3

I am having a very strange permission issue when trying to access any of the files in a certain directory as a specific user (adventho). This has been working fine for several months and I just recently noticed that I have been getting these errors and I haven't changed anything in the system for a while. This is what happens when trying to access any of the files as the user:

# su adventho
adventho@snail:/root
$ stat /home/adventho/public_html/hotelimg/187-1-1403380618.jpg
stat: cannot stat `/home/adventho/public_html/hotelimg/187-1-1403380618.jpg': Permission denied

However I can access it fine as root:

root@snail:~# stat /home/adventho/public_html/hotelimg/187-1-1403380618.jpg
  File: `/home/adventho/public_html/hotelimg/187-1-1403380618.jpg'
  Size: 528535          Blocks: 1040       IO Block: 4096   regular file
Device: 906h/2310d      Inode: 918000      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1030/adventho)   Gid: ( 1008/adventho)
Access: 2014-12-15 17:23:44.318374774 -0500
Modify: 2014-06-21 15:56:58.000000000 -0400
Change: 2014-10-23 16:44:57.502377342 -0400
 Birth: -

In fact, doing an ls -la on the directory produces a bunch of "?" in the output, even for . and ..:

d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
-????????? ? ? ? ?            ? 106-1-1239840962_800_600_180_135.jpg
-????????? ? ? ? ?            ? 106-1-1239840962_800_600_240_180.jpg
-????????? ? ? ? ?            ? 106-1-1239840962_800_600.jpg
-????????? ? ? ? ?            ? 106-2-1239840963_800_600_180_135.jpg
-????????? ? ? ? ?            ? 106-2-1239840963_800_600_240_180.jpg
-????????? ? ? ? ?            ? 106-2-1239840963_800_600.jpg
-????????? ? ? ? ?            ? 106-3-1239840964_800_600_180_135.jpg
-????????? ? ? ? ?            ? 106-3-1239840964_800_600_240_180.jpg
-????????? ? ? ? ?            ? 106-3-1239840964_800_600.jpg

But if I do ls -ld hotelimg/ I get an output:

drw-rw-r-- 2 adventho www-data 69632 Dec 15 17:23 hotelimg/

If I add anything after the slash, I get permission denied:

$ ls -ld hotelimg/../index.php
ls: cannot access hotelimg/../some_existent_file: Permission denied
$ ls -ld hotelimg/.
ls: cannot access hotelimg/.: Permission denied
$ ls -ld hotelimg/../
ls: cannot access hotelimg/../: Permission denied

I tried doing an strace on the ls and this is the output:

