AIX, user gets “pwd: The file access permissions do not allow the specified action.”
AIX, user gets “pwd: The file access permissions do not allow the specified action.”
Just a short demonstration that file permissions matter on directories used as mount points under AIX6.1. Let’s say we have properly running system, the oracle software owner user “orand3″ can access everything (pwd and ls commands):
01.root@kopsxsap003d:# mount | grep 102_6402./dev/nd3orabin /oracle/ND3/102_64 jfs2 Dec 03 12:00 rw,log=/dev/loglv0003.root@kopsxsap003d:# oslevel04.6.1.0.005.root@kopsxsap003d:# ls -ald /oracle/ND3/102_6406.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 /oracle/ND3/102_6407.root@kopsxsap003d:# su - orand308.kopsxsap003d:orand3 1> cd /oracle/ND3/102_6409.kopsxsap003d:orand3 2> pwd10./oracle/ND3/102_6411.kopsxsap003d:orand3 3> ls | head12.MOPatch13.OPatch14.OPatch_old15.admin16.assistants17.bali18.bin19.ccr20.ccr_stage21.cdata22.kopsxsap003d:orand3 4> logout23.root@kopsxsap003d:#Now we simulate how the underneath mount point permission affects the users after mounting:
1.root@kopsxsap003d:# umount /oracle/ND3/102_642.root@kopsxsap003d:# ls -ald /oracle/ND3/102_643.drwxr-xr-x 2 root system 256 Aug 23 11:16 /oracle/ND3/102_644.root@kopsxsap003d:#.
As you can see it changed ownership from orand3:dba to root:system after unmounting (because in reality after unmounting /oracle/ND3/102_64 is just a directory on higer level filesystem like /oracle or /oracle/ND3):
1.root@kopsxsap003d:# mount /oracle/ND3/102_642.root@kopsxsap003d:# ls -ald /oracle/ND3/102_643.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 /oracle/ND3/102_644.root@kopsxsap003d:# umount /oracle/ND3/102_645.root@kopsxsap003d:# ls -ald /oracle/ND3/102_646.drwxr-xr-x 2 root system 256 Aug 23 11:16 /oracle/ND3/102_64OK, we want to show how the normal (i.e. non-root users) react to mount point directory that is not allowing access for them:
1.root@kopsxsap003d:# chmod 700 /oracle/ND3/102_642.root@kopsxsap003d:# ls -ald /oracle/ND3/102_643.drwx------ 2 root system 256 Aug 23 11:16 /oracle/ND3/102_644.root@kopsxsap003d:# mount /oracle/ND3/102_645.root@kopsxsap003d:# ls -ald /oracle/ND3/102_646.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 /oracle/ND3/102_64See?, after the mounting it changed to 755 orand3:dba , but underneath it is still root:system with 700. So what should do the AIX kernel perform ? Let’s see…
01.root@kopsxsap003d:# su - orand302.kopsxsap003d:orand3 1> cd /oracle/ND3/102_6403.kopsxsap003d:orand3 2> pwd04.<strong>pwd: The file access permissions do not allow the specified action.</strong>05.kopsxsap003d:orand3 3> ls | head06.MOPatch07.OPatch08.OPatch_old09.admin10.assistants11.bali12.bin13.ccr14.ccr_stage15.cdata16.kopsxsap003d:orand3 4> logout17.root@kopsxsap003d:# umount /oracle/ND3/102_6418.root@kopsxsap003d:# ls -ald /oracle/ND3/102_6419.drwx------ 2 root system 256 Aug 23 11:16 /oracle/ND3/102_6420.root@kopsxsap003d:#As it was demonstrated underneath mount point permission DO HAVE an affect on non-root users for pwd command if they are not clearly visible. What’s even more interesting that typical libc routines for opening dir, reading dor – they works just fine. It is just a matter of pwd command.
Ok – let’s fix it…
1.root@kopsxsap003d:# chmod 755 /oracle/ND3/102_642.root@kopsxsap003d:# mount /oracle/ND3/102_643.root@kopsxsap003d:# su - orand34.kopsxsap003d:orand3 1> cd /oracle/ND3/102_645.kopsxsap003d:orand3 2> pwd6./oracle/ND3/102_647.kopsxsap003d:orand3 3>So what is really pwd command doing?
1.kopsxsap003d:orand3 1> type pwd2.pwd is a shell builtin.3.kopsxsap003d:orand3 2> echo $SHELL4./usr/bin/csh5.kopsxsap003d:orand3 3> /usr/bin/pwd6./oracle/ND37.kopsxsap003d:orand3 4>So you have an interal pwd command (for shell) but also real command in /usr/bin. Let’s see what’s happening there:
01.root@kopsxsap003d:# umount /oracle/ND3/102_6402.root@kopsxsap003d:# chmod 700 /oracle/ND3/102_6403.root@kopsxsap003d:# mount /oracle/ND3/102_6404.root@kopsxsap003d:# su - orand305.kopsxsap003d:orand3 1> cd /oracle/ND3/102_6406.kopsxsap003d:orand3 2> pwd07.pwd: The file access permissions do not allow the specified action.08.kopsxsap003d:orand3 3> /usr/bin/pwd09.pwd: The file access permissions do not allow the specified action.10.kopsxsap003d:orand3 4> truss /usr/bin/pwd11.execve("/usr/bin/pwd", 0x2FF22984, 0x20012ED8) argc: 112.sbrk(0x00000000) = 0x2000104C13.vmgetinfo(0x2FF21370, 7, 16) = 014.sbrk(0x00000000) = 0x2000104C15.sbrk(0x00000004) = 0x2000104C16.(..)17.statx("/", 0x2FF21178, 176, 020) = 018.statx("./", 0x2FF21178, 176, 020) = 019.statx("./../", 0x2FF21010, 128, 010) Err#13 EACCES20.access("/usr/lib/nls/msg/en_US/libc.cat", 0) = 021._getpid() = 884748422.kopen("/usr/lib/nls/msg/en_US/libc.cat", O_RDONLY) = 323.(..)24.pwdkwrite(2, " p w d", 3) = 325.: kwrite(2, " : ", 2) = 226.The file access permissions do not allow the specified action.kwrite(2, " T h e f i l e a c c".., 62) = 6227. 28.(..)29._exit(1)30.kopsxsap003d:orand3 5>So the the truth is hidden in EACCES return code for the statx() syscall.
01.kopsxsap003d:orand3 11> cd /oracle/ND3/102_6402.kopsxsap003d:orand3 12> ls | head03.MOPatch04.OPatch05.OPatch_old06.admin07.assistants08.bali09.bin10.ccr11.ccr_stage12.cdata13.kopsxsap003d:orand3 13> ls -ald /oracle/ND3/102_6414.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 /oracle/ND3/102_6415.kopsxsap003d:orand3 14> ls -al /oracle/ND3/102_64/|head16.ls: 0653-345 /oracle/ND3/102_64/..: Permission denied.17.total 28018.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 .19.drwxr-x--- 35 orand3 dba 4096 Aug 23 12:45 .patch_storage20.drwxr-xr-x 2 orand3 dba 256 May 10 2010 MOPatch21.drwxr-xr-x 7 orand3 dba 4096 Nov 16 2009 OPatch22.drwxr-x--- 5 orand3 dba 256 Aug 23 12:27 OPatch_old23.drwxr-xr-x 3 orand3 dba 256 Aug 23 13:36 admin24.drwxr-x--- 7 orand3 dba 256 Aug 23 12:18 assistants25.drwxr-x--- 3 orand3 dba 256 Aug 23 12:18 bali26.drwxr-xr-x 2 orand3 dba 16384 Aug 23 12:45 bin27.kopsxsap003d:orand3 15> ls -al .28.ls: 0653-341 The fil does not exist.29.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 .30.kopsxsap003d:orand3 16> ls -al .31.ls: 0653-345 ./..: Permission denied.32.total 28033.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 .34.drwxr-x--- 35 orand3 dba 4096 Aug 23 12:45 .patch_storage35.drwxr-xr-x 2 orand3 dba 256 May 10 2010 MOPatch36.drwxr-xr-x 7 orand3 dba 4096 Nov 16 2009 OPatch37.drwxr-x--- 5 orand3 dba 256 Aug 23 12:27 OPatch_old38.drwxr-xr-x 3 orand3 dba 256 Aug 23 13:36 admin39.drwxr-x--- 7 orand3 dba 256 Aug 23 12:18 assistants40.drwxr-x--- 3 orand3 dba 256 Aug 23 12:18 bali41.[..]42.kopsxsap003d:orand3 19> ls -ald .43.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 .44.kopsxsap003d:orand3 20> ls -ald ./..45.ls: 0653-345 ./..: Permission denied.46.kopsxsap003d:orand3 21> ls -ald ./../..47.ls: 0653-345 ./../..: Permission denied.48.kopsxsap003d:orand3 22> ls -ald /oracle/ND3/102_6449.drwxr-xr-x 74 orand3 dba 4096 Sep 28 06:44 /oracle/ND3/102_6450.kopsxsap003d:orand3 23>As you saw if you are planning some non-root users (e.g. Oracle in this case) to properly work on mounted filesystems under AIX you need to have proper permissions on the mount point dir first before mounting. Ther e is no escape from this. All comes to the definition of the stat() faimiliy of system calls:
1.Description2. 3.The stat subroutine obtains information about the file named by the Path parameter. Read, write, or execute4.permission for the named file is not required, but all directories listed in the path leading to the file must be5.<strong>searchable</strong>. The file information, which is a subset of the stat structure, is written to the area specified by the6.Buffer parameter.“Searchable” for directory in UNIX means “+x” , so someone has to have execute bit set (+x) on the directory in order it to be searchable for system calls.
Subscribe to Article
Print Article
Email Article to Friend
Export to PDF
Export to MS Word