From: CyberPeasant
Reply-to: djv@bedford.net
To: sno@teardrop.org (James Snow)
Cc: freebsd-questions@FreeBSD.ORG
Date: Wed, 5 Aug 1998 00:05:56 -0400 (EDT)
Subject: Re: Weird /home problem
In-Reply-To: from James Snow at "Aug 4, 98 02:59:50 pm"
Message-Id: <199808050405.AAA17521@lucy.bedford.net>

James Snow wrote:
>
> We recently segregated our users into subdirectories of /home. The
> appropriate changes were made via vipw to the password file, and all the
> directories were moved.
>
> The problem that now exists is that if any of /home's subdirectories are
> chmoded to 750, users' home directories are not found at login.

Assumptions:

    /home             755  root.wheel
    /home/lepers      750  root.wheel
    /home/lepers/djv  755  djv.djv

Note, I use a unique group for each user.

The symptom looks like this:

![root@castor login]# telnet localhost
!Trying 127.0.0.1...
!Connected to localhost.
!Escape character is '^]'.
!
!FreeBSD (castor.loco.net) (ttyp4)
!
!login: djv
!Password:
!Setting wd: euid uid: 0 0     <<< I hacked login to print this
                               <<< The login can cd to HOME, but then login
                               <<< set[gu]id's to the user's uid and primary group.

These messages appeared in the /var/log/messages:

Aug  4 23:42:59 castor login: _secure_path: cannot stat /home/lepers/djv/.login_conf: Permission denied
Aug  4 23:42:59 castor login: _secure_path: cannot stat /home/lepers/djv/.login_conf: Permission denied

Note, the homedir contained no files at all.

!Last login: Tue Aug  4 23:41:28 from localhost
!Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
!        The Regents of the University of California.  All rights reserved.
!
!FreeBSD 2.2.6-RELEASE (CASTOR-S) #0: Sun Jul  5 07:02:34 EDT 1998
!
!You have mail.
!shell-init: could not get current directory: getcwd: cannot access parent directories: Permission denied
!job-working-directory: could not get current directory: getcwd: cannot access parent directories: Permission denied
!bash: /home/lepers/djv/.bash_profile: Permission denied
!

This is normal operation. The user must have 'x' (search) access to the
whole tree from / down to cwd.

Why are you denying read/search access to the parent directory?

To hide other users' names and/or home directory name? This can't be
done ... all users can read /etc/passwd or equivalent.

To keep users from browsing other users' dirs? To do that, control the
permissions on the other users' homedirs (700).

> It doesn't happen if the directories are set to 751 or 755, it doesn't
> happen if you ssh in, it doesn't happen if you run /usr/bin/login by hand
> after logging in, and it doesn't happen if you use screen and ^a-c out to
> a shell.

Sounds like bugs in these programs, IMHO.

Note, if the user being tested is a member of group wheel, the login will
succeed since the user will be able to stat all the dirs by virtue of the
group field.

> It happens whether or not telnetd is wrapped with tcpwrappers, it happens
> despite telnetd being run as root, and it happens even with a very liberal
> set of permissions on any file I could conceive of being used in the login
> process.

Except the parent directory of cwd.

:)

Dave
--
Bedford County, PA -- 47,000 polite, friendly Appalachians, 4,000 of whom
have concealed-carry permits.
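The following Python model is an added illustration of the rule Dave states above; it is not code from the mail or from FreeBSD. It walks a path component by component and applies the classic Unix owner/group/other check for the search (x) bit on each directory, with the superuser bypass that lets login chdir(2) into the home while it is still euid 0 and the later failure once it has set[gu]id'ed to the user. The directory table copies the mail's "Assumptions" block; the uid/gid numbers (0 for root and wheel, 1001 for djv and his private group) are assumed. It goes a little beyond the mail's single case by also exercising the 751 variant, wheel membership, and the 700-on-neighbouring-homes isolation Dave recommends.

```python
from dataclasses import dataclass

UID_ROOT, GID_WHEEL = 0, 0        # assumed ids for root and group wheel
UID_DJV, GID_DJV = 1001, 1001     # assumed ids for the test user djv and his private group


@dataclass(frozen=True)
class Creds:
    """Effective credentials of the process performing the lookup."""
    euid: int
    egid: int
    groups: frozenset = frozenset()   # supplementary groups


@dataclass(frozen=True)
class Dir:
    mode: int   # permission bits only, e.g. 0o750
    uid: int
    gid: int


# Directory tree constructed from the reply's "Assumptions" block.
TREE = {
    "/":                Dir(0o755, UID_ROOT, GID_WHEEL),
    "/home":            Dir(0o755, UID_ROOT, GID_WHEEL),
    "/home/lepers":     Dir(0o750, UID_ROOT, GID_WHEEL),
    "/home/lepers/djv": Dir(0o755, UID_DJV, GID_DJV),
}


def _class_bits(d, c):
    """Pick the owner, group or other permission triplet that applies to c.
    Owner class wins if euid matches, else group class if egid or any
    supplementary group matches, else the 'other' class."""
    if c.euid == d.uid:
        return (d.mode >> 6) & 7
    if c.egid == d.gid or d.gid in c.groups:
        return (d.mode >> 3) & 7
    return d.mode & 7


def can_search(d, c):
    """x (search) on a directory: needed to pass through it during a path
    lookup. The superuser always has search permission on directories."""
    return c.euid == 0 or bool(_class_bits(d, c) & 1)


def can_list(d, c):
    """r on a directory: needed to enumerate its entries (ls, or a getcwd that
    reads each parent to recover its name). Superuser bypasses it as well."""
    return c.euid == 0 or bool(_class_bits(d, c) & 4)


def components(path):
    """'/home/lepers/djv' -> ['/', '/home', '/home/lepers', '/home/lepers/djv']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def first_denied(path, creds, tree=TREE):
    """Walk the path the way the kernel's lookup does and return the first
    component whose missing search bit stops it, or None if it is reachable."""
    for comp in components(path):
        if not can_search(tree[comp], creds):
            return comp
    return None


def with_mode(tree, path, mode):
    """Copy of tree with one directory chmod'ed to the given permission bits."""
    new = dict(tree)
    d = tree[path]
    new[path] = Dir(mode, d.uid, d.gid)
    return new


def simulate_login(home, user, tree=TREE):
    """Order of events the reply's instrumented login shows: chdir(HOME) while
    still euid 0 succeeds, then after setuid/setgid the stat of
    HOME/.login_conf repeats the path walk with the user's own credentials.
    Returns (chdir_succeeded, component_that_blocked_the_stat_or_None)."""
    chdir_ok = first_denied(home, Creds(UID_ROOT, GID_WHEEL), tree) is None
    return chdir_ok, first_denied(home, user, tree)


if __name__ == "__main__":
    djv = Creds(UID_DJV, GID_DJV)
    djv_in_wheel = Creds(UID_DJV, GID_DJV, frozenset({GID_WHEEL}))
    print("750 on /home/lepers :", simulate_login("/home/lepers/djv", djv))
    print("751 on /home/lepers :", simulate_login("/home/lepers/djv", djv,
                                                  with_mode(TREE, "/home/lepers", 0o751)))
    print("djv member of wheel :", simulate_login("/home/lepers/djv", djv_in_wheel))
```

With the mail's modes, `simulate_login` reports the chdir succeeding and the stat blocked at `/home/lepers`, which is exactly the `_secure_path: cannot stat ... Permission denied` line in the log. Changing `/home/lepers` to 751 clears the walk while `can_list` still says djv cannot enumerate it; and giving each home directory 700 keeps a user out of a neighbour's home even when the parent is traversable, which is the isolation Dave suggests instead of locking the parent.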