$ strace ls /home/adventho/public_html/hotelimg/187-1-1403380618.jpg
execve("/bin/ls", ["ls", "/home/adventho/public_html/hotel"...], [/* 13 vars */]) = 0
brk(0)                                  = 0x1db6000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f931a148000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26612, ...}) = 0
mmap(NULL, 26612, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f931a141000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260f\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=126232, ...}) = 0
mmap(NULL, 2226160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9319d0b000
mprotect(0x7f9319d29000, 2093056, PROT_NONE) = 0
mmap(0x7f9319f28000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d000) = 0x7f9319f28000
mmap(0x7f9319f2a000, 2032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9319f2a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/librt.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220!\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=31744, ...}) = 0
mmap(NULL, 2128856, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9319b03000
mprotect(0x7f9319b0a000, 2093056, PROT_NONE) = 0
mmap(0x7f9319d09000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f9319d09000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libacl.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\"\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=35320, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f931a140000
mmap(NULL, 2130560, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f93198fa000
mprotect(0x7f9319902000, 2093056, PROT_NONE) = 0
mmap(0x7f9319b01000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f9319b01000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\357\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1603600, ...}) = 0
mmap(NULL, 3717176, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f931956e000
mprotect(0x7f93196f0000, 2097152, PROT_NONE) = 0
mmap(0x7f93198f0000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x182000) = 0x7f93198f0000
mmap(0x7f93198f5000, 18488, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f93198f5000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14768, ...}) = 0
mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f931936a000
mprotect(0x7f931936c000, 2097152, PROT_NONE) = 0
mmap(0x7f931956c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f931956c000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\\\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=131107, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f931a13f000
mmap(NULL, 2208672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f931914e000
mprotect(0x7f9319165000, 2093056, PROT_NONE) = 0
mmap(0x7f9319364000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f9319364000
mmap(0x7f9319366000, 13216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9319366000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libattr.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\25\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18672, ...}) = 0
mmap(NULL, 2113880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9318f49000
mprotect(0x7f9318f4d000, 2093056, PROT_NONE) = 0
mmap(0x7f931914c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f931914c000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f931a13e000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f931a13c000
arch_prctl(ARCH_SET_FS, 0x7f931a13c7a0) = 0
mprotect(0x7f931914c000, 4096, PROT_READ) = 0
mprotect(0x7f9319364000, 4096, PROT_READ) = 0
mprotect(0x7f931956c000, 4096, PROT_READ) = 0
mprotect(0x7f93198f0000, 16384, PROT_READ) = 0
mprotect(0x7f9319b01000, 4096, PROT_READ) = 0
mprotect(0x7f9319d09000, 4096, PROT_READ) = 0
mprotect(0x7f9319f28000, 4096, PROT_READ) = 0
mprotect(0x61a000, 4096, PROT_READ)     = 0
mprotect(0x7f931a14a000, 4096, PROT_READ) = 0
munmap(0x7f931a141000, 26612)           = 0
set_tid_address(0x7f931a13ca70)         = 22762
set_robust_list(0x7f931a13ca80, 0x18)   = 0
futex(0x7fff8335414c, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f931a13c7a0) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x7f9319153ad0, [], SA_RESTORER|SA_SIGINFO, 0x7f931915d0a0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f9319153b60, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f931915d0a0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
statfs("/sys/fs/selinux", 0x7fff833540a0) = -1 ENOENT (No such file or directory)
statfs("/selinux", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=1440781, f_bfree=1145015, f_bavail=1071826, f_files=366480, f_ffree=337819, f_fsid={-205162666, 1274914527}, f_namelen=255, f_frsize=4096}) = 0
brk(0)                                  = 0x1db6000
brk(0x1dd7000)                          = 0x1dd7000
open("/proc/filesystems", O_RDONLY)     = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f931a147000
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 1024) = 385
read(3, "", 1024)                       = 0
close(3)                                = 0
munmap(0x7f931a147000, 4096)            = 0
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=110939968, ...}) = 0
mmap(NULL, 110939968, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f931257c000
close(3)                                = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TIOCGWINSZ, {ws_row=39, ws_col=153, ws_xpixel=0, ws_ypixel=0}) = 0
stat("/home/adventho/public_html/hotelimg/187-1-1403380618.jpg", 0x1db70d0) = -1 EACCES (Permission denied)
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2570, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f931a147000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2570
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f931a147000, 4096)            = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "ls: ", 4ls: )                     = 4
write(2, "cannot access /home/adventho/pub"..., 70cannot access /home/adventho/public_html/hotelimg/187-1-1403380618.jpg) = 70
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": Permission denied", 19: Permission denied)     = 19
write(2, "\n", 1
)                       = 1
close(1)                                = 0
close(2)                                = 0
exit_group(2)                           = ?

I notice that it mentions selinux, however it is not installed. Just to be double sure, I installed policycoreutils (which installed 55 other packages) and executed sestatus and the output was "disabled". Everything that has ever been installed on the server (with the only exception of lfd/csf) has been from the repositories.

I am stumped as to what is causing these permission denied errors.

Mike
  • 459
  • 1
    drw-rw-r-- 2 adventho www-data 69632 Dec 15 17:23 hotelimg/ - no execute permissions? – muru Dec 15 '14 at 23:45
  • 1
    Hmm... That solved it. Why would I need execute permissions on the directory to be able to view a file in it? – Mike Dec 15 '14 at 23:47

2 Answers2

6

Read permissions on a directory only allow you to list its contents. To actually be able to access the contents, you need execute permissions. Conversely, having only execute permissions will allow you to access the contents, but not list them. See Execute vs Read bit. How do directory permissions in Linux work?

muru
  • 72,889
2

Directories have two ways of operation. The first is to read or browse a directory, also known as running the ls command, and the other is executing a directory. Executing is required to open a file or directory in the requested directory. Executing is doing an inode lookup for the requested name and you don't have to be able to read the directory for that.

In your case the directory hotelimg is missing the execute permissions. Adding those with 'chmod +x hotelimg' should solve the permission issues.

hspaans
  • 562