# /var/empty created with wrong permissions

## grant123

One of my systems is wiped on reboot and starts out with no /var/empty so it is created automatically.  The problem is it's created with group write permission and sshd won't start until I remove that.  Can I tell the system to create /var/empty with the correct permissions?

----------

## khayyam

 *grant123 wrote:*   

> One of my systems is wiped on reboot and starts out with no /var/empty so it is created automatically.  The problem is it's created with group write permission and sshd won't start until I remove that.  Can I tell the system to create /var/empty with the correct permissions?

 

grant123 ... that directory is provided by net-misc/openssh:

```
% equery belongs -e /var/empty
 * Searching for /var/empty ...
net-misc/openssh-7.7_p1-r6 (/var/empty)

% equery belongs -e /var/empty/.keep_net-misc_openssh-0
 * Searching for /var/empty/.keep_net-misc_openssh-0 ...
net-misc/openssh-7.7_p1-r6 (/var/empty/.keep_net-misc_openssh-0)
```

... so, you/I should probably ask: what's "wiping" it, and why?

best ... khay

----------

## Anon-E-moose

you could modify the init.d script but khayyam is correct, it shouldn't be being deleted

```
ls -la /var/empty
total 0
drwxr-xr-x 1 root root  48 Jun 27 04:15 .
drwxr-xr-x 1 root root 140 Oct 22  2015 ..
-rw-r--r-- 1 root root   0 Jun 27 04:15 .keep_net-misc_openssh-0
```

both the directory and the .keep* file are put there by openssh

----------

## grant123

Hi Khay, my script is wiping it along with everything else I found that could handle being wiped so the system starts as clean as possible.  So basically openssh is creating the directory when it is missing but it's creating it with the wrong permissions.

----------

## Jaglover

So let your script wipe the contents of /var/empty, not the directory itself.

----------

## grant123

That would definitely work but I'm trying to get the freshest start I can.  Shouldn't ssh know how to create the dir properly?

FWIW the dir was either created properly or ssh would start after creating it improperly in 7.5 but now not in 7.7.

----------

## Anon-E-moose

You shouldn't be deleting directories just because they're empty. 

And any directory that has a .keep* file is there for a reason, it usually means that directory NEEDS to stay there.

----------

## grant123

Won't a new ssh user be hit with this the first time they install openssh?

----------

## John R. Graham

```
secmt-service01 ~ # equery files openssh | grep empty
/var/empty
/var/empty/.keep_net-misc_openssh-0
```

Nope.

- John

----------

## Anon-E-moose

 *grant123 wrote:*   

> Won't a new ssh user be hit with this the first time they install openssh?

 

"emerge openssh" installs /var if it doesn't exist, /var/empty if it doesn't exist, and then the .keep* file.

----------

## grant123

Ok, so openssh installation does it right but sshd execution does it wrong.

----------

## John R. Graham

Well mine doesn't exhibit this issue, so you've probably not found the root cause of what's cleaning up that directory. The proximate cause of the bad permissions appears to be in the sshd init script on this line:

```
checkpath --directory "${RC_PREFIX%/}/var/empty"
```

Change this to

```
checkpath --directory --mode 0755 "${RC_PREFIX%/}/var/empty"
```

and report results, please.

Although this probably works, I'm not convinced that it's the right thing to do. An init script shouldn't be required to recover from all (or maybe even any) package installation damage. Then again, it does undertake to create the directory if it's not there, so it should probably do it right.

- John
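
The check that trips here can be reproduced outside sshd. The script below is an added example, not part of the original thread or of the openssh init script: it tests a directory the way sshd tests its privilege separation directory at startup (must exist, be owned by root, and not be group- or world-writable) and shows a create-and-force-mode helper comparable to the `checkpath --mode 0755` change. The function names and the optional owner-uid argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or the openssh package).
# sshd refuses to start unless its privilege separation directory exists,
# is owned by root, and is not group- or world-writable.

# check_privsep_dir DIR [OWNER_UID]
# OWNER_UID defaults to 0 (root); the parameter is an assumption of this
# example so the check can be exercised on a scratch directory.
check_privsep_dir() {
    psd_dir=$1
    psd_want=${2:-0}
    if [ ! -d "$psd_dir" ]; then
        echo "$psd_dir: missing or not a directory"
        return 1
    fi
    # GNU stat: %u = owner uid, %a = octal permission bits
    psd_info=$(stat -c '%u %a' "$psd_dir") || return 1
    psd_uid=${psd_info% *}
    psd_mode=${psd_info#* }
    if [ "$psd_uid" -ne "$psd_want" ]; then
        echo "$psd_dir: owned by uid $psd_uid, expected $psd_want"
        return 1
    fi
    # 022 = group-write (020) | other-write (002)
    if [ $(( 0$psd_mode & 022 )) -ne 0 ]; then
        echo "$psd_dir: mode $psd_mode is group- or world-writable"
        return 1
    fi
    echo "$psd_dir: ok (uid $psd_uid, mode $psd_mode)"
}

# ensure_privsep_dir DIR
# Comparable to `checkpath --directory --mode 0755 DIR`: create if absent,
# then force the mode so the result does not depend on the caller's umask.
ensure_privsep_dir() {
    mkdir -p "$1" && chmod 0755 "$1"
}

# Stand-alone use: ./script /var/empty
if [ "$#" -gt 0 ]; then
    check_privsep_dir "$@"
fi
```

Running the check against `/var/empty` before starting sshd reports which of the three conditions fails instead of leaving the service down.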

----------

## Anon-E-moose

 *John R. Graham wrote:*   

> Well mine doesn't exhibit this issue, so you've probably not found the root cause of what's cleaning up that directory. The proximate cause of the bad permissions appears to be in the sshd init script on this line:
> 
> ```
> checkpath --directory "${RC_PREFIX%/}/var/empty"
> ```
> ...

 

It probably should have always had the mode option,  BUT most people don't run around deleting directories they're not supposed to so "the problem" hasn't shown up before.

----------

## John R. Graham

Concur.

- John

----------

## grant123

Yep that initscript mode fixes it.

----------

## Anon-E-moose

 *grant123 wrote:*   

> Yep that initscript mode fixes it.

 

The next time you update openssh, the fix won't be there any more, you'll have to re-add it.

The proper thing to do was mentioned earlier, delete the files in the directory, but leave the directory alone.

----------

## grant123

I realize that but I agree with John:

 *Quote:*   

> Then again, it does undertake to create the directory if it's not there, so it should probably do it right.

 

----------

## John R. Graham

So... going to earn some Gentoo Bugzilla cred?   :Wink: 

- John

----------

## grant123

https://bugs.gentoo.org/664192

----------

## John R. Graham

Excellent! By the way, here are a few Bugzilla netiquette pointers. It's nice to:

1. Confirm which in-tree versions are affected by the issue.
2. Describe the step-by-step method to reproduce the bug.
3. Report actual error messages.
4. Confirm which actual file(s) in the build needs to be patched.
5. Provide a patch file.

None of these are absolutely necessary (although #1 - #3 are highly recommended) but their inclusion may get your bug quicker attention.

- John

----------

## John R. Graham

Well, that was fast. The fix is already in-tree and stable.

- John

----------

## grant123

Yeah I figured it was because this was a potential lock-out situation.  But only if you're crazy enough to delete /var/empty/.

----------

