15.4 - chgrp of files I own "Operation not permitted"?? chmod setgid must be root after chgrp?? Apparmor??
All,

I am totally bewildered at the behavior of setting basic file permissions and ownership on 15.4. I cannot change the group on files I own. (WTF?). I cannot set or unset setgid on directories I own with octets (I can with the g+s syntax). Is this apparmor or some other security setting? It wasn't this way with 15.0.

Take for example a directory I own and have full write capability to:

00:02 wizard:~/tmp> l -d ./
drwxr-xr-x 10 david david 4096 Jun 15 23:01 ./

Now let's create a new directory named "foo":

$ md foo
$ l -d ./foo/
drwxr-xr-x 2 david david 4096 Jun 16 00:03 ./foo/

So far so good. Let's change the group to "skyline" of which I'm the sole member, e.g.

$ grep skyline /etc/group
skyline:x:1000:david
$ chown david:skyline foo
chown: changing ownership of 'foo': Operation not permitted

Huh?? What gives? Why can't I change directory ownership of "foo" to "skyline"? That's really bad. Why would I have to be root to set group ownership on a directory I own? But I do:

$ sudo chown david:skyline foo
$ l -d ./foo
drwxr-xr-x 2 david skyline 4096 Jun 16 00:03 ./foo

Alright, can I at least set it setgid now so that the files created within it will have the proper permissions:

$ chmod 2755 foo
$ l -d ./foo
drwxr-xr-x 2 david skyline 4096 Jun 16 00:03 ./foo

What? Why didn't that work? Can I at least use 'g+s'?

$ chmod g+s foo
$ l -d ./foo
drwxr-xr-x 2 david skyline 4096 Jun 16 00:03 ./foo

What? Do I have to be root to do that? What gives?

$ sudo chmod 2755 foo
$ l -d ./foo
drwxr-sr-x 2 david skyline 4096 Jun 16 00:03 ./foo

Damnit! This is going to get old quick. I've never had to be root to set group ownership before. There are no ACL's set, so that's not it either. Is there an apparmor rule or something that is doing this?

-- 
David C. Rankin, J.D.,P.E.
On Thursday, 16 June 2022, 07:21:27 CEST, David C. Rankin wrote:
All,
I am totally bewildered at the behavior of setting basic file permissions and ownership on 15.4. I cannot change the group on files I own. (WTF?). I cannot set or unset setgid on directories I own with octets (I can with the g+s syntax)
Damnit! This is going to get old quick. I've never had to be root to set group ownership before. There are no ACL's set, so that's not it either. Is there an apparmor rule or something that is doing this?
I tried to reproduce just now and couldn't (on an ext4 on TW). What filesystem are you on, and what mount options are in place?

Cheers
MH

-- 
Mathias Homann
Mathias.Homann@openSUSE.org
Jabber (XMPP): lemmy@tuxonline.tech
Matrix: @mathias:eregion.de
IRC: [Lemmy] on freenode and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
On 6/16/22 00:32, Mathias Homann wrote:
On Thursday, 16 June 2022, 07:21:27 CEST, David C. Rankin wrote:
All,
I am totally bewildered at the behavior of setting basic file permissions and ownership on 15.4. I cannot change the group on files I own. (WTF?). I cannot set or unset setgid on directories I own with octets (I can with the g+s syntax)
Damnit! This is going to get old quick. I've never had to be root to set group ownership before. There are no ACL's set, so that's not it either. Is there an apparmor rule or something that is doing this?
I tried to reproduce just now and couldn't (on an ext4 on TW). What filesystem are you on, and what mount options are in place?
Cheers MH
ext4

Let me restart box. I just added the groups with groupadd and gpasswd and then confirmed all was well in Yast. (I did start a new terminal to force a new shell.)

I wonder if I've made me own bewilderment by not logging out and back in so the group changes are visible.

Will report back (wouldn't be the first time that bit me).

-- 
David C. Rankin, J.D.,P.E.
On 6/16/22 00:59, David C. Rankin wrote:
I tried to reproduce just now and couldn't (on an ext4 on TW). What filesystem are you on, and what mount options are in place?
Cheers MH
ext4
Let me restart box. I just added the groups with groupadd, and gpasswd and then confirmed all was well in Yast. (I did start a new terminal to force a new shell)
I wonder if I've made me own bewilderment by not logging out and back in so the group changes are visible.
Will report back (wouldn't be the first time that bit me)
Mathias,

Thank you! Yep - I done done it too myself :)

After you said you can't reproduce, the bells went off: I needed to log out and back in so the group additions would be seen by the system. I think Yast handles that for you, but manually adding with groupadd, it's needed.

-- 
David C. Rankin, J.D.,P.E.
On Thursday, 16 June 2022, 08:10:26 CEST, David C. Rankin wrote:
After you said you can't reproduce, the bells went off I needed to log
Not exactly: "newgrp groupname" changes your *active* group to any group you're a member of - but of course only for the shell session you're using it in.

Cheers
MH

-- 
Mathias Homann
Mathias.Homann@openSUSE.org
OBS: lemmy04
Jabber (XMPP): lemmy@tuxonline.tech
Matrix: @mathias:eregion.de
IRC: [Lemmy] on liberachat and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
On 6/16/22 03:56, Mathias Homann wrote:
On Thursday, 16 June 2022, 08:10:26 CEST, David C. Rankin wrote:
After you said you can't reproduce, the bells went off I needed to log
Not exactly: "newgrp groupname" changes your *active* group to any group you're a member of - but of course only for the shell session you're using it in.
I just took the old-school approach: I had my group and gid and used groupadd, e.g.

# groupadd -g 1038 somegroup
...

(I actually pasted about 11 of those that were relevant to my laptop.) Then to add myself to the group I pasted the same 11 with

# gpasswd -a david somegroup
...

Then just to make sure Yast was happy I opened user-management and all was good -- but I failed to log out/log back in for the changes to be seen. After the log out/in, all is well :)

-- 
David C. Rankin, J.D.,P.E.
On 6/16/22 08:10, David C. Rankin wrote:
After you said you can't reproduce, the bells went off I needed to log out and back in so the group additions would be seen by the system. I think Yast handles that for you, but manually adding with groupadd, it's needed.
Yast does most probably the same as groupadd - actually I'd bet it calls that tool.

I think the point is that each process has a group and the list of additional groups assigned at the time of the process start.

auser@somehost:~> id
uid=1003(auser) gid=1003(auser) groups=1003(auser)

If one adds that user to another group in a parallel session ...

root:~ # groupadd -U auser agroup

then that user is of course member of that group:

root:~ # id auser
uid=1003(auser) gid=1003(auser) groups=1004(agroup),1003(auser)

but in the above process of 'auser' one would still see the original membership from the start of the process:

auser@somehost:~> id
uid=1003(auser) gid=1003(auser) groups=1003(auser)

Still, if that process queries the group membership for its own username (and not for the current process), it would see the new group:

auser@somehost:~> id auser
uid=1003(auser) gid=1003(auser) groups=1004(agroup),1003(auser)

Finally, what does it have to do with chown/chgrp? Well, the kernel only allows for a regular user to change the group ownership to groups assigned to the current process.

Have a nice day,
Berny
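The following script is an added example, written for this page and not taken from the thread or from any openSUSE tool. It turns Berny's explanation, and Mathias's newgrp remark, into a check a user can run before reaching for sudo: it compares the groups held by the running process (`id -G`, what chown(2) consults) with the groups recorded for the account in the group database (`id -G user`), so a stale login session can be told apart from a genuine non-membership. It also shows the second thing David hit: chmod(2) silently clears the setgid bit when the caller is not in the file's group and lacks CAP_FSETID, which is why `chmod 2755` appeared to do nothing after root had moved `foo` into `skyline`. The function names are mine; the script assumes POSIX sh and the coreutils/busybox `id`, `getent`, `ls`, `cut`, `grep` and `mktemp` commands.

```shell
#!/bin/sh
# Added example (not from the thread). Explains "Operation not permitted" on
# chgrp and a silently dropped setgid bit by looking at process credentials.

# gid_in_list GID "LIST": succeed if GID appears in the space-separated LIST.
gid_in_list() {
    _want=$1
    for _g in $2; do
        [ "$_g" = "$_want" ] && return 0
    done
    return 1
}

# group_to_gid NAME_OR_GID: print the numeric gid for a group name, or echo a
# numeric argument back unchanged; fail if the group does not exist.
group_to_gid() {
    case $1 in
        ''|*[!0-9]*) getent group "$1" | cut -d: -f3 | grep . ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# can_chgrp_to GROUP: succeed if this process may chgrp a file it owns to
# GROUP. Mirrors the kernel rule (unprivileged owner -> target group must be
# in the process's own group list); touches no file.
can_chgrp_to() {
    _gid=$(group_to_gid "$1") || return 1
    gid_in_list "$_gid" "$(id -G)"
}

# diagnose_chgrp USER GROUP: say why a chgrp to GROUP would or would not work
# in this session. Exit status: 0 = allowed now; 1 = member in the group
# database but not in this process (log out/in, or newgrp GROUP); 2 = not a
# member at all (needs gpasswd/groupadd first, then a fresh login).
diagnose_chgrp() {
    _gid=$(group_to_gid "$2") || { echo "no such group: $2"; return 2; }
    if gid_in_list "$_gid" "$(id -G)"; then
        echo "$2: held by this process, chgrp will succeed"
        return 0
    elif gid_in_list "$_gid" "$(id -G "$1")"; then
        echo "$2: in the group database but not in this session; log out and back in, or run: newgrp $2"
        return 1
    else
        echo "$2: $1 is not a member; add with: gpasswd -a $1 $2, then log out and back in"
        return 2
    fi
}

# setgid_set DIR: succeed if ls -ld shows the setgid bit in the group-execute
# column (character 7 of the mode string is 's' or 'S').
setgid_set() {
    case $(ls -ld "$1" | cut -c7) in
        s|S) return 0 ;;
        *) return 1 ;;
    esac
}

# demo_setgid: create a directory (it gets the caller's primary group), apply
# chmod 2755 and confirm the setgid bit survived. It survives because the
# caller is in that group; had the directory belonged to a group this
# process does not hold, chmod(2) would have dropped S_ISGID without error.
demo_setgid() {
    _d=$(mktemp -d) || return 1
    chmod 2755 "$_d"
    setgid_set "$_d"
    _rc=$?
    rmdir "$_d"
    return $_rc
}

# Usage: ./chgrp-check.sh skyline   (hypothetical file name)
if [ -n "${1:-}" ]; then
    diagnose_chgrp "$(id -un)" "$1"
fi
```

Run as `sh chgrp-check.sh skyline` right after `gpasswd -a david skyline` and it reports exit status 1, the "in the database but not in this session" case from the thread; after a fresh login (or inside `newgrp skyline`) the same call returns 0 and both `chgrp` and `chmod 2755` behave as expected.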
participants (3): Bernhard Voelker, David C. Rankin, Mathias Homann