Problem Statement
How do you troubleshoot permission denied errors? Describe the systematic approach to identifying and fixing permission issues.
Explanation
Start by identifying which operation failed and which user performed it. Check the file's permissions with ls -l filename, which shows the owner, group, and permission bits. Check the user's identity and groups with id username, or with whoami and groups. Match the user's groups against the file's group to understand which access level applies. Use the ls -l output to check whether special permissions (setuid, setgid, sticky bit) are involved.
Verify directory permissions in the path. To access a file, you need execute permission on all parent directories. Example: accessing /home/user/data/file.txt requires execute on /, /home, /home/user, and /home/user/data, plus read on file.txt. Use namei -l /path/to/file to show permissions for entire path, identifying where access fails.
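The class matching and path walk described above can be scripted; the following is an added example, not part of the original answer, that reports the first path component whose mode bits deny a given uid and group list. The function names class_digit and first_blocked are hypothetical, GNU stat on Linux is assumed, and ACLs, SELinux and uid 0 overrides are not modelled.

```shell
#!/bin/sh
# Added example: walk a path the way `namei -l` displays it and report the
# first component whose mode bits deny the given identity.
# Assumes Linux with GNU stat. Not modelled: ACLs, SELinux, uid 0 overrides.

# class_digit MODE OWNER GROUP UID GIDS -> "<class> <octal digit>"
# Exactly one class applies: owner, else group, else other.
class_digit() {
    cd_m=$(printf '%04d' "$1"); cd_m=${cd_m#?}   # drop setuid/setgid/sticky digit
    if [ "$4" = "$2" ]; then echo "owner ${cd_m%??}"; return 0; fi
    for cd_g in $5; do
        if [ "$cd_g" = "$3" ]; then cd_t=${cd_m#?}; echo "group ${cd_t%?}"; return 0; fi
    done
    echo "other ${cd_m#??}"
}

# first_blocked UID "GIDS" PATH
# Prints "<component> <class> <missing bit>" for the first failure,
# or nothing when every component passes.
first_blocked() {
    fb_uid=$1; fb_gids=$2; fb_path=$3; fb_cur=
    fb_ifs=$IFS; IFS=/; set -f; set -- $fb_path; set +f; IFS=$fb_ifs
    case $fb_path in /*) set -- / "$@" ;; esac    # absolute path: check / as well
    while [ $# -gt 0 ]; do
        fb_c=$1; shift
        [ -n "$fb_c" ] || continue
        case $fb_cur in
            '') fb_cur=$fb_c ;;
            /)  fb_cur=/$fb_c ;;
            *)  fb_cur=$fb_cur/$fb_c ;;
        esac
        # Execute (search) is needed on every parent, read on the final component.
        if [ $# -gt 0 ]; then fb_want=1; fb_bit=x; else fb_want=4; fb_bit=r; fi
        fb_st=$(stat -L -c '%a %u %g' "$fb_cur" 2>/dev/null) ||
            { echo "$fb_cur - stat-failed"; return 0; }
        fb_cd=$(class_digit $fb_st "$fb_uid" "$fb_gids")
        if [ $(( ${fb_cd#* } & fb_want )) -eq 0 ]; then
            echo "$fb_cur ${fb_cd% *} $fb_bit"; return 0
        fi
    done
}

# Run as a script: check the given path for the current user.
if [ $# -gt 0 ]; then first_blocked "$(id -u)" "$(id -G)" "$1"; fi
```

To check another account, pass the output of id -u username and id -G username as the first two arguments. An owner whose owner bits deny access is reported as blocked even when the group bits would allow it, because only one class is ever evaluated.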
Check ACLs with getfacl filename if '+' appears in the ls -l output. ACLs might grant or deny access beyond the standard permissions. If SELinux is enabled, check the SELinux context with ls -Z filename; a wrong context causes permission denied even with correct file permissions. Verify the SELinux mode with getenforce, which shows Enforcing, Permissive, or Disabled. Check the audit log at /var/log/audit/audit.log for SELinux denials.
Common fixes: chmod to adjust file permissions, chown to change ownership, chgrp to change the group, usermod -aG to add the user to the required group (requires logout/login), setfacl to add access for a specific user or group, chcon or restorecon to fix SELinux contexts. For directories, ensure execute permission is set. For shared access, consider creating a shared group, setting group ownership, and using 2770 permissions (rwxrws--- with setgid).
Preventive measures: use umask to set default permissions for new files (e.g., umask 0022 for 644 files, 755 directories), document permission schemes, establish ownership standards for shared directories, use group-based access control over ACLs when possible for simplicity, and test permission changes before applying to production. Understanding permission inheritance and defaults prevents future issues.