
I'm logged in as root into a CentOS 7 server, yet I'm unable to cd into certain directories from other users. I keep getting a "Permission Denied" error.

Is there any way to access those directories as root? I've tried to change permissions with "chmod" but it gives me an "Operation not permitted" error.

Thanks.

EDIT: Here's the output of the findmnt command

TARGET                                SOURCE      FSTYPE     OPTIONS
/                                     /dev/mapper/centos-root
                                                  xfs        rw,relatime,seclabel,attr2,inode64,sunit=512,sw
├─/sys                                sysfs       sysfs      rw,nosuid,nodev,noexec,relatime,seclabel
│ ├─/sys/kernel/security              securityfs  securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup                    tmpfs       tmpfs      ro,nosuid,nodev,noexec,seclabel,mode=755
│ │ ├─/sys/fs/cgroup/systemd          cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,xattr,release_a
│ │ ├─/sys/fs/cgroup/devices          cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/cpu,cpuacct      cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,cpuacct,cpu
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,net_prio,net_cl
│ │ ├─/sys/fs/cgroup/blkio            cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/cpuset           cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,cpuset
│ │ ├─/sys/fs/cgroup/hugetlb          cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,hugetlb
│ │ ├─/sys/fs/cgroup/pids             cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,pids
│ │ ├─/sys/fs/cgroup/memory           cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/perf_event       cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,perf_event
│ │ └─/sys/fs/cgroup/freezer          cgroup      cgroup     rw,nosuid,nodev,noexec,relatime,freezer
│ ├─/sys/fs/pstore                    pstore      pstore     rw,nosuid,nodev,noexec,relatime
│ ├─/sys/firmware/efi/efivars         efivarfs    efivarfs   rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/selinux                   selinuxfs   selinuxfs  rw,relatime
│ ├─/sys/kernel/debug                 debugfs     debugfs    rw,relatime
│ └─/sys/kernel/config                configfs    configfs   rw,relatime
├─/proc                               proc        proc       rw,nosuid,nodev,noexec,relatime
│ ├─/proc/sys/fs/binfmt_misc          systemd-1   autofs     rw,relatime,fd=31,pgrp=1,timeout=0,minproto=5,m
│ │ └─/proc/sys/fs/binfmt_misc        binfmt_misc binfmt_mis rw,relatime
│ └─/proc/fs/nfsd                     nfsd        nfsd       rw,relatime
├─/dev                                devtmpfs    devtmpfs   rw,nosuid,seclabel,size=16200576k,nr_inodes=405
│ ├─/dev/shm                          tmpfs       tmpfs      rw,nosuid,nodev,seclabel
│ ├─/dev/pts                          devpts      devpts     rw,nosuid,noexec,relatime,seclabel,gid=5,mode=6
│ ├─/dev/hugepages                    hugetlbfs   hugetlbfs  rw,relatime,seclabel
│ └─/dev/mqueue                       mqueue      mqueue     rw,relatime,seclabel
├─/run                                tmpfs       tmpfs      rw,nosuid,nodev,seclabel,mode=755
│ ├─/run/user/10155                   tmpfs       tmpfs      rw,nosuid,nodev,relatime,seclabel,size=3243272k
│ ├─/run/user/0                       tmpfs       tmpfs      rw,nosuid,nodev,relatime,seclabel,size=3243272k
│ ├─/run/user/10143                   tmpfs       tmpfs      rw,nosuid,nodev,relatime,seclabel,size=3243272k
│ ├─/run/user/10000                   tmpfs       tmpfs      rw,nosuid,nodev,relatime,seclabel,size=3243272k
│ └─/run/user/42                      tmpfs       tmpfs      rw,nosuid,nodev,relatime,seclabel,size=3243272k
├─/boot                               /dev/sda2   xfs        rw,relatime,seclabel,attr2,inode64,sunit=512,sw
│ └─/boot/efi                         /dev/sda1   vfat       rw,relatime,fmask=0077,dmask=0077,codepage=437,
├─/home                               /dev/mapper/centos-home
                                                  xfs        rw,relatime,seclabel,attr2,inode64,sunit=512,sw
│ └─/home/MAINUSERDIR                   IP-address-here:/home/MAINUSERDIR
                                                  nfs4       rw,relatime,vers=4.1,rsize=1048576,wsize=104857
├─/var/lib/nfs/rpc_pipefs             sunrpc      rpc_pipefs rw,relatime
├─/var/lib/snapd/snap/snapd/7264      /dev/loop0  squashfs   ro,nodev,relatime,context=system_u:object_r:sna
├─/var/lib/snapd/snap/core18/1754     /dev/loop1  squashfs   ro,nodev,relatime,context=system_u:object_r:sna
└─/var/lib/snapd/snap/snapd/7777      /dev/loop3  squashfs   ro,nodev,relatime,context=system_u:object_r:sna
johnymm
  • 113

1 Answer

If you need to have the root user work with user home directories, I would check the /etc/exports on the NFS server and add the option no_root_squash.

A better solution might be to log into your NFS server and navigate to what is being shared out as root and then make the changes you need to on the server itself instead of through the NFS mount.

Additional Info:
It looks to me like user home directories are mounted to an NFS share at 10.22.99.51:

│ └─/home/MAINUSERDIR  IP-address-here:/home/MAINUSERDIR nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=104857

By default, root (UID 0) is changed to an anonymous user (UID 65534), using an option called root_squash. You can find more information with man 5 exports or at https://linux.die.net/man/5/exports

nfsd bases its access control to files on the server machine on the uid and gid provided in each NFS RPC request. The normal behavior a user would expect is that she can access her files on the server just as she would on a normal file system. This requires that the same uids and gids are used on the client and the server machine. This is not always true, nor is it always desirable.

Very often, it is not desirable that the root user on a client machine is also treated as root when accessing files on the NFS server. To this end, uid 0 is normally mapped to a different id: the so-called anonymous or nobody uid. This mode of operation (called 'root squashing') is the default, and can be turned off with no_root_squash.

Kusalananda
  • 333,661
Brad J
  • 46
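
An audit of the export option discussed in the answer above, as an added example that is not part of the original post: it reads exports(5)-format text and reports, per export and client, whether root is squashed (the default), everyone is squashed, or client root is trusted as server root. The sample paths and 192.0.2.x clients are constructed, the function names are hypothetical, and the parser assumes one export per line with no backslash continuations or `-default` option lists.

```shell
#!/bin/sh
# Added example: effective root-squash setting per export/client pair.

# Constructed sample input (hypothetical paths and clients, not from the page).
SAMPLE_EXPORTS='# /etc/exports (constructed sample)
/home/users   192.0.2.10(rw,sync) 192.0.2.20(rw,sync,no_root_squash)
/srv/scratch  *(rw,all_squash)
/srv/backup   192.0.2.30(ro)
'

# audit_exports: exports text on stdin -> "<path> <client> <status>" lines
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                     # split "client(opt,opt)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1, length($i) - p - 1)
            }
            if (client == "") client = "*"   # bare "(opts)" means any host
            status = "root_squash"           # default when nothing is given
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") status = "no_root_squash"
                if (o[j] == "all_squash") { status = "all_squash"; break }
            }
            print path, client, status
        }
    }'
}

# risky_exports: only the pairs where uid 0 on the client stays uid 0
# on the server, i.e. where the client root account must be fully trusted.
risky_exports() {
    audit_exports | awk '$3 == "no_root_squash"'
}

# Demo run on the constructed sample.
printf '%s' "$SAMPLE_EXPORTS" | audit_exports
```

On a real server, feed it the live file with `audit_exports < /etc/exports`; any line printed by `risky_exports` names a client whose root user can read and change every file under that export.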