How to debug filesystem permissions

debuggingpermissions

I get permissions errors when I have a process running as root, spawning a subprocess as www-data, which then accesses a dir which is owned by root, with a subfolder which is owned by www-data, which has a symlink to a dir which is owned by a user in the group www-data, which then has…. YOU GET THE IDEA. How the heck do I know where it fails in this impossibly complex chain? All I get is Permission Denied

Without getting bogged down in the details of this particular situation, how does one begin to debug a problem like this on unix?

I want to just say

debug_permissions.sh www-data /my/long/symlink/chain```

and I want it to go through and tell me where the terminal point is (where www-data fails to have permissions)

I know there is a tool
``` namei -l /path/```
but that isn't very helpful because it doesn't let me run as another user (or at least I don't know how)

If I run 
```sudo su www-data```
I get **This account is currently not available.**

I want to be able to  "become" www-data and "cd" around to the dirs and see where i fail to see things. But, that's not letting me do this and I don't want to create a new user just to do this.

Best Answer

Aha, this does it:

sudo -H -u www-data namei /my/long/symlink/chain

where www-data is the user I'm trying to debug

Example

$ whoami
saml

$ groups
saml wheel wireshark

setup a directory with perms + ownerships

$ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
$ sudo chown saml.apache somedir
$ ll -d somedir/
drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/

touch a file as saml in this dir

$ whoami
saml

$ touch somedir/afile
$ ll somedir/afile 
-rw-rw-r--. 1 saml apache 0 Feb 17 20:11 somedir/afile

This will give you approximately what it sounds like you want. If you truly want exactly what you've described though, I think you'll need to resort to Access Control Lists functionality to get that (ACLs).

ACLs

If you want to get a bit more control over the permissions on the files that get created under the directory, somedir, you can add the following ACL rule to set the default permissions like so.

before

$ ll -d somedir
drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir

set permissions

$ sudo setfacl -Rdm g:apache:rx somedir
$ ll -d somedir/
drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/

Notice the + at the end, that means this directory has ACLs applied to it.

$ getfacl somedir
# file: somedir
# owner: saml
# group: apache
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:apache:r-x
default:mask::r-x
default:other::---

after

$ touch somedir/afile
$ ll somedir/afile 
-rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile
$ 

$ getfacl somedir/afile
# file: somedir/afile
# owner: saml
# group: apache
user::rw-
group::r-x              #effective:r--
group:apache:r-x        #effective:r--
mask::r--
other::---

Notice with the default permissions (setfacl -Rdm) set so that the permissions are (r-x) by default (g:apache:rx). This forces any new files to only have their r bit enabled.

What’s wrong with these file permissions

chmod a+x TEMPFILES

As directories must have the eXecute bit because reasons[1]. (You may also want the sticky bit like is set on for example /tmp.)

[1] "Note that read permission for a directory and execute permission for a directory mean different things. Read permission lets us read the directory, obtaining a list of all the filenames in the directory. Execute permission lets us pass through the directory when it is a component of a pathname that we are trying to access." -- Stevens, "APUE" (first edition), chapter 4, section 5.

Best Answer

Related Solutions

Permissions – Getting New Files to Inherit Group Permissions on Linux

Example

ACLs

What’s wrong with these file permissions

Related Question