Permissions - I'm loosing the battle... [SOLVED]

  • Hi all,
    I was determined to solve it myself and learn along the way, but after two full days I have to admit defeat...


    This is what I have studied so far...
    Assistance/advice with setup - permissions! - I haven't tried this yet as I am determined that I should be able to make it work anyway (but I could be wrong)
    Permissions denied. Cannot understand why. - different problem, but I found out about the 'tree' command
    Permission issues - This one could have something to do with it as I am using ACL permissions, as far as I can tell, but they are set exactly the same for both users, so still don't explain why one works and the other one doesn't. Also I still feel the normal permissions are set right...
    How to make a good Media share for Emby and PlexMediaServer - read this one and removed my root share (I haven't used that one since setting up directory structure) and installed omv-extras.
    I have also read another sixor so on permissions topics, but this is getting a bit distracting 8|


    I am having permission issues in various places, but I will focus on one here and hopefully the cause is the same for all :)
    So, I have two users, 'mattias' and 'matback'. The plan is to have matback deal with backups (backing up other systems onto the OMV drive) only and mattias to have general and admin access to all other shares.
    One place where the issues present them selves is in the /home directory on my attached drive (software raid). The user 'mattias' can access /home/mattias' and /home/matback' whereas the user 'matback' can't access either... I can't see what is wrong here...


    here is the tree structure and the relevant folder permissions:

    Code
    matback@omv:/$ sudo tree -L 2 -gupd /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home 
    /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home
    ├── [drwxrwsr-- matback  users   ]  matback
    └── [drwxrwsr-- mattias  users   ]  mattias

    Both users are members of the same groups:

    Code
    matback@omv:/$ groups matback
    matback : users sudo ssh
    matback@omv:/$ groups mattias
    mattias : users sudo ssh

    ...and to complete the picture, if I run getfacl for matback and mattias and compare the outputs, then the only differences are the folder names and who owns them...


    Code
    diff mattias2.list matback2.list 
    1,2c1,2
    < # file: /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home/mattias/
    < # owner: mattias
    ---
    > # file: /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home/matback/
    > # owner: matback


    As a reference, here is the full output of the 'mattias2.list' one:



    so, why I get this ssh-ing as mattias (all good):


    Code
    mattias@omv:/media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352$ cd home/mattias/
    mattias@omv:~$  <Note this is the configured home dir for mattias>
    mattias@omv:/media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home$ cd matback/
    mattias@omv:/media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home/matback$


    ...and with matback (Permission denied as far as the eye can see):


    Code
    matback@omv:/$ cd /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home/mattias
    -bash: cd: /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home/mattias: Permission denied
    matback@omv:/$ cd /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home/matback
    -bash: cd: /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/home/matback: Permission denied
    matback@omv:/$

    Both users were created through the omv web interface.
    I am really at a loss here... I am a reasonably fresh Linux user, but I have used OMV and FreeNAS before for many years as well as running an ownCloud server, so I know my way around a little bit.


    Can someone help point out the (hopefully) obvious mistake I am making here ?(


    If I can provide more information that might be useful, please ask, and I will be happy to oblige.


    //mattias

  • Hi,


    you should look at the parent directory, I guess user matback does not have the correct rights there.


    Edit: esp execute, as you are trying to traverse

  • Thanks for the replies, bump and subzero79
    I ended up playing with the ACL's when other things didn't work. Going through them I have set them up identical for both users. I didn't know about the execute flag and "cd", so that was a good learning point :)
    I will reset and remove all ACL's, but before I do that, here is the settings for the parent folders...


    /media/
    # file: /media/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x


    /media/947..../
    # file: /media/9475cd71-9789-44f8-a1e6-5b6c4d9a3352/
    # owner: root
    # group: users
    # flags: -s-
    user::rw-
    user:openmediavault:rwx
    user:mattias:rwx
    group::rw-
    group:sambashare:rwx
    group:openmediavault:rwx
    mask::rwx
    other::rw-
    default:user::rw-
    default:user:openmediavault:rwx
    default:user:mattias:rwx
    default:group::rw-
    default:group:sambashare:rwx
    default:group:openmediavault:rwx
    default:mask::rwx
    default:other::rw-


    in the /meda/947.../home/ the ACL permisssions are again the same for 'mattias' and 'matback', so the only difference is on the drive itself.


    ...and I am guessing this is where the issue lies...
    So, if this is the case, then does this mean that if there are ACL permissions set, then they override the basic ones?
    the basic ones for the directories above are
    ├── [drwxr-xr-x root root ] media
    │ ├── [drw-rwsrw- root users ] 9475cd71-9789-44f8-a1e6-5b6c4d9a3352
    | | ├── [drwxrwsr-x root users ] home


    So, my understanding is that with those permissions, both users should have the same access as neither owns the directories in question, but both are in the 'users' group. Is this correct?


    If I forgo the ACL permissions, is it still possible to set different access levels for different people? I can set my self as the owner of a movie directory with full rights, but then could I set it, using groups, so that my wife can write to it and my daughter can't as an example? My understanding is that I can't set it up that way as I can only have one group in the basic permissions system, or is this poor understanding on my behalf?
    Or, is the answer to have guest access which doesn't use a login, and then anyone there becomes "Other/Everyone" and has read access and execute for directory traversing, but if the person logs in, then they are now part of the "users" group and can have read and write access... Would that be the way forward?


    Oh, one final thing with traversing...
    Assuming that everything is set up properly, if I say the home directory for a user is, /media/drive/home/user, does that user have to have execute rights, i.e. traversing, on the directories below the user directory to be able to access it using ssh (as an example), or is the execute right only required if the person is logged in to '/' say, and want to "cd /media/drive/home/user"?


    Thanks again for a quick and helpful reply!


    (and now, I shall start from scratch anyway and try to make it all better :)

    • Offizieller Beitrag

    I honestly have no idea how to use ACL user them once and my opinion is they give you more trouble than benefits. For home is usage totally unjustified. Basic posix permissions should do it.
    You don't need to be here to learn ACL as you can probably find plenty of guides howtos and information with Google. You can use the reset permission utility of omvextras to default the folders permissions.

  • Solved!
    Thanks again bump and subzero79 for pointing me in the right direction. I was close, but I was thwarted by the one missing privilege of 'matback' in the ACL for the drive itself. I was also thrown by the fact that I thought I had reset the ACL permissions, but I had just clicked the "save" icon, and in my tiredness I didn't think that the "reset permissions" button was actually a button... Well, now I know :)


    So, to conclude and answer some of my own questions for reference to others (anyone can feel free to correct if I have got it wrong :)
    ACL's trump the standard (posix?) permissions. In my case, a missing ACL permission on the parent folder of the home directory for a user prevented access to the SSH home directory, even though the user had the proper ACL rights to the home directory and was a member of the "users" group, which had the right permissions in the base permissions. resetting the ACL on the parent directory made it all work as intended.


    When using ACL's, the user must have the proper permissions on all parent folders to access a sub folder. (as shown above)


    This would be the reason for not sharing the root directory (recommended not to do so in many places). I only shared it once to set up the folder structure of my other shares. The ACL's got set, and then after removing that share and adding a new user, that new user couldn't access the shares. I had to re-share the root to remove all ACL's, using omv-extras, and then remove the share once more.


    Resources to sort out permissions issues (besides the help from the forum :)
    omv-extras use to reset ACL permissions. If you share the root to remove permissions, don't have that share selected in the permissions reset tab as that will mark it as referenced, and as such the system will not let you delete that share.


    tree -L 2 -gudp /media/
    This will list the "group and user permissions for directories only, two directory levels down from the /media/ folder. (Not ACL permissions). Install with apt-get install tree. I found out about this from here: Permissions denied. Cannot understand why. (from subzero79)




    getfacl -p /media/ this command will list all the ACL permissions on the given directory. Other parameters will allow to list for subb directories and files etc. Can be used with "> permissions.txt" to get it in a text file, then one can use 'diff' on two of the to compare quickly. there can a very long list of ACL permissions in there. I found the tool from here:
    How to I Document User Rights on an existing Linux System?


    After two days of researching and looking at every detail of my permissions, I still missed one, and that was the crucial one. Lot's of Linux learning and thanks once more to the community for helping out!


    //mattias

Jetzt mitmachen!

Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!