
Permissions after image update
Closed, Wontfix | Public | BUG

Description

After

add system image http://ip/vyos-0.0.95-amd64.iso

I got:

/config# ls -la
total 44
drwxrwxr-x 1 root crontab   4096 Jun 18 16:28 .
drwxr-xr-x 1 root root      4096 Jun 18 16:28 ..
drwxrwsr-x 2 root crontab   4096 Jun 18 16:34 archive
drwxrwsr-x 2 root crontab   4096 Jan 30  2017 auth
-rwxrwxr-x 1 root vyattacfg 3742 Jun 18 16:34 config.boot
-rwxrwxr-x 1 root crontab   3624 Feb 20  2018 config.boot.2019-06-18-162820.pre-migration
drwxrwsr-x 2 root crontab   4096 Jan 30  2017 scripts
drwxrwsr-x 3 root crontab   4096 Jun 18 16:28 snmp
drwxrwsr-x 2 root crontab   4096 Jan 30  2017 support
drwxrwsr-x 3 root crontab   4096 Jan 30  2017 url-filtering
drwxrwsr-x 1 root crontab   4096 Feb  3  2017 user-data
-rwxrwxr-x 1 root crontab      0 Feb  2  2017 .vyatta_config
commit
Couldn't open /opt/vyatta/etc/config/archive/commits - Permission denied at /opt/vyatta/share/perl5/Vyatta/ConfigMgmt.pm line 108.
run-parts: /etc/commit/post-hooks.d/01vyatta-commit-revs.pl exited with return code 13
[edit]
vyos@hostname# sudo su -
root@hostname:~# ls -la /opt/vyatta/etc/config/archive/commits
-rwxrwxr-x 1 root crontab 458 Jun 18 16:28 /opt/vyatta/etc/config/archive/commits
root@hostname:~# ls -la /opt/vyatta/etc/config/archive/
total 80
drwxrwsr-x 2 root        crontab   4096 Jun 18 16:31 .
drwxrwxr-x 9 root        crontab   4096 Jun 18 16:28 ..
-rwxrwxr-x 1 root        crontab    458 Jun 18 16:28 commits
-rw-r--r-- 1 vyos        vyattacfg 3671 Jun 18 16:31 config.boot
-rw-r--r-- 1 vyos        vyattacfg 1536 Jun 18 16:31 config.boot.0.gz
-rwxrwxr-x 1 root        crontab   1466 Feb  3  2017 config.boot.10.gz
-rwxrwxr-x 1 radius_user crontab   1356 Feb  3  2017 config.boot.11.gz
-rwxrwxr-x 1 root        crontab   1342 Feb  2  2017 config.boot.12.gz
-rwxrwxr-x 1 root        crontab    275 Feb  2  2017 config.boot.13.gz
-rw-r--r-- 1 root        vyattacfg 1547 Jun 18 16:28 config.boot.1.gz
-rwxrwxr-x 1 radius_user crontab   1490 Feb 20  2018 config.boot.2.gz
-rwxrwxr-x 1 radius_user crontab   1472 Feb 20  2018 config.boot.3.gz
-rwxrwxr-x 1 root        crontab   1478 Feb 20  2018 config.boot.4.gz
-rwxrwxr-x 1 radius_user crontab   1472 Feb 19  2018 config.boot.5.gz
-rwxrwxr-x 1 root        crontab   1478 Feb  7  2017 config.boot.6.gz
-rwxrwxr-x 1        1000 crontab   1494 Feb  3  2017 config.boot.7.gz
-rwxrwxr-x 1        1000 crontab   1488 Feb  3  2017 config.boot.8.gz
-rwxrwxr-x 1        1000 crontab   1478 Feb  3  2017 config.boot.9.gz
-rw-r--r-- 1 root        crontab    109 Jun 18 16:28 lr.conf
-rwxrwxr-x 1 root        crontab     93 Jun 18 16:31 lr.state
root@hostname:~# chown vyos:vyattacfg /opt/vyatta/etc/config/archive/commits

Details

Difficulty level
Unknown (require assessment)
Version
1.2
Why the issue appeared?
Will be filled on close

Event Timeline

hexes created this task. Jun 18 2019, 5:07 PM
hagbard claimed this task. Jun 19 2019, 5:16 PM

Can you try with the latest rolling please, I can't reproduce your issue.

vyos@vyos# ls -la /opt/vyatta/etc/config/archive/
total 44
drwxrwsr-x 2 root vyattacfg 4096 Jun 19 17:10 .
drwxrwsr-x 8 root vyattacfg 4096 Jun 19 17:08 ..
-rw-rw-r-- 1 root vyattacfg  160 Jun 19 17:10 commits
-rw-r--r-- 1 vyos vyattacfg 1575 Jun 19 17:10 config.boot
-rw-r--r-- 1 vyos vyattacfg  735 Jun 19 17:10 config.boot.0.gz
-rw-r--r-- 1 vyos vyattacfg  821 Jun 19 17:10 config.boot.1.gz
-rw-r--r-- 1 vyos vyattacfg  735 Jun 19 17:08 config.boot.2.gz
-rw-r--r-- 1 root vyattacfg  704 Jun 19 17:08 config.boot.3.gz
-rw-r--r-- 1 root vyattacfg  316 Jun 19 17:08 config.boot.4.gz
-rw-r--r-- 1 root vyattacfg  110 Jun 19 17:08 lr.conf
-rw-r--r-- 1 root vyattacfg   93 Jun 19 17:10 lr.state

on VyOS 1.2.0-rolling+201906191432

hexes added a comment. Jun 20 2019, 1:53 PM

I don't use rolling, I build the ISO myself. I'll try to use the latest git version.

hagbard closed this task as Invalid. Jun 20 2019, 5:09 PM
hexes reopened this task as Open. Aug 17 2019, 3:15 PM

On the fresh version built today:

commit
Couldn't open /opt/vyatta/etc/config/archive/commits - Permission denied at /opt/vyatta/share/perl5/Vyatta/ConfigMgmt.pm line 108.
run-parts: /etc/commit/post-hooks.d/01vyatta-commit-revs.pl exited with return code 13

ls -la /config/
total 52
drwxrwxr-x 1 root frr       4096 Aug 17 20:08 .
drwxr-xr-x 1 root root      4096 Aug 17 20:08 ..
drwxrwsr-x 2 root frr       4096 Aug 17 20:12 archive
drwxrwsr-x 2 root frr       4096 Jun  9  2017 auth
-rwxrwxr-x 1 root vyattacfg 5089 Aug 17 20:08 config.boot
-rwxrwxr-x 1 root frr       4892 Apr  8  2018 config.boot.2019-08-17-150848.pre-migration
drwxrwsr-x 2 root frr       4096 Jun  9  2017 scripts
drwxrwsr-x 3 root frr       4096 Aug 17 20:08 snmp
drwxrwsr-x 2 root frr       4096 Jun  9  2017 support
drwxrwsr-x 3 root frr       4096 Jun  9  2017 url-filtering
drwxrwsr-x 1 root frr       4096 Jun  9  2017 user-data
-rwxrwxr-x 1 root frr          0 Aug 18  2017 .vyatta_config
hexes removed hagbard as the assignee of this task. Aug 20 2019, 5:46 AM
hexes added subscribers: dmbaturin, hagbard.
pasik added a subscriber: pasik. Aug 29 2019, 9:00 PM
syncer closed this task as Wontfix. Aug 31 2019, 12:51 AM
syncer claimed this task.
syncer edited projects, added Rejected; removed VyOS 1.2 Crux.
syncer added a subscriber: syncer.

can't reproduce

hexes added a comment. Sep 3 2019, 2:32 PM

How could I show it to you? Which version have you tried to update? I think a simple chown in the update script could fix it!
Also I think it could be compared with the changing of the list of users and their IDs:
Old system list:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
quagga:x:104:108:Vyatta Quagga routing suite,,,:/var/run/quagga/:/bin/false
ntp:x:105:112::/home/ntp:/bin/false
strongswan:x:106:65534::/var/lib/strongswan:/usr/sbin/nologin
uuidd:x:107:113::/run/uuidd:/bin/false
radvd:x:108:65534::/var/run/radvd:/bin/false
Debian-exim:x:109:115::/var/spool/exim4:/bin/false
messagebus:x:110:116::/var/run/dbus:/bin/false
hacluster:x:111:118:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
_lldpd:x:112:119::/var/run/lldpd:/bin/false
sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
pdns:x:114:120:PowerDNS,,,:/var/spool/powerdns:/bin/false
snmp:x:115:121::/var/lib/snmp:/usr/sbin/nologin
zabbix:x:116:122::/var/lib/zabbix/:/bin/false
tss:x:117:123::/var/lib/tpm:/usr/sbin/nologin
radius_user:x:1001:100:radius user,,,:/home/radius_user:/sbin/radius_shell
radius_priv_user:x:1002:109:radius privileged user,,,:/home/radius_priv_user:/sbin/radius_shell
vyos:x:1003:100::/home/vyos:/bin/vbash
remote:x:1004:100::/home/remote:/bin/vbash

A new one:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
frr:x:104:111:Frr routing suite,,,:/nonexistent:/bin/false
ntp:x:105:112::/home/ntp:/bin/false
strongswan:x:106:65534::/var/lib/strongswan:/usr/sbin/nologin
uuidd:x:107:113::/run/uuidd:/bin/false
radvd:x:108:65534::/var/run/radvd:/bin/false
Debian-exim:x:109:115::/var/spool/exim4:/bin/false
messagebus:x:110:117::/var/run/dbus:/bin/false
hacluster:x:111:118:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
_lldpd:x:112:119::/var/run/lldpd:/bin/false
sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
snmp:x:114:120::/var/lib/snmp:/usr/sbin/nologin
pdns:x:115:122:PowerDNS,,,:/var/spool/powerdns:/bin/false
tftp:x:116:123:tftp daemon,,,:/srv/tftp:/bin/false
zabbix:x:117:124::/var/lib/zabbix/:/bin/false
minion:x:118:100:salt minion user,,,:/home/minion:/bin/vbash
tss:x:119:125::/var/lib/tpm:/usr/sbin/nologin
radius_user:x:1001:100:radius user,,,:/home/radius_user:/sbin/radius_shell
radius_priv_user:x:1002:107:radius privileged user,,,:/home/radius_priv_user:/sbin/radius_shell
remote:x:1003:100::/home/remote:/bin/vbash
vyos:x:1004:100::/home/vyos:/bin/vbash

2 extra users were added... So my opinion is that doing chown is the best way to keep backward compatibility. What do you think?
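
Added example, not part of the thread and not VyOS tooling: the two listings above can be compared mechanically to see which account each old numeric UID resolves to on the new image, which is the name `ls -l` will then show on files kept in a persistent /config. The sample lines are excerpted from the two listings in this comment; the function names `uid_drift` and `demo` are made up for this example.

```shell
#!/bin/sh
# Added example: report accounts whose numeric UID differs between two
# passwd files, and which name the OLD uid resolves to in the new file.
# Files on a persistent /config keep numeric IDs, so that name is what
# `ls -l` will show as owner after the upgrade.

# uid_drift OLD_PASSWD NEW_PASSWD
# Output: name:old_uid:new_uid:name_now_holding_old_uid ("-" when none)
uid_drift() {
    awk -F: '
        NR == FNR { old_uid[$1] = $3; order[++n] = $1; next }   # first file
        { new_uid[$1] = $3; new_name[$3] = $1 }                 # second file
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]; o = old_uid[name]
                nu = (name in new_uid) ? new_uid[name] : "-"
                if (nu == o) continue                 # unchanged, skip
                holder = (o in new_name) ? new_name[o] : "-"
                printf "%s:%s:%s:%s\n", name, o, nu, holder
            }
        }' "$1" "$2"
}

# Sample input: a few lines excerpted from the two listings in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/old" <<'EOF'
root:x:0:0:root:/root:/bin/bash
quagga:x:104:108:Vyatta Quagga routing suite,,,:/var/run/quagga/:/bin/false
pdns:x:114:120:PowerDNS,,,:/var/spool/powerdns:/bin/false
snmp:x:115:121::/var/lib/snmp:/usr/sbin/nologin
zabbix:x:116:122::/var/lib/zabbix/:/bin/false
vyos:x:1003:100::/home/vyos:/bin/vbash
remote:x:1004:100::/home/remote:/bin/vbash
EOF
    cat > "$tmp/new" <<'EOF'
root:x:0:0:root:/root:/bin/bash
frr:x:104:111:Frr routing suite,,,:/nonexistent:/bin/false
snmp:x:114:120::/var/lib/snmp:/usr/sbin/nologin
pdns:x:115:122:PowerDNS,,,:/var/spool/powerdns:/bin/false
tftp:x:116:123:tftp daemon,,,:/srv/tftp:/bin/false
zabbix:x:117:124::/var/lib/zabbix/:/bin/false
remote:x:1003:100::/home/remote:/bin/vbash
vyos:x:1004:100::/home/vyos:/bin/vbash
EOF
    uid_drift "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}
demo
```

The same function works on two /etc/group files, since the name and the numeric ID sit in fields 1 and 3 there as well.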

hexes added a comment. Sep 3 2019, 2:55 PM

Or maybe you could tell me where I can include these commands? Also I need to set up correct owners for the /config/user-data/zabbix/ dir, there is a zabbix-proxy DB...

c-po added a subscriber: c-po. Sep 3 2019, 4:18 PM

Please test with latest rolling and not a custom build.