FreeNAS 11.2 web interface down after messing with system dataset permissions

LQkkeN · Dec 25, 2019

After going through a vigorous process of SMB user permission management, I found myself with black screens in all my jail shells. I figured I must had reduced/broken iocage's permissions at some point during said quest, so I messed a bit about with the permissions of the dataset the jails are in. Incidentally, the system dataset is in the same dataset and then suddenly: white screen nginx 404

When the system boots, it first complains about the inability to mount a number of backups on another pool. I don't think that is related, but I figured I'd mention it. Those errors go like this: cannot mount '/mnt/*': failed to create mountpoint

Then it continues to obtain an IP and finally throws this: The web interface could not be accessed.

The VMs are running and I can SSH into it. The SMB shares are even running. Everything seems fine except the jails and nginx not serving the web interface.

I'm thinking I broke the permissions on some critical part of FreeNAS in charge of serving the web interface as well as running jails. Now I'm wondering how to restore those permissions. Is there perhaps some way to restore system dataset permissions to default? Any help is appreciated!

I'm running FreeNAS 11.2-STABLE.

LQkkeN · Dec 25, 2019

This guy seems to have done about the same as me: https://redmine.ixsystems.com/issues/79653#note-18

LQkkeN · Dec 25, 2019

I dug this out of /var/log/nginx/error.log: nginx: 2019/12/25 21:10:30 [crit] 3321#100506: *5 stat() "/usr/local/www/webui/" failed (13: Permission denied)

LQkkeN · Dec 25, 2019

My permissions are identical to what this guy posts is correct, though: https://www.ixsystems.com/community/threads/broke-web-gui.72379/#post-501140

Something else must be preventing nginx from accessing them. As if nginx lost privileges

LQkkeN · Dec 25, 2019

This guy writes

Nginx need to have +x access on all directories leading to the site's root directory.

Nginx: stat() failed (13: permission denied)

I am using the default config while adding the specific directory with nginx installed on my ubuntu 12.04 machine. server { #listen 80; ## listen for ipv4; this line is default and impl...

stackoverflow.com

My /usr/local/www directory had 770, which caused the error. I changed it to 755 and the web interface is back up.

LQkkeN · Dec 25, 2019

Back to the original issue of the jails not working. This is all I see when I shell into a newly created 11.2 jail:

From the FreeNAS shell I can execute iocage exec {jail} ls and it will give me a list of files as expected. So something is working.

LQkkeN · Dec 25, 2019

The /usr directory is empty.

LQkkeN · Dec 25, 2019

The /usr directory is empty.

I was a bit too fast there. The /usr/local directory is empty.

LQkkeN · Dec 25, 2019

I'm getting this from /var/logs/messages:

Code:

ec 25 18:54:36 test newsyslog[87529]: logfile first created
Dec 25 18:54:36 test syslogd: kernel boot file is /boot/kernel/kernel
Dec 25 18:54:45 test login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
Dec 25 18:54:45 test login: pam_start(): system error
Dec 25 18:59:57 test rtsold[87335]: <rtsock_input_ifannounce> interface epair0bremoved
Dec 25 18:59:57 test dhclient[87266]: connection closed
Dec 25 18:59:57 test dhclient[87266]: exiting.
Dec 25 18:59:57 test syslogd: exiting on signal 15
Dec 25 19:00:24 test syslogd: kernel boot file is /boot/kernel/kernel
Dec 25 19:00:28 test login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
Dec 25 19:00:28 test login: pam_start(): system error
Dec 25 19:03:57 test dhclient[88850]: connection closed
Dec 25 19:03:57 test dhclient[88850]: exiting.
Dec 25 19:03:57 test syslogd: exiting on signal 15
Dec 25 19:04:00 test syslogd: kernel boot file is /boot/kernel/kernel
Dec 25 19:04:04 test login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
Dec 25 19:04:04 test login: pam_start(): system error
Dec 25 19:06:12 test dhclient[90156]: connection closed
Dec 25 19:06:12 test dhclient[90156]: exiting.
Dec 25 19:06:12 test syslogd: exiting on signal 15
Dec 25 19:06:15 test syslogd: kernel boot file is /boot/kernel/kernel
Dec 25 19:06:18 test login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
Dec 25 19:06:18 test login: pam_start(): system error
Dec 25 19:07:45 test login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
Dec 25 19:07:45 test login: pam_start(): system error
Dec 25 19:11:56 test dhclient[91201]: connection closed
Dec 25 19:11:56 test dhclient[91201]: exiting.
Dec 25 19:11:56 test syslogd: exiting on signal 15
Dec 25 19:11:59 test syslogd: kernel boot file is /boot/kernel/kernel
Dec 25 19:11:59 test limits: _secure_path: /etc/login.conf is world writable
Dec 25 19:11:59 test limits: login_getclass: unknown class 'daemon'
Dec 25 19:11:59 test /usr/sbin/cron[93128]: _secure_path: /etc/login.conf is world writable
Dec 25 19:11:59 test /usr/sbin/cron[93128]: login_getclass: unknown class 'daemon'
Dec 25 19:11:59 test /usr/sbin/cron[93128]: _secure_path: /etc/login.conf is world writable
Dec 25 19:11:59 test /usr/sbin/cron[93128]: login_getclass: unknown class 'daemon'
Dec 25 19:11:59 test /usr/sbin/cron[93128]: _secure_path: /etc/login.conf is world writable
Dec 25 19:11:59 test /usr/sbin/cron[93128]: login_getclass: unknown class 'daemon'
Dec 25 19:11:59 test /usr/sbin/cron[93128]: _secure_path: /etc/login.conf is world writable
Dec 25 19:11:59 test /usr/sbin/cron[93128]: login_getclass: unknown class 'daemon'
Dec 25 19:11:59 test /usr/sbin/cron[93128]: _secure_path: /etc/login.conf is world writable
Dec 25 19:11:59 test /usr/sbin/cron[93128]: login_getclass: unknown class 'daemon'
Dec 25 19:11:59 test /usr/sbin/cron[93128]: _secure_path: /etc/login.conf is world writable
Dec 25 19:11:59 test /usr/sbin/cron[93128]: login_getclass: unknown class 'daemon'
Dec 25 19:11:59 test /usr/sbin/cron[93128]: _secure_path: /etc/login.conf is world writable
Dec 25 19:11:59 test /usr/sbin/cron[93128]: login_getclass: unknown class 'daemon'
Dec 25 19:12:02 test login: _secure_path: /etc/login.conf is world writable
Dec 25 19:12:02 test login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
Dec 25 19:12:02 test login: pam_start(): system error
Dec 25 19:18:24 test syslogd: exiting on signal 15
Dec 25 21:51:21 test syslogd: kernel boot file is /boot/kernel/kernel
Dec 25 21:51:24 test login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
Dec 25 21:51:24 test login: pam_start(): system error
Dec 25 21:51:56 test login: in openpam_check_desc_owner_perms(): /etc/pam.d/login: insecure ownership or permissions
Dec 25 21:51:56 test login: pam_start(): system error

LQkkeN · Dec 25, 2019

I was able to fix this by revoking group write access on the jail dataset.

Important Announcement for the TrueNAS Community.

FreeNAS 11.2 web interface down after messing with system dataset permissions

LQkkeN

Dabbler

LQkkeN

Dabbler

LQkkeN

Dabbler

LQkkeN

Dabbler

LQkkeN

Dabbler

Nginx: stat() failed (13: permission denied)

LQkkeN

Dabbler

LQkkeN

Dabbler

LQkkeN

Dabbler

LQkkeN

Dabbler

LQkkeN

Dabbler

Similar threads