Permission issue after update 15-12-22

Couple of days ago I had those warnings, one is new to me

[2022-12-15T16:01:32+0200] [ALPM] warning: directory permissions differ on /usr/share/polkit-1/rules.d/
filesystem: 750  package: 755

what in inside is the following:

ls -al /usr/share/polkit-1/rules.d/
total 36
drwxr-x--- 1 root polkitd 448 Dec 15 16:01 .
drwxr-xr-x 1 root root     64 Nov 26 02:02 ..
-rw-r--r-- 1 root root    326 Oct 26 18:07 50-default.rules
-rw-r--r-- 1 root root    383 Dec 15 16:01 gamemode.rules
-rw-r--r-- 1 root root    182 Oct 21 20:46 org.a11y.brlapi.rules
-rw-r--r-- 1 root root    769 Nov 18 00:18 org.freedesktop.Flatpak.rules
-rw-r--r-- 1 root root    252 Dec  7 21:51 org.freedesktop.fwupd.rules
-rw-r--r-- 1 root root    287 Oct 25 20:31 org.freedesktop.GeoClue2.rules
-rw-r--r-- 1 root root    257 Dec  2 16:57 org.freedesktop.packagekit.rules
-rw-r--r-- 1 root root    595 May 26  2022 org.gtk.vfs.file-operations.rules
-rw-r--r-- 1 root root    527 Dec  9 21:01 systemd-networkd.rules

those can be changed but I’m didn’t opt-to do it yet since I’m already have this persistent warning:

[ALPM] warning: directory permissions differ on /boot/
filesystem: 700  package: 755

and ls -al

ls -al /boot                       
total 380088
drwx------ 5 root root      4096 Jan  1  1970 .
drwxr-xr-x 1 root root       216 Nov 26 02:02 ..
drwx------ 5 root root      4096 Dec  4 01:41 EFI
-rwx------ 1 root root 218054894 Dec 19 10:35 initramfs-5.15-x86_64-fallback.img
-rwx------ 1 root root 154649022 Dec 19 10:35 initramfs-5.15-x86_64.img
-rwx------ 1 root root   5678080 Nov  8 21:02 intel-ucode.img
-rwx------ 1 root root        22 Dec 14 15:18 linux515-x86_64.kver
drwx------ 3 root root      4096 Dec 19 10:42 loader
drwx------ 2 root root      4096 Nov 27 03:45 memtest86+
-rwx------ 1 root root  10793088 Dec 19 10:35 vmlinuz-5.15-x86_64

tried chmod -R 755 /boot as root, unmonting and do the command on /boot the remounting gives and /boot with 755 permission, but don’t persist after a reboot. so since 700 permission on /boot doesn’t look bad for me, and those warnings can be ignored, my question is are there any guidelines for permission for / and it subsidiaries, especially /home. thanks alot.

For the default permissions of /boot i suggest you to look at your /etc/fstab where it is mounted by default at boot most likely.
It most likely has an umask= option that force it…
Posting the contents of that file within block-code tags as usual would help

PS: Warnings normally won’t hurt but it sure is irritating…

Mine are 750 too. The warning is harmless.

The additional permissions on /boot don’t really matter, unless you want to view its contents as a non-root user, in which case 700 is too restrictive. 755 is a sane value.

Two things here…

• The -R option is wrong, because you don’t want the permissions changed recursively and indiscriminately. Besides, the contents of /boot are never read by anything while the system is running, because /boot is only ever read and possibly written to by the boot loader, which runs with (a kind of) root privileges — actually, at that point of the boot process, there is no distinction yet between root and non-root, because the kernel hasn’t even been loaded yet.

• The only time the permissions on /boot — which is itself a directory entry in the root directory — do not survive a reboot is if your root filesystem is mounted read-only, which should never happen by default, but which can happen if the filesystem was uncleanly shut down and has errors. You should therefore fix those errors with fsck from a live USB/CD/DVD session.

The first-level directories in the root directory should all be owned root:root and have 755 permissions, except for…

• /tmp, which should have 1777 permissions, i.e. drwxrwxrwt; and…
• /root, which in Manjaro is set up with 750 permissions but which should best be given 700 permissions.

Your home directory is your own domain, and you can do with that as you please, albeit that this may cause problems with regard to your desktop environment and applications. Your home directory itself can have 700 permissions if you feel this is more secure.

But when changing permissions, do bear in mind that -R means “recursive”. You do not want to give execute permission on every file in your home directory.

Only sideways related, I’ve written the following elaborate tutorial on permissions, and I recommend that you’d read it.

/boot would normally have a Linux-native filesystem on it, in which case the permissions are stored in the individual inodes of the files and directories. It is only necessary to specify permissions at mount time — and thus in /etc/fstab — for non-POSIX filesystems such as vfat and ntfs.

Of course, if the OP is using the EFI partition as /boot — some boot loaders require this — then the permissions on its contents must indeed be set at mount time.

But even then still, changing the permissions on the /boot directory itself should survive a reboot, and OP claims they do not, which leads me to believe that OP’s root filesystem is mounted read-only, and if that is the case, then the filesystem is most likely damaged — the kernel will automatically remount a damaged ext3/ext4 filesystem as read-only.

