14

I have a user ftpadmin:

-bash-3.2$ id ftpadmin
uid=10001(ftpadmin) gid=2525(fsg) groups=2525(fsg),10005(git)

The important group to note is "git"

Then I have my git repository:

ls -al
drwxrwxr-x   7 git      git          4096 Apr 20 14:17 fsg

So ftpadmin is a member of git, and git has given all permissions to people in the group. Why do I see this when I login as ftpadmin:

-bash-3.2$ ls -al /home/git/
ls: /home/git/fsg: Permission denied
...

Seems like I should have permission...

Update: The permissions on /home/git are:

drwxrw-rw-   6 git      git          4096 Apr 26 09:20 git

still looks good...

Update: New permissions on /home/git are:

drwxrwxrw-   6 git      git          4096 Apr 26 09:20 git

Permissions on /home/git/fsg are:

drwxrwxr-x   7 git      git          4096 Apr 20 14:17 fsg

However, I still get

ls: /home/git/fsg: Permission denied
ls: /home/git/fsg: Permission denied
Tony

4 Answers

9

Wanted to give mpez0 a +1 specifically, for his answer "You need the group "x" bit set in the directory to allow group searches. The "rw-" permissions allow opening a file given its name (r) or creating a file (w), but not listing or searching the files (x)."

It's so easy to forget, and his solution is buried in the middle. This is definitely a problem for new Linux users with respect to file / directory permissions for users and groups.

Everything Avery said was right on the money, again wish I could give you a +1 as well.

Figure another more detailed example might help new Linux users (not looking for any credit, just providing another example for clarity). On my own pc I wanted to create an additional user for a specific development project. Was testing some SSH, SFTP issues between my machine and a co-located server out on the web. Got the same "Permission denied" error after setting everything up...and yes it looked correct except for the searching issue based on the permissions for other that mpez0 pointed out.

Note: For new Linux users, permissions are user, group, other or rwx, rwx, rwx respectively and would look like this

drwxr-xr--   

user has read + write + execute, rwx
group has only read and execute, r-x
other has only read access, r--

For 'other' we are reminded it's NOT enough to find/search for the directory, thus the error message.

Here is what I did, (encountered the error message in step 6)

1) created a user, hoiuser (to see user information, you can use the finger cmd, "finger hoiuser" or read the 'cat /etc/passwd' file)

2) created a group, hoidevs (added user "hoiuser" to group)

root@zareason-breeze:/etc# cat group | grep hoidevs 
hoidevs:x:1010:userz,hoiuser 

Remember you have to log off and log in again for the new “group” permissions to be associated with the Account ID.

3) chgrp hoidevs for directory /home/userz/data/Sites/hoi and created a place for the files

hoiuser@zareason-breeze:/home/userz/data/Sites/hoi$ ls -alF
total 16
drwxr-xr-x  4 userz hoidevs  4096 2012-02-27 13:34 ./
drwxr-xr-x  2 userz userz 4096 2012-02-29 17:00 odt/
drwxrwxr-x  2 userz hoidevs  4096 2012-02-27 13:34 html/

4) Opened a Terminal Window, user userz was active

5) su - hoiuser (switched to user hoiuser)

6) Attempted to cd /home/userz/data/Sites

hoiuser@zareason-breeze:/home/userz/data$ cd Sites
-su: cd: Sites: Permission denied    (voila, the problem)


userz@zareason-breeze:~/data/Sites$ ls -alF
total 60
drwxr-xr--  11 userz userz  4096 2012-02-24 16:20 ./
drwxr-xr-x   4 userz hoidevs   4096 2012-02-27 13:34 hoi/

7) Changed the permissions for Sites

userz@zareason-breeze:~/data/Sites$ chmod 755 .
userz@zareason-breeze:~/data/Sites$ ls -alF
total 60
drwxr-xr-x  11 userz userz  4096 2012-02-24 16:20 ./

And voila problem fixed....here is proof

hoiuser@zareason-breeze:/home/userz/data$ id
uid=1009(hoiuser) gid=1009(hoiuser) groups=1009(hoiuser),1010(hoidevs)

hoiuser@zareason-breeze:/home/userz/data$ cd Sites        (<- yea no error message)
hoiuser@zareason-breeze:/home/userz/data/Sites$ cd hoi
hoiuser@zareason-breeze:/home/userz/data/Sites/hoi$ ls -alF
total 16
drwxr-xr-x  4 userz hoidevs  4096 2012-02-27 13:34 ./
drwxr-xr-x 11 userz userz 4096 2012-02-24 16:20 ../
drwxr-xr-x  2 userz userz 4096 2012-02-29 17:00 odt/
drwxrwxr-x  2 userz hoidevs  4096 2012-02-27 13:34 html/

Even us experienced Linux/Unix users need a reminder now and again.

As was pointed out, it is not enough to just give the correct permissions to the directory where the files are, you also need to make sure all the directories leading up to that directory have the correct permissions, especially the ability for "other" to "search" and look for the directory and the files. Hardly intuitive when x means execute, right.

My subdirectory structure was: /home/userz/data/Sites/hoi/html/

Starting from home

userz@zareason-breeze:~$ pwd
/home

This was my directory structure BEFORE the chmod

drwxr-xr-x  13 root root     4096 2012-02-29 14:51 home/
drwxr-xr-x 88 userz userz 4096 2012-02-29 17:07 userz/
drwxr-xr-x 476 userz userz    20480 2012-02-26 16:08 data/
drwxr-xr--  11 userz userz     4096 2012-02-24 16:20 Sites/    (<-- Do you see it, other is r--)
drwxr-xr-x   4 userz hoidevs   4096 2012-02-27 13:34 hoi/
drwxrwxr-x  2 userz hoidevs  4096 2012-02-27 13:34 html/

This was my directory structure AFTER the chmod

drwxr-xr-x  13 root root     4096 2012-02-29 14:51 home/
drwxr-xr-x 88 userz userz 4096 2012-02-29 17:07 userz/
drwxr-xr-x 476 userz userz    20480 2012-02-26 16:08 data/
drwxr-xr-x  11 userz userz     4096 2012-02-24 16:20 Sites/      (<-- Fixed by the chmod > 755 ., now r-x)
drwxr-xr-x   4 userz hoidevs   4096 2012-02-27 13:34 hoi/
drwxrwxr-x  2 userz hoidevs  4096 2012-02-27 13:34 html/

Note the only change was the r-x permissions for 'other' for the directory 'Sites'. Hope this helps others, it was a good refresher for me.

CBPHP
    I was having a similar problem on FreeBSD and OpenBSD. The key for me was this part: _Remember you have to log off and log in again for the new “group” permissions to be associated with the Account ID._ Sure enough, the FreeBSD documentation states: `-G grouplist` ... **group membership changes do not take effect for current user login sessions, requiring the user to reconnect to be affected by the changes.** – iboisver Apr 11 '13 at 21:17
6

You have to have permissions on the directory that contains the file to get to the file. What are the permissions on /home/git? (yes, Zoredache, I gave you a +1 for pointing that out)


Follow-up: You need the execute (x) bit set for the group in order for that group to enter the directory. Think of it as a rough analog to the windows "Traverse Directory" setting. Without it, access will be denied for the group. If you're desperate, you can do:

chmod g+x /home/git
chmod g+x /home/git/fsg

Try the following and post the message from each:

cd /home
cd /home/git
cd /home/git/fsg

Each one of those should be accessible by ftpadmin. If any one of them isn't, then it will stop you from getting into /home/git/fsg.

Avery Payne
  • drwxrw-rw- 6 git git 4096 Apr 26 09:20 git – Tony May 07 '10 at 17:57
  • 1
    Makes sense, I still get a permission denied on /home/git/fsg which is drwxrwxr-x 7 git git 4096 Apr 20 14:17 fsg – Tony May 07 '10 at 19:44
  • and on that last "permission denied", is the group-execute bit set? Won't matter if you have permission for the child if the parent doesn't have permission as well. – Avery Payne May 07 '10 at 23:07
  • Check out my latest update. I put the permissions there and the group-exec bit is set – Tony May 10 '10 at 13:47
  • I see you have results for `/home/git` and `/home/git/fsg` but what were the results for `/home` ? – Avery Payne May 10 '10 at 18:06
  • home is owned by root but has exec: drwxr-xr-x 9 root root 4096 Apr 20 13:11 home – Tony May 10 '10 at 19:31
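
Added example, not part of the answers or comments above: the per-directory check described in this answer, automated as a walk that reports the first directory on a path whose matching permission class lacks the search (x) bit. The names `perm_class`, `first_blocked_dir` and `demo` are hypothetical, the tree is constructed in a temporary directory to mirror the question's modes, and only classic mode bits are evaluated (ACLs are ignored).

```python
import os
import stat
import tempfile

def perm_class(st, uid, gids):
    """Exactly one class applies: owner if uid matches, else group, else other."""
    if uid == st.st_uid:
        return "user", stat.S_IXUSR
    if st.st_gid in gids:
        return "group", stat.S_IXGRP
    return "other", stat.S_IXOTH

def first_blocked_dir(path, uid, gids, start=os.sep):
    """Return (directory, class) for the first directory from `start` down to
    `path` that uid/gids cannot search (x bit missing), or None.
    Assumes `path` is under `start`; mode bits only, ACLs are ignored."""
    if uid == 0:
        return None  # root is not subject to the search-bit check
    current = os.path.abspath(start)
    rel = os.path.relpath(os.path.abspath(path), current)
    for name in [""] + ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, name) if name else current
        st = os.stat(current)
        if not stat.S_ISDIR(st.st_mode):
            break  # a file: the x bit here no longer means "search"
        cls, xbit = perm_class(st, uid, gids)
        if not st.st_mode & xbit:
            return current, cls
    return None

def demo():
    """Constructed tree mirroring the question: git/ is drwxrw-rw-, fsg/ is drwxrwxr-x."""
    with tempfile.TemporaryDirectory() as base:
        git = os.path.join(base, "git")
        fsg = os.path.join(git, "fsg")
        os.makedirs(fsg)
        os.chmod(base, 0o755)
        os.chmod(fsg, 0o775)
        os.chmod(git, 0o766)
        st = os.stat(git)
        uid, gids = st.st_uid + 1, {st.st_gid}  # hypothetical non-owner group member
        before = first_blocked_dir(fsg, uid, gids, start=base)
        os.chmod(git, 0o776)  # group x added, as in the question's second update
        after = first_blocked_dir(fsg, uid, gids, start=base)
        return before, after, git

if __name__ == "__main__":
    print(demo())
```

Run it as a user that can stat every directory on the path. A `None` result while the denial persists means the mode bits are not the cause, which leaves the session's group list (see the answers below) as the next thing to check.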
3

Try logging in again, or running su - ftpadmin to login inside the current shell. Since groups are set when you log in, it might just be that you added so-and-so to a group but the old group settings are still being used.

erjiang
3

After changing the groups of a user X via root access, you must log out and log in again with that user X, otherwise the new groups won't be taken into account.

Marco Marsala