2.6, wrong permissions on "/var/"
-
The service refused to start:
root 18535 0.0 0.0 11012 2580 - Is Wed08 0:02.51 /usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog
root 83714 0.0 0.0 11452 3044 - S 15:17 0:00.00 sh -c ps auxwww | grep radvd 2>&1
root 83921 0.0 0.0 11208 2704 - S 15:17 0:00.00 grep radvd
Shell Output - grep -A 10 -B 10 "bad ownership or modes" /var/log/*.log
/var/log/system.log:Feb 2 08:42:25 pfsense ladvd[15644]: bad ownership or modes for chroot directory component "/var/"
/var/log/system.log-Feb 2 08:42:25 pfsense ladvd[15328]: child exited with return code 1
/var/log/system.log-Feb 2 08:42:25 pfsense ladvd[15328]: quitting
/var/log/system.log:Feb 6 18:56:44 pfsense ladvd[85373]: bad ownership or modes for chroot directory component "/var/"
/var/log/system.log-Feb 6 18:56:44 pfsense ladvd[85313]: child exited with return code 1
/var/log/system.log-Feb 6 18:56:44 pfsense ladvd[85313]: quitting
/var/log/system.log:Feb 6 18:57:04 pfsense ladvd[94004]: bad ownership or modes for chroot directory component "/var/"
/var/log/system.log-Feb 6 18:57:04 pfsense ladvd[93865]: child exited with return code 1
/var/log/system.log-Feb 6 18:57:04 pfsense ladvd[93865]: quitting
/var/log/system.log-Feb 6 18:57:50 pfsense php-fpm[31131]: /pkg_mgr_install.php: Configuration Change: admin@10.1.44.66 (Local Database): Creating restore point before package installation.
/var/log/system.log-Feb 6 18:57:50 pfsense check_reload_status[483]: Syncing firewall
/var/log/system.log-Feb 6 18:57:54 pfsense php[40524]: /etc/rc.packages: The command '/usr/local/etc/rc.d/ladvd.sh stop' returned exit code '1', the output was 'No matching processes were found'
/var/log/system.log-Feb 6 18:57:54 pfsense php[40524]: /etc/rc.packages: Configuration Change: (system): Intermediate config write during package removal for LADVD.
/var/log/system.log-Feb 6 18:57:54 pfsense check_reload_status[483]: Syncing firewall
/var/log/system.log-Feb 6 18:57:54 pfsense php[41402]: /etc/rc.packages: Beginning package installation for LADVD .
/var/log/system.log-Feb 6 18:57:54 pfsense php[41402]: /etc/rc.packages: Configuration Change: (system): Intermediate config write during package install for LADVD.
/var/log/system.log-Feb 6 18:57:54 pfsense check_reload_status[483]: Syncing firewall
/var/log/system.log-Feb 6 18:57:54 pfsense php[41402]: /etc/rc.packages: Configuration Change: (system): Overwrote previous installation of LADVD.
/var/log/system.log-Feb 6 18:57:54 pfsense php[41402]: /etc/rc.packages: Successfully installed package: LADVD.
/var/log/system.log-Feb 6 18:57:54 pfsense pkg-static[87086]: pfSense-pkg-LADVD reinstalled: 1.2.2_2 -> 1.2.2_2
/var/log/system.log-Feb 6 18:57:56 pfsense check_reload_status[483]: Reloading filter
/var/log/system.log-Feb 6 18:57:56 pfsense check_reload_status[483]: Starting packages
/var/log/system.log-Feb 6 18:57:57 pfsense php-fpm[31131]: /rc.start_packages: Restarting/Starting all packages.
/var/log/system.log:Feb 6 18:58:04 pfsense ladvd[19255]: bad ownership or modes for chroot directory component "/var/"
/var/log/system.log-Feb 6 18:58:04 pfsense ladvd[18972]: child exited with return code 1
/var/log/system.log-Feb 6 18:58:04 pfsense ladvd[18972]: quitting
/var/log/system.log-Feb 6 18:58:05 pfsense vnstatd[50274]: Error: pidfile "/var/run/vnstat/vnstat.pid" lock failed (Resource temporarily unavailable), exiting.
/var/log/system.log-Feb 6 18:58:15 pfsense vnstatd[15983]: SIGTERM received, exiting.