@Aragorn the OP was talking about permissions for “group” and “other” that are eliminated, that is something different as read-only

The OP also mentioned that the permissions didn’t survive a reboot even-though they were manually set at run-time , hence why it is (IMHO) related to mount options umask used at boot time

I personally prefer to use umask=0007,gid=sudo

edit: The above gives access to the main user without root’ing, but prevents it at same time for other users, because the main user is by default member of the sudo group…

So I went to see my /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a device; this may
# be used with UUID= as a more robust way to name devices that works even if
# disks are added and removed. See fstab(5).
#
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=55AA-B60D                            /boot          vfat    umask=0077 0 2
UUID=62fa3c67-883a-4cc0-828a-fd366728813e /              btrfs   subvol=/@,defaults,noatime,discard=async,compress=no,space_cache=v2,max_inline=256,commit=120 0 0
UUID=62fa3c67-883a-4cc0-828a-fd366728813e /var/cache     btrfs   subvol=/@cache,defaults,noatime,discard=async,compress=no,space_cache=v2,max_inline=256,commit=120 0 0
UUID=62fa3c67-883a-4cc0-828a-fd366728813e /var/log       btrfs   subvol=/@log,defaults,noatime,discard=async,compress=no,space_cache=v2,max_inline=256,commit=120 0 0
UUID=fd4fad24-0f44-4554-839a-aefb8ace7574 /home          btrfs   defaults,noatime,discard=async,compress=no,space_cache=v2,max_inline=256,commit=120 0 0

umask=0077 is not clear for me since chmod use (different?) numerical order, can you refer me to umask permission manual or any similar thing. thanks for the response.

I did. But you have to actually read it.

IIRC, umask is the reverse of chmod. So a umask of 077 is the equivalent of a chmod of 700

See: man umask

In short the bits that are set will be cleared from the actual permissions of the file/dir that is accessed…

• The only time the permissions on /boot — which is itself a directory entry in the root directory — do not survive a reboot is if your root filesystem is mounted read-only, which should never happen by default, but which can happen if the filesystem was uncleanly shut down and has errors. You should therefore fix those errors with fsck from a live USB/CD/DVD session.

in the /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a device; this may
# be used with UUID= as a more robust way to name devices that works even if
# disks are added and removed. See fstab(5).
#
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=55AA-B60D                            /boot          vfat    umask=0077 0 2

so the fsck is already enabled, no issues here, an /boot on a vfat, which has broken on me before so I always keep fsck on /boot to avoid such things, but I wonder why or how the /usr/share/polkit-1/rules.d/ changed/have been changed from the global Filesystem permission, to what is now? can packages change permission without asking or notifying user beforehand.
thanks for the response.

Is it safe?

I’m not sure, but in theory, I think that it can indeed happen, under certain circumstances — Arch-style packages are compressed .tar archives, which do store permission information — albeit that for most part, the filesystem package is what sets the permissions.

But bear in mind that you are on the Unstable branch, and it is called that for a reason.

Thanks alot, that was very helpful

Note however when using my umask=0007,gid=sudo, you probably need to change 2 files, else your kernel install will barf and error-out…
(I’m on Kubuntu at moment which needed it, so no idea if it is the same on Manjaro)

1. 85-initrd.install.diff

   --- /usr/lib/kernel/install.d/85-initrd.install	2022-10-11 18:51:25.000000000 +0300
   +++ 85-initrd.install	2022-12-15 15:36:55.745535970 +0300
   @@ -27,7 +27,7 @@
   
    if [ -e "$INITRD_SRC" ]; then
        [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "Installing '$INITRD_SRC' as '$INITRD_DEST'"
   -    install -m 0644 -o root -g root "$INITRD_SRC" "$INITRD_DEST" || {
   +    install -m 0644 -o root -p "$INITRD_SRC" "$INITRD_DEST" || {
            echo "Could not copy '$INITRD_SRC' to '$INITRD_DEST'." >&2
            exit 1
        }
   

2. 90-loaderentry.install.diff

   --- /usr/lib/kernel/install.d/90-loaderentry.install	2022-08-08 12:10:00.000000000 +0300
   +++ 90-loaderentry.install	2022-12-15 15:37:31.189304088 +0300
   @@ -99,7 +99,7 @@
        exit 1
    fi
   
   -install -g root -o root -m 0644 "$KERNEL_IMAGE" "$ENTRY_DIR_ABS/linux" || {
   +install -m 0644 -o root -p "$KERNEL_IMAGE" "$ENTRY_DIR_ABS/linux" || {
        echo "Error: could not copy '$KERNEL_IMAGE' to '$ENTRY_DIR_ABS/linux'." >&2
        exit 1
    }
   @@ -115,7 +115,7 @@
   
        initrd_basename="${initrd##*/}"
        [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "Installing $ENTRY_DIR_ABS/$initrd_basename"
   -    install -g root -o root -m 0644 "$initrd" "$ENTRY_DIR_ABS/$initrd_basename" || {
   +    install -m 0644 -o root -p "$initrd" "$ENTRY_DIR_ABS/$initrd_basename" || {
            echo "Error: could not copy '$initrd' to '$ENTRY_DIR_ABS/$initrd_basename'." >&2
            exit 1
        }
   

These patches are best applied by copying the originals into /etc/kernel/install.d first, so the modified versions will override the originals at call-time…

I see Owner:Root, Permissions:644 (Am I right?) for both kernel image and init, interesting indeed. I’ll see if I should change mounting permissions for / and /boot specifically to 700 just for uniformity. thanks for the insight.

Especially for the root dir / i would highly suggest to NOT do that

I mistakenly put it there thanks for noticing also meant 755 not 700

The 0644 means (rw-r--r--) which is proper for the files installed,

755 means (rwxr-xr-x) not sure if that is needed nor wanted, especially with the umask used at mount time…

Plus keep in mind that the umask says REMOVE these bits instead in contrary to the normal file permissions…

Thus if you use 755 as umask you will be left with only write bits, if they are available for the group and others, else nothing for no one…

I was looking for the equivalent of 755 in umask as not to lock necessary permission from showing correctly for booting processes, also -m is for umask correct?

wrong see the man page of that command

Will do, thanks alot