Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
/var/empty created with wrong permissions
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Tue Aug 21, 2018 1:18 pm    Post subject: /var/empty created with wrong permissions Reply with quote

One of my systems is wiped on reboot and starts out with no /var/empty so it is created automatically. The problem is it's created with group write permission and sshd won't start until I remove that. Can I tell the system to create /var/empty with the correct permissions?
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Tue Aug 21, 2018 1:35 pm    Post subject: Re: /var/empty created with wrong permissions Reply with quote

grant123 wrote:
One of my systems is wiped on reboot and starts out with no /var/empty so it is created automatically. The problem is it's created with group write permission and sshd won't start until I remove that. Can I tell the system to create /var/empty with the correct permissions?

grant123 ... that directory is provided by net-misc/openssh:

Code:
% equery belongs -e /var/empty
 * Searching for /var/empty ...
net-misc/openssh-7.7_p1-r6 (/var/empty)
% equery belongs -e /var/empty/.keep_net-misc_openssh-0
 * Searching for /var/empty/.keep_net-misc_openssh-0 ...
net-misc/openssh-7.7_p1-r6 (/var/empty/.keep_net-misc_openssh-0)

... so, you/I should probably ask: what's "wiping" it, and why?

best ... khay
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3688
Location: Dallas area

PostPosted: Tue Aug 21, 2018 1:46 pm    Post subject: Reply with quote

you could modify the init.d script but khayyam is correct, it shouldn't be being deleted

Code:
ls -la /var/empty
total 0
drwxr-xr-x 1 root root  48 Jun 27 04:15 .
drwxr-xr-x 1 root root 140 Oct 22  2015 ..
-rw-r--r-- 1 root root   0 Jun 27 04:15 .keep_net-misc_openssh-0


both the directory and the .keep* file is put there by openssh
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Tue Aug 21, 2018 1:47 pm    Post subject: Reply with quote

Hi Khay, my script is wiping it along with everything else I found that could handle being wiped so the system starts as clean as possible. So basically openssh is creating the directory when it is missing but it's creating it with the wrong permissions.
Back to top
View user's profile Send private message
Jaglover
Watchman
Watchman


Joined: 29 May 2005
Posts: 6957
Location: Saint Amant, Acadiana

PostPosted: Tue Aug 21, 2018 1:48 pm    Post subject: Reply with quote

So let your script to wipe the contents of /var/empty, not the directory itself.
_________________
Please learn how to denote units correctly!
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Tue Aug 21, 2018 1:50 pm    Post subject: Reply with quote

That would definitely work but I'm trying to get the freshest start I can. Shouldn't ssh know how to create the dir properly?

FWIW the dir was either created properly or ssh would start after creating it improperly in 7.5 but now not in 7.7.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3688
Location: Dallas area

PostPosted: Tue Aug 21, 2018 2:17 pm    Post subject: Reply with quote

You shouldn't be deleting directories just because they're empty.
And any directory that has a .keep* file is there for a reason, it usually means that directory NEEDS to stay there.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Tue Aug 21, 2018 2:45 pm    Post subject: Reply with quote

Won't a new ssh user be hit with this the first time they install openssh?
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Aug 21, 2018 2:51 pm    Post subject: Reply with quote

Code:
secmt-service01 ~ # equery files openssh | grep empty
/var/empty
/var/empty/.keep_net-misc_openssh-0
Nope.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3688
Location: Dallas area

PostPosted: Tue Aug 21, 2018 2:51 pm    Post subject: Reply with quote

grant123 wrote:
Won't a new ssh user be hit with this the first time they install openssh?


"emerge openssh" installs "/var if it doesn't exist, /var/empty if it doesn't exist and then the .keep* file)
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Tue Aug 21, 2018 3:44 pm    Post subject: Reply with quote

Ok, so openssh installation does it right but sshd execution does it wrong.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Aug 21, 2018 4:23 pm    Post subject: Reply with quote

Well mine doesn't exhibit this issue, so you've probably not found the root cause of what's cleaning up that directory. The proximate cause of the bad permissions appears to be in the sshd init script on this line:
Code:
checkpath --directory "${RC_PREFIX%/}/var/empty"

Change this to
Code:
checkpath --directory --mode 0755 "${RC_PREFIX%/}/var/empty"
and report results, please.

Although this probably works, I'm not convinced that it's the right thing to do. An init script shouldn't be required to recover from all (or maybe even any) package installation damage. Then again, it does undertake to create the directory if it's not there, so it should probably do it right.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3688
Location: Dallas area

PostPosted: Tue Aug 21, 2018 4:34 pm    Post subject: Reply with quote

John R. Graham wrote:
Well mine doesn't exhibit this issue, so you've probably not found the root cause of what's cleaning up that directory. The proximate cause of the bad permissions appears to be in the sshd init script on this line:
Code:
checkpath --directory "${RC_PREFIX%/}/var/empty"

Change this to
Code:
checkpath --directory --mode 0755 "${RC_PREFIX%/}/var/empty"
and report results, please.

Although this probably works, I'm not convinced that it's the right thing to do. An init script shouldn't be required to recover from all (or maybe even any) package installation damage. Then again, it does undertake to create the directory if it's not there, so it should probably do it right.

- John


It probably should have always had the mode option, BUT most people don't run around deleting directories they're not supposed to so "the problem" hasn't shown up before.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Aug 21, 2018 4:37 pm    Post subject: Reply with quote

Concur.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Tue Aug 21, 2018 4:56 pm    Post subject: Reply with quote

Yep that initscript mode fixes it.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3688
Location: Dallas area

PostPosted: Tue Aug 21, 2018 5:07 pm    Post subject: Reply with quote

grant123 wrote:
Yep that initscript mode fixes it.


The next time you update openssh, the fix won't be there any more, you'll have to re-add it.

The proper thing to do was mentioned earlier, delete the files in the directory, but leave the directory alone.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Tue Aug 21, 2018 5:15 pm    Post subject: Reply with quote

I realize that but I agree with John:

Quote:
Then again, it does undertake to create the directory if it's not there, so it should probably do it right.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Aug 21, 2018 5:26 pm    Post subject: Reply with quote

So... going to earn some Gentoo Bugzilla cred? :wink:

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Tue Aug 21, 2018 5:48 pm    Post subject: Reply with quote

https://bugs.gentoo.org/664192
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Aug 21, 2018 6:20 pm    Post subject: Reply with quote

Excellent! By the way, here are a few Bugzilla netiquette pointers. It's nice to:
  1. Confirm which in-tree versions are affected by the issue.
  2. Describe the step-by-step method to reproduce the bug.
  3. Report actual error messages.
  4. Confirm which actual file(s) in the build needs to be patched.
  5. Provide a patch file.
None of these are absolutely necessary (although #1 - #3 are highly recommended) but their inclusion may get your bug quicker attention.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Thu Aug 23, 2018 8:40 pm    Post subject: Reply with quote

Well, that was fast. The fix is already in-tree and stable.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 980

PostPosted: Thu Aug 23, 2018 8:52 pm    Post subject: Reply with quote

Yeah I figured it was because this was a potential lock-out situation. But only if you're crazy enough to delete /var/empty/.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum