[SOLVED] user removed from one group can still get that group's permission
This is my first post in this forum. Sorry if I posted it in the wrong place.
I use openLDAP for user management. A group foo is used to share some files among the users belonging to group foo. The ownership of the shared folder is root:foo, and the permissions are set to 770. This makes sure that users not in group foo are denied access to that folder.
For some reasons, the membership of group foo varies occasionally. If a new user is added to group foo, a simple re-logon gives the user the correct id and groups, and access to the shared folder. Everything works fine.
The issue comes if the user is removed from group foo. After the removal and re-logon, id and groups say the user is no longer a member of group foo (as it should be), and this user should no longer be able to access that shared folder. However, this user can still cd to that shared folder without a permission denied error message.
So, why can a user removed from one group still get that group's permissions, even after re-logon?
I tried restarting my ldap service to refresh the user info, but it did not help. Only a reboot of the box makes the user get the right permissions. So I think it could be a user credential cache. But I do not know how to flush it without a reboot.
What should I do to get the right permissions? Any help will be appreciated. thx
PS: Seems to be less related, but the shared folder is also a samba share. The samba share got the right permissions after a restart of the smb service.
pan_res is the shared folder for all members in group pan_res
Code:
[lanfan@beetle /smb]$ id
uid=1087(lanfan) gid=1001(pan) groups=1001(pan) context=user_u:system_r:unconfined_t
[lanfan@beetle /smb]$ groups
pan
User lanfan was just removed from group pan_res, and id and groups say it is no longer a member of that group.
Code:
[lanfan@beetle /smb]$ cd pan_res/
[lanfan@beetle pan_res]$ ls
But I can still cd to that folder without an error.
Code:
[lijs@beetle /smb]$ id
uid=61317(lijs) gid=1001(pan) groups=1001(pan) context=user_u:system_r:unconfined_t
[lijs@beetle /smb]$ groups
pan
[lijs@beetle /smb]$ cd pan_res
pan_res: Permission denied.
Other users not in that group receive a Permission denied error as expected.
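The post above compares two things that can disagree: what the name service says about a group, and what the filesystem actually does when the user tries the directory. There is a third view in between, the groups the kernel attached to the login session, which is what `id -G` (with no user name) reports for the current process. The added example below is not from the thread or from any of its posters; it prints all three views side by side so a stale one stands out. The group and user names (pan_res, lanfan) and the path /smb/pan_res come from the thread; the script name, the helper names and the sample group line in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. It separates the three places
# a "does this user have the group" answer can come from:
#   1. the name service (files or LDAP): what `getent group` returns
#   2. the login session's credentials:  what `id -G` returns for this process
#   3. the filesystem's own decision:    what happens when the path is used
# For a local filesystem 2 and 3 agree. For a network filesystem (NFS, Samba)
# the check in 3 is made on the server, with the server's view of the user,
# so it can disagree with the local `id` output.
# Names pan_res, lanfan and /smb/pan_res are from the thread; the rest is
# an assumption of this example.

# nss_line_has_member "name:passwd:gid:m1,m2" USER
# Pure parser for one getent(1)-style group line: is USER in the member list?
nss_line_has_member() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx -- "$2"
}

# gid_of_line "name:passwd:gid:members" -> prints the numeric gid
gid_of_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# gid_in_list GID "GID GID ..."   (the shape `id -G` prints)
gid_in_list() {
    for _g in $2; do
        [ "$_g" = "$1" ] && return 0
    done
    return 1
}

# Live wrappers around the pure functions.
nss_has_member() {      # GROUP USER: view 1
    nss_line_has_member "$(getent group "$1")" "$2"
}
session_has_group() {   # GROUP: view 2, for the current process
    gid_in_list "$(gid_of_line "$(getent group "$1")")" "$(id -G)"
}

# report GROUP DIR: print the three views for the current user.
# View 3 is `test -x DIR`, the same permission the `cd` in the thread needs;
# on NFS or CIFS this becomes an access request answered by the server.
report() {
    _user=$(id -un)
    if nss_has_member "$1" "$_user"; then _nss=yes; else _nss=no; fi
    if session_has_group "$1";       then _ses=yes; else _ses=no; fi
    if [ -x "$2" ];                  then _acc=allowed; else _acc=denied; fi
    printf 'user=%s group=%s nss_member=%s session_has_gid=%s access(%s)=%s\n' \
        "$_user" "$1" "$_nss" "$_ses" "$2" "$_acc"
    # The case in the thread reads nss_member=no session_has_gid=no
    # access=allowed: the decision did not come from this host's credentials.
}

# Usage (run as the affected user after re-login):
#   sh groupcheck.sh pan_res /smb/pan_res
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

Run it twice, once from a local directory and once from the shared one; if views 1 and 2 say "no" while view 3 says "allowed", the stale data is not in the local login session or the local name service, and restarting LDAP on this host cannot fix it.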
After you remove lanfan from the pan_res group did you log out and then log in?
Because the id program doesn't show the id/groups for the current process; it reads /etc/passwd, /etc/group, or whatever, to get the information.
So, while the id output may be correct, the current process STILL may have more privileges than id shows.
By the way, what is shared in this folder?
Not always, but often enough, the need for a shared folder indicates that actually some version control is needed instead.
I tested on another box using /etc/passwd and /etc/group for user management instead of openLDAP.
Everything went fine: after removing the user from that group, the user immediately gets the permission denied error message.
So I think it's maybe an openLDAP related issue.
Any more suggestion? Any help will be appreciated. thx
Could you test it
- on the box with openLDAP, but for a directory that is not a samba share.
- without openLDAP (i.e. /etc/passwd, /etc/group) but with a directory on a samba share
?
Do you have an openLDAP replication server that is not in sync? Is information previously obtained from LDAP being cached? How exactly do you connect to LDAP?
Could you test it
- on the box with openLDAP, but for a directory that is not a samba share.
- without openLDAP (i.e. /etc/passwd, /etc/group) but with a directory on a samba share
?
Things get even more complicated.
I tested on a new directory which is not a samba share, and received the permission denied message correctly.
I added this new directory to a new samba share, and this time I received the permission denied message correctly.
Then I found that the previously shared directory is mounted from NFS.
So it's neither an openLDAP issue nor a samba issue. It seems to be an NFS issue. Maybe I mounted this NFS share with too high privileges.
I decided to use another shared directory which is not from NFS. That's the easiest solution.
I'll look into the NFS issue another time.
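The thread resolves when the poster notices the shared directory is an NFS mount, which is the one fact that explains the earlier tests: on a local directory the kernel of this host evaluates the 770 mode against the process credentials, while on an NFS or CIFS mount the access request is answered by the file server, with whatever view of the user that server has. The first check to run before blaming LDAP or Samba is therefore "which filesystem backs this path, and who serves it". The added example below is not from the thread; it parses the /proc/self/mountinfo format (the longest mount point that is a prefix of the path wins) and reports the filesystem type and source. The sample mountinfo lines, the server name fileserver, the export path and the address 192.0.2.10 are constructed; the path /smb/pan_res is from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: find which mount holds a path
# and whether its permission checks are answered locally or by a server.
#
# /proc/self/mountinfo line layout (fields are space separated):
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS [optional fields...] - FSTYPE SOURCE SUPEROPTS
# The "-" separator marks the end of the variable optional fields.

# mount_info_for_path PATH MOUNTINFO_TEXT fstype|source
# Prints FSTYPE or SOURCE of the longest mount point that is a prefix of PATH
# (prints an empty line if nothing matches). Pure function, no system access.
mount_info_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" -v what="$3" '
    NF >= 9 {
        mp = $5
        val = ""
        for (i = 7; i <= NF; i++)
            if ($i == "-") { val = (what == "source") ? $(i + 2) : $(i + 1); break }
        if (mp == "/") hit = (index(p, "/") == 1)
        else           hit = (p == mp || index(p, mp "/") == 1)
        if (hit && length(mp) > best) { best = length(mp); bestval = val }
    }
    END { print bestval }'
}

# remote_decision FSTYPE -> 0 when a file server, not this kernel, evaluates
# the permission check for paths on that filesystem.
remote_decision() {
    case "$1" in
        nfs|nfs4|cifs|smb3) return 0 ;;
        *)                  return 1 ;;
    esac
}

# where_is PATH: live wrapper over the real mount table.
where_is() {
    _p=$(readlink -f -- "$1")
    _mi=$(cat /proc/self/mountinfo)
    _fs=$(mount_info_for_path "$_p" "$_mi" fstype)
    _src=$(mount_info_for_path "$_p" "$_mi" source)
    if remote_decision "$_fs"; then _who="server ($_src)"; else _who="local kernel"; fi
    printf '%s: fstype=%s source=%s permission decided by: %s\n' \
        "$_p" "$_fs" "$_src" "$_who"
}

# Constructed sample: a host with / and /smb on local disks and the thread's
# /smb/pan_res mounted from an NFS server.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:17 / /smb rw,relatime shared:2 - ext4 /dev/sdb1 rw
41 40 0:46 / /smb/pan_res rw,relatime shared:3 - nfs fileserver:/export/pan_res rw,vers=3,addr=192.0.2.10'

# Usage: sh where_is.sh /smb/pan_res
if [ "$#" -eq 1 ]; then
    where_is "$1"
fi
```

Against the sample table, /smb/pan_res and anything below it resolve to nfs served by fileserver:/export/pan_res, while /smb/other and /home resolve to ext4. When the answer is a server, the group membership that matters is the one the server holds for that user, so the LDAP restart on the client and the client-side re-login the thread tried were never going to change the result.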