1000
ikke@desktop /mnt/data $ id -g
1000
ikke@desktop /mnt/data $ id
uid=1000(ikke) gid=1000(ikke) groups=1000(ikke),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),18(audio),19(cdrom),26(tape),27(video),85(usb),100(users)
|
Quote: | Now we can explain some of your observations.
ls -n:
drwxr-xr-x 3 0 0 4096 Apr 27 2016 cv
root the owner (UID=0) has rwx permissions there, x on a dir means can cd to that directory.
root the group (GID=0) has r-x only. No write permissions, so members of the root group cannot write the directory content. |
So another option would be to set the permissions for the root group to rwx? Or better change ownership to the users group?
_________________ Expert in non-working solutions
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Wed Mar 20, 2019 8:39 pm Post subject:
Spanik,
That says your current UID and GID are correct and that you are still a member of groups Code: | 0(root),1(bin),2(daemon),3(sys),4(adm),6(disk) | which you should not be.
It does not tie in with your group file.
To get write access via group membership, the group needs write access to the object and you need to be a member of the group.
Do not use root as your group.
Use users, if you expect that other users will need access later.
Use ikke, if it's just you. You can change it later anyway.
Add a new group if the two cases above don't suit.
users, the group cannot own anything.
Users are listed in /etc/passwd. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
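The comparison NeddySeagoon makes by eye ("it does not tie in with your group file") can be done mechanically. As an added example, not from the thread, the script below takes the /etc/group, /etc/passwd and id output Spanik posted (excerpted, with only the groups that matter), works out which groups the files actually grant ikke, and lists the session's supplementary groups that nothing in the files explains:

```python
"""Added example, not from the thread: diff the supplementary groups a
session reports (the groups= part of `id`) against what /etc/group and
/etc/passwd actually grant the user, and list the ones the files do not
explain. The sample data is an excerpt of the /etc/group, /etc/passwd and
id output Spanik posted above; point it at the live files to check a box.
"""
GROUP_FILE = """\
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
disk:x:6:root,adm
wheel:x:10:root,ikke
floppy:x:11:root
audio:x:18:ikke
cdrom:x:19:ikke
tape:x:26:root
video:x:27:root,sddm,ikke
usb:x:85:ikke
users:x:100:ikke
ikke:x:1000:
"""
PASSWD_FILE = "ikke:x:1000:1000::/home/ikke:/bin/bash\n"
ID_OUTPUT = ("uid=1000(ikke) gid=1000(ikke) groups=1000(ikke),0(root),1(bin),"
             "2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),18(audio),"
             "19(cdrom),26(tape),27(video),85(usb),100(users)")


def configured_groups(user, group_text, passwd_text):
    """{gid: name} the files grant `user`: the primary GID from passwd plus
    every group whose member list names the user. Keyed by GID because the
    kernel compares IDs, not names (NeddySeagoon's point)."""
    primary = None
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == user:
            primary = int(f[3])
    granted = {}
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) < 4:
            continue                     # comment or malformed line
        members = [m for m in f[3].split(",") if m]
        if int(f[2]) == primary or user in members:
            granted[int(f[2])] = f[0]
    return granted


def session_groups(id_output):
    """Parse 'groups=1000(ikke),0(root),...' from `id` into {gid: name}."""
    part = id_output.split("groups=", 1)[1].split()[0]
    result = {}
    for item in part.split(","):
        gid, name = item.rstrip(")").split("(", 1)
        result[int(gid)] = name
    return result


def unexplained_groups(user, group_text, passwd_text, id_output):
    """Session groups with no backing in the files, in id's order."""
    granted = configured_groups(user, group_text, passwd_text)
    return [(gid, name) for gid, name in session_groups(id_output).items()
            if gid not in granted]


if __name__ == "__main__":
    for gid, name in unexplained_groups("ikke", GROUP_FILE, PASSWD_FILE, ID_OUTPUT):
        print(f"{gid}({name}): in the session, not granted by /etc/group")
```

On the posted data this reports root, bin, daemon, sys, adm, disk, floppy and tape, exactly the groups the thread says a normal user should not be in; a clean result on a live box means the session credentials match the files.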
Spanik l33t
Joined: 12 Dec 2003 Posts: 943 Location: Belgium
Posted: Wed Mar 20, 2019 8:49 pm Post subject:
Too late this night to try it, I want to be fresh doing this. So it will have to wait till the weekend (next evenings are busy). Thanks for the help and I'll let you know how it ended.
_________________ Expert in non-working solutions
Spanik l33t
Joined: 12 Dec 2003 Posts: 943 Location: Belgium
Posted: Sun Mar 24, 2019 10:21 am Post subject:
Ok, this seems solved. I changed ownership to group "users" and gave the group write permission.
_________________ Expert in non-working solutions