Netgate Discussion Forum

    2.6, wrong permissions on "/var/"

      pete35

      pfSense 2.6RC, can't start LADVD anymore,

      it logs in Systemlog: bad ownership or modes for chroot directory component "/var/"

      it runs flawless before the update from 2.5.2

      Any ideas how to solve that?

        viktor_g Netgate

        Please provide more details:

        1. ps auxwww | grep radvd output
        2. grep -A 10 -B 10 "bad ownership or modes" /var/log/*.log output
        3. Any other additional information that might be helpful
          pete35 @viktor_g

          @viktor_g

          The service refused to start:

          root 18535 0.0 0.0 11012 2580 - Is Wed08 0:02.51 /usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog
          root 83714 0.0 0.0 11452 3044 - S 15:17 0:00.00 sh -c ps auxwww | grep radvd 2>&1
          root 83921 0.0 0.0 11208 2704 - S 15:17 0:00.00 grep radvd


          Shell Output - grep -A 10 -B 10 "bad ownership or modes" /var/log/*.log

          /var/log/system.log:Feb 2 08:42:25 pfsense ladvd[15644]: bad ownership or modes for chroot directory component "/var/"
          /var/log/system.log-Feb 2 08:42:25 pfsense ladvd[15328]: child exited with return code 1
          /var/log/system.log-Feb 2 08:42:25 pfsense ladvd[15328]: quitting
          /var/log/system.log:Feb 6 18:56:44 pfsense ladvd[85373]: bad ownership or modes for chroot directory component "/var/"
          /var/log/system.log-Feb 6 18:56:44 pfsense ladvd[85313]: child exited with return code 1
          /var/log/system.log-Feb 6 18:56:44 pfsense ladvd[85313]: quitting
          /var/log/system.log:Feb 6 18:57:04 pfsense ladvd[94004]: bad ownership or modes for chroot directory component "/var/"
          /var/log/system.log-Feb 6 18:57:04 pfsense ladvd[93865]: child exited with return code 1
          /var/log/system.log-Feb 6 18:57:04 pfsense ladvd[93865]: quitting
          /var/log/system.log-Feb 6 18:57:50 pfsense php-fpm[31131]: /pkg_mgr_install.php: Configuration Change: admin@10.1.44.66 (Local Database): Creating restore point before package installation.
          /var/log/system.log-Feb 6 18:57:50 pfsense check_reload_status[483]: Syncing firewall
          /var/log/system.log-Feb 6 18:57:54 pfsense php[40524]: /etc/rc.packages: The command '/usr/local/etc/rc.d/ladvd.sh stop' returned exit code '1', the output was 'No matching processes were found'
          /var/log/system.log-Feb 6 18:57:54 pfsense php[40524]: /etc/rc.packages: Configuration Change: (system): Intermediate config write during package removal for LADVD.
          /var/log/system.log-Feb 6 18:57:54 pfsense check_reload_status[483]: Syncing firewall
          /var/log/system.log-Feb 6 18:57:54 pfsense php[41402]: /etc/rc.packages: Beginning package installation for LADVD .
          /var/log/system.log-Feb 6 18:57:54 pfsense php[41402]: /etc/rc.packages: Configuration Change: (system): Intermediate config write during package install for LADVD.
          /var/log/system.log-Feb 6 18:57:54 pfsense check_reload_status[483]: Syncing firewall
          /var/log/system.log-Feb 6 18:57:54 pfsense php[41402]: /etc/rc.packages: Configuration Change: (system): Overwrote previous installation of LADVD.
          /var/log/system.log-Feb 6 18:57:54 pfsense php[41402]: /etc/rc.packages: Successfully installed package: LADVD.
          /var/log/system.log-Feb 6 18:57:54 pfsense pkg-static[87086]: pfSense-pkg-LADVD reinstalled: 1.2.2_2 -> 1.2.2_2
          /var/log/system.log-Feb 6 18:57:56 pfsense check_reload_status[483]: Reloading filter
          /var/log/system.log-Feb 6 18:57:56 pfsense check_reload_status[483]: Starting packages
          /var/log/system.log-Feb 6 18:57:57 pfsense php-fpm[31131]: /rc.start_packages: Restarting/Starting all packages.
          /var/log/system.log:Feb 6 18:58:04 pfsense ladvd[19255]: bad ownership or modes for chroot directory component "/var/"
          /var/log/system.log-Feb 6 18:58:04 pfsense ladvd[18972]: child exited with return code 1
          /var/log/system.log-Feb 6 18:58:04 pfsense ladvd[18972]: quitting
          /var/log/system.log-Feb 6 18:58:05 pfsense vnstatd[50274]: Error: pidfile "/var/run/vnstat/vnstat.pid" lock failed (Resource temporarily unavailable), exiting.
          /var/log/system.log-Feb 6 18:58:15 pfsense vnstatd[15983]: SIGTERM received, exiting.
          /var/log/system.log:Feb 6 18:58:15 pfsense ladvd[82303]: bad ownership or modes for chroot directory component "/var/"
          /var/log/system.log-Feb 6 18:58:15 pfsense ladvd[82058]: child exited with return code 1
          /var/log/system.log-Feb 6 18:58:15 pfsense ladvd[82058]: quitting
          /var/log/system.log:Feb 6 18:58:15 pfsense ladvd[82460]: bad ownership or modes for chroot directory component "/var/"
          /var/log/system.log-Feb 6 18:58:15 pfsense ladvd[82329]: child exited with return code 1
          /var/log/system.log-Feb 6 18:58:15 pfsense ladvd[82329]: quitting
          /var/log/system.log-Feb 6 18:58:15 pfsense radiusd[35076]: Signalled to terminate
          /var/log/system.log-Feb 6 18:58:15 pfsense radiusd[35076]: Exiting normally
          /var/log/system.log-Feb 6 18:58:15 pfsense vnstatd[84197]: vnStat daemon 2.8 started. (pid:84197 uid:0 gid:0)
          /var/log/system.log-Feb 6 18:58:15 pfsense tail_pfb[91233]: [pfBlockerNG] Firewall Filter Service stopped
          /var/log/system.log-Feb 6 18:58:15 pfsense php_pfb[92083]: [pfBlockerNG] filterlog daemon stopped
          /var/log/system.log-Feb 6 18:58:15 pfsense vnstatd[93039]: Error: pidfile "/var/run/vnstat/vnstat.pid" lock failed (Resource temporarily unavailable), exiting.
          /var/log/system.log-Feb 6 18:58:15 pfsense tail_pfb[94644]: [pfBlockerNG] Firewall Filter Service started
          Execute Shell Command
          grep -A 10 -B 10 "bad ownership or modes" /var/log/*.log

            viktor_g Netgate

            Unable to reproduce
            Please show the Package / Services: LADVD / General page

                jimp Rebel Alliance Developer Netgate

                I checked over a dozen different installs with various versions (most of them on 22.01 and 2.6.0 snapshots) and they all had the same expected permissions:

                : ls -ld /var
                drwxr-xr-x  30 root  wheel  30 Jan 31 15:20 /var
                

                Something on your installation has altered the permissions on /var/, it doesn't appear to be a general problem.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                  pete35 @jimp

                  @jimp
                  @viktor_g

                  Changed permissions of /var to 0755, ladvd is up and running.
                  Excuse me, I should have checked this before.
                  No clue why permissions are different.
                  Thank you!

                    revolt112 @pete35

                    @pete35

                    I have two systems with exact same behaviour. After every reboot my /var directory has the same wrong permissions set.

                    Manually changing it to 0755 is fixing it till next reboot

                    EDIT: 2.6.0-RELEASE

                      pete35 @revolt112

                      @revolt112

                      hmm, checked again after reboot, no change on /var on permissions,
                      do you have a watchdog or a startup service which can change the permissions on reboot?

                        pete35 @jimp

                        @jimp
                        @viktor_g

                        The /var directory reverts to the false permission after a reboot. Had this situation today. A fresh installation doesn't behave like that. So we need to find out which process changed those permissions.

                          ashtonianagain

                          same issue on pfsense plus.
                          workaround via shellcmd chmod 0755 /var

                            Atom2

                            I know this is an old topic, but the problem persists even with the latest CE release 2.7.0-RELEASE. I have done some investigation and I am confident, I have been able to dig to the root of the issue:

                            1.) The problem with the incorrect permissions on /var seems to only occur in case pfSense is configured to use a RAM Disk for /var (configured under System->Advanced->Miscellaneous)
                            2.) In my view, the permissions are (most likely wrongly, but) deliberately set to 1777 during pfSense's boot process and I can pinpoint it to a specific file/sequence of actions:

                            If you follow the boot process on the console there is a message coming up showing

                            Setting up memory disks... done
                            

                            shortly before the "pfsense" character artwork pops up. This message shown on the console only exists in a single file on the pfSense box and that's named "/etc/rc.embedded". In this shell script - after checking the requested size of the RAM disk against the available memory (call of function "ramdisk_check_size") - a call is made twice to "ramdisk_try_mount" - once for "tmp" and also for "var" (both being passed as arguments). The relevant line reads:

                            ...
                            if ramdisk_check_size && ramdisk_try_mount tmp && ramdisk_try_mount var; then
                            ...
                            

                            The function "ramdisk_try_mount" is part of the shell script "/etc/rc.ramdisk_functions.sh" and reads as follows:

                            ...
                            # Attempt to mount the given RAM disk (var or tmp)
                            # Usage:
                            #   ramdisk_try_mount tmp
                            #   ramdisk_try_mount var
                            ramdisk_try_mount () {
                                    NAME=$1
                                    if [ ramdisk_check_size ]; then
                                            SIZE=$(eval echo \${${NAME}size})m
                                            /sbin/mount -o rw,size=${SIZE},mode=1777 -t tmpfs tmpfs /${NAME}
                                            return $?
                                    else
                                            return 1;
                                    fi
                            }
                            ...
                            

                            and here you go: the RAM disk for /var (and also /tmp) is specifically mounted as a tmpfs with a mode of 1777 (the "mode" parameter reading "mode=1777" is specific to the tmpfs file system mount call - see tmpfs(5): "Specifies the mode (in octal notation) of the root inode of the file system."):

                            drwxrwxrwt  15 root  wheel  832 Nov 28 13:20 /var
                            

                            In other words, in the resulting permissions, the sticky bit is set (denoted by the "t" at the end) and all permission bits are set for everybody. And exactly this is the mode LADVD is complaining about.

                            The exact same mode is also set for /tmp - but it appears, that did not create any issues so far or might even be the standard permission set on FreeBSD.

                            Thanks, Atom2
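
The check that rejects the 1777 mode, sketched as an added example (not part of the original post, and not ladvd or pfSense code). It assumes the usual rule behind this error message: every path component leading to the chroot must be owned by root and must not be writable by group or others. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not pfSense or ladvd code). Assumed rule: every directory on
# the way to a chroot must be owned by uid 0 and not writable by group/others.

# component_ok MODE UID: MODE is octal (755, 0755, 1777). Returns 0 if acceptable.
component_ok() {
    [ "$2" -eq 0 ] || return 1
    # 022 = group-write | other-write; the sticky bit (1000) alone is not a problem.
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# stat_mode_uid PATH: prints "MODE UID". Tries GNU stat first, then FreeBSD stat.
stat_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_chroot_path PATH: one report line per component, from / down to PATH.
# Returns 0 if all pass, 1 if any fails, 2 if a component cannot be read.
check_chroot_path() {
    rest=${1#/} cur=/ rc=0
    while :; do
        mu=$(stat_mode_uid "$cur") || return 2
        if component_ok "${mu% *}" "${mu#* }"; then
            echo "ok   mode=${mu% *} uid=${mu#* } $cur"
        else
            echo "BAD  mode=${mu% *} uid=${mu#* } $cur"
            rc=1
        fi
        [ -n "$rest" ] || break
        cur=${cur%/}/${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
    return $rc
}

# Run against a path given on the command line, e.g.: sh check.sh /var
[ $# -eq 0 ] || check_chroot_path "$1"
```

With `/var` mounted as in the listing above (drwxrwxrwt), the `/var` line is reported as BAD; with the drwxr-xr-x mode it passes.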

                              Atom2

                              @jimp
                              Having done some further digging, the whole issue now makes even more sense:

                              @pete35 said in 2.6, wrong permissions on "/var/":

                              it runs flawless before the update from 2.5.2

                              The switch from ufs on md devices to tmpfs is documented under redmine issue #12145. This change was introduced for release 2.6 and includes the (not specifically documented but) deliberate mode setting to 1777. So I'd consider this a regression - which as stated earlier only shows up in case /var is configured as a RAM disk.

                              Most likely there needs to be a distinction in the code between /var and /tmp in order to set the mode correctly for /var (i.e. 0755 instead of 1777).

                              Thanks Atom2

                                jimp Rebel Alliance Developer Netgate

                                I opened https://redmine.pfsense.org/issues/15054 to fix up the permissions for /var RAM disks.
