chown may clear the setuid and setgid bits on Caché executables
I was recently troubleshooting a problem on a Linux (RHEL) instance of 2016.1 at a site. For policy reasons their sysadmins wanted to update the Caché installation so it used network accounts for its cacheusr and iscagent users and groups instead of the locally-created ones that had been set up during original install of Caché.
To do this they ran various commands, including chown.
Afterwards non-root users couldn't obtain a terminal session using the csession command. Instead they receive this message:
cache: Permission denied
It turned out that the chown command cleared important setuid and setgid bits that had previously been set on certain files in the bin directory.
By consulting a working instance we were able to reinstate the correct bits.
I'm posting this article in case the information is useful to others in the future (including myself, when I forget that I once knew it).
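One way to guard against this, as an added example that is not part of the original post: record the mode of every file carrying a setuid or setgid bit before changing ownership, then compare and restore afterwards. It assumes GNU find and stat (as on RHEL); the function names, the manifest file and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: snapshot and restore setuid/setgid bits around a chown.
# Assumes GNU find/stat and file names without embedded newlines.

# snapshot_special_bits DIR MANIFEST
# Write "<octal mode> <path>" for each regular file under DIR with setuid or setgid set.
snapshot_special_bits() {
    dir=$1 manifest=$2
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} + > "$manifest"
}

# check_special_bits MANIFEST
# Print every file whose mode no longer matches the manifest; return 1 if any differ.
check_special_bits() {
    manifest=$1 drift=0
    while read -r mode path; do
        current=$(stat -c '%a' "$path" 2>/dev/null) || current=missing
        if [ "$current" != "$mode" ]; then
            printf '%s: expected %s, found %s\n' "$path" "$mode" "$current"
            drift=1
        fi
    done < "$manifest"
    return "$drift"
}

# restore_special_bits MANIFEST
# Reapply the recorded modes. Run only after confirming the new owner and group
# are the ones the setuid/setgid bits should apply to.
restore_special_bits() {
    manifest=$1
    while read -r mode path; do
        if [ -e "$path" ]; then
            chmod "$mode" "$path"
        fi
    done < "$manifest"
}

# Typical sequence (placeholders, adjust to the instance):
#   snapshot_special_bits /path/to/instance/bin /root/bin-modes.txt
#   chown -R <new-owner>:<new-group> /path/to/instance/bin
#   check_special_bits /root/bin-modes.txt || restore_special_bits /root/bin-modes.txt
```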
Comments
Just for clarification, this is known behaviour:
info coreutils 'chown invocation':
The `chown' command sometimes clears the set-user-ID or set-group-ID
permission bits. This behavior depends on the policy and functionality
of the underlying `chown' system call, which may make system-dependent
file mode modifications outside the control of the `chown' command.
For example, the `chown' command might not affect those bits when
invoked by a user with appropriate privileges, or when the bits signify
some function other than executable permission (e.g., mandatory
locking). When in doubt, check the underlying system behavior.
And for a little description of how these are relevant see http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY…