Hi,
This is really bizarre, I’m hoping someone has a clever idea for me.
Basically: I have a fresh Rocky 9 install. I did a minimal install and added a handful of packages. I enabled one of the security profiles when installing, so SELinux is running. The system is headless now so all access is via ssh.
The system has a handful of users, one of which is able to use sudo and become root.
I’ve been setting up the system and had basically no problems (I used CentOS 6 and 7 and briefly 8, so I am generally familiar with the RHEL way of doing stuff). No problems until I tried to ssh in and clone a git repo as one of the normal (non-root) users; then I got this unusual error:
fatal: cannot copy '/usr/share/git-core/templates/hooks/fsmonitor-watchman.sample' to '/home/[user]/[directory]/.git/hooks/fsmonitor-watchman.sample': Operation not permitted
I checked some obvious things:
- The user is able to enter /usr/share/git-core/templates/hooks/ and list all of the files in the directory; all files in the directory give read access to everyone (they’re all 0755)
- The user is clearly able to read and write files in its own home directory
- The user is able to view (using e.g. vim or cat) every file in that directory except that one
- As root, the file is accessible normally
So it’s weird. Permissions/access on that file are not different than the other ones in that directory. For fun, as root, I copied the file to the user’s home directory, chown’ed it to the user, chmod 0666, and the user still can’t open it (e.g. if I try to cat the file, cat says “Operation not permitted”).
After some digging, I found out what’s different about the file: it’s a perl script. Specifically, it starts with
#!/usr/bin/perl
To summarize what I’ve found after some more digging:
- Every user that isn’t root on this system exhibits the same behavior
- If I have a file, for example, test.pl, with the contents
use warnings;
print("Hello\n");
… I can view, edit, create, and execute it as any user (by executing perl test.pl), no problem
- Any user that is not root is not able to view, edit, or execute any file that starts with the perl shebang
- If I make a copy of the offending git script, the copy has the same problems
- If I delete the shebang line from that file, the problem magically goes away
- If, as the user, I create a file that starts with the perl shebang, once I save the file I cannot re-open, view, or execute it
- Files with, for example, a bash shebang, give no problems. Only perl
- As far as I can tell, SELinux is not involved. I don’t see any DENY messages in audit.log, audit2why doesn’t see anything amiss, and if I temporarily switch it to permissive, the behavior doesn’t change
- Perl itself seems to work fine; as root I can do things and as non-root users I can write, edit, and execute perl scripts as long as they don’t start with the shebang
- There’s no noise in any log files that I can see; nothing in the systemd journal, nothing in audit.log, nothing in /var/log/messages
I’ve spent at least half an hour searching the web for anything like this but don’t see anything useful. I’ve used Linux on and off for nearly 25 years now, and though I wouldn’t claim to be an expert I hope that I haven’t missed anything stupidly obvious, though at this point if I did I’ll be happy to take my lumps and move on.
Any thoughts?
Thanks!
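A minimal reproducer for the experiment described in the post above, written here as an added example (it is not the poster's own script): it creates three small files that differ only in their first line (perl shebang, bash shebang, no shebang), tries to read each one as the invoking user, and records the exact error text rather than just pass/fail, because "Operation not permitted" (EPERM) is a different failure from the "Permission denied" (EACCES) that ordinary mode bits produce, and that distinction is worth having in the thread. It also prints the current SELinux mode and, when the file utility is installed, what libmagic thinks each probe file is, since the only thing the poster found to differ is the shebang. The file names, the temp directory, and the optional mime-type check are my assumptions; the script needs only a POSIX shell, mktemp, cat and sed.

```shell
#!/bin/sh
# Reproducer for "non-root users cannot read files that start with #!/usr/bin/perl".
# Run as one of the affected non-root users. Exit status 0 means every probe
# file was readable; 1 means at least one read failed (the symptom in the post).

# Create three probe files that differ only in their first line and
# print the directory that holds them. Names are arbitrary (assumption).
make_probe_files() {
    dir=$(mktemp -d)
    printf '#!/usr/bin/perl\nprint("Hello\\n");\n' > "$dir/perl_shebang.pl"
    printf '#!/bin/bash\necho Hello\n'              > "$dir/bash_shebang.sh"
    printf 'print("Hello\\n");\n'                   > "$dir/no_shebang.pl"
    chmod 0755 "$dir"/*
    echo "$dir"
}

# Try to read one file. Prints "ok" on success, otherwise the exact error text
# from cat with the "cat: <path>: " prefix stripped, so EPERM ("Operation not
# permitted") and EACCES ("Permission denied") stay distinguishable.
read_result() {
    err=$(cat "$1" 2>&1 >/dev/null) && echo ok || echo "$err" | sed 's/.*: //'
}

# Run the whole experiment: one line per probe file plus an SELinux mode line.
probe_readability() {
    dir=$(make_probe_files)
    status=0
    printf 'selinux=%s\n' "$(getenforce 2>/dev/null || echo unavailable)"
    for f in perl_shebang.pl bash_shebang.sh no_shebang.pl; do
        r=$(read_result "$dir/$f")
        [ "$r" = ok ] || status=1
        printf '%s: read=%s' "$f" "$r"
        # Show how the first line changes libmagic's classification, if file(1) exists.
        if command -v file >/dev/null 2>&1; then
            printf ' mime=%s' "$(file -b --mime-type "$dir/$f")"
        fi
        printf '\n'
    done
    rm -rf "$dir"
    return $status
}

probe_readability
```

On an unaffected host every line reports read=ok and the script exits 0; on a host showing the behaviour described in the post, the perl_shebang.pl line should carry the literal error string, and the selinux= line lets you record whether the result changes between enforcing and permissive, which is the check the poster already performed by hand.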