Got Permission Denied?

Throughout my career I have dealt with many permission denied problems. The root cause varies, but it almost always falls into one of the categories below.

Unix ACL

The Unix ACL (the traditional permission bits) defines read/write/execute privileges for three classes: the owner, members of the owning group, and everyone else. chmod(1) sets them on files and directories, and a user who lacks the required bit for the class they fall into is denied access.
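The decision behind that denial is easy to get wrong when troubleshooting, because only one class of bits is consulted: owner if the uid matches, else group if the gid matches, else other. The kernel never falls through to a more generous class, so a 0007 file is readable by strangers but not by its owner. The following Python is an added example, not code from the original post; it reproduces that selection for constructed uids and modes, with an optional flag for the CAP_DAC_OVERRIDE bypass that root normally holds (that bypass, and the rule that execute still needs an x bit on regular files, are my reading of the kernel's generic permission check):

```python
import os
import stat

# Permission bits a process asks for, using the same values as chmod's octal digits
R, W, X = 4, 2, 1


def allowed(mode, file_uid, file_gid, uid, gids, want, dac_override=False):
    """Return True if a process running as (uid, gids) may perform `want`
    (a bitmask of R, W, X) on an inode with permission bits `mode`.

    Exactly one class of bits applies: owner if the uid matches, otherwise
    group if the file's gid is among the process's groups, otherwise other.
    There is no fall-through to a more generous class."""
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    if bits & want == want:
        return True
    if dac_override:
        # CAP_DAC_OVERRIDE (held by root by default) bypasses read/write
        # checks; execute still requires at least one x bit on a regular file,
        # while directories are always searchable.
        if want & X and not (mode & 0o111) and not stat.S_ISDIR(mode):
            return False
        return True
    return False


def explain(mode, file_uid, file_gid, uid, gids, want):
    """One-line verdict in the style of an ls -l entry, handy in a troubleshooting log."""
    verdict = "allowed" if allowed(mode, file_uid, file_gid, uid, gids, want) else "denied"
    return f"{stat.filemode(mode)} owner={file_uid} group={file_gid}: uid={uid} -> {verdict}"


def check_path(path, want):
    """Apply the same decision to a real file, using this process's own identity."""
    st = os.stat(path)
    return allowed(st.st_mode, st.st_uid, st.st_gid,
                   os.getuid(), set(os.getgroups()), want)


if __name__ == "__main__":
    # Constructed sample: a regular file with mode 0640 owned by uid 1000, gid 1000
    mode = stat.S_IFREG | 0o640
    print(explain(mode, 1000, 1000, 1000, {1000}, R | W))   # owner: allowed
    print(explain(mode, 1000, 1000, 1001, {1000}, W))       # group member writing: denied
    print(explain(mode, 1000, 1000, 1002, {1002}, R))       # other: denied
    # Owner class wins even when it is the stingier one
    print(explain(stat.S_IFREG | 0o007, 1000, 1000, 1000, {1000}, R))  # owner: denied
```

check_path() is the function to reach for on a live system: it answers "would this process be allowed" from os.stat() without touching the file, which is useful when the real access attempt has side effects.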

Linux Capabilities(7)

Linux capabilities split the privileges of root into distinct units that a process or executable may hold for certain actions. For example, a program needs CAP_CHOWN to call chown(2). Similarly, a container that wants to run mount must hold the CAP_SYS_ADMIN capability to avoid a permission denied error; it can be granted with the --cap-add option of the docker run command.
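When a syscall fails with EPERM inside a container, the quickest check is the CapEff line of /proc/<pid>/status, which is a hex bitmask rather than a list of names. The following Python is an added example, not code from the original post: it decodes such a mask using the bit numbers from capabilities(7) and reports which of the capabilities a syscall needs are missing. The /proc status excerpt is a constructed sample; the mask value in it is the effective set commonly seen in a container started with Docker's default capabilities, which is exactly why mount fails there while chown works:

```python
# Capability names indexed by bit number, as listed in capabilities(7)
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_caps(mask_hex):
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into a set of names."""
    mask = int(mask_hex, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table get a numeric placeholder instead of a name
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_BIT_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Extract the Cap* lines from the text of /proc/<pid>/status into a dict."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key] = value.strip()
    return caps


def missing_caps(status_text, needed):
    """Names in `needed` absent from the effective set; each one turns the
    corresponding syscall into EPERM, which shows up as 'permission denied'."""
    effective = decode_caps(parse_status(status_text)["CapEff"])
    return sorted(set(needed) - effective)


# Constructed sample: the Cap* block of /proc/self/status inside a container
# started with Docker's default capability set (no CAP_SYS_ADMIN).
SAMPLE_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# What the two syscalls mentioned in the text require
NEEDED = {"chown(2)": ["CAP_CHOWN"], "mount(2)": ["CAP_SYS_ADMIN"]}

if __name__ == "__main__":
    for call, caps in NEEDED.items():
        gap = missing_caps(SAMPLE_STATUS, caps)
        print(f"{call}: {'ok' if not gap else 'denied, missing ' + ', '.join(gap)}")
    # On a live system: missing_caps(open('/proc/self/status').read(), ["CAP_SYS_ADMIN"])
```

Reading CapEff rather than CapPrm matters: a capability that is permitted but not effective still produces EPERM until the process raises it.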

SELinux

SELinux is a role-based mandatory access control system and is supported by many filesystems. Once SELinux is enabled, a filesystem must be mounted with the proper label before processes are allowed to access its contents. For example, a Docker container needs the svirt_sandbox_file_t label on an external volume in order to access it.

Some Special Cases

  • NFS
    • root_squash and all_squash. An NFS server that exports a share with root_squash strips uid 0 and maps it to the anonymous id; all_squash maps every uid to the anonymous id. Permission checks on the server then run against the mapped id, not the one the client sent.
    • NFS v4 ACL. The v4 ACL defines rules for read/write/execute/chown/delete and more. A missing flag also causes permission denied.
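Squashing is a common surprise because root_squash is the default even when it is not written in /etc/exports: root on the client shows up on the server as uid 65534, and the server's mode-bit check is then made for that uid. The following Python is an added example, not code from the original post; it parses an exports(5) line and computes the uid/gid the server will actually use for a request, taking the anonuid/anongid defaults of 65534 from exports(5). The exports line is a constructed sample.

```python
import re

ANON_DEFAULT = 65534  # exports(5) default for anonuid and anongid


def parse_exports_line(line):
    """Parse one /etc/exports line into (path, [(client, [options]), ...])."""
    parts = line.strip().split(None, 1)
    path = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    clients = []
    for token in rest.split():
        m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", token)
        if m is None:
            raise ValueError(f"malformed client entry: {token!r}")
        client, opts = m.group(1), m.group(2) or ""
        clients.append((client, [o for o in opts.split(",") if o]))
    return path, clients


def effective_ids(uid, gid, options):
    """Return the (uid, gid) the server uses for a request arriving as uid/gid.

    root_squash is on unless no_root_squash is given; all_squash is off
    unless given. A later option overrides an earlier one."""
    root_squash, all_squash = True, False
    anonuid = anongid = ANON_DEFAULT
    for opt in options:
        if opt == "root_squash":
            root_squash = True
        elif opt == "no_root_squash":
            root_squash = False
        elif opt == "all_squash":
            all_squash = True
        elif opt == "no_all_squash":
            all_squash = False
        elif opt.startswith("anonuid="):
            anonuid = int(opt.split("=", 1)[1])
        elif opt.startswith("anongid="):
            anongid = int(opt.split("=", 1)[1])
    if all_squash:
        return anonuid, anongid
    if root_squash:
        return (anonuid if uid == 0 else uid), (anongid if gid == 0 else gid)
    return uid, gid


# Constructed sample exports line: one trusted subnet, everyone else squashed
SAMPLE_EXPORT = "/srv/share 10.0.0.0/24(rw,root_squash,anonuid=65534) *(ro,all_squash)"

if __name__ == "__main__":
    path, clients = parse_exports_line(SAMPLE_EXPORT)
    for client, opts in clients:
        for uid, gid in ((0, 0), (1000, 1000)):
            print(f"{path} from {client}: client uid/gid {uid}/{gid} "
                  f"-> server sees {effective_ids(uid, gid, opts)}")
```

The practical consequence: a file that root created on the server with mode 0600 is unreadable by root on an NFS client under root_squash, because the server evaluates the owner/group/other bits for uid 65534, which lands in the "other" class.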