[SOLVED] Missing write permissions in /etc/pve/ directory

loneboat

While troubleshooting another issue (couldn't access the web GUI), I discovered that the write permissions for most of my /etc/pve/ directory are absent on one of my nodes (XXXX):

Code:
root@XXXX:/etc/pve# ll
total 14K
drwxr-xr-x  2 root www-data    0 Dec 31  1969 .
drwxr-xr-x 87 root root      177 Nov 18 10:57 ..
-r--r-----  1 root www-data  451 Nov  9 00:50 authkey.pub
-r--r-----  1 root www-data  451 Nov  9 00:50 authkey.pub.old
-r--r-----  1 root www-data  501 Dec 31  1969 .clusterlog
-r--r-----  1 root www-data  521 Sep  9 13:01 corosync.conf
-r--r-----  1 root www-data   16 Dec 19  2018 datacenter.cfg
-rw-r-----  1 root www-data    2 Dec 31  1969 .debug
dr-xr-xr-x  2 root www-data    0 Mar 28  2019 firewall
dr-xr-xr-x  2 root www-data    0 Jul 15  2020 ha
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 local -> nodes/XXXX
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 lxc -> nodes/XXXX/lxc
-r--r-----  1 root www-data   37 Dec 31  1969 .members
dr-xr-xr-x  2 root www-data    0 Dec 19  2018 nodes
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 openvz -> nodes/XXXX/openvz
dr-x------  2 root www-data    0 Dec 19  2018 priv
-r--r-----  1 root www-data 2.1K Dec 19  2018 pve-root-ca.pem
-r--r-----  1 root www-data 1.7K Dec 19  2018 pve-www.key
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 qemu-server -> nodes/XXXX/qemu-server
-r--r-----  1 root www-data 1.5K Oct 27 09:24 replication.cfg
-r--r-----  1 root www-data  966 Dec 31  1969 .rrd
dr-xr-xr-x  2 root www-data    0 Jul 15  2020 sdn
-r--r-----  1 root www-data  557 Sep 17 16:13 storage.cfg
-r--r-----  1 root www-data  335 Sep 22 08:25 user.cfg
-r--r-----  1 root www-data  734 Dec 31  1969 .version
dr-xr-xr-x  2 root www-data    0 Jul 15  2020 virtual-guest
-r--r-----  1 root www-data 5.4K Dec 31  1969 .vmlist
-r--r-----  1 root www-data  263 Oct 27 09:24 vzdump.cron

A similar listing from a different node (YYYY) shows that most of the files/dirs have write permissions, at least for owner:

Code:
root@YYYY:~# ll /etc/pve
total 14K
drwxr-xr-x   2 root www-data    0 Dec 31  1969 .
drwxr-xr-x 107 root root      206 Nov 18 10:57 ..
-rw-r-----   1 root www-data  451 Nov 18 00:51 authkey.pub
-rw-r-----   1 root www-data  451 Nov 18 00:51 authkey.pub.old
-r--r-----   1 root www-data 8.4K Dec 31  1969 .clusterlog
-rw-r-----   1 root www-data  521 Sep  9 13:01 corosync.conf
-rw-r-----   1 root www-data   16 Dec 19  2018 datacenter.cfg
-rw-r-----   1 root www-data    2 Dec 31  1969 .debug
drwxr-xr-x   2 root www-data    0 Mar 28  2019 firewall
drwxr-xr-x   2 root www-data    0 Jul 15  2020 ha
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 local -> nodes/YYYY
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 lxc -> nodes/YYYY/lxc
-r--r-----   1 root www-data  313 Dec 31  1969 .members
drwxr-xr-x   2 root www-data    0 Dec 19  2018 nodes
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 openvz -> nodes/YYYY/openvz
drwx------   2 root www-data    0 Dec 19  2018 priv
-rw-r-----   1 root www-data 2.1K Dec 19  2018 pve-root-ca.pem
-rw-r-----   1 root www-data 1.7K Dec 19  2018 pve-www.key
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 qemu-server -> nodes/YYYY/qemu-server
-rw-r-----   1 root www-data 1.5K Oct 27 09:24 replication.cfg
-r--r-----   1 root www-data 9.1K Dec 31  1969 .rrd
drwxr-xr-x   2 root www-data    0 Jul 15  2020 sdn
-rw-r-----   1 root www-data  557 Sep 17 16:13 storage.cfg
-rw-r-----   1 root www-data  335 Sep 22 08:25 user.cfg
-r--r-----   1 root www-data  813 Dec 31  1969 .version
drwxr-xr-x   2 root www-data    0 Jul 15  2020 virtual-guest
-r--r-----   1 root www-data 5.5K Dec 31  1969 .vmlist
-rw-r-----   1 root www-data  263 Oct 27 09:24 vzdump.cron

It seems like this would have obviously big consequences, including some weird behavior I've been seeing.

How on earth could these permissions have been removed? I rarely log into this box directly via ssh, and I haven't done any poking around with permissions that I can think of.

This is on 7.0-11
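The comparison made by eye in the post can be automated. The following is an added example, not part of the original post: it parses two `ls -l` style listings and reports the entries whose owner write bit is set on the reference node but missing on the affected one. The sample input is a subset of lines copied from the two listings above, and the function names are this example's own.

```python
import re

# Constructed sample input: a subset of lines copied from the two listings in
# the post (XXXX is the affected node, YYYY the healthy one).
SUSPECT = """\
root@XXXX:/etc/pve# ll
total 14K
drwxr-xr-x  2 root www-data    0 Dec 31  1969 .
-r--r-----  1 root www-data  501 Dec 31  1969 .clusterlog
-r--r-----  1 root www-data  521 Sep  9 13:01 corosync.conf
-rw-r-----  1 root www-data    2 Dec 31  1969 .debug
dr-xr-xr-x  2 root www-data    0 Mar 28  2019 firewall
lr-xr-xr-x  1 root www-data    0 Dec 31  1969 local -> nodes/XXXX
-r--r-----  1 root www-data  557 Sep 17 16:13 storage.cfg
"""
REFERENCE = """\
root@YYYY:~# ll /etc/pve
total 14K
drwxr-xr-x   2 root www-data    0 Dec 31  1969 .
-r--r-----   1 root www-data 8.4K Dec 31  1969 .clusterlog
-rw-r-----   1 root www-data  521 Sep  9 13:01 corosync.conf
-rw-r-----   1 root www-data    2 Dec 31  1969 .debug
drwxr-xr-x   2 root www-data    0 Mar 28  2019 firewall
lrwxr-xr-x   1 root www-data    0 Dec 31  1969 local -> nodes/YYYY
-rw-r-----   1 root www-data  557 Sep 17 16:13 storage.cfg
"""

MODE_RE = re.compile(r"^[-dlbcps][-rwxsStT]{9}$")

def parse_listing(text):
    """Map entry name -> 10-character mode string from `ls -l` style output."""
    modes = {}
    for line in text.splitlines():
        fields = line.split(None, 8)
        # Skip the prompt, the "total" line and anything that is not an entry.
        if len(fields) < 9 or not MODE_RE.match(fields[0]):
            continue
        name = fields[8].split(" -> ")[0]  # drop the symlink target
        if name not in (".", ".."):
            modes[name] = fields[0]
    return modes

def lost_owner_write(suspect, reference):
    """Names writable by the owner on the reference node but not on the suspect."""
    sus, ref = parse_listing(suspect), parse_listing(reference)
    return sorted(n for n in sus.keys() & ref.keys()
                  if ref[n][2] == "w" and sus[n][2] != "w")

if __name__ == "__main__":
    for name in lost_owner_write(SUSPECT, REFERENCE):
        print(name)
```

Entries that are read-only on both nodes, such as `.clusterlog`, are not reported, so the output lists only the permissions that differ between the nodes.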