traverse path permissions / namei

Written by Walter Doekes

How does one traverse a long path to quickly find out where you lack permissions?

So, I wanted to test some stuff in Debian/Buster. I already had an LXC container through LXD. I just needed to get some source files to the right place.

lxd$ sudo zfs list | grep buster
data/containers/buster-builder  692M  117G  862M
  /var/snap/lxd/common/lxd/storage-pools/data/containers/buster-builder
lxd$ sudo zfs mount data/containers/buster-builder

Make sure there's somewhere I can write:

lxd$ sudo mkdir \
  /var/snap/lxd/common/lxd/storage-pools/data/containers/buster-builder/rootfs/home/osso/walter
lxd$ sudo chown walter \
  /var/snap/lxd/common/lxd/storage-pools/data/containers/buster-builder/rootfs/home/osso/walter

Awesome. Time to rsync some files there.

otherhost$ rsync -va --progress FILES \
  lxd:/var/snap/lxd/common/lxd/storage-pools/data/containers/buster-builder/rootfs/home/osso/walter/
rsync: [Receiver] ERROR: cannot stat destination
  "/var/snap/lxd/common/lxd/storage-pools/data/containers/buster-builder/rootfs/home/osso/walter/":
  Permission denied (13)

Drat! Missing perms.

Now comes the nifty part. Instead of doing an ls -ld on each individual path component, you can use a simple tool whose name I keep forgetting: namei

lxd$ namei -l \
  /var/snap/lxd/common/lxd/storage-pools/data/containers/buster-builder/rootfs/home/osso/walter
f: /var/snap/lxd/common/lxd/storage-pools/data/containers/buster-builder/rootfs/home/osso/walter
drwxr-xr-x root   root    /
drwxr-xr-x root   root    var
drwxr-xr-x root   root    snap
drwxr-xr-x root   root    lxd
drwxr-xr-x root   root    common
drwx--x--x lxd    nogroup lxd
drwx--x--x root   root    storage-pools
drwx--x--x root   root    data
drwx--x--x root   root    containers
d--x------ 100000 root    buster-builder
                          rootfs - Permission denied

Okay. No search (x) permission for me on buster-builder then.

lxd$ sudo chmod 701 \
  /var/snap/lxd/common/lxd/storage-pools/data/containers/buster-builder

Repeat the namei call, and now all is well. Time for that rsync.
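
The check that namei -l lets you do by eye, as an added example that is not part of the original post: a shell function that walks the parent directories of a path and prints the first one a given uid/gid cannot search, judged from mode bits only. The function names, the constructed temp tree and the owner+1 "other" uid are assumptions of this example; it needs a stat that supports -c.

```shell
#!/bin/sh
# Added example, not from the original post. Judges access from mode bits
# only (what `namei -l` shows); ACLs and supplementary groups are ignored.
# Assumes a stat(1) that supports -c (GNU coreutils or busybox).

# can_search MODE OWNER GROUP UID GID: succeed if UID/GID may traverse.
# Exactly one permission class applies: owner, else group, else other.
can_search() {
    mode=$((0$1))                                      # stat prints octal
    if   [ "$4" -eq "$2" ]; then bit=$((mode & 0100))  # owner x
    elif [ "$5" -eq "$3" ]; then bit=$((mode & 0010))  # group x
    else                         bit=$((mode & 0001))  # other x
    fi
    [ "$bit" -ne 0 ]
}

# first_blocker UID GID PATH [START]: print the first directory on the way
# to PATH (taken relative to START, default /) that UID/GID cannot search.
# Prints nothing when every parent directory can be traversed.
first_blocker() {
    uid=$1 gid=$2 rest=${3#/} cur=${4:-/}
    while [ -n "$rest" ]; do
        info=$(stat -c '%a %u %g' "$cur") || return 2
        set -- $info                                   # MODE OWNER GROUP
        if ! can_search "$1" "$2" "$3" "$uid" "$gid"; then
            printf '%s\n' "$cur"
            return 0
        fi
        part=${rest%%/*}                               # next component
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        if [ -n "$part" ]; then cur=${cur%/}/$part; fi
    done
}

# Constructed tree mirroring the modes in the namei listing above.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/containers/buster-builder/rootfs/home"
    chmod -R 755 "$t"
    chmod 711 "$t/containers"
    set -- $(stat -c '%u %g' "$t")
    u=$(($1 + 1)) g=$(($2 + 1))                        # constructed "other" user
    chmod 100 "$t/containers/buster-builder"           # d--x------
    first_blocker "$u" "$g" containers/buster-builder/rootfs/home "$t"
    chmod 701 "$t/containers/buster-builder"           # the fix from the post
    first_blocker "$u" "$g" containers/buster-builder/rootfs/home "$t"
    rm -rf "$t"
}
demo
```

Mode 701 sets the search bit for every local user, not only walter. The namei listing shows the directory started as d--x------ (0100), which is the mode to restore once the copy is done.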

