bravik

Reputation: 460

Debian/Linux Group permissions are not working as they are supposed to

I'm working on a BOINC project.

I have two users: boincadm and www-data (for Apache). Both belong to the group boinc:

www-data : boinc www-data boincadm
boincadm : boinc adm dialout fax cdrom floppy tape audio dip www-data video plugdev netdev bluetooth lpadmin fuse scanner sambashare subversion

I have a BOINC project created in /home/boincadm/projects/myproject/. All files and folders there are owned by boincadm : boinc and have rwxrwx--- permissions.

The problem is that the www-data user cannot access the files, which causes multiple errors like:

Warning: require_once(../inc/db.inc): failed to open stream: Permission denied in /home/boincadm/projects/myproject/html/user/index.php

Fatal error: require_once(): Failed opening required '../inc/db.inc' (include_path='.:/usr/share/php:/usr/share/pear') in /home/boincadm/projects/myproject/html/user/index.php

or just

Can't access the file XXX

in the logs.

If I grant rwx to "others" (777), it works.

My question is, why don't the group permissions work as I expect? Any ideas?

I'm not an expert in Linux, so I could be missing something.

Upvotes: 3

Views: 4042

Answers (2)

bravik

Reputation: 460

Here is how I solved it:

First of all I read this: link. At some point this article mentioned the file /etc/group, where information about groups is stored.

I opened this file and noticed that, in spite of my previous actions, there is no www-data in group boinc. And no www-data in group boincadm, and vice versa. That is strange! Strange because I've added these users to group boinc using the usermod command and made sure this group is primary for both. Moreover, the command groups <username> showed that they are in group boinc.

So now the question is: why did this happen?

The problem was solved by modifying 3 lines:

boinc:x:1111:boincadm, www-data
boincadm:x:1112:boincadm, www-data
www-data:x:1113:www-data, boincadm

I needed all 3 lines to make it work. Hope it helps somebody. And I still would like to understand why the file /etc/group was not modified automatically when using usermod, and why groups shows the correct result if so.

Upvotes: 1

ephemient

Reputation: 204698

Here is a possibility:

www-data has primary group www-data; the rest are supplementary groups.

The server process has the right user (by setresuid or similar) and primary group (by setresgid or similar), but lacks the other supplementary groups (without initgroups or similar).

If this is the case, you have a few options: change the file ownership to the primary group, change the group the server runs as, or fix the server to include all supplementary groups.

Upvotes: 3
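One way to test the possibility raised in the answer above, as an added example that is not part of either answer: compare the groups a running server process actually holds (from /proc/<pid>/status) with the groups /etc/group grants its user. The function names, the process name httpd, UID 33 and the two status excerpts are constructed for illustration; the three group lines are the ones quoted in the first answer.

```python
"""Compare the groups a running process holds with what /etc/group grants its user."""

# Constructed sample data: the three /etc/group lines from the first answer, and
# two made-up /proc/<pid>/status excerpts for a server running as www-data.
GROUP_LINES = [
    "boinc:x:1111:boincadm, www-data",
    "boincadm:x:1112:boincadm, www-data",
    "www-data:x:1113:www-data, boincadm",
]
STATUS_NO_INITGROUPS = "Name:\thttpd\nUid:\t33\t33\t33\t33\nGid:\t1113\t1113\t1113\t1113\nGroups:\t\n"
STATUS_WITH_INITGROUPS = "Name:\thttpd\nUid:\t33\t33\t33\t33\nGid:\t1113\t1113\t1113\t1113\nGroups:\t1111 1112 1113\n"

def expected_gids(user, primary_gid, group_lines):
    """GIDs initgroups() would give `user`: the primary GID plus every group listing the user."""
    gids = {primary_gid}
    for line in group_lines:
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue  # blank or malformed line
        members = [m.strip() for m in parts[3].split(",")]  # tolerate ", " as in the sample
        if user in members:
            gids.add(int(parts[2]))
    return gids

def process_gids(status_text):
    """Filesystem GID plus supplementary groups, parsed from /proc/<pid>/status text."""
    gids = set()
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Gid":
            gids.add(int(value.split()[3]))  # fields: real, effective, saved, filesystem
        elif key == "Groups":
            gids.update(int(g) for g in value.split())
    return gids

def missing_groups(user, primary_gid, group_lines, status_text):
    """GIDs the account database grants but the running process does not hold."""
    return expected_gids(user, primary_gid, group_lines) - process_gids(status_text)

if __name__ == "__main__":
    import pwd, sys
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    uid = int(next(l for l in status.splitlines() if l.startswith("Uid:")).split()[1])
    pw = pwd.getpwuid(uid)
    with open("/etc/group") as g:  # local file only; LDAP/NSS groups are not covered
        miss = missing_groups(pw.pw_name, pw.pw_gid, g.readlines(), status)
    print(f"pid {pid} ({pw.pw_name}) lacks GIDs: {sorted(miss) or 'none'}")
```

Run it with the server's PID as the argument. A non-empty result means the process is running without groups its user has been granted, which matches the symptom where only permissions for "others" let the request through.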
