SCIENTIFIC-LINUX-USERS Archives

August 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "~Stack~"
Reply To: ~Stack~
Date: Fri, 28 Aug 2015 17:19:00 -0500
Content-Type: multipart/signed
Parts/Attachments: text/plain (2980 bytes), signature.asc (834 bytes)

Greetings,

I have a weird issue with permissions that is really getting to me on SL
6.6. I did a quick name replacement to simplify but most of the other
details are just copy-paste.


Here is the structure of my folders.

/data
drwxr-xr-x. 163 root root  12K Jan 28 16:52 data

/data/share
drwxrws---. 3 root share  12K Jan 28 16:55 share

/data/share/share1
/data/share/share2
drwxrws---. 4 root share1  12K Mar 4 8:20 share1
drwxrws---. 4 root share2  12K Apr 16 12:05 share2

And here are the groups:
share:x:690:user1,user2,user3
share1:x:1220:user1
share2:x:1342:user2

So, one would expect that all three users should be able to access
/data/share. However, only user1 should be able to access share1 and
only user2 should be able to access share2. Right?

Well, let's take a further step. ACLs are not enabled.

# file: share/
# owner: root
# group: share
user::rwx
group::rws
other::---

The other folders match. Nothing special; no ACLs in play.

So again. User3 should not be able to access the other two folders, right?

Except he can access share1...not share2, but he can access share1.
WTF?? Why can he access share1? Why share1 but not share2?? I don't know.

I have been poring over this for an hour. I have asked 3 coworkers. I
can't figure it out. User3 isn't a part of any special group or anything.

In fact, I added user4 with NO other groups and verified that he can't
access /data/share. Then I added him to the share group. Now he has
access to share1, but not share2. Any user that is a part of share, has
access to share1 but not share2. Only users that are both in the share
AND share2 groups can see share2. That is precisely what it should be
for share1!

Well...maybe I have a weird SELinux rule?? I can't find anything
flagging it.

I took a look at strace while I ran ls on the directory from the user's
perspective. As far as it is concerned, the user has full access to
share1 and gets permission errors on share2.

Fine. Let's take away permissions for everyone.

# chown root:root -R share1
# chmod g-s share1
# chmod a-rwx share1
# ls -ld share1
d---------. 4 root root  12K Mar 4 8:20 share1


Let's see them get into that!!

user3 /> cd /data/share/share1
user3 /data/share/share1>

DAH!!! HOW!!?!?!?!???

Maybe a cached credential?? Completely log out the user and back in.
Nope. Still has full access to a folder that NO ONE should be able to
look into!

OK. Fine. Maybe a rename of the folder? Nope.

Delete the folder and create a new folder with the original file
permissions! Still the same result...

Share2 is working perfectly the way I expect it to. Share1 I am stumped on.

Anyone have a suggestion for how I can trace down the /how/ question to
a user having permissions? Something has to be overriding the file
system permissions but I am stumped as to what. I have never seen such
goofiness before in permissions when ACLs weren't involved and all of
my internet-search-foo has only returned the opposite problem (a user
should have access but doesn't).

Any suggestions would be greatly appreciated.

Thanks!
~Stack~
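As an added example that is not part of the original message: a small Python script that predicts, from the mode bits and the NSS group database alone, whether a user should be able to search each component of a path. A component the user can still enter despite a predicted denial is where something other than the classic permission bits (an ACL, a capability, a filesystem mounted over that directory) is granting access. The uids, gids and modes in the comments and checks are assumed, taken from the listing in the post.

```python
import os
import pwd
import grp
import stat


def mode_from_ls(s):
    """Turn an `ls -l` mode field such as 'drwxrws---.' into permission bits (0o2770).
    Positions 3, 6 and 9 may carry s/S (setuid/setgid) or t/T (sticky)."""
    if len(s) < 10:
        raise ValueError("expected the 10-character ls mode field")
    bits = 0
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    for i, ch in enumerate(s[1:10]):          # skip the file-type character
        if ch in "rwx":
            bits |= 1 << (8 - i)
        elif ch in "sStT":
            bits |= special[i]                # setuid/setgid/sticky ...
            if ch in "st":
                bits |= 1 << (8 - i)          # ... plus execute when lowercase
    return bits


def classic_allows(mode, owner_uid, owner_gid, uid, gids, want="x"):
    """Classic POSIX rule for a directory: exactly one class applies - owner if the
    uid matches, else group if the directory's gid is among the user's gids, else
    other. Root bypasses the check entirely (CAP_DAC_READ_SEARCH / CAP_DAC_OVERRIDE)."""
    if uid == 0:
        return True
    bit = {"r": 4, "w": 2, "x": 1}[want]
    shift = 6 if uid == owner_uid else 3 if owner_gid in gids else 0
    return bool((mode >> shift) & bit)


def user_groups(username):
    """uid plus every gid the NSS database (/etc/group, LDAP, sssd ...) reports."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def audit_path(path, username):
    """Per component: (path, mode, is a mount point, predicted search access).
    A mount point's mode bits belong to whatever is mounted there, not to the
    directory underneath, so it is the first place to look at when prediction
    and reality disagree (findmnt -T <path> shows the mount)."""
    uid, gids = user_groups(username)
    rows, cur = [], os.sep
    for part in [os.sep] + [p for p in os.path.abspath(path).split(os.sep) if p]:
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        ok = classic_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x")
        rows.append((cur, oct(stat.S_IMODE(st.st_mode)), os.path.ismount(cur), ok))
    return rows


if __name__ == "__main__":
    import sys
    for row in audit_path(sys.argv[1], sys.argv[2]):   # e.g. /data/share/share1 user3
        print(*row)
```

Run it as root so that `getgrall()` sees the same group database the login does; compare each predicted "False" with `sudo -u <user> test -x <component>`, and check `getfacl` and `findmnt -T` on the first component where the two disagree.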


