Package: mandos-client
Version: 1.8.3-3
Severity: important

Hi!

This is a pretty minimal, fresh buster. It has also dropbear-initramfs
installed so that may also be to blame.

During boot, mandos' plugin-runner can't run the plugins:

| ~ # /lib/mandos/plugin-runner: fexecve for /lib/mandos/plugins.d/mandos-client: Permission denied
| /lib/mandos/plugin-runner: fexecve for /lib/mandos/plugins.d/splashy: Permission denied
| /lib/mandos/plugin-runner: fexecve for /lib/mandos/plugins.d/usplash: Permission denied

Turns out, lots of directories are owned by root and not accessible by
other processes, among them:

| ~ # find / -xdev -type d ! -perm +001 | grep usr | grep -v modules/
| /usr/lib64
| /usr/lib/x86_64-linux-gnu
| /usr/lib/udev
| /usr/lib/udev/rules.d
| /usr/lib/systemd
| /usr/lib/systemd/network
| /usr/lib/modules
| /usr/lib/modprobe.d
| /usr/lib/mandos/plugins.d
| /usr/lib/mandos/plugin-helpers
| /usr/lib/cryptsetup

Changing some permissions makes plugin-runner able to run its plugins:

--- mandos 2019-04-08 10:57:20.082839532 +0000 +++ /usr/share/initramfs-tools/hooks/mandos 2019-04-08 10:59:25.794634878 +0000 @@ -264,7 +264,7 @@ ยท # Reset some other things to sane permissions which we have # inadvertently affected with our umask setting. -for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin; do +for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin /usr/lib64 /usr/lib/x86_64-linux-gnu "${PLUGINDIR}" "${PLUGINHELPERDIR}"; do if [ -d "${DESTDIR}$dir" ]; then chmod a+rX "${DESTDIR}$dir" fi

(this is of course not a real fix, since we can't just hardcode the lib
directory.)

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
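
Review bot: The extended `for dir in ...` list hardcodes /usr/lib64 and /usr/lib/x86_64-linux-gnu, so the chmod only covers the amd64 library path, and it still leaves the other directories from the find output (/usr/lib/udev, /usr/lib/systemd, /usr/lib/modprobe.d, /usr/lib/cryptsetup) without world search permission. Since the comment above the loop attributes the problem to the hook's umask, it would be more robust to narrow where the restrictive umask applies to the directories that actually have to stay private, or to derive the library directories at hook run time, instead of growing an allow-list. If the list approach stays, note that `chmod a+rX "${DESTDIR}$dir"` is non-recursive and assumes "${PLUGINDIR}" and "${PLUGINHELPERDIR}" are absolute paths whose parent directories are already traversable; the `[ -d ... ]` guard silently skips them otherwise.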