2

List all the file permissions:

sudo ls -al /home/ftpuser
total 40
drwxr-x--- 6 ftpuser ftpuser 4096 Jul 24 11:32 .
drwxr-xr-x 5 root    root    4096 Jul 22 13:26 ..
-rwxr-x--- 1 ftpuser ftpuser  169 Jul 24 11:54 .bash_history
-rwxr-x--- 1 ftpuser ftpuser  220 Jul 22 13:26 .bash_logout
-rwxr-x--- 1 ftpuser ftpuser 3526 Jul 22 13:26 .bashrc
drwxr-x--- 4 ftpuser ftpuser 4096 Jul 22 13:36 .config
drwxr-x--- 3 ftpuser ftpuser 4096 Jul 22 13:27 ftp_dir
drwxr-x--- 3 ftpuser ftpuser 4096 Jul 22 13:43 home
-rwxr-x--- 1 ftpuser ftpuser  807 Jul 22 13:26 .profile
drwxr-x--- 2 ftpuser ftpuser 4096 Jul 24 11:29 .ssh

All directories and files are 750; I have already added debian to group ftpuser:

grep  'ftpuser'  /etc/group
ftpuser:x:1001:debian

groups ftpuser
ftpuser : ftpuser

Login as account debian:

debian@debian:~$ ls /home/ftpuser
ls: cannot open directory '/home/ftpuser': Permission denied

Why does the user debian have no permission?

sudo chmod -R 770  /home/ftpuser
ls  /home/ftpuser
ls: cannot open directory '/home/ftpuser': Permission denied

Only 777 can work.

sudo chmod  -R  777  /home/ftpuser
ls  /home/ftpuser
ftp_dir  home

How many groups is debian already in?

groups debian
debian : debian cdrom floppy audio dip video plugdev netdev bluetooth lpadmin scanner ftpuser

Add extra info on the directory:

df  /home/ftpuser
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/sda1      767863552 26621992 702162752   4% /

sudo blkid | grep sda1 |cut -d ' ' -f 4
TYPE="ext4"   

groups
debian cdrom floppy audio dip video plugdev netdev bluetooth lpadmin scanner ftpuser

namei -l /home/ftpuser
f: /home/ftpuser
drwxr-xr-x root    root    /
drwxr-xr-x root    root    home
drwxr-x--- ftpuser ftpuser ftpuser

getfacl /home/ftpuser
getfacl: Removing leading '/' from absolute path names
# file: home/ftpuser
# owner: ftpuser
# group: ftpuser
user::rwx
group::r-x
other::---

More extra info:

debian@debian:~$ id debian
uid=1000(debian) gid=1000(debian) groups=1000(debian),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth),120(lpadmin),123(scanner),1001(ftpuser)
debian@debian:~$ ls -aln /home/ftpuser
total 44
drwxr-x--- 6 1001 1001 4096 Jul 27 10:12 .
drwxr-xr-x 5    0    0 4096 Jul 27 21:09 ..
-rwxr-x--- 1 1001 1001  576 Jul 27 10:15 .bash_history
-rwxr-x--- 1 1001 1001  220 Jul 22 13:26 .bash_logout
-rwxr-x--- 1 1001 1001 3526 Jul 22 13:26 .bashrc
drwxr-x--- 4 1001 1001 4096 Jul 22 13:36 .config
drwxr-x--- 3 1001 1001 4096 Jul 22 13:27 ftp_dir
drwxr-x--- 3 1001 1001 4096 Jul 22 13:43 home
-rwxr-x--- 1 1001 1001  807 Jul 22 13:26 .profile
drwxr-x--- 2 1001 1001 4096 Jul 24 11:29 .ssh
debian@debian:~$ sudo grpck /etc/group
debian@debian:~$ 
cat /etc/group |grep ftpuser
ftpuser:x:1001:debian


harrymc
showkey
  • Again, did you log in as `debian` anew? – Kamil Maciorowski Jul 25 '23 at 05:29
  • Sure, I log in as `debian` anew. – showkey Jul 25 '23 at 07:26
  • You could check with `getfacl /home/ftpuser /home` if there are unexpected restrictions. – Paul Pazderski Jul 27 '23 at 08:28
  • What is the filesystem that holds `/home/ftpuser`? How is it mounted? Is [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace) involved? – Kamil Maciorowski Jul 27 '23 at 08:40
  • 1
    @PaulPazderski There's no trailing `+` after the normal permissions, so ACL is not in play. – iBug Jul 27 '23 at 09:34
  • 1) Can you check what groups are listed if you run `groups` **without** a user name specified? 2) Can you show the output of `namei -l /home/ftpuser`? – u1686_grawity Jul 27 '23 at 09:34
  • @iBug Thanks. I don't use ACLs that often and missed that it is indicated in the ls output. – Paul Pazderski Jul 27 '23 at 09:41
  • You could try to change the group of the directory to anything else the `debian` user is a member of, e.g. group `debian`, and see if it changes anything. (btw. `df -T` can also list the filesystem) – Paul Pazderski Jul 27 '23 at 11:57
  • **SANITY CHECK.** In the revision 8 (see [revisions](https://superuser.com/posts/1799177/revisions)) `debian@debian:~$ ls -aln /home/ftpuser` *worked*; and the permissions were `rwxr-x---`. No `Permission denied`. Does the problem still exist? – Kamil Maciorowski Jul 27 '23 at 13:44
  • Strange, it can be opened, no permission denied, I don't know why. – showkey Jul 27 '23 at 13:48
  • That `rm -f /home/ftpuser/.bashrc` (first screenshot) fails is correct because the group has no write permissions for the directory. – Paul Pazderski Jul 27 '23 at 13:51
  • My *guess* is when you experienced the problem you operated as `debian` not logged in *anew* after changing `/etc/group`. – Kamil Maciorowski Jul 27 '23 at 13:52
  • Have you looked at `getent group ftpuser` and `getent passwd debian` to make sure they look like you would expect? They will be `group` or `passwd` file formatted and should match what you see in /etc/ – KJ7LNW Jul 30 '23 at 05:02

2 Answers

2

A strange problem indeed. Everything looks fine and the access should work.

I found one way to reproduce this behaviour, but it is very unlikely to actually be OP's problem.

All the output you provided shows user and group names, but Linux uses numerical ids internally. It is very unlikely, but the mapping can fail.

With the following setup:

$ cat /etc/group
ftpuser:x:1000:
ftpuser:x:1001:debian
$ mkdir test
$ sudo chown ftpuser:ftpuser test
$ ls -l
drwxr-x--- 1 ftpuser ftpuser 0 Jul 26 23:00 test
$ groups debian
debian : ... ftpuser
$ sudo -u debian ls test
ls: cannot open directory 'test': Permission denied

This could happen because all commands always show the group name instead of id and none of them prints an error for the duplicated group. (the only command complaining was usermod with "Multiple entries named 'ftpuser' in /etc/group. Please fix this with pwck or grpck.")

What you can do to ensure that this is not your problem:

  • run `id` as user `debian` to see the gid it is assigned
  • run `ls -aln /home/ftpuser` to see what gid the directory is using
  • run `grpck` to check if your `/etc/group` is ok
  • Indeed. I also reproduced this on one of my servers with duplicate group names. – iBug Jul 27 '23 at 12:55
  • Nicely done, but unfortunately the poster's output of `grep 'ftpuser' /etc/group` shows that this is not his problem. – harrymc Jul 27 '23 at 13:39
  • @harrymc You're right and that's also the reason I doubt this is the problem here, but /etc/group is not the only source to resolve group names. But I don't know enough about NIS and LDAP to say if it can be the reason for such duplication. – Paul Pazderski Jul 27 '23 at 13:44
  • I have evoked the possibility of a bad `/etc/passwd` file in my answer, but it can be one or both of these files that were manually updated. Impossible to know the history of what was done, but evidently *something* was done. – harrymc Jul 27 '23 at 13:47
0

The post as a whole, if we only take the information that we were given, just doesn't make sense. The problem is surely to do with badly configured user accounts, which can only happen with manual editing of /etc files.

Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name.

My guess is that there are two ftpuser entries in /etc/passwd. I can't know the course of events, but evidently the output of ls is misleading.

The poster can verify it by running grep ftpuser /etc/passwd.

Logging in and using the `id` command risks picking up only the first entry in the file.


My guess was wrong (or is only wrong now), but I suspect that someone had manually edited one or both of the files /etc/group and /etc/passwd.

If you did this or suspect that this happened, I would suggest removing the ftpuser user account and group (including the home folder) and starting from a clean slate.

harrymc
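
Both answers come down to one name mapping to more than one numeric id: duplicate `ftpuser` lines in `/etc/group` in the first answer, and the guessed duplicate in `/etc/passwd` in the second. The script below is an added example, not code from either answerer. It flags such names in either file format and checks membership by numeric gid rather than by name. The function names `dup_names` and `group_grants` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample files are constructed, modelled on the setups in the answers.

# dup_names FILE: print "name:id1,id2" for each name mapped to more than one
# numeric id. /etc/group and /etc/passwd both keep the name in field 1, id in field 3.
dup_names() {
    awk -F: '
        NF < 3 { next }
        { key = $1 SUBSEP $3
          if (key in seen) next
          seen[key] = 1
          ids[$1] = (count[$1]++ ? ids[$1] "," : "") $3 }
        END { for (n in count) if (count[n] > 1) print n ":" ids[n] }
    ' "$1" | sort
}

# group_grants FILE USER GID: succeed only if USER is in the member list (field 4)
# of an entry whose numeric gid is GID. The kernel compares gids, never names.
# Assumption: the user's primary group (passwd field 4) is not considered here.
group_grants() {
    awk -F: -v u="$2" -v g="$3" '
        $3 == g { m = split($4, a, ","); for (i = 1; i <= m; i++) if (a[i] == u) ok = 1 }
        END { exit !ok }
    ' "$1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/group" <<'EOF'
ftpuser:x:1000:
ftpuser:x:1001:debian
cdrom:x:24:debian
EOF
cat > "$tmp/passwd" <<'EOF'
debian:x:1000:1000::/home/debian:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/bin/bash
ftpuser:x:1002:1001::/home/ftpuser:/bin/bash
EOF

dup_names "$tmp/group"     # group name that resolves to two gids
dup_names "$tmp/passwd"    # user name that resolves to two uids
# Constructed case: directory owned by gid 1000, debian listed only under gid 1001.
for gid in 1000 1001; do
    if group_grants "$tmp/group" debian "$gid"; then echo "gid $gid: member"
    else echo "gid $gid: NOT a member"; fi
done
```

On a live host, the output of `getent group` and `getent passwd` saved to files can be passed in instead, which also covers entries that come from sources other than the `/etc` files.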