AIX, user gets “pwd: The file access permissions do not allow the specified action.”

Just a short demonstration that file permissions matter on directories used as mount points under AIX 6.1. Let’s say we have a properly running system where the Oracle software owner user “orand3” can access everything (the pwd and ls commands work):

root@kopsxsap003d:# mount | grep 102_64
         /dev/nd3orabin   /oracle/ND3/102_64 jfs2   Dec 03 12:00 rw,log=/dev/loglv00
root@kopsxsap003d:# oslevel
6.1.0.0
root@kopsxsap003d:# ls -ald /oracle/ND3/102_64
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 /oracle/ND3/102_64
root@kopsxsap003d:# su - orand3
kopsxsap003d:orand3 1> cd /oracle/ND3/102_64
kopsxsap003d:orand3 2> pwd
/oracle/ND3/102_64
kopsxsap003d:orand3 3> ls | head
MOPatch
OPatch
OPatch_old
admin
assistants
bali
bin
ccr
ccr_stage
cdata
kopsxsap003d:orand3 4> logout
root@kopsxsap003d:#

Now we simulate how the permissions of the underlying mount point directory affect users after mounting:

root@kopsxsap003d:# umount /oracle/ND3/102_64
root@kopsxsap003d:# ls -ald /oracle/ND3/102_64
drwxr-xr-x    2 root     system          256 Aug 23 11:16 /oracle/ND3/102_64
root@kopsxsap003d:#

As you can see, ownership changed from orand3:dba to root:system after unmounting (because in reality, after unmounting, /oracle/ND3/102_64 is just a directory on a higher-level filesystem like /oracle or /oracle/ND3):

root@kopsxsap003d:# mount /oracle/ND3/102_64
root@kopsxsap003d:# ls -ald /oracle/ND3/102_64
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 /oracle/ND3/102_64
root@kopsxsap003d:# umount /oracle/ND3/102_64
root@kopsxsap003d:# ls -ald /oracle/ND3/102_64
drwxr-xr-x    2 root     system          256 Aug 23 11:16 /oracle/ND3/102_64

OK, we want to show how normal (i.e. non-root) users are affected by a mount point directory that does not allow them access:

root@kopsxsap003d:# chmod 700 /oracle/ND3/102_64
root@kopsxsap003d:# ls -ald /oracle/ND3/102_64
drwx------    2 root     system          256 Aug 23 11:16 /oracle/ND3/102_64
root@kopsxsap003d:# mount /oracle/ND3/102_64
root@kopsxsap003d:# ls -ald /oracle/ND3/102_64
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 /oracle/ND3/102_64

See? After mounting it changed to 755 orand3:dba, but underneath it is still root:system with 700. So what should the AIX kernel do? Let’s see…

root@kopsxsap003d:# su - orand3
kopsxsap003d:orand3 1> cd /oracle/ND3/102_64
kopsxsap003d:orand3 2> pwd
pwd: The file access permissions do not allow the specified action.
kopsxsap003d:orand3 3> ls | head
MOPatch
OPatch
OPatch_old
admin
assistants
bali
bin
ccr
ccr_stage
cdata
kopsxsap003d:orand3 4> logout
root@kopsxsap003d:# umount /oracle/ND3/102_64
root@kopsxsap003d:# ls -ald /oracle/ND3/102_64
drwx------    2 root     system          256 Aug 23 11:16 /oracle/ND3/102_64
root@kopsxsap003d:#

As demonstrated, the permissions of the underlying mount point directory DO HAVE an effect on non-root users for the pwd command, even though they are not clearly visible. What’s even more interesting is that the typical libc routines for opening and reading a directory work just fine. It is just a matter of the pwd command.

Ok – let’s fix it…

root@kopsxsap003d:# chmod 755 /oracle/ND3/102_64
root@kopsxsap003d:# mount /oracle/ND3/102_64
root@kopsxsap003d:# su - orand3
kopsxsap003d:orand3 1> cd /oracle/ND3/102_64
kopsxsap003d:orand3 2> pwd
/oracle/ND3/102_64
kopsxsap003d:orand3 3>

So what is the pwd command really doing?

kopsxsap003d:orand3 1> type pwd
pwd is a shell builtin.
kopsxsap003d:orand3 2> echo $SHELL
/usr/bin/csh
kopsxsap003d:orand3 3> /usr/bin/pwd
/oracle/ND3
kopsxsap003d:orand3 4>

So you have an internal pwd command (a shell builtin) but also a real command in /usr/bin. Let’s see what’s happening there:

