I was at a customer’s site the other day, and ran into an issue that I could not really understand.
When logging in on my Linux box, a server I was setting up for a small application, I got the following error message as the first thing on my terminal:
Could not chdir to home directory /app/prd/kmggroup: Permission denied
The background is that the application I am setting up has its home directory in a non-standard location. Let us call the user kmggroup, just for kicks, and say that the home directory is /app/prd/kmggroup. Logging into this user directly, using a password, should be banned anyway, as it is an anonymous user that owns an application. I will write about my preferred way of logging in as anonymous users (e.g. oracle, apache, kmgapp, whatever) in a different post.
At this point, my user “landed” in “/”, but it was still possible to do a “cd /app/prd/kmggroup” to go to that directory. Very annoying, though.
It took me a little while to figure out, as I had just ordered a virtual machine, no preference of flavor. I got a RedHat server, and for me there is not much to say about that.
kmggroup@server.org:/usr/local/samba/etc $cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.0 (Santiago)
I debugged my .bash_profile, the /etc/passwd file, the /etc/profile, tweaking it a bit (adding “echo bappen” to the startup scripts here and there). I realized that the error message appeared even before the /etc/profile script was run, so I got a bit curious.
After searching the topic on the world wide information network, also known as the Internet, I slowly realized that this has to do with SELinux, namely the context settings for the directories.
SELinux is dreaded by the uninitiated, and there are few admins out there who really know how to set it up and live with it properly. (I am one of those, mainly uninitiated).
Enough said about that. Here is my solution to solve the problem, without messing up someone else’s system.
My directories were set up like this:
kmggroup@server.org:/app/prd/kmggroup $ls --context -d /app /app/prd /app/prd/kmggroup
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /app
drwxr-xr-x. kmggroup kmggroup unconfined_u:object_r:default_t:s0 /app/prd
drwxr-xr-x. kmggroup kmggroup unconfined_u:object_r:default_t:s0 /app/prd/kmggroup
Normally, /home is set to the following context:
kmggroup@server.org:/app/prd/kmggroup $ls --context -d /home /home/*
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home
drwx------. apa apa unconfined_u:object_r:user_home_dir_t:s0 /home/apa
My “/app/prd/kmggroup” directory is “special”, as we set it up in a non-default location, where the context was not set yet.
So, a couple of chcon later, the problem was solved:
sudo chcon -t home_root_t /app
sudo chcon -t home_root_t /app/prd
sudo chcon -t user_home_dir_t /app/prd/kmggroup
kmggroup@server.org:/app/prd/kmggroup $ls --context -d /app /app/prd /app/prd/kmggroup
drwxr-x---. kmggroup kmggroup unconfined_u:object_r:home_root_t:s0 /app
drwxr-x---. kmggroup kmggroup unconfined_u:object_r:home_root_t:s0 /app/prd
drwx------. kmggroup kmggroup unconfined_u:object_r:user_home_dir_t:s0 /app/prd/kmggroup
The error message does not appear, and my user ends up in his homedir. After I told the sysadmin at the site, he told me that they are not using SELinux (for good reasons in their environment); he had just forgotten to turn it off before giving me the box.
We both had a good laugh about it.
Have a nice day! //magnus
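The context check behind the fix above, as an added example that is not part of the original post: it reads listings in the five-column `ls --context -d` layout shown in the post and reports every directory on the path whose SELinux type differs from the ones the post ended up with. The function names `selinux_type` and `audit_home_contexts` are hypothetical, and the sample input is the post's own "before" listing.

```shell
#!/bin/sh
# Added example (not from the original post): audit SELinux types on a
# non-standard home directory path.
# Input layout (RHEL 6 `ls --context -d`): mode owner group context path

# Print the type field (third colon-separated part) of an SELinux context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit_home_contexts HOME_DIR < listing
# Expects user_home_dir_t on HOME_DIR itself and home_root_t on every other
# listed directory, matching the labels used in the post.
# Prints one line per mismatch; returns 0 if all match, 1 otherwise.
audit_home_contexts() {
    home_dir=$1
    rc=0
    while read -r _mode _owner _group ctx path; do
        [ -n "$path" ] || continue          # skip blank or short lines
        if [ "$path" = "$home_dir" ]; then
            want=user_home_dir_t
        else
            want=home_root_t
        fi
        have=$(selinux_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf '%s: type %s, expected %s\n' "$path" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Sample input: the "before" listing from the post, embedded for offline use.
SAMPLE_BEFORE='drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /app
drwxr-xr-x. kmggroup kmggroup unconfined_u:object_r:default_t:s0 /app/prd
drwxr-xr-x. kmggroup kmggroup unconfined_u:object_r:default_t:s0 /app/prd/kmggroup'

# Reports all three directories as still carrying default_t.
printf '%s\n' "$SAMPLE_BEFORE" | audit_home_contexts /app/prd/kmggroup || true
```

On a live system, pipe `ls --context -d /app /app/prd /app/prd/kmggroup` into the function instead of the sample. Labels set with chcon are reset by restorecon or a filesystem relabel unless a matching rule is recorded with semanage fcontext.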