grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Tue Aug 21, 2018 1:18 pm Post subject: /var/empty created with wrong permissions

One of my systems is wiped on reboot and starts out with no /var/empty so it is created automatically. The problem is it's created with group write permission and sshd won't start until I remove that. Can I tell the system to create /var/empty with the correct permissions?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Tue Aug 21, 2018 1:35 pm Post subject: Re: /var/empty created with wrong permissions

grant123 wrote:
    One of my systems is wiped on reboot and starts out with no /var/empty so it is created automatically. The problem is it's created with group write permission and sshd won't start until I remove that. Can I tell the system to create /var/empty with the correct permissions?

grant123 ... that directory is provided by net-misc/openssh:
Code:
    % equery belongs -e /var/empty
    * Searching for /var/empty ...
    net-misc/openssh-7.7_p1-r6 (/var/empty)
    % equery belongs -e /var/empty/.keep_net-misc_openssh-0
    * Searching for /var/empty/.keep_net-misc_openssh-0 ...
    net-misc/openssh-7.7_p1-r6 (/var/empty/.keep_net-misc_openssh-0)
... so, you/I should probably ask: what's "wiping" it, and why?
best ... khay
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6220 Location: Dallas area
Posted: Tue Aug 21, 2018 1:46 pm Post subject:

You could modify the init.d script, but khayyam is correct, it shouldn't be being deleted.
Code:
    ls -la /var/empty
    total 0
    drwxr-xr-x 1 root root 48 Jun 27 04:15 .
    drwxr-xr-x 1 root root 140 Oct 22 2015 ..
    -rw-r--r-- 1 root root 0 Jun 27 04:15 .keep_net-misc_openssh-0
Both the directory and the .keep* file are put there by openssh.
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Tue Aug 21, 2018 1:47 pm Post subject:

Hi Khay, my script is wiping it along with everything else I found that could handle being wiped, so the system starts as clean as possible. So basically openssh is creating the directory when it is missing, but it's creating it with the wrong permissions.
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Tue Aug 21, 2018 1:50 pm Post subject:

That would definitely work, but I'm trying to get the freshest start I can. Shouldn't ssh know how to create the dir properly?
FWIW, in 7.5 the dir was either created properly or ssh would start after creating it improperly, but now in 7.7 it does not.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6220 Location: Dallas area
Posted: Tue Aug 21, 2018 2:17 pm Post subject:

You shouldn't be deleting directories just because they're empty.
And any directory that has a .keep* file is there for a reason; it usually means that directory NEEDS to stay there.
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Tue Aug 21, 2018 2:45 pm Post subject:

Won't a new ssh user be hit with this the first time they install openssh?
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10732 Location: Somewhere over Atlanta, Georgia
Posted: Tue Aug 21, 2018 2:51 pm Post subject:

Code:
    secmt-service01 ~ # equery files openssh | grep empty
    /var/empty
    /var/empty/.keep_net-misc_openssh-0
Nope.
- John
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6220 Location: Dallas area
Posted: Tue Aug 21, 2018 2:51 pm Post subject:

grant123 wrote:
    Won't a new ssh user be hit with this the first time they install openssh?

"emerge openssh" installs /var if it doesn't exist, /var/empty if it doesn't exist, and then the .keep* file.
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Tue Aug 21, 2018 3:44 pm Post subject:

Ok, so openssh installation does it right, but sshd execution does it wrong.
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10732 Location: Somewhere over Atlanta, Georgia
Posted: Tue Aug 21, 2018 4:23 pm Post subject:

Well, mine doesn't exhibit this issue, so you've probably not found the root cause of what's cleaning up that directory. The proximate cause of the bad permissions appears to be in the sshd init script on this line:
Code:
    checkpath --directory "${RC_PREFIX%/}/var/empty"
Change this to
Code:
    checkpath --directory --mode 0755 "${RC_PREFIX%/}/var/empty"
and report results, please.
Although this probably works, I'm not convinced that it's the right thing to do. An init script shouldn't be required to recover from all (or maybe even any) package installation damage. Then again, it does undertake to create the directory if it's not there, so it should probably do it right.
- John
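To see what the explicit mode changes, here is an added example (not code from the thread, from OpenRC's checkpath, or from the openssh init script) that creates a scratch directory the way the old line effectively did and the way the fixed line does, then applies the same writability test sshd makes on its privilege-separation directory. It assumes POSIX sh with ls(1) and mktemp(1); the root-ownership part of sshd's check is skipped so it runs unprivileged.

```sh
# Added example, not from the thread or the openssh init script.
# Assumes POSIX sh with ls(1) and mktemp(1); works in a scratch tree, never in /var/empty.

# Mirror the test sshd applies to its privilege-separation directory:
# it must exist, be a directory, and must not be group- or world-writable.
# (sshd also requires root ownership; skipped here so the demo runs unprivileged.)
privsep_dir_ok() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1")" in
        d????w*)    return 1 ;;   # 6th mode char: group write bit set
        d???????w*) return 1 ;;   # 9th mode char: world write bit set
    esac
    return 0
}

# The old init-script line passed no --mode, so the directory came out group-writable.
# Simulated here with mkdir under a 002 umask, which yields mode 0775.
create_like_old_script() {
    (umask 002; mkdir -p "$1")
}

# The corrected line forces the mode, equivalent to
#   checkpath --directory --mode 0755 "${RC_PREFIX%/}/var/empty"
create_like_fixed_script() {
    mkdir -p "$1" && chmod 0755 "$1"
}

# Build both variants in a throwaway tree and report which one sshd would accept.
demo() {
    base=$(mktemp -d)
    create_like_old_script "$base/empty.old"
    create_like_fixed_script "$base/empty.fixed"
    for d in "$base/empty.old" "$base/empty.fixed"; do
        if privsep_dir_ok "$d"; then
            echo "ok:  $d"
        else
            echo "bad: $d ($(ls -ld "$d" | cut -c1-10))"
        fi
    done
    rm -rf "$base"
}

demo
```

The same `privsep_dir_ok` check can be pointed at the real /var/empty after boot to confirm the directory sshd will see, before sshd itself refuses to start.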
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6220 Location: Dallas area
Posted: Tue Aug 21, 2018 4:34 pm Post subject:

John R. Graham wrote:
    Well, mine doesn't exhibit this issue, so you've probably not found the root cause of what's cleaning up that directory. The proximate cause of the bad permissions appears to be in the sshd init script on this line:
    Code:
        checkpath --directory "${RC_PREFIX%/}/var/empty"
    Change this to
    Code:
        checkpath --directory --mode 0755 "${RC_PREFIX%/}/var/empty"
    and report results, please.
    Although this probably works, I'm not convinced that it's the right thing to do. An init script shouldn't be required to recover from all (or maybe even any) package installation damage. Then again, it does undertake to create the directory if it's not there, so it should probably do it right.
    - John

It probably should have always had the mode option, BUT most people don't run around deleting directories they're not supposed to, so "the problem" hasn't shown up before.
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10732 Location: Somewhere over Atlanta, Georgia
Posted: Tue Aug 21, 2018 4:37 pm Post subject:

Concur.
- John
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Tue Aug 21, 2018 4:56 pm Post subject:

Yep, that initscript mode fixes it.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6220 Location: Dallas area
Posted: Tue Aug 21, 2018 5:07 pm Post subject:

grant123 wrote:
    Yep, that initscript mode fixes it.

The next time you update openssh, the fix won't be there any more; you'll have to re-add it.
The proper thing to do was mentioned earlier: delete the files in the directory, but leave the directory alone.
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Tue Aug 21, 2018 5:15 pm Post subject:

I realize that, but I agree with John:
Quote:
    Then again, it does undertake to create the directory if it's not there, so it should probably do it right.
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10732 Location: Somewhere over Atlanta, Georgia
Posted: Tue Aug 21, 2018 5:26 pm Post subject:

So... going to earn some Gentoo Bugzilla cred?
- John
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10732 Location: Somewhere over Atlanta, Georgia
Posted: Tue Aug 21, 2018 6:20 pm Post subject:

Excellent! By the way, here are a few Bugzilla netiquette pointers. It's nice to:
1. Confirm which in-tree versions are affected by the issue.
2. Describe the step-by-step method to reproduce the bug.
3. Report actual error messages.
4. Confirm which actual file(s) in the build need to be patched.
5. Provide a patch file.
None of these are absolutely necessary (although #1 - #3 are highly recommended), but their inclusion may get your bug quicker attention.
- John
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10732 Location: Somewhere over Atlanta, Georgia
Posted: Thu Aug 23, 2018 8:40 pm Post subject:

Well, that was fast. The fix is already in-tree and stable.
- John
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1099
Posted: Thu Aug 23, 2018 8:52 pm Post subject:

Yeah, I figured it was because this was a potential lock-out situation. But only if you're crazy enough to delete /var/empty/.