Question:
Strange Linux permissions - what's going on?
Eric V
2007-09-28 17:24:07 UTC
I don't even know where to start, because I'm so baffled by this. But here goes:

I put all my internet files in directory
/var/www/html

permissions on this folder are
drwxrwxr-x+

owner and group are both
root root

From these permissions, it would seem that no one except root would have permission to create a file or directory. However, I can create anything I want in there. This is the first thing that shouldn't be.

Next: say I have a directory /var/www/html/test, with following permissions:
drwxrwx---+ apache webadminGrp

In group webadminGrp is myself, as well as another user.

If I am myself, I can write to the directory. If I su to apache, I can write to that directory. But if I su to the other user, I get permission denied. This is the case EVEN WITH 777 permission!

I highly suspect that this has to do with that + character in my permissions. That additional item is present ONLY in my html directory, and it's the ONLY place where this problem happens.

Insights, anyone?
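Editor's note added to the thread (not part of the original post or any reply): the trailing `+` in an `ls -l` mode string means the directory carries POSIX ACL entries beyond the plain mode bits, which `getfacl` lists. The Python below is an added example that applies the acl(5) evaluation order to a constructed `getfacl` listing; the user names and the `user:otheruser:---` entry are assumptions for illustration, not taken from the asker's system, and they show how a named-user entry can deny one group member even when the mode is 777.

```python
"""Evaluate directory access the way the kernel applies a POSIX ACL (acl(5)).

Constructed example: a getfacl(1) listing for a directory like the asker's
/var/www/html/test. The named-user entry denies 'otheruser' although the
mode bits (user/group/other) are all rwx, i.e. chmod 777 does not help.
"""

# Constructed getfacl output; the '+' in ls -l means such entries exist.
SAMPLE_GETFACL = """\
# file: test
# owner: apache
# group: webadminGrp
user::rwx
user:otheruser:---
group::rwx
mask::rwx
other::rwx
"""


def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> perm set."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.split("#effective:")[0].strip()  # drop effective-rights hints
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = set(perms.replace("-", ""))
    return owner, group, entries


def check_access(acl_text, user, groups, want):
    """True if `user` (member of `groups`) holds every permission in `want` (e.g. 'w')."""
    owner, owning_group, acl = parse_getfacl(acl_text)
    want = set(want)
    mask = acl.get(("mask", ""), set("rwx"))  # no mask entry: nothing is limited
    if user == owner:                          # 1. owner entry, never masked
        return want <= acl[("user", "")]
    if ("user", user) in acl:                  # 2. named user entry, masked
        return want <= acl[("user", user)] & mask
    # 3. owning group and named groups: granted if ANY matching entry grants it;
    #    if some group matched but none grants, access is denied (no fallthrough)
    candidates = [acl[("group", "")]] if owning_group in groups else []
    candidates += [acl[("group", g)] for g in groups if ("group", g) in acl]
    if candidates:
        return any(want <= perms & mask for perms in candidates)
    return want <= acl[("other", "")]          # 4. other entry, never masked
```

Because step 2 matches before the group and other entries, a `user:<name>:---` entry wins over `group::rwx` and `other::rwx`; `chmod` only rewrites the mode bits and the mask, not the named entries.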
Four answers:
2007-09-28 18:02:19 UTC
You are almost there! But it's a bit complicated to give a short simple answer here.

You should try to get hold of some simple (or more advanced as you can deal with them!) books that explain UNIX/Linux.

Different releases of Linux handle security things slightly differently, and I don't know everything about everything!

You need to understand

1) root can do anything - it overwrites any and all permissions - you should NOT ever run as root unless you NEED to do so for maintenance, and perhaps new program installation. Running with 'root permissions' all the time is how you CAN get malware into a system!

2) "it would seem that no one except root would have permission to create a file or directory. However, I can create anything I want in there. This is the first thing that shouldn't be."

When running some tasks for which the normal level user has no permissions, the job is passed to root (or other 'users' such as 'apache'), which is why you can put stuff in that directory when a normal user - this is how it is SUPPOSED to work, so your basic 'common sense' idea is not how the system really works! :-)

3) You may be lucky to get another answer that gets it right on, but Linux tends to need an 'experienced' user :-) the learning curve is often very steep. I'm still learning - been around things for some decades... :-)

4) I would NOT recommend the 'just a "chmod 666 /var/www/html" approach' - this is called 'hacking around' - the apache application will set up what directories and files and permissions and ownerships it needs to work correctly; 'blindly mucking about' with permissions and ownerships may even make more problems than it solves! Perhaps you might consider saving any files you want to keep, and uninstalling apache, then deleting any directories it did not remove, then reinstalling the application from start again. This is a more 'correct' way to handle the situation.

5) Make sure that any users you want to do things with apache are correctly set up with the correct groups, etc - this stuff should be in the documentation for apache - often a bit hard to wade through I know, but those who want to just be a 'mindless user' are probably better off sticking with MS type products, rather than using open source stuff like Linux, as it is meant for 'experienced users', rather than just 'mindless users' unfortunately. You DO however have almost infinite flexibility to set up things, but with that capability comes the ability to do much damage if you don't 'get it right'!

~~~~~~~~~~~~~

Response to "Added":

Useful debugging info!

OK now check SELinux - have you got the permissions set correctly there? If you can't work that out easily, then try to turn it off, see what happens. Linux (what distro?) and apache may not be interacting properly with SELinux, something may not have been set up correctly... I'm not an expert on everything yet. :-)
Linerd
2007-09-29 07:08:17 UTC
The only thing I can think of is that the sticky bit is set, but that's supposed to be represented by a "t" rather than a "+".

Try this:

chmod -t /var/www/html

Does that change the permissions and the behavior?

I'm not very familiar with the use of the sticky bit, but some of the behavior you are describing sounds like the sticky bit is set.

Try searching the internet for "linux sticky bit".

Good luck!
2007-09-28 17:29:28 UTC
I never really understood UNIX permissions. :p

But you could try a "chmod 666 /var/www/html"

Sorry. :/


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.