getfacl: .: Invalid argument

Hello,

I've been using aide for quite some time without any problems as a way to detect tampering inside a jail, but lately I've been getting the following error:

Code:
(...)
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Pacific: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Samoa: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Indiana-Starke: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Arizona: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Aleutian: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Alaska: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Michigan: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Hawaii: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Eastern: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/East-Indiana: Invalid argument
WARNING: failed to get ACL of /usr/share/zoneinfo/US/Mountain: Invalid argument
(...)

This is what I get in the ACL:

Code:
~#  getfacl .
# file: .
# owner: root
# group: wheel
getfacl: .: Invalid argument

The ACL property of the share is set to posix:

Code:
zfs get all SSD/iocage/jails/nextcloud
NAME                        PROPERTY                VALUE                            SOURCE
(...)
SSD/iocage/jails/nextcloud  acltype                 posix                            inherited from SSD

Does anyone know how to solve this?
 
Code:
           posix     indicates POSIX ACLs should be used.  POSIX ACLs are
                     specific to Linux and are not functional on other
                     platforms.  POSIX ACLs are stored as an extended
                     attribute and therefore will not overwrite any existing
                     NFSv4 ACLs which may be set.
zfsprops(7)

It should be set to nfsv4

Code:
           nfsv4     default on FreeBSD, indicates that NFSv4-style ZFS ACLs
                     should be used.  These ACLs can be managed with the
                     getfacl(1) and setfacl(1).  The nfsv4 ZFS ACL type is not
                     yet supported on Linux.

Code:
root@maelcum:~ # zfs get acltype zroot
NAME       PROPERTY  VALUE     SOURCE
zroot      acltype   nfsv4     default
root@maelcum:~ # getfacl /usr/share/zoneinfo/US/Pacific
# file: /usr/share/zoneinfo/US/Pacific
# owner: root
# group: wheel
            owner@:r-----aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow
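
A way to find every dataset that carries the non-nfsv4 acltype discussed above, as an added example that is not part of the original thread. It reads the tab-separated output of `zfs get -H -r -t filesystem -o name,value,source acltype <pool>` and prints, without running them, the `zfs set` commands for the datasets where the value originates. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit ZFS acltype values on FreeBSD.
# Expected input, one dataset per line, tab-separated name/value/source:
#   zfs get -H -r -t filesystem -o name,value,source acltype <pool>

# audit_acltype: print "dataset <TAB> acltype <TAB> origin" for every dataset
# whose acltype is not nfsv4. "origin" is the dataset where the value is
# actually set, which is where a change has to be made.
audit_acltype() {
    awk -F '\t' '
        $2 != "nfsv4" {
            origin = $1                    # local or default: set on the dataset itself
            if ($3 ~ /^inherited from /)   # inherited: the fix belongs on the parent
                origin = substr($3, length("inherited from ") + 1)
            printf "%s\t%s\t%s\n", $1, $2, origin
        }'
}

# fix_commands: reduce the audit to its distinct origins and print (not run)
# one zfs set command per origin; inheriting children follow automatically.
fix_commands() {
    audit_acltype | cut -f3 | sort -u | while read -r ds; do
        printf 'zfs set acltype=nfsv4 %s\n' "$ds"
    done
}

# Constructed sample listing, modelled on the dataset names in the thread.
sample_listing() {
    printf 'SSD\tposix\tlocal\n'
    printf 'SSD/iocage\tposix\tinherited from SSD\n'
    printf 'SSD/iocage/jails/nextcloud\tposix\tinherited from SSD\n'
    printf 'zroot\tnfsv4\tdefault\n'
}

# Demo run on the constructed sample; on a real system pipe the zfs get
# output shown at the top into fix_commands instead.
sample_listing | fix_commands
```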
 
Thanks, I changed it to nfsv4 on all shares and that indeed solved the problem with the getfacl on / :

~ # getfacl .
# file: .
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow


However, I still get a warning on almost every file every time I run aide:
(...)
WARNING: failed to get ACL of /usr/local/bin/php-cgi: Invalid argument
(...)


Even when I'm able to retrieve the ACL:

~ # getfacl /usr/local/bin/php-cgi
# file: /usr/local/bin/php-cgi
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow

I doubt this is specific to aide..
 
One possibility is that the file that aide is looking at is not the same file that you are using getfacl on. Perhaps the error message above is a bit misleading, and that file name is relative to something, not absolute. I would consider that misleading error message to be a bug.

In any case, it looks like a bug in aide. Can you look at the source code of aide for where it prints that error message, and see what it did right before? And trace back (or print out) the arguments to whatever call it made that caused it to report an error message?
 
AIDE's port is configured to build --with-posix-acl.

ports/security/aide/Makefile
Code:
CONFIGURE_ARGS+=--with-mhash \
        --with-zlib \
        --with-posix-acl \
        --with-e2fsattrs \
        --with-config_file=${PREFIX}/etc/aide.conf

It might be worth trying to build from ports without this argument.

That might be the case indeed. However, AIDE was installed via pkg:

~# pkg info aide
aide-0.18.6_1
Name : aide
Version : 0.18.6_1
Installed on : Tue Apr 23 22:32:59 2024 CEST
Origin : security/aide
Architecture : FreeBSD:13:amd64
Prefix : /usr/local
Categories : security
Licenses :
Maintainer : cy@FreeBSD.org
WWW : https://aide.github.io/
Comment : File and directory integrity checker
Shared Libs required:
libpcre2-8.so.0
libmhash.so.2
libe2p.so.2
Annotations :
FreeBSD_version: 1302001
build_timestamp: 2024-04-02T12:48:46+0000
built_by : poudriere-git-3.4.1-1-g1e9f97d6
port_checkout_unclean: no
port_git_hash : 9357f7e015c
ports_top_checkout_unclean: no
ports_top_git_hash: fab29a8c7cb
repo_type : binary
repository : FreeBSD
Flat size : 216KiB
Description :
AIDE is Advanced Intrusion Detection Environment, a file and
directory integrity checker.

It creates a database from the regular expression rules that it finds
from the config file(s). Once this database is initialized it can be
used to verify the integrity of the files. It has several message
digest algorithms (see below) that are used to check the integrity of
the file. All of the usual file attributes can also be checked for
inconsistencies. It can read databases from older or newer versions.


Since the default ACL on FreeBSD is nfsv4, as SirDice just mentioned above, then what sense does it make to build it using posix, whose use is only recommended for Linux systems?

The dataset the jail is running in was using posix as ACL by default and AIDE still threw the same warning. I switched to nfsv4 following the suggestion above to see if the error message could be fixed, but the error is still there.
 
Since the default ACL on FreeBSD is nfsv4, as SirDice just mentioned above, then what sense does it make to build it using posix, whose use is only recommended for Linux systems?
Possibly for compatibility with UFS installations? Perhaps the current port maintainer cy@ can answer.

The dataset the jail is running in was using posix as ACL by default
UFS is by default ACL type "posix", ZFS by default "nfsv4". Where did that dataset get "posix" ACLs?


I did some testing:

UFS: aide official repository package installation, aide --init, no ACL warnings.

ZFS: aide official repository package installation, aide --init, for all files "WARNING: failed to get ACL of ..." are printed.

ZFS: aide installation from port --with-posix-acl removed, no ACL warnings.


Re-reading your opening post, you say
I've been using aide for quite some time without any problems [...] but lately I've been getting the following error:
Did the problems occur on the same or different file system?

Is the AIDE version the same or different?
 
Thank you for taking the time to help T-Daemon

UFS is by default ACL type "posix", ZFS by default "nfsv4". Where did that dataset get "posix" ACLs?
I'm using TrueNAS Core; from what I gather this is the default ACL. I didn't realize this was the case until now.

Did the problems occur on the same or different file system?

Is the AIDE version the same or different?

It happened on the same file system in the same share, the only thing that might have changed is the AIDE version, which is updated from time to time.

I'm relatively new to FreeBSD, I'll have to check how to create an install version of AIDE and run it via the port instead of the pkg system. I'll try that, maybe that solves it, but I did not change anything beyond the version of AIDE and this did not occur before, could it be that this was changed with the latest update from TrueNAS, not sure.
 
Well, ports are a no-go for TrueNAS Core:


root@nextcloud:/usr/ports/security/aide # make
/!\ ERROR: /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.

*** Error code 1

Stop.
make: stopped in /usr/ports/security/aide

I guess I'm back to square one.
 
I guess I'm back to square one.

Not really. The error message tells how to proceed.
Code:
/usr/ports/security/aide # make install clean -DALLOW_UNSUPPORTED_SYSTEM

Well, ports are a no-go for TrueNAS Core:

Normally we don't support TrueNAS here in FreeBSD forums.
 
Not really. The error message tells how to proceed.
Code:
/usr/ports/security/aide # make install clean -DALLOW_UNSUPPORTED_SYSTEM
I was a bit unsure to run it given the message, but went ahead after your post.
Compiled AIDE without the option set to the posix acl and now it works without any errors :) The trick now will be to keep this version up to date as it is no longer maintained by pkg. I also deleted the ports collection as I have no other use for it atm, I hope this is a somewhat wise decision.

Normally we don't support TrueNAS here in FreeBSD forums.

To be honest, I was aware of that, but that didn't stop you from giving me a helping hand, which I really appreciate.

I think at some point I will have to start thinking about migrating from TrueNAS Core to a vanilla FreeBSD, as the base system is currently outdated and will soon be unsupported. I just don't dare use ZFS with Linux. The problem is that the graphical interface makes perfect sense for NAS and it's hard to just let it go.
Decisions...

Thanks once again for all the help!
 
By the way,
UFS is by default ACL type "posix", ZFS by default "nfsv4".

ZFS can manage only "nfsv4" ACLs ("posix" not functional), UFS on the other hand can handle both:

"nfsv4" ACLs can be enabled on UFS as a file system parameter by tunefs(8):
Code:
    -N enable | disable
             Turn on/off the administrative NFSv4 ACL enable flag.

or as a mount(8) argument:
Code:
            nfsv4acls
                     Enable NFSv4 ACLs, which can be customized via the
                     setfacl(1) and getfacl(1) commands.  This flag is
                     mutually exclusive with acls flag.
 