Wrong group permission on /opt/vyatta/config/active/

After rebooting the VyOS box, when I’m editing the configuration (any command at all), it returns the following error on screen:

[edit]
ivan@vyos# set firewall name test rule 10 description test

  Set failed

After digging into this error I’ve found that the permissions are wrong on the directory /opt/vyatta/config/active/

I’ve figured out that it really has the wrong permission:

ivan@vyos:~$ ls -la /opt/vyatta/config/active/
total 0
drwxrwxr-x 11 root vyattacfg 220 Oct 20 18:16 .
drwxrwxr-x  4 root vyattacfg 100 Oct 20 18:12 ..
drwxrwxr-x  6 root root      120 Oct 20 18:16 firewall
drwxrwxr-x  3 root root       60 Oct 20 18:16 high-availability
drwxrwxr-x  6 root root      120 Oct 20 18:16 interfaces
drwxrwxr-x  4 root root       80 Oct 20 18:16 nat
drwxrwxr-x  4 root root       80 Oct 20 18:16 pki
drwxrwxr-x  3 root root       60 Oct 20 18:16 policy
drwxrwxr-x  5 root root      100 Oct 20 18:16 protocols
drwxrwxr-x  6 root root      120 Oct 20 18:16 service
drwxrwxr-x 12 root root      240 Oct 20 18:16 system

The group of all directories and files should be vyattacfg, but after rebooting its owner is root. After fixing the permissions it starts working as expected:

sudo chgrp -R vyattacfg /opt/vyatta/config/active/

I can’t tell on which version this bug has appeared, but I’ve noted it on the custom image I’ve created today.

Thanks,
Ivan Apolonio

Latest rolling (1.4-rolling-202210180800)
Everything seems to be fine.

set firewall name test rule 10 action 'accept'
set firewall name test rule 10 description 'test'
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
[edit]

The permissions look fine:

vyos@vyos# ls -la /opt/vyatta/config/active/
total 0
drwxrwxr-x 7 root vyattacfg 140 Oct 21 02:00 .
drwxrwxr-x 4 root vyattacfg 100 Oct 21 01:57 .
drwxrwxr-x 3 vyos vyattacfg 60 Oct 21 02:00 .
drwxrwxr-x 4 vyos vyattacfg 80 Oct 21 02:00 interfaces
drwxrwxr-x 3 vyos vyattacfg 60 Oct 21 02:00 protocols
drwxrwxr-x 3 vyos vyattacfg 60 Oct 21 02:00 service
drwxrwxr-x 10 vyos vyattacfg 200 Oct 21 02:00 system

It seems you have some custom scripts which are executed not from the group vyattacfg.

By reading your reply I can confirm that the problem is being caused after a VRRP transition.

I just set VRRP scripts, following the VyOS documentation at High availability — VyOS 1.4.x (sagitta) documentation

set high-availability vrrp group vlan5 transition-script backup '/config/scripts/vrrp-fail.sh'
set high-availability vrrp group vlan5 transition-script fault '/config/scripts/vrrp-fail.sh'
set high-availability vrrp group vlan5 transition-script master '/config/scripts/vrrp-master.sh'

These script files look to have the correct permissions:

ivan@vyos:~$ ls -la /config/scripts/
total 20
drwxrwsr-x 2 root vyattacfg 4096 Oct 18 14:50 .
drwxrwxr-x 7 root vyattacfg 4096 Oct 20 18:11 ..
-rwxrwxr-x 1 root vyattacfg  183 Oct 18 14:37 vrrp-fail.sh
-rwxrwxr-x 1 root vyattacfg  183 Oct 18 14:48 vrrp-master.sh
-rwxrwxr-x 1 root vyattacfg  230 Sep 13 12:08 vyos-postconfig-bootup.script

Here is the content of vrrp-fail.sh script:

#!/bin/vbash
# Load the VyOS configuration-session helpers (configure/set/commit/exit)
source /opt/vyatta/etc/functions/script-template
configure
# Take both BGP sessions down when this router leaves the MASTER state
set protocols bgp neighbor 192.168.100.1 shutdown
set protocols bgp neighbor 192.168.200.1 shutdown
commit
exit

What am I doing wrong?
Thanks

From the docs: Command Scripting — VyOS 1.4.x (sagitta) documentation

Add the following code to your scripts to ensure correct permissions:

if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

Thanks! Adding this at the beginning of my script solved the problem:

#!/bin/vbash
# Re-exec under the vyattacfg group if we were started with another primary
# group (e.g. root from the VRRP transition), so files written into the
# active config tree get the right group
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi
# Load the VyOS configuration-session helpers (configure/set/commit/exit)
source /opt/vyatta/etc/functions/script-template
configure
# Take both BGP sessions down when this router leaves the MASTER state
set protocols bgp neighbor 192.168.100.1 shutdown
set protocols bgp neighbor 192.168.200.1 shutdown
commit
exit

I’d suggest modifying the script samples in the documentation to include this block before the commands that are executed automatically, such as VRRP transition scripts.

Thanks again!

