Permission denied for /home directories

I need access to the /home of a system user ‘iobroker’.
My default user is a member of group ‘iobroker’.
But I can’t access the directory. Does it have to do with ACLs?

[thomas@daleth iobroker]$ sudo ls -la /home/iobroker/
total 44
drw-rw-r-- 2 iobroker iobroker  4096 Jul  1 22:27 .
drwxr-xr-x 4 root     root      4096 Jul  1 22:11 ..
-rw-rw-r-- 1 iobroker iobroker    21 Jan 22 14:59 .bash_logout
-rw-rw-r-- 1 iobroker iobroker    57 Jan 22 14:59 .bash_profile
-rw-rw-r-- 1 iobroker iobroker   172 Jan 22 14:59 .bashrc
-rw-rw-r-- 1 iobroker iobroker 23302 Jul  1 22:28 .diag.sh
-rw-rw-r-- 1 iobroker iobroker     0 Jul  1 22:28 iob_diag.log
[thomas@daleth iobroker]$ ls -la /home/iobroker/
ls: cannot access '/home/iobroker/.diag.sh': Permission denied
ls: cannot access '/home/iobroker/.bash_profile': Permission denied
ls: cannot access '/home/iobroker/..': Permission denied
ls: cannot access '/home/iobroker/iob_diag.log': Permission denied
ls: cannot access '/home/iobroker/.': Permission denied
ls: cannot access '/home/iobroker/.bashrc': Permission denied
ls: cannot access '/home/iobroker/.bash_logout': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
-????????? ? ? ? ?            ? .bash_logout
-????????? ? ? ? ?            ? .bash_profile
-????????? ? ? ? ?            ? .bashrc
-????????? ? ? ? ?            ? .diag.sh
-????????? ? ? ? ?            ? iob_diag.log
[thomas@daleth iobroker]$ groups
users wheel thomas iobroker
[thomas@daleth iobroker]$

Did you just add that group membership? You may need to log out and log back in before it will work.

Yes, I even did a complete reboot of that machine.

The directory may require execute permission for the group members to be able to list contents and traverse the directory.

sudo chmod g+x /home/iobroker
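Added example, not from the thread or from the ioBroker installer, to make the traverse rule concrete: a POSIX sh function that walks every directory component of a path and reports which permission classes (owner, group, other) lack the execute bit on it. A user needs that bit on every component to reach anything below, whatever the leaf's own mode says. It assumes GNU coreutils `stat -c '%A'` (Linux), which prints the same symbolic mode string `ls -l` shows. Applied to the modes seen in this thread (`drw-rw-r--` in the first listing, `drw-rwxr--` after `chmod g+x`) it reports that the owner class still lacks the traverse bit, so access as the owner is refused as well. All directories used are constructed under mktemp; nothing touches /home.

```shell
#!/bin/sh
# Added example (not from the thread): report, per path component, which
# permission classes lack the execute ("traverse") bit on that directory.
# Assumes GNU `stat -c '%A'` (symbolic mode string such as drw-rw-r--).

# traverse_report PATH
#   Prints one line per directory component that is not traversable by all
#   three classes; returns 0 if every component is, 1 otherwise, 2 on error.
traverse_report() {
    path=$1
    case $path in /*) ;; *) path="$PWD/$path" ;; esac   # make it absolute
    rest=${path#/}
    cur=""
    rc=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$comp" ] || continue                 # skip empty ("//")
        cur="$cur/$comp"
        [ -d "$cur" ] || continue                  # only directories matter
        sym=$(stat -c '%A' "$cur") || return 2
        missing=""
        # Columns 4, 7 and 10 of the symbolic mode are the owner, group and
        # other execute bits; lowercase s/t mean the bit is set together
        # with setuid/setgid/sticky, uppercase S/T mean it is not set.
        case $(printf '%s' "$sym" | cut -c4)  in [xs]) ;; *) missing="$missing owner" ;; esac
        case $(printf '%s' "$sym" | cut -c7)  in [xs]) ;; *) missing="$missing group" ;; esac
        case $(printf '%s' "$sym" | cut -c10) in [xt]) ;; *) missing="$missing other" ;; esac
        if [ -n "$missing" ]; then
            printf '%s (%s): no traverse for%s\n' "$cur" "$sym" "$missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a home directory with the mode from the thread's first
# listing (664 = drw-rw-r--), then after `chmod g+x` (674), then 774.
demo_traverse() {
    base=$(mktemp -d) && chmod 755 "$base"
    mkdir -p "$base/home/iobroker"
    chmod 755 "$base/home"
    for m in 664 674 774; do
        chmod "$m" "$base/home/iobroker"
        printf -- '--- mode %s ---\n' "$m"
        traverse_report "$base/home/iobroker" || :
    done
    rm -rf "$base"
}
demo_traverse
```

Run it as the directory owner or as root; the report depends only on mode bits, not on who runs it, so it is a quick way to see which class a `Permission denied` is really about before reaching for ACLs.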

It has something to do with sudo.

[thomas@daleth iobroker]$ sudo -u iobroker mkdir /home/iobroker/testdir
mkdir: cannot create directory ‘/home/iobroker/testdir’: Permission denied

Just spitballin’ here …

Not sure if your terminal prompt as seen above is standard or otherwise edited in your console app, but might it be the case that you are trying to see iobroker’s directory as user thomas instead of as iobroker? If so, presumably that’s your objective?

Related: can you confirm for yourself that thomas is currently a member of iobroker group? (thomas may not be your typical default user)

thomas is member of the group iobroker. See the last line of the console output.

The problem is that iobroker cannot even mkdir a directory in its own home.

Did you address this issue?

sudo chmod g+x /home/iobroker

Sure.

[thomas@daleth ~]$ ls -lh /home/
total 8.0K
drw-rwxr-- 2 iobroker iobroker 4.0K Jul  2 00:27 iobroker
drwx------ 6 thomas   thomas   4.0K Jul  1 22:47 thomas
[thomas@daleth ~]$ 

Yep, that looks fine. Any difference?

If not, run a filesystem check. What filesystem is in use?

No change.
Filesystem is ext4.
fsck ran without any issues.

Can you access /home/iobroker with cd ?

I think this is only part of the solution. They can enter the directory, but they cannot list the files within it.
I’d suggest sudo chmod g+x /home/iobroker --recursive

No, that’s definitely not right because you would be adding the execute permission to all files inside.

The permissions for this directory have obviously been “messed with”, since the directory was missing the executable bit in the first place. So far there is not enough information in the thread to be able to tell what configuration error has been made.
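Added example, not from the thread: a POSIX sh script that applies `chmod -R g+x` and `chmod -R g+X` to a constructed tree shaped like the listing above and counts what each did to the regular files. Lowercase x sets the execute bit on every file; uppercase X adds it only to directories and to files that already had an execute bit, which is the conventional way to restore group traversal on a tree without making data files executable. Function names, the temp paths and the sample file names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): compare what recursive chmod with
# lowercase x and uppercase X does to a directory tree. Everything is built
# under mktemp; nothing here touches /home.

# make_tree DIR: directory with owner rwx / group rw- (no group traverse),
# holding three mode-664 files named like the listing in the thread.
make_tree() {
    mkdir -p "$1"
    for f in .bashrc .bash_profile iob_diag.log; do
        : > "$1/$f"
        chmod 664 "$1/$f"
    done
    chmod 764 "$1"
}

# Number of regular files under DIR with the group execute bit (octal 010) set.
count_files_with_group_x() {
    find "$1" -type f -perm -010 | wc -l | tr -d ' '
}

# Number of directories under DIR (DIR included) lacking the group execute bit.
count_dirs_without_group_x() {
    find "$1" -type d ! -perm -010 | wc -l | tr -d ' '
}

# demo_recursive_chmod MODE: build the tree, apply `chmod -R MODE`, and print
# the result as "files_with_group_x=N dirs_without_group_x=M".
demo_recursive_chmod() {
    base=$(mktemp -d)
    make_tree "$base/iobroker"
    chmod -R "$1" "$base/iobroker"
    printf 'files_with_group_x=%s dirs_without_group_x=%s\n' \
        "$(count_files_with_group_x "$base/iobroker")" \
        "$(count_dirs_without_group_x "$base/iobroker")"
    rm -rf "$base"
}

printf 'chmod -R g+x: %s\n' "$(demo_recursive_chmod g+x)"
printf 'chmod -R g+X: %s\n' "$(demo_recursive_chmod g+X)"
```

Both variants fix the directory (dirs_without_group_x=0), but only the lowercase form turns the three data files into group-executable ones, which is the side effect the reply above warns about.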

What information is missing?

For example, how was this directory created? With useradd -m, or mkdir, or…?

We can see the permissions for this directory were modified at some point, but how specifically were they modified? What commands were run? Did directory access work normally before that?

Let’s take a look at the ACLs for this directory:

getfacl /home/iobroker/

And attributes:

lsattr /home/iobroker/

Also check user and group IDs.

id thomas
id iobroker

The user is being created by an installation script. The respective part looks like this:

# Excerpt posted from the installer: the helper add2sudoers() and the
# variables SUDOX, IS_ROOT, IOB_USER, CONTROLLER_DIR and ROOT_GROUP are
# defined elsewhere in that script and are not part of this excerpt.
create_user_linux() {
	username="$1"
	# Create the service user (with a home directory, no login shell) if it is missing
	id "$username" &> /dev/null;
	if [ $? -ne 0 ]; then
		# User does not exist
		$SUDOX useradd -m -s /usr/sbin/nologin "$username"
		echo "User $username created"
	fi
	# Add the current non-root user to the iobroker group so he can access the iobroker dir
	if [ "$username" != "$USER" ] && [ "$IS_ROOT" = false ]; then
		sudo usermod -a -G "$username" "$USER"
	fi

	SUDOERS_CONTENT="$username ALL=(ALL) ALL\n"
	# Add the user to all groups we need and give him passwordless sudo privileges
	# Define which commands iobroker may execute as sudo without password
	declare -a iob_commands=(
		"shutdown" "halt" "poweroff" "reboot"
		"systemctl start" "systemctl stop"
		"mount" "umount" "systemd-run"
		"apt-get" "apt" "dpkg" "make"
		"ping" "fping"
		"arp-scan"
		"setcap"
		"vcgencmd"
		"cat"
		"df"
		"mysqldump"
		"ldconfig"
	)
	add2sudoers "$username ALL=(ALL) " "${iob_commands[@]}"

	# Additionally, define which iobroker-related commands may be executed by every user
	declare -a all_user_commands=(
		"systemctl start iobroker"
		"systemctl stop iobroker"
		"systemctl restart iobroker"
	)
	add2sudoers "ALL ALL=" "${all_user_commands[@]}"

	# Furthermore, allow all users to execute node iobroker.js as iobroker
	if [ "$IOB_USER" != "$USER" ]; then
		add2sudoers "ALL ALL=($IOB_USER) " "node $CONTROLLER_DIR/iobroker.js *"
	fi

	# Write the collected rules to a temp file, validate them with visudo -c,
	# and only then install the file as root-owned mode 440 under sudoers.d
	SUDOERS_FILE="/etc/sudoers.d/iobroker"
	$SUDOX rm -f "$SUDOERS_FILE"
	echo -e "$SUDOERS_CONTENT" > ~/temp_sudo_file
	$SUDOX visudo -c -q -f ~/temp_sudo_file && \
		$SUDOX chown root:"$ROOT_GROUP" ~/temp_sudo_file &&
		$SUDOX chmod 440 ~/temp_sudo_file &&
		$SUDOX mv ~/temp_sudo_file "$SUDOERS_FILE" &&
		echo "Created $SUDOERS_FILE"
	# Add the user to all groups if they exist
	declare -a groups=(
		audio
		bluetooth
		dialout
		gpio
		i2c
		plugdev
		redis
		tty
		video
	)
	for grp in "${groups[@]}"; do
		getent group "$grp" &> /dev/null && $SUDOX usermod -a -G "$grp" "$username"
	done
}

[thomas@daleth ~]$ getfacl /home/iobroker/
getfacl: Removing leading '/' from absolute path names
# file: home/iobroker/
# owner: iobroker
# group: iobroker
user::rw-
group::rwx
other::r--
[thomas@daleth ~]$ lsattr /home/iobroker/
--------------e------- /home/iobroker/iob_diag.log
[thomas@daleth ~]$ 
[thomas@daleth ~]$ id thomas
id iobroker
uid=1000(thomas) gid=1000(thomas) groups=1000(thomas),998(wheel),984(users),1001(iobroker)
uid=1001(iobroker) gid=1001(iobroker) groups=1001(iobroker),998(wheel),996(audio),5(tty),985(video)
[thomas@daleth ~]$ 

I just found that there is no sudoers entry for iobroker. Will dig around there…

Hmm, certainly a puzzling issue…:thinking:

You aren’t using SELinux or AppArmor, are you?

Is /home/iobroker mounted over NFS, or any other network filesystem that might have different permission settings?

BluishHumility wrote (post 18):

> You aren’t using SELinux or AppArmor, are you?

I haven’t configured SELinux nor AppArmor. The system is Endeavour OS on ARM / Raspberry 4.
Don’t know if either one comes preconfigured.

> Is /home/iobroker mounted over NFS, or any other network filesystem that might have different permission settings?

No, all Filesystems are local ones.

/dev/mmcblk0p1 on /boot type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
/dev/mmcblk0p2 on / type ext4 (rw,relatime)

The installer is very Debian-centric. It runs successfully over there. I just wanted to port it over to Arch / EOS.

Is it possible you have an issue with the SD card? They do tend to have limited writes. If the filesystem is not intact it could conceivably cause permission-related issues.

sudo smartctl -a /dev/mmcblk0

It may also be worth running fsck when the disk is not mounted (for example, from a live environment), if you have not done that yet.