[SOLVED] Missing write permissions in /etc/pve/ directory

loneboat

While troubleshooting another issue (couldn't access web GUI), I discovered that the write permissions for most of my /etc/pve/ directory are absent on one of my nodes (XXXX):

Code:
root@XXXX:/etc/pve# ll
total 14K
drwxr-xr-x  2 root www-data    0 Dec 31  1969 .
drwxr-xr-x 87 root root      177 Nov 18 10:57 ..
-r--r-----  1 root www-data  451 Nov  9 00:50 authkey.pub
-r--r-----  1 root www-data  451 Nov  9 00:50 authkey.pub.old
-r--r-----  1 root www-data  501 Dec 31  1969 .clusterlog
-r--r-----  1 root www-data  521 Sep  9 13:01 corosync.conf
-r--r-----  1 root www-data   16 Dec 19  2018 datacenter.cfg
-rw-r-----  1 root www-data    2 Dec 31  1969 .debug
dr-xr-xr-x  2 root www-data    0 Mar 28  2019 firewall
dr-xr-xr-x  2 root www-data    0 Jul 15  2020 ha
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 local -> nodes/XXXX
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 lxc -> nodes/XXXX/lxc
-r--r-----  1 root www-data   37 Dec 31  1969 .members
dr-xr-xr-x  2 root www-data    0 Dec 19  2018 nodes
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 openvz -> nodes/XXXX/openvz
dr-x------  2 root www-data    0 Dec 19  2018 priv
-r--r-----  1 root www-data 2.1K Dec 19  2018 pve-root-ca.pem
-r--r-----  1 root www-data 1.7K Dec 19  2018 pve-www.key
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 qemu-server -> nodes/XXXX/qemu-server
-r--r-----  1 root www-data 1.5K Oct 27 09:24 replication.cfg
-r--r-----  1 root www-data  966 Dec 31  1969 .rrd
dr-xr-xr-x  2 root www-data    0 Jul 15  2020 sdn
-r--r-----  1 root www-data  557 Sep 17 16:13 storage.cfg
-r--r-----  1 root www-data  335 Sep 22 08:25 user.cfg
-r--r-----  1 root www-data  734 Dec 31  1969 .version
dr-xr-xr-x  2 root www-data    0 Jul 15  2020 virtual-guest
-r--r-----  1 root www-data 5.4K Dec 31  1969 .vmlist
-r--r-----  1 root www-data  263 Oct 27 09:24 vzdump.cron

A similar listing from a different node (YYYY) shows that most of the files/dirs have write permissions, at least for owner:

Code:
root@YYYY:~# ll /etc/pve
total 14K
drwxr-xr-x   2 root www-data    0 Dec 31  1969 .
drwxr-xr-x 107 root root      206 Nov 18 10:57 ..
-rw-r-----   1 root www-data  451 Nov 18 00:51 authkey.pub
-rw-r-----   1 root www-data  451 Nov 18 00:51 authkey.pub.old
-r--r-----   1 root www-data 8.4K Dec 31  1969 .clusterlog
-rw-r-----   1 root www-data  521 Sep  9 13:01 corosync.conf
-rw-r-----   1 root www-data   16 Dec 19  2018 datacenter.cfg
-rw-r-----   1 root www-data    2 Dec 31  1969 .debug
drwxr-xr-x   2 root www-data    0 Mar 28  2019 firewall
drwxr-xr-x   2 root www-data    0 Jul 15  2020 ha
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 local -> nodes/YYYY
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 lxc -> nodes/YYYY/lxc
-r--r-----   1 root www-data  313 Dec 31  1969 .members
drwxr-xr-x   2 root www-data    0 Dec 19  2018 nodes
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 openvz -> nodes/YYYY/openvz
drwx------   2 root www-data    0 Dec 19  2018 priv
-rw-r-----   1 root www-data 2.1K Dec 19  2018 pve-root-ca.pem
-rw-r-----   1 root www-data 1.7K Dec 19  2018 pve-www.key
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 qemu-server -> nodes/YYYY/qemu-server
-rw-r-----   1 root www-data 1.5K Oct 27 09:24 replication.cfg
-r--r-----   1 root www-data 9.1K Dec 31  1969 .rrd
drwxr-xr-x   2 root www-data    0 Jul 15  2020 sdn
-rw-r-----   1 root www-data  557 Sep 17 16:13 storage.cfg
-rw-r-----   1 root www-data  335 Sep 22 08:25 user.cfg
-r--r-----   1 root www-data  813 Dec 31  1969 .version
drwxr-xr-x   2 root www-data    0 Jul 15  2020 virtual-guest
-r--r-----   1 root www-data 5.5K Dec 31  1969 .vmlist
-rw-r-----   1 root www-data  263 Oct 27 09:24 vzdump.cron

It seems like this would have obviously big consequences, including some weird behavior I've been seeing.

How on earth could these permissions have been removed? I rarely log into this box directly via ssh, and I haven't done any poking around with permissions that I can think of.

This is on 7.0-11
 
