I have been seeking a firewall to use in Manjaro and I decided to go with ufw with the instructions on Manjaro Wiki. I set it up. However, when I check the status with
# ufw status verbose
I end up receiving the warning below:
WARN: uid is 0 but ‘/usr’ is owned by 1001
I want to learn what this warning is about and how I could address this issue.
I am using ufw strictly on the command line because the GUI interface gufw is apparently not working in my Pinebook Pro Sway environment; I am guessing a Wayland compatibility problem.
I would appreciate if this warning would be explained to me and how this can be addressed.
I have been checking out alternatives and I realized there is firewalld, which I can install if the warning with ufw is serious.
That only looks like a warning to me. And generally, warnings are just kind of FYI, information, and if everything is working, then you don’t need to worry. Or that’s how I understand it, anyway.
However, upon further research, I came across this page that states:
I do not use Ubuntu on a Raspberry Pi but on Debian and on Raspbian the /lib directory has these modes:
rpi ~$ ls -ld /lib
drwxr-xr-x 11 root root 4096 Aug 7 22:34 /lib
Ubuntu is a Debian derivative like Raspbian so it should have the same modes. You can correct it with these commands:
Thank you for the detailed information. I am hesitant to try, but good to know it is something to do with permissions.
I am ok with trying firewalld but it seems a bit more detailed and giving other kinds of warnings/errors with a few missing packages when I check status with systemd status.
If the warning is correct, you will see something other than root root.
If you see 1001, it is owned by a user account which no longer exists.
If some combination of letters, that is the account name which owns the directory.
I do not see any user mention for root or another user; however, uid is showing up as 1001 indeed.
I do not want to modify the permissions of /usr on my own; I do not know which user account is associated with uid 1001 either. This is making me scratch my head.
I am tempted to switch to firewalld in this situation. The catch is that it is more detailed and I will need to install a few more packages that make systemd complain about them missing.
Now that you have confirmed the warning, you need to assess how deep the issue is.
$ ls -l /usr
drwxr-xr-x 1 root root 66578 Jun 6 07:26 bin
drwxr-xr-x 1 root root 18968 Jun 6 07:26 include
drwxr-xr-x 1 root root 127352 Jun 6 07:26 lib
drwxr-xr-x 1 root root 72 Sep 21 2020 local
lrwxrwxrwx 1 root root 3 Feb 25 08:29 sbin -> bin
drwxr-xr-x 1 root root 4232 Jun 5 21:54 share
drwxr-xr-x 1 root root 0 Mar 31 16:51 src
Again, looking for the owner and group root root.
If you see 1001 on these too, it is more than a warning, you have a real issue that must be fixed for proper operation and security.
drwxr-xr-x - root 6 Jun 6:40 bin
drwxr-xr-x - root 6 Jun 6:40 include
drwxr-xr-x - root 6 Jun 6:40 lib
drwxr-xr-x - 1001 16 May 23:07 local
lrwxrwxrwx 3 root 25 Feb 9:29 sbin → bin
drwxr-xr-x - 1001 30 May 22:44 share
drwxr-xr-x - root 25 Feb 9:29 src
The local and share directories have uid 1001 whereas the rest are root. Just for the record, I have not touched any system file permissions or groups.
What can I do in this situation? Would you suggest switching to another firewall?
Ah, fortunately the issue should be easy enough to fix. However, if you are not comfortable with issuing commands to alter the permissions, you should consider starting over with a fresh image.
This would be relevant to ufw only if that installation/configuration is what is changing the ownership, which is unlikely but possible.
Let me try to explain the significance of this issue.
If you install any package that creates the next in line account, 1001 is likely the next to be created, as your user account id is 1000. That account will now own /usr. That is a significant security issue.
Additionally, /usr/local/ and /usr/share are what they sound like. They contain files that other users will want/need access to; with improper ownership they may not be able to access them, and this is not dependent on a new user account being added. This issue exists for you now.
I should add, some applications/processes run as different user accounts; these are considered system accounts and are created when you install the software.
I have installed a few packages from AUR. Apart from this, I can assure you that I never used I installed any packages explicitly; of course being hacked is a possibility. As far as I remember (I am not sure on this), this warning was being issued in fresh installed Manjaro systems with XFCE and KDE.
I checked out the users in my system. There is a user named “nobody” with standard account type. I did not create this user. And I don’t see details, e.g. uid of the user in Manjaro Settings Manager.
Apart from the AUR packages, I currently have chromium-widevine on docker; maybe it is the problem.
As I have indicated, this warning was being issued to me after fresh installs with xfce and kde. I know this because setting up a firewall is generally one of the first actions I take after making a fresh install. So, there were not docker applications or AUR when I was getting the warning afaik.
Looks like some program got installed with the path of /usr/local & /usr/share and changed the permissions. Look in /etc/group and see if 1001 is there:
cat /etc/group | grep 1001
Also check in /usr/local/bin and see if there is a bin there with the id of 1001. /usr/local and its child directories usually have programs that you have installed yourself. Generally Arch package bins are installed in /usr/bin.
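The ownership checks suggested in the replies above, collected into one read-only script; this is an added example, not something posted in the thread. The function names audit_owner and uid_account are made up here, and it assumes find, stat -c and getent are available, as on a stock Manjaro install.

```shell
#!/bin/sh
# Added example: read-only ownership audit, nothing on disk is changed.
# audit_owner and uid_account are hypothetical names; needs find, stat -c, getent.

# uid_account UID: print the account name for UID, or "(no account)" when the
# uid resolves to nothing (an orphaned uid, like the 1001 seen in the thread).
uid_account() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    printf '%s\n' "${name:-(no account)}"
}

# audit_owner DIR [EXPECTED_UID] [MAXDEPTH]
# Print "uid<TAB>account<TAB>path" for DIR and each entry below it (to MAXDEPTH,
# default 1) that is not owned by EXPECTED_UID (default 0, i.e. root).
# Returns 0 if everything matches, 1 if something was flagged, 2 on bad input.
audit_owner() {
    dir=$1 want=${2:-0} depth=${3:-1}
    [ -d "$dir" ] || { echo "audit_owner: not a directory: $dir" >&2; return 2; }
    list=$(find "$dir" -maxdepth "$depth" ! -user "$want" \
               -exec stat -c '%u %n' {} + 2>/dev/null)
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | while read -r uid path; do
        printf '%s\t%s\t%s\n' "$uid" "$(uid_account "$uid")" "$path"
    done
    return 1
}

# Stand-alone use: sh audit.sh /usr 0 2
if [ $# -gt 0 ]; then
    audit_owner "$@"
fi
```

On an Arch-based system, `pacman -Qo PATH` names the package that owns a flagged path, which helps tell a packaging quirk from a manual change.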