Greetings, I have a weird issue with permissions that is really getting to me on SL 6.6. I did a quick name replacement to simplify but most of the other details are just copy-paste.
Here is the structure of my folders:

/data
drwxr-xr-x. 163 root root 12K Jan 28 16:52 data

/data/share
drwxrws---. 3 root share 12K Jan 28 16:55 share

/data/share/share1
/data/share/share2
drwxrws---. 4 root share1 12K Mar 4 8:20 share1
drwxrws---. 4 root share2 12K Apr 16 12:05 share2

And here are the groups:

share:x:690:user1,user2,user3
share1:x:1220:user1
share2:x:1342:user2

So, one would expect that all three users should be able to access /data/share. However, only user1 should be able to access share1 and only user2 should be able to access share2. Right?

Well, let's take a further step. ACLs are not enabled.

# file: share/
# owner: root
# group: share
user::rwx
group::rws
other::---

The other folders match. Nothing special; no ACLs in play. So again: user3 should not be able to access the other two folders, right? Except he can access share1... not share2, but he can access share1. WTF?? Why can he access share1? Why share1 but not share2?? I don't know. I have been poring over this for an hour. I have asked 3 coworkers. I can't figure it out.

User3 isn't a part of any special group or anything. In fact, I added user4 with NO other groups and verified that he can't access /data/share. Then I added him to the share group. Now he has access to share1, but not share2. Any user that is a part of share has access to share1 but not share2. Only users that are both in the share AND share2 groups can see share2. That is precisely what it should be for share1!

Well... maybe I have a weird SELinux rule?? I can't find anything flagging it. I took a look at strace while I ran ls on the directory from the user's perspective. As far as it is concerned, the user has full access to share1 and gets permission errors on share2.

Fine. Let's take away permissions for everyone.

# chown root:root -R share1
# chmod g-s share1
# chmod a-rwx share1
# ls -ld share1
d---------. 4 root root 12K Mar 4 8:20 share1

Let's see them get into that!!

user3 /> cd /data/share/share1
user3 /data/share/share1>

DAH!!! HOW!!?!?!?!??? Maybe a cached credential?? Completely log out the user and back in. Nope. Still has full access to a folder that NO ONE should be able to look into!

OK. Fine. Maybe a rename of the folder? Nope. Delete the folder and create a new folder with the original file permissions! Still the same result...

Share2 is working perfectly the way I expect it to. Share1 I am stumped on. Anyone have a suggestion for how I can trace down the /how/ question to a user having permissions? Something has to be overriding the file system permissions, but I am stumped as to what. I have never seen such goofiness before in permissions when ACLs weren't involved, and all of my internet-search-foo has only returned the opposite problem (a user should have access but doesn't).

Any suggestions would be greatly appreciated. Thanks!
~Stack~
