Date: Wed, 5 Aug 1998 00:05:56 -0400 (EDT)
From: CyberPeasant <djv@bedford.net>
To: sno@teardrop.org (James Snow)
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Weird /home problem
Message-ID: <199808050405.AAA17521@lucy.bedford.net>
In-Reply-To: <Pine.BSF.3.96.980804144543.16141E-100000@silver.teardrop.org> from James Snow at "Aug 4, 98 02:59:50 pm"
James Snow wrote:
>
> We recently segregated our users into subdirectories of /home. The
> appropriate changes were made via vipw to the password file, and all the
> directories were moved.
>
> The problem that now exists is that if any of /home's subdirectories are
> chmoded to 750, users' home directories are not found at login.
Assumptions: /home             755 root.wheel
             /home/lepers      750 root.wheel
             /home/lepers/djv  755 djv.djv
Note, I use a unique group for each user.
The symptom looks like this:
![root@castor login]# telnet localhost
!Trying 127.0.0.1...
!Connected to localhost.
!Escape character is '^]'.
!
!FreeBSD (castor.loco.net) (ttyp4)
!
!login: djv
!Password:
!Setting wd: euid uid: 0 0 <<< I hacked login to print this
<<< The login can cd to HOME, but then login
<<< set[gu]id's to the user's uid and primary group.
These messages appeared in the /var/log/messages:
Aug 4 23:42:59 castor login: _secure_path: cannot stat /home/lepers/djv/.login_conf: Permission denied
Aug 4 23:42:59 castor login: _secure_path: cannot stat /home/lepers/djv/.login_conf: Permission denied
Note, the homedir contained no files at all.
!Last login: Tue Aug 4 23:41:28 from localhost
!Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
! The Regents of the University of California. All rights reserved.
!
!FreeBSD 2.2.6-RELEASE (CASTOR-S) #0: Sun Jul 5 07:02:34 EDT 1998
!
!You have mail.
!shell-init: could not get current directory: getcwd: cannot access parent directories: Permission denied
!job-working-directory: could not get current directory: getcwd: cannot access parent directories: Permission denied
!bash: /home/lepers/djv/.bash_profile: Permission denied
!
This is normal operation. The user must have 'x' (search) access
to the whole tree from / down to cwd.
Why are you denying read/search access to the parent directory?
To hide other users' names and/or home directory name? This can't be
done ... all users can read /etc/passwd or equivalent. To keep users
from browsing other users' dirs? To do that, control the permissions
on the other users' homedirs (700).
> It doesn't happen if the directories are set to 751 or 755, it doesn't
> happen if you ssh in, it doesn't happen if you run /usr/bin/login by hand
> after logging in, and it doesn't happen if you use screen and ^a-c out to
> a shell.
Sounds like bugs in these programs, IMHO. Note, if the user being
tested is a member of group wheel, the login will succeed since
the user will be able to stat all the dirs by virtue of the group
field.
> It happens whether or not telnetd is wrapped with tcpwrappers, it happens
> despite telnetd being run as root, and it happens even with a very liberal
> set of permissions on any file I could conceive of being used in the login
> process.
Except the parent directory of cwd. :)
Dave
--
Bedford County, PA -- 47,000 polite, friendly Appalachians,
4,000 of whom have concealed-carry permits.
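The permission rule Dave describes (every directory from / down to the home directory must grant the user 'x', and a wheel member slips through a 750 root.wheel directory via the group triplet) can be checked ahead of time instead of discovered at login. The script below is an added example, not code from the post or from FreeBSD's login; it builds a constructed replica of the /home, /home/lepers, /home/lepers/djv layout under a temp directory and evaluates the search bits the way the kernel does, with a stand-in uid (the current uid plus one) playing the non-owner user and membership of the directory's group standing in for membership of wheel, since an unprivileged script cannot chown.

```python
import os
import stat
import tempfile


def can_search(st, uid, gids):
    """Unix 'x' (search) check on a directory's stat result for a given user.

    Root always passes. Otherwise exactly one triplet applies: owner first,
    then group, then other. A group member never falls through to 'other',
    which is why group bits matter even when the other bits are looser.
    """
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def denied_components(path, uid, gids, top="/"):
    """List every directory between `top` and `path` (inclusive) that `uid`
    with groups `gids` cannot search. An empty list means the user can reach
    `path`, which login's _secure_path, the shell's getcwd() and the dotfile
    reads all need. A real audit starts at top="/"; the demo below starts at
    the temp dir so that the sandbox's own parents do not affect the result."""
    path = os.path.abspath(path)
    top = os.path.abspath(top)
    rel = os.path.relpath(path, top)
    components = [top]
    if rel != ".":
        cur = top
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            components.append(cur)
    return [d for d in components if not can_search(os.stat(d), uid, gids)]


def build_tree(base, lepers_mode):
    """Constructed replica of the post's layout under `base`:
    home 755, home/lepers `lepers_mode`, home/lepers/djv 755.
    mkdtemp() creates `base` as 0700, so it is opened up to 755 as well."""
    home = os.path.join(base, "home")
    lepers = os.path.join(home, "lepers")
    djv = os.path.join(lepers, "djv")
    os.makedirs(djv)
    os.chmod(base, 0o755)
    os.chmod(home, 0o755)
    os.chmod(lepers, lepers_mode)
    os.chmod(djv, 0o755)
    return djv


def demo(lepers_mode=0o750):
    """Return (denied for an outsider, denied for a group member), each as a
    list of paths relative to the temp dir.

    Every directory here is owned by the current user, so a hypothetical user
    with uid+1 plays 'djv' (not the owner of lepers); giving that user the
    directory's gid models membership of wheel, withholding it models a
    normal user."""
    with tempfile.TemporaryDirectory() as base:
        djv = build_tree(base, lepers_mode)
        gid = os.stat(os.path.join(base, "home", "lepers")).st_gid
        outsider = (os.getuid() + 1, {gid + 1})
        member = (os.getuid() + 1, {gid})
        d_out = [os.path.relpath(p, base)
                 for p in denied_components(djv, *outsider, top=base)]
        d_mem = [os.path.relpath(p, base)
                 for p in denied_components(djv, *member, top=base)]
        return d_out, d_mem


if __name__ == "__main__":
    for mode in (0o750, 0o751, 0o700):
        out, mem = demo(mode)
        print(f"lepers={mode:o}: outsider denied at {out or 'nothing'}; "
              f"group member denied at {mem or 'nothing'}")
```

With lepers at 750 the outsider is stopped at home/lepers while the group member passes, which matches both the failed telnet login and the wheel-member exception in the reply; at 751 nobody is denied, and at 700 both are.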
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808050405.AAA17521>