/var/log/system.log:Feb 6 18:58:15 pfsense ladvd[82303]: bad ownership or modes for chroot directory component "/var/"
/var/log/system.log-Feb 6 18:58:15 pfsense ladvd[82058]: child exited with return code 1
/var/log/system.log-Feb 6 18:58:15 pfsense ladvd[82058]: quitting
/var/log/system.log:Feb 6 18:58:15 pfsense ladvd[82460]: bad ownership or modes for chroot directory component "/var/"
/var/log/system.log-Feb 6 18:58:15 pfsense ladvd[82329]: child exited with return code 1
/var/log/system.log-Feb 6 18:58:15 pfsense ladvd[82329]: quitting
/var/log/system.log-Feb 6 18:58:15 pfsense radiusd[35076]: Signalled to terminate
/var/log/system.log-Feb 6 18:58:15 pfsense radiusd[35076]: Exiting normally
/var/log/system.log-Feb 6 18:58:15 pfsense vnstatd[84197]: vnStat daemon 2.8 started. (pid:84197 uid:0 gid:0)
/var/log/system.log-Feb 6 18:58:15 pfsense tail_pfb[91233]: [pfBlockerNG] Firewall Filter Service stopped
/var/log/system.log-Feb 6 18:58:15 pfsense php_pfb[92083]: [pfBlockerNG] filterlog daemon stopped
/var/log/system.log-Feb 6 18:58:15 pfsense vnstatd[93039]: Error: pidfile "/var/run/vnstat/vnstat.pid" lock failed (Resource temporarily unavailable), exiting.
/var/log/system.log-Feb 6 18:58:15 pfsense tail_pfb[94644]: [pfBlockerNG] Firewall Filter Service started
Execute Shell Command
grep -A 10 -B 10 "bad ownership or modes" /var/log/*.log -
Unable to reproduce
Please show the Package / Services: LADVD / General page -
This post is deleted! -
I checked over a dozen different installs with various versions (most of them on 22.01 and 2.6.0 snapshots) and they all had the same expected permissions:
: ls -ld /var drwxr-xr-x 30 root wheel 30 Jan 31 15:20 /varSomething on your installation has altered the permissions on
/var/, it doesn't appear to be a general problem. -
-
I have two systems with exact same behaviour. After every reboot my /var directory has the same wrong permissions set.
Manually changing it to 0755 is fixing it till next reboot
EDIT: 2.6.0-RELEASE
-
hmm, checked again after reboot, no change on /var on permissions,
do you have a watchdog or a startup service which can change the permisions on reboot? -
-
same issue on pfsense plus.
workaround via shellcmd chmod 0755 /var -
J jimp moved this topic from CE 2.6.0 Development Snapshots (Retired) on
-
I know this is an old topic, but the problem persists even with the latest CE release 2.7.0-RELEASE. I have done some investigation and I am confident, I have been able to dig to the root of the issue:
1.) The problem with the incorrect permissions on /var seems to only occur in case pfSense is configured to use a RAM Disk for /var (configured under System->Advanced->Miscellaneous)
2.) In my view, the permissions are (most likely wrongly, but) deliberatly set to 1777 during pfSense's boot process and I can pinpoint it to a specific file/sequence of actions:If you follow the boot process on the console there is a message coming up showing
Setting up memory disks... doneshortly before the "pfsense" charcater artwork pops up. This message shown on the console only exists in a single file on the pfSense box and that's named "/etc/rc.embedded". In this shell script - after checking the requested size of the RAM disk against the available memory (call of function "ramdisk_check_size") - a call is made twice to "ramdisk_try_mount - once for "tmp" and also for "var" (both being passed as arguments). The relevant line reads:
... if ramdisk_check_size && ramdisk_try_mount tmp && ramdisk_try_mount var; then ...The function "ramdisk_try_mount" is part of the shell script "/etc/rc.ramdisk_functions.sh" and reads as follows:
... # Attempt to mount the given RAM disk (var or tmp) # Usage: # ramdisk_try_mount tmp # ramdisk_try_mount var ramdisk_try_mount () { NAME=$1 if [ ramdisk_check_size ]; then SIZE=$(eval echo \${${NAME}size})m /sbin/mount -o rw,size=${SIZE},mode=1777 -t tmpfs tmpfs /${NAME} return $? else return 1; fi } ...and here you go: the RAM disk for /var (and also /tmp) is specifically mounted as a tmpfs with a mode of 1777 (the "mode" parameter reading "mode=1777" is specific to the tmpfs file system mount call - see tmpfs(5): "Specifies the mode (in octal notation) of the root inode of the file system."):
drwxrwxrwt 15 root wheel 832 Nov 28 13:20 /varIn other words, in the resulting permissions, the sticky bit is set (denoted by the "t" at the end) and all permission bits are set for everybody. And exactly this is the mode LADVD is complaining about.
The exact same mode is also set for /tmp - but it appears, that did not create any issues so far or might even be the standard permission set on FreeBSD.
Thanks, Atom2
-
@jimp
Having done some further digging, the whole issues now makes even more sense:@pete35 said in 2.6, wrong permissions on "/var/":
it runs flawless before the update from 2.5.2
The switch from ufs on md devices to tmpfs is documented under redmine issue #12145. This change was introduced for release 2.6 and includes the (not specifically documented but) deliberate mode setting to 1777. So I'd consider this a regression - which as stated earlier only shows up in case /var is configured as a RAM disk.
Most likely there needs to be a distinction in the code between /var and /tmp in order to set the mode correctly for /var (i.e. 0755 instead of 1777).
Thanks Atom2
-
I opened https://redmine.pfsense.org/issues/15054 to fix up the permissions for
/varRAM disks.
