cd: ..: Permission denied

[gtz42]

I'm running TrueNAS-12.0-U8.1, have a share /mnt/zfspool/share/subshare with normal ACLs configured for sharing via the GUI.

As root, everything works fine, but as a user, i can

Code:

truenas% cd /mnt/
truenas% cd zfspool/
truenas% cd share/
truenas% cd subshare/
truenas% cd ..
cd: ..: Permission denied
truenas% pwd
/mnt/zfspool/share/subshare
truenas% ls -la
ls: ..: Permission denied
total 216
drwxrwxrwx+  7 user  sgroup     15 May  6 17:27 .
-rwxrwxr-x+  1 user  sgroup  12292 Apr  3 13:40 .DS_Store
-rw-r-----   1 user  sgroup   1615 Dec  6  2021 file1
drwxrwx---+  4 user  user        9 Dec  3  2021 dir1
drwxrwxr-x+  3 user  sgroup     29 Jun 11 21:15 dir2
...
truenas% cd /mnt/zfspool/share
truenas% ls -l
total 44
drwxrwxrwx+ 7 user  sgroup  15 May  6 17:27 subshare
drwxrwxr-x+ 3 user  sgroup   4 Apr 19 12:15 subshare2

as root everything works fine:

Code:

root@truenas[/mnt/zfspool/share/subshare]# ls -la
total 227
drwxrwxrwx+  7 user  sgroup     15 May  6 17:27 .
drwxrwx---   4 user  sgroup      4 Mar 26 18:25 ..
-rwxrwxr-x+  1 user  sgroup  12292 Apr  3 13:40 .DS_Store
-rw-r-----   1 user  sgroup   1615 Dec  6  2021 file1
drwxrwx---+  4 user  user        9 Dec  3  2021 dir1
drwxrwxr-x+  3 user  sgroup     29 Jun 11 21:15 dir2
...
root@truenas[/mnt/zfspool/share/subshare]# getfacl ..
# file: ..
# owner: user
# group: sgroup
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
root@truenas[/mnt/zfspool/share/subshare]# cd ..
root@truenas[/mnt/zfspool/share]# getfacl .
# file: .
# owner: user
# group: sgroup
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
root@truenas[/mnt/zfspool/share]# getfacl subshare
# file: subshare
# owner: user
# group: sgroup
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow

I had used setfacl -b .., that removed all acls (I've no idea what they where) but did not help.

Any hints appriciated.

 

[anodos]

cd into the dir in question then run the command:
truss -o /tmp/truss.out stat ..

The attach here.

 

[anodos]

Oh, nevermind. I realized you were running as a regular user. You probably have removed execute on the path component.

 

[anodos]

What is output of id for your user?

 

[gtz42]

switched shell for user to bash, for better prompt:

Code:

[user@truenas /mnt]$ id
uid=1026(user) gid=1026(user) groups=1026(user),20(staff),1000(sgroup)

Code:

root@truenas[/mnt/zfspool/share]# stat -s .
st_dev=11512972917072854447 st_ino=34 st_mode=040777 st_nlink=4 st_uid=1026 st_gid=1000 st_rdev=18446744073709551615 st_size=4 st_atime=1613312724 st_mtime=1648315551 st_ctime=1655327961 st_birthtime=1606341671 st_blksize=4096 st_blocks=22 st_flags=2048
root@truenas[/mnt/zfspool/share]# cd subshare
root@truenas[/mnt/zfspool/share/subshare]# stat -s ..
st_dev=11512972917072854447 st_ino=34 st_mode=040777 st_nlink=4 st_uid=1026 st_gid=1000 st_rdev=18446744073709551615 st_size=4 st_atime=1613312724 st_mtime=1648315551 st_ctime=1655327961 st_birthtime=1606341671 st_blksize=4096 st_blocks=22 st_flags=2048

Code:

[user@truenas /mnt/zfspool/share]$ stat -s .
st_dev=11512972917072854447 st_ino=34 st_mode=040777 st_nlink=4 st_uid=1026 st_gid=1000 st_rdev=18446744073709551615 st_size=4 st_atime=1613312724 st_mtime=1648315551 st_ctime=1655327961 st_birthtime=1606341671 st_blksize=4096 st_blocks=22 st_flags=2048
[user@truenas /mnt/zfspool/share]$ cd subshare/
[user@truenas /mnt/zfspool/share/subshare]$ stat -s ..
stat: ..: stat: Permission denied

The difference between running as user vs root in truss.out is:

Code:

-fstatat(AT_FDCWD,"..",0x7fffffffe9b0,AT_SYMLINK_NOFOLLOW) ERR#13 'Permission denied'
+fstatat(AT_FDCWD,"..",{ mode=drwxrwxrwx ,inode=34,size=4,blksize=4096 },AT_SYMLINK_NOFOLLOW) = 0 (0x0)
+fstat(1,{ mode=crw--w---- ,inode=408,size=0,blksize=4096 }) = 0 (0x0)

followed by some lookups for the successful case as root.

 

[anodos]

Oh, I take it this is through an NFS mount and not local access (based on GIDs for your user in `id` output). Can you retest in an SSH session using the relevant users. Also use `getfacl -n` to show numeric ids (and give local `id` output on your server).

 

[gtz42]

All commands where executed on the truenas system, logged in via ssh.
Id’s are “high” because of NFS and historic reasons.

 

[anodos]

All commands where executed on the truenas system, logged in via ssh.
Id’s are “high” because of NFS and historic reasons.

Hmm... okay misread that last night. I can't reproduce. Can you PM me a debug?

 

[gtz42]

Sure, what do you need me to send you?

 

[anodos]

Sure, what do you need me to send you?

System->Advanced->Save Debug.