root@kopsxsap003d:# umount /oracle/ND3/102_64
root@kopsxsap003d:# chmod 700 /oracle/ND3/102_64
root@kopsxsap003d:# mount /oracle/ND3/102_64
root@kopsxsap003d:# su - orand3
kopsxsap003d:orand3 1> cd /oracle/ND3/102_64
kopsxsap003d:orand3 2> pwd
pwd: The file access permissions do not allow the specified action.
kopsxsap003d:orand3 3> /usr/bin/pwd
pwd: The file access permissions do not allow the specified action.
kopsxsap003d:orand3 4> truss /usr/bin/pwd
execve("/usr/bin/pwd", 0x2FF22984, 0x20012ED8)   argc: 1
sbrk(0x00000000)                                = 0x2000104C
vmgetinfo(0x2FF21370, 7, 16)                    = 0
sbrk(0x00000000)                                = 0x2000104C
sbrk(0x00000004)                                = 0x2000104C
(..)
statx("/", 0x2FF21178, 176, 020)                = 0
statx("./", 0x2FF21178, 176, 020)               = 0
statx("./../", 0x2FF21010, 128, 010)            Err#13 EACCES
access("/usr/lib/nls/msg/en_US/libc.cat", 0)    = 0
_getpid()                                       = 8847484
kopen("/usr/lib/nls/msg/en_US/libc.cat", O_RDONLY) = 3
(..)
pwdkwrite(2, " p w d", 3)                               = 3
: kwrite(2, " :  ", 2)                          = 2
The file access permissions do not allow the specified action.kwrite(2, " T h e   f i l e   a c c".., 62)       = 62

(..)
_exit(1)
kopsxsap003d:orand3 5>

So the truth is hidden in the EACCES return code of the statx() syscall.

kopsxsap003d:orand3 11> cd /oracle/ND3/102_64
kopsxsap003d:orand3 12> ls | head
MOPatch
OPatch
OPatch_old
admin
assistants
bali
bin
ccr
ccr_stage
cdata
kopsxsap003d:orand3 13> ls -ald /oracle/ND3/102_64
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 /oracle/ND3/102_64
kopsxsap003d:orand3 14> ls -al /oracle/ND3/102_64/|head
ls: 0653-345 /oracle/ND3/102_64/..: Permission denied.
total 280
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 .
drwxr-x---   35 orand3   dba            4096 Aug 23 12:45 .patch_storage
drwxr-xr-x    2 orand3   dba             256 May 10 2010  MOPatch
drwxr-xr-x    7 orand3   dba            4096 Nov 16 2009  OPatch
drwxr-x---    5 orand3   dba             256 Aug 23 12:27 OPatch_old
drwxr-xr-x    3 orand3   dba             256 Aug 23 13:36 admin
drwxr-x---    7 orand3   dba             256 Aug 23 12:18 assistants
drwxr-x---    3 orand3   dba             256 Aug 23 12:18 bali
drwxr-xr-x    2 orand3   dba           16384 Aug 23 12:45 bin
kopsxsap003d:orand3 15> ls -al .
ls: 0653-341 The fil does not exist.
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 .
kopsxsap003d:orand3 16> ls -al .
ls: 0653-345 ./..: Permission denied.
total 280
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 .
drwxr-x---   35 orand3   dba            4096 Aug 23 12:45 .patch_storage
drwxr-xr-x    2 orand3   dba             256 May 10 2010  MOPatch
drwxr-xr-x    7 orand3   dba            4096 Nov 16 2009  OPatch
drwxr-x---    5 orand3   dba             256 Aug 23 12:27 OPatch_old
drwxr-xr-x    3 orand3   dba             256 Aug 23 13:36 admin
drwxr-x---    7 orand3   dba             256 Aug 23 12:18 assistants
drwxr-x---    3 orand3   dba             256 Aug 23 12:18 bali
[..]
kopsxsap003d:orand3 19> ls -ald .
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 .
kopsxsap003d:orand3 20> ls -ald ./..
ls: 0653-345 ./..: Permission denied.
kopsxsap003d:orand3 21> ls -ald ./../..
ls: 0653-345 ./../..: Permission denied.
kopsxsap003d:orand3 22> ls -ald /oracle/ND3/102_64
drwxr-xr-x   74 orand3   dba            4096 Sep 28 06:44 /oracle/ND3/102_64
kopsxsap003d:orand3 23>

As you saw, if you plan for non-root users (e.g. Oracle in this case) to work properly on mounted filesystems under AIX, you need to set proper permissions on the mount point directory before mounting. There is no escape from this. It all comes down to the definition of the stat() family of system calls:

Description

       The stat subroutine obtains information about the file named by the Path parameter. Read, write, or execute
       permission for the named file is not required, but all directories listed in the path leading to the file must be
       searchable. The file information, which is a subset of the stat structure, is written to the area specified by the
       Buffer parameter.

“Searchable” for a directory in UNIX means “+x”, so a user has to have the execute bit (+x) set on the directory for it to be searchable by system calls.

-J.

7 Responses to “AIX, user gets “pwd: The file access permissions do not allow the specified action.””

  1. Gerald says:

    Excellent post: it solved my problem and saved my day :-)

  2. Ajit Gunge says:

    Hi,
    I am getting the following error; maybe you can help me with this:

    tar -xvf my_patch
    /dsd: The file access permissions do not allow the specified action.
    /dsd/user/XYZ: A file or directory in the path name does not exist.

    The my_patch file is a tar file that I have created on a different server that had the /dsd directory, but where I am untarring it the directory does not exist. What is it that I am missing here?

  3. Dmytro says:

    Many thanks!

    After hours of annoying digging, mountpoint permissions appear to be the root cause.

  4. Amritendu says:

    Fabulous man ….. very good explanation …..

  5. Walter says:

    I think this is a bug in AIX. What’s your meaning?

  6. admin says:

    I would say no, just wanted to explain to a co-worker the behaviour and possible culprit.
