Package: mandos-client
Version: 1.8.3-3
Severity: important
Hi!
This is a pretty minimal, fresh buster. It has also dropbear-initramfs
installed so that may also be to blame.
During boot, mandos' plugin-runner can't run the plugins:
| ~ # /lib/mandos/plugin-runner: fexecve for
/lib/mandos/plugins.d/mandos-client: Permission denied
| /lib/mandos/plugin-runner: fexecve for /lib/mandos/plugins.d/splashy:
Permission denied
| /lib/mandos/plugin-runner: fexecve for /lib/mandos/plugins.d/usplash:
Permission denied
Turns out, lots of directories are owned by root and not accessible by
other processes, among them:
| ~ # find / -xdev -type d ! -perm +001 | grep usr | grep -v modules/
| /usr/lib64
| /usr/lib/x86_64-linux-gnu
| /usr/lib/udev
| /usr/lib/udev/rules.d
| /usr/lib/systemd
| /usr/lib/systemd/network
| /usr/lib/modules
| /usr/lib/modprobe.d
| /usr/lib/mandos/plugins.d
| /usr/lib/mandos/plugin-helpers
| /usr/lib/cryptsetup
Changing some permissions makes plugin-runner able to run its plugins:
--- mandos 2019-04-08 10:57:20.082839532 +0000
+++ /usr/share/initramfs-tools/hooks/mandos 2019-04-08 10:59:25.794634878
+0000
@@ -264,7 +264,7 @@
ยท
# Reset some other things to sane permissions which we have
# inadvertently affected with our umask setting.
-for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin; do
+for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin /usr/lib64
/usr/lib/x86_64-linux-gnu "${PLUGINDIR}" "${PLUGINHELPERDIR}"; do
if [ -d "${DESTDIR}$dir" ]; then
chmod a+rX "${DESTDIR}$dir"
fi
(this is of course not a real fix, since we can't just hardcode the lib
directory.)
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
