Ufw firewall warning

Hi there,

I have been seeking a firewall to use in Manjaro and I decided to go with ufw with the instructions on Manjaro Wiki. I set it up. However, when I check the status with

# ufw status verbose

I end up receiving the warning below:

WARN: uid is 0 but ‘/usr’ is owned by 1001

I want to learn what this warning is about and how I could address this issue.

I am using ufw strictly in command line because the gui interface gufw apparently not working on my pinebook pro sway environment; I am guessing a wayland compatibility problem.

I would appreciate if this warning would be explained to me and how this can be addressed.

I have been checking out alternatives and I realized there is firewalld, which I can install if the warning with ufw is serious.

Hi @pines,

That only looks like a warning to me. And generally, warning are just kind of FYI, information, and if everything is working, then you don’t need to worry. Or that’s how I understand it, anyway.

However, upon further research, I came across this page that states:

I do not use Ubuntu on a Raspberry Pi but on Debian and on Raspbian the /lib directory has this modes:

rpi ~$ ls -ld /lib
drwxr-xr-x 11 root root 4096 Aug  7 22:34 /lib

Ubuntu is a Debian derivate like Raspbian so it should have the same modes. You can correct it with this commands:

rpi ~$ sudo chmod 755 /lib
rpi ~$ sudo chown root:root /lib

I know this isn’t Ubuntu or Debian, but maybe it points you in the right direction.

I hope this helps some!

Thank you for the detailed information. I am hesitant to try, but good to know it is something to do with permissions.

I am ok with trying firewalld but it seems a bit more detailed and giving other kinds of warnings/errors with a few missing packages when I check status with systemd status.

The first thing to do is confirm this warning.

$ ls -dl /usr

drwxr-xr-x 1 root root 64 Jun  6 07:26 /usr

If the warning is correct, you will see something other than root root.

If you see 1001, it is owned by a user account which no longer exists.
If some combination of letters, that is the account name which owns the directory.

This is something that needs to be fixed.

Ok, I issue the command and the output is below:

drwxr-xr-x - 1001 6 Jun 6:41 /usr

I do not see any user mention for root or another user; however, uid is showing up as 1001 indeed.

I do not want to modify the permissions of /usr on my own; I do not know which user account is associated with uid 1001 either. This is making me scratch my head.

I am tempting to switch to firewalld in this situation. The catch is that it is more detailed and I will need to install a few more packages that makes systemd complain about them missing.

Now that you have confirmed the warning, you need to assess how deep the issue.

$ ls -l /usr

drwxr-xr-x 1 root root  66578 Jun  6 07:26 bin
drwxr-xr-x 1 root root  18968 Jun  6 07:26 include
drwxr-xr-x 1 root root 127352 Jun  6 07:26 lib
drwxr-xr-x 1 root root     72 Sep 21  2020 local
lrwxrwxrwx 1 root root      3 Feb 25 08:29 sbin -> bin
drwxr-xr-x 1 root root   4232 Jun  5 21:54 share
drwxr-xr-x 1 root root      0 Mar 31 16:51 src

Again, looking for the owner and group root root.
If you see 1001 on these too, it is more than a warning, you have a real issue that must be fixed for proper operation and security.

The output is of ls is below:

drwxr-xr-x - root 6 Jun 6:40  bin
drwxr-xr-x - root 6 Jun 6:40  include
drwxr-xr-x - root 6 Jun 6:40  lib
drwxr-xr-x - 1001 16 May 23:07  local
lrwxrwxrwx 3 root 25 Feb 9:29  sbin → bin
drwxr-xr-x - 1001 30 May 22:44  share
drwxr-xr-x - root 25 Feb 9:29  src

The local and share directories have uid 1001 whereas the rest are root. Just for the records, I have not touched on any system files permissions or groups.

What can I do in this situation? Would you suggest switching to another firewall?

Ah, fortunately the issue should be easy enough to fix. However, if you are not comfortable with issuing commands to alter the permissions, you should consider starting over with a fresh image.

Likelihood is that the new image comes with the same permission scheme. So, I don’t understand how a new image can fix it?

I am somewhat familiar with command line. However, I do not want to change the permissions without knowing it won’t break anything else.

The file ownership is wrong, something changed them. A fresh image will not have 1001 as the owner and group for these directories.

This is not the first time I am seeing this warning in Manjaro. I installed ufw in both xfce and kde in the past. I saw the same warning from ufw.

Would you recommend changing the firewall to firewalld? Or is this more of a file permission problem and not relevant to the firewall?

This would be relevant to ufw only if that installation/configuration is what is changing the ownership, which is unlikely but possible.

Let me try to explain the significance of this issue.

If you install any package that creates the next in line account, 1001 is likely the next to be created, as your user account id 1000. That account will now own /usr. That is a significant security issue.
Additionally, /usr/local/ and /usr/share are what they sound like. They contain files that other users will want/need access to, with improper ownership they may not be able to access them and this is not dependent on an new user account being added. This issue exists for you now.

I should add, some applications/process run as different user accounts, these are considered system accounts and are created when you install the software.

Hmm I see.

I have installed a few packages from AUR. Apart from this, I can assure you that I never used I installed any packages explicitly; of course being hacked is a possibility. As far as I remember (I am not sure on this), this warning was being issued in fresh installed Manjaro systems with XFCE and KDE.

I checked out the users in my system. There is a user named “nobody” with standard account type. I did not create this user. And I don’t see details, e.g. uid of the user in Manjaro Settings Manager.

I have a backup os already installed, albeit not manjaro. Would you recommend switching to that at this stage?

Apart from the Aur packages, I currently have chromium-widevine on docker; maybe it is the problem.

As I have indicated, this warning was being issued to me after fresh installs with xfce and kde. I know this because setting up a firewall is generally one of the first actions I take after making a fresh install. So, there were not docker applications or AUR when I was getting the warning afaik.

ufw should be run as root:

[ray@pi4 ~]$ ufw status verbose
ERROR: You need to be root to run this script

Are you able to run it with out the sudo command? If so what is the output of the id command? Mine:

uid=1000(ray) gid=1000(ray) groups=1000(ray),3(sys),90(network),98(power),985(users),986(video),988(storage),991(lp),993(input),995(audio),998(wheel)

I can’t issue the command without sudo. So, I issue

$ sudo ufw status verbose

as user and I have the warning

WARN: uid is 0 but ‘/usr’ is owned by 1001

The output of the id command:

uid=1000(ssahin) gid=1000(ssahin) groups=1000(ssahin),3(sys),90(network),98(power),984(users),985(video),987(storage),991(lp),993(input),995(audio),998(wheel)

Looks like some program got installed with the path of /usr/local & /usr/share and changed the permissions. Look in /etc/group and see if 1001 is there:

cat /etc/group | grep 1001

Also check in /usr/local/bin and see if there is a bin there with the id of 1001. /usr/local and it’s child directories usually has programs that you have installed yourself. Generally arch package bin’s are installed in /usr/bin.

ls -la /usr/local/bin


cat /etc/group | grep 1001

brings me nothing. As a matter of fact:

cd /etc/group


bash: cd: /etc/group: Not a directory

However, checking out

ls -al /usr/local/bin

gives me

Permissions Size User Date Modified Name
drwxr-xr-x - 1001 16 May 23:07  .
drwxr-xr-x - 1001 16 May 23:07  …
.rwxr-xr-x 4.5k 1001 16 May 23:07  install_chromium_widevine.sh
.rwxr-xr-x 1.9k 1001 16 May 23:07  launch_chromium_widevine.sh

These shell scripts come with a default Manjaro Sway Edition installaion. What is happening here?