Operating System - Linux
MikeL_4
Super Advisor

permission issue for a user...

I have a server that NFS mounts a file system that contains an ftp directory...
On this server the application group has an admin ID that they use to process files in these directories...

The directory with an issue is the inbound directory:

[root@awopvpa01 sftponly]# ls -al ./arisftp
total 16
drwxr-xr-x 4 633 sftponly24 4096 Jun 5 01:50 .
drwxr-xr-x 27 root root 4096 Feb 3 14:27 ..
drwxrwxr-x 2 633 sftponly24 4096 Jun 5 13:01 inbound

When the ID infawcp tries to access they are getting permission denied:

=> cd /t3public/infawcp/sftponly/arisftp/inbound
AWCC:PROD infawcp@awopvpa01 [/t3public/infawcp/sftponly/arisftp/inbound]:
=> touch ./test_file
touch: cannot touch `./test_file': Permission denied
=>

If I try another directory, that is set up the same way, they have no issue:
# ls -al ./synvsftp
total 2548
drwxr-xr-x 4 612 sftponly3 4096 May 6 15:42 .
drwxr-xr-x 27 root root 4096 Feb 3 14:27 ..
drwxrwxr-x 2 612 sftponly3 4096 Jun 5 13:08 inbound

=> cd /t3public/infawcp/sftponly/synvsftp/inbound
=> touch ./mike
=> ls -al
total 8
drwxrwxr-x 2 612 sftponly3 4096 Jun 5 13:24 .
drwxr-xr-x 4 612 sftponly3 4096 May 6 15:42 ..
-rw-rw-r-- 1 infawcp infinys 0 Jun 5 13:24 mike
=> rm ./mike
=> ls -al
total 8
drwxrwxr-x 2 612 sftponly3 4096 Jun 5 13:24 .
drwxr-xr-x 4 612 sftponly3 4096 May 6 15:42 ..
=>

The ID has group permissions on both of these directories:
=> id
uid=650(infawcp) gid=601(infinys) groups=601(infinys),610(sftponly1),611(sftponly2),612(sftponly3),613(sftponly4),614(sftponly5),617(sftponly8),620(sftponly11),621(sftponly12),622(sftponly13),623(sftponly14),624(sftponly15),625(sftponly16),626(sftponly17),627(sftponly18),629(sftponly20),630(sftponly21),631(sftponly22),632(sftponly23),633(sftponly24)

We are running Red Hat 5.6 on the servers, anyone have any ideas what may be causing this ??
Matti_Kurkela
Honored Contributor
Solution

Re: permission issue for a user...

The NFS protocol versions 2 and 3 limit the maximum effective number of supplementary groups to 16. Run "man 5 nfs" and read the paragraph titled "SECURITY CONSIDERATIONS".

This limitation is written in the NFS protocol standards.

NFS version 4 would allow this limit to be overcome, but only if you use one of the newer authentication modes, like RPCGSS:

http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html

The only workaround I know is to rearrange the supplemental groups so that the groups required for NFS access are within the first 16 supplemental groups for that user.

MK
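
The limit described in the answer above, applied to the "id" output from the question, as an added example that is not part of the original posts. It assumes the NFS client sends only the first 16 entries of the group list, in the order "id" prints them; the function names are illustrative.

```shell
#!/bin/sh
# AUTH_SYS (AUTH_UNIX) credentials used by NFSv2/v3 carry at most 16 group IDs.
NFS_AUTH_SYS_MAX_GROUPS=16

# Constructed sample: the "id" output posted in the question.
SAMPLE_ID='uid=650(infawcp) gid=601(infinys) groups=601(infinys),610(sftponly1),611(sftponly2),612(sftponly3),613(sftponly4),614(sftponly5),617(sftponly8),620(sftponly11),621(sftponly12),622(sftponly13),623(sftponly14),624(sftponly15),625(sftponly16),626(sftponly17),627(sftponly18),629(sftponly20),630(sftponly21),631(sftponly22),632(sftponly23),633(sftponly24)'

# Print the numeric GIDs from an "id" output line, one per line, in order.
gids_from_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        sed 's/(.*//'
}

# GIDs that fit into the credential (assumption: the first 16 in listed order).
sent_gids() {
    gids_from_id "$1" | head -n "$NFS_AUTH_SYS_MAX_GROUPS"
}

# GIDs the NFS server never sees.
dropped_gids() {
    gids_from_id "$1" | tail -n +"$((NFS_AUTH_SYS_MAX_GROUPS + 1))"
}

# Succeeds if the given GID would reach the NFS server.
gid_is_sent() {
    sent_gids "$1" | grep -qx "$2"
}

# One-line verdict for a directory's owning group.
check_dir_group() {
    if gid_is_sent "$1" "$2"; then
        echo "gid $2: sent to server, group permissions apply"
    else
        echo "gid $2: not sent, server falls back to 'other' permissions"
    fi
}

check_dir_group "$SAMPLE_ID" 612   # synvsftp/inbound (works in the question)
check_dir_group "$SAMPLE_ID" 633   # arisftp/inbound (permission denied)
echo "dropped: $(dropped_gids "$SAMPLE_ID" | tr '\n' ' ')"
```

On a live NFS client, pass the output of "id" for the affected account in place of the sample string.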
MikeL_4
Super Advisor

Re: permission issue for a user...

Learned something new again today, did not realize there was this limit....

I dropped the supplemental groups down to 16 and the issue was resolved...

Thanks