Solved FreeBSD 10.2 /var/empty permission

Hey guys,

I'm testing the new release 10.2 and noticed that /var/empty is now not read-only. Is this correct on this release?

Doing a manual install (no installer) on 10.1, all the places I have researched say to keep write permission only during the install and, after the system is installed, set it to read-only. Has this behaviour changed on the new release 10.2?
 
As far as I'm aware, /var/empty on a running system should always have read-only permissions set, as its sole use is to be an empty directory. From the hier(7) man page:
Code:
empty/         empty directory for use by programs that
               need a specifically empty directory. Used
               for instance by sshd(8) for privilege
               separation.

To my knowledge, this hasn't changed. Was your system installed using bsdinstall(8) as a generic install or manually?
 
To check this, I just did a generic install of FreeBSD 10.2-RELEASE in a VirtualBox VM and the permissions were set correctly (555).
Code:
# ls -ldo /var/empty
dr-xr-xr-x  2 root  wheel  uarch 2 Aug 12 10:06 /var/empty
What is the output of ls -ldo /var/empty on your system?
 
Mine is same:

Code:
# ls -ldo /var/empty
dr-xr-xr-x 2 root wheel uarch 3 Aug 20 16:09 /var/empty

Since there is no dataset for /var/empty on a default install (so I couldn't use zfs get all zroot/var/empty), I was testing using root (probably that was able to write to the folder because of the wheel group); my mistake then, so sorry.
 
Final question:

The documentation of sshd(8) says:

Code:
/var/empty
    chroot(2) directory used by sshd during privilege separation in
    the pre-authentication phase. The directory should not contain
    any files and must be owned by root and not group or world-writable.

Note:
[...] must be owned by root and not group or world-writable.

So is it correct for the wheel group to be set as the owner?
 
The permissions are correct. The root user is the owner of the /var/empty directory, not the wheel group. I can see how this could be confusing though. File owner and group permissions are 2 separate permissions. In case it's useful to you, take a look at this section of the FreeBSD Handbook for a good primer on UNIX permissions.
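As an added example (not part of the thread, and not FreeBSD's own tooling), the following POSIX sh script encodes the sshd(8) rule discussed above as a check: the directory must be owned by root, must not be group- or world-writable, and should contain no files. It works on the text of an ls -ld line, so it can be run against the output pasted in the thread as well as against a live directory; the ls -ldo lines from the thread are embedded as constructed samples, and the third and fourth sample lines are deliberately bad ones made up for contrast. The function names are this example's own.

```shell
#!/bin/sh
# Added example: validate a directory against the sshd(8) requirements for
# /var/empty. Owner is checked, the group is deliberately ignored, because
# ownership and group are separate things (the point made in the thread).

# check_empty_dir_line LINE
#   LINE is one line of `ls -ld` or `ls -ldo` output, for example:
#     dr-xr-xr-x  2 root  wheel  uarch 2 Aug 12 10:06 /var/empty
#   Field 1 is the mode string, field 3 the owner. Returns 0 when the entry
#   is a root-owned directory that is neither group- nor world-writable.
check_empty_dir_line() {
    line=$1
    set -- $line            # split on whitespace: $1=mode $2=links $3=owner
    mode=$1
    owner=$3
    case $mode in
        d*) ;;
        *)  echo "not a directory: $mode" >&2; return 1 ;;
    esac
    # In a mode string such as dr-xr-xr-x, character 6 is the group write
    # bit and character 9 the other (world) write bit.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "group- or world-writable: $mode" >&2
        return 1
    fi
    if [ "$owner" != "root" ]; then
        echo "not owned by root: $owner" >&2
        return 1
    fi
    return 0
}

# check_empty_dir DIR
#   Run the same check against a live directory and additionally confirm it
#   holds no entries, as the man page text requires.
check_empty_dir() {
    dir=$1
    check_empty_dir_line "$(ls -ld "$dir")" || return 1
    if [ -n "$(ls -A "$dir")" ]; then
        echo "directory is not empty: $dir" >&2
        return 1
    fi
    return 0
}

# Constructed sample input. The first two lines are the ones posted in the
# thread; the last two are made-up bad cases.
GOOD1='dr-xr-xr-x  2 root  wheel  uarch 2 Aug 12 10:06 /var/empty'
GOOD2='dr-xr-xr-x 2 root wheel uarch 3 Aug 20 16:09 /var/empty'
BAD_WRITABLE='drwxrwxr-x 2 root wheel uarch 2 Aug 20 16:09 /var/empty'
BAD_OWNER='dr-xr-xr-x 2 sshd wheel uarch 2 Aug 20 16:09 /var/empty'

# Usage: sh check_var_empty.sh --demo   (classify the sample lines)
#        sh check_var_empty.sh /var/empty   (check a live directory)
if [ "${1:-}" = "--demo" ]; then
    for l in "$GOOD1" "$GOOD2" "$BAD_WRITABLE" "$BAD_OWNER"; do
        if check_empty_dir_line "$l"; then echo "OK:   $l"; else echo "FAIL: $l"; fi
    done
elif [ -n "${1:-}" ]; then
    check_empty_dir "$1" && echo "OK: $1"
fi
```

On FreeBSD the mode string may carry a trailing + or @ when ACLs or extended attributes are present; the check only looks at characters 6 and 9, so that suffix does not affect it.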
 