Friends,
I have weird problem with my Linux OS.
I have few files which is owned by root but could not be modified (edit, chmod, chown etc)
[root@ip-10-34-70-117 ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@ip-10-34-70-117 ~]# whoami
root
[root@ip-10-34-70-117 ~]# ls -l /etc/security/access-sshd.conf
-rw-r--r-- 1 root root 431 Jun 22 03:31 /etc/security/access-sshd.conf
[root@ip-10-34-70-117 ~]# mv /etc/security/access-sshd.conf /etc/security/access-sshd.conf1
mv: cannot move �/etc/security/access-sshd.conf� to �/etc/security/access-sshd.conf1�: Permission denied
[root@ip-10-34-70-117 ~]# chmod 777 /etc/security/access-sshd.conf
chmod: changing permissions of �/etc/security/access-sshd.conf�: Permission denied
[root@ip-10-34-70-117 ~]# rm -rf /etc/security/access-sshd.conf
rm: cannot remove �/etc/security/access-sshd.conf�: Permission denied
[root@ip-10-34-70-117 ~]#
Appreciate your input in this regard.
Thanks
Bala
gull04
June 28, 2016, 8:44am
2
Hi,
You may need to set the permissions on the "/etc/security" directory, you may find that you don't have execute permissions set.
Regards
Gull04
I verified the permission and it seems good.
drwxr-xr-x. 6 root root 4096 Jun 28 06:14 security
Something odd is going on if root can't remove it, root should override all file permissions and do it anyway unless
a) You have a read-only filesystem
b) selinux is tut-tutting at you.
Technically mv and rm do not modify the file, they modify the directory. What permissions do you have on the folder you're inside?
joker
June 28, 2016, 7:33pm
5
Maybe immutable attribute is set?
Check with ...
lsattr file
Still it is strange .. The file system is RW.
[root@ip-10-34-66-104 security]# pwd
/etc/security
[root@ip-10-34-66-104 security]# lsattr
---------------- ./limits.d
---------------- ./namespace.conf
---------------- ./console.handlers
---------------- ./console.perms.d
---------------- ./sepermit.conf
---------------- ./limits.conf
---------------- ./namespace.d
---------------- ./access.conf
---------------- ./time.conf
---------------- ./console.perms
---------------- ./access-sshd.conf
---------------- ./chroot.conf
---------------- ./namespace.init
---------------- ./console.apps
---------------- ./opasswd
---------------- ./pwquality.conf
---------------- ./group.conf
---------------- ./pam_env.conf
[root@ip-10-34-66-104 security]# ls -l
total 72
-rw-r--r-- 1 root root 4620 Aug 4 2015 access.conf
-rw-r--r-- 1 root root 431 Jun 29 02:58 access-sshd.conf
-rw-r--r-- 1 root root 82 Aug 4 2015 chroot.conf
drwxr-xr-x. 2 root root 4096 Mar 25 12:06 console.apps
-rw-r--r-- 1 root root 604 Aug 4 2015 console.handlers
-rw-r--r-- 1 root root 939 Aug 4 2015 console.perms
drwxr-xr-x. 2 root root 4096 Aug 4 2015 console.perms.d
-rw-r--r-- 1 root root 3635 Aug 4 2015 group.conf
-rw-r--r-- 1 root root 2422 Aug 4 2015 limits.conf
drwxr-xr-x. 2 root root 4096 Mar 25 12:04 limits.d
-rw-r--r-- 1 root root 1440 Aug 4 2015 namespace.conf
drwxr-xr-x. 2 root root 4096 Aug 4 2015 namespace.d
-rwxr-xr-x 1 root root 1019 Aug 4 2015 namespace.init
-rw------- 1 root root 0 Aug 4 2015 opasswd
-rw-r--r-- 1 root root 2972 Aug 4 2015 pam_env.conf
-rw-r--r--. 1 root root 1718 Dec 6 2011 pwquality.conf
-rw-r--r-- 1 root root 419 Aug 4 2015 sepermit.conf
-rw-r--r-- 1 root root 2179 Aug 4 2015 time.conf
[root@ip-10-34-66-104 security]# echo `date` >> access-sshd.conf
bash: access-sshd.conf: Permission denied
[root@ip-10-34-66-104 security]# touch bala
[root@ip-10-34-66-104 security]# ls -l bala
-rw-r--r-- 1 root root 0 Jun 29 03:42 bala
[root@ip-10-34-66-104 security]# pwd
/etc/security
[root@ip-10-34-66-104 security]#
Aia
June 29, 2016, 4:08am
7
What's the deal with your Selinux?
Some files have it, some directories have it, many files do not.
drwxr-xr-x. 2 root root 4096 Mar 25 12:06 console.apps
-rw-r--r--. 1 root root 1718 Dec 6 2011 pwquality.conf
What's the output of getenforce
?
aia:
What's the deal with your Selinux?
Some files have it, some directories have it, many files do not.
drwxr-xr-x. 2 root root 4096 Mar 25 12:06 console.apps
-rw-r--r--. 1 root root 1718 Dec 6 2011 pwquality.conf
What's the output of getenforce
?
I'm not aware of selinux and i will explore on that.
BTW, gentenforce output is "Disabled"
Thanks
Bala
c) There are ACLs in place, like there seem to be:
drwxr-xr-x. 6 root root 4096 Jun 28 06:14 security
The dot at the end of the filemode display is indicative of ACLs (access control lists) being in place for this file. Please report the output of the aclget [/path/to/]security
command.
I hope this helps.
bakunin
1 Like
Thank you. I was not aware that access control lists could supercede even root, this is quite interesting!
bakunin:
c) There are ACLs in place, like there seem to be:
drwxr-xr-x. 6 root root 4096 Jun 28 06:14 security
The dot at the end of the filemode display is indicative of ACLs (access control lists) being in place for this file. Please report the output of the aclget [/path/to/]security
command.
I hope this helps.
bakunin
Thank you very much. I was not aware of the ACL and "dot" stuff before.
However, i could not find the command "aclget" on my linux OS. I did searched on Google and i could see something related to IBM software.
Can you please let me know what Software i need in order to get "aclget" command?
Thanks
Bala
Sorry, my bad. aclget
is the command on AIX, use the getfacl
instead.
Just for completeness sake, i remembered a fourth (although quite unprobable) possibility of what might have happened:
D) a DCE (distributed computing enviroment, similar to what Windoze calls a "domain")-cell is set up. Local root will not have automatically authority over all files, only dceroot does have this.
I hope this helps.
Yes bakunin. You seems to be correct. Is there a way i can find what is my dceroot account name?
BTW, the result of getfacl command output.
[root@ip-10-34-70-118 ~]# getfacl /etc/security/
getfacl: Removing leading '/' from absolute path names
# file: etc/security/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[root@ip-10-34-70-118 ~]# getfacl /etc/security/access-sshd.conf
getfacl: Removing leading '/' from absolute path names
# file: etc/security/access-sshd.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@ip-10-34-70-118 ~]#