starred/hardening
1
0
Fork 0
mirror of https://github.com/konstruktoid/hardening.git synced 2026-04-27 09:45:54 +03:00
Code Issues 6 Projects Releases 4 Packages Wiki Activity

[GH-ISSUE #11] do_md(): open() for /var/lib/lxcfs/cgroup/* failed: Permission denied #5

New issue
Closed
opened 2026-03-03 13:58:14 +03:00 by kerem · 10 comments
kerem commented 2026-03-03 13:58:14 +03:00
Owner
Copy link

Originally created by @rmurillo21 on GitHub (Sep 12, 2017).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/11

do_md(): open() for /var/lib/lxcfs/cgroup/blkio/blkio.reset_stats failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/blkio/init.scope/blkio.reset_stats failed: Permission denied
...
I got a slew of these while running the script

Any suggestions?

Originally created by @rmurillo21 on GitHub (Sep 12, 2017). Original GitHub issue: https://github.com/konstruktoid/hardening/issues/11 do_md(): open() for /var/lib/lxcfs/cgroup/blkio/blkio.reset_stats failed: Permission denied do_md(): open() for /var/lib/lxcfs/cgroup/blkio/init.scope/blkio.reset_stats failed: Permission denied ... I got a slew of these while running the script Any suggestions?
kerem closed this issue 2026-03-03 13:58:14 +03:00
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@konstruktoid commented on GitHub (Sep 13, 2017):

Yeah, it's ugly but actually correct since aide or root don't have permissions to read the files.

--w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/devices/system.slice/virtualbox-guest-utils.service/devices.deny
--w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/devices/user.slice/devices.allow
--w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/devices/user.slice/devices.deny
--w--w--w- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/cgroup.event_control
--w--w--w- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/init.scope/cgroup.event_control
--w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/init.scope/memory.force_empty
---------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/init.scope/memory.pressure_level
--w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/memory.force_empty
---------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/memory.pressure_level
--w--w--w- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control
--w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/memory.force_empty
---------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/memory.pressure_level
--w--w--w- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/system.slice/acct.service/cgroup.event_control
<!-- gh-comment-id:329094487 --> @konstruktoid commented on GitHub (Sep 13, 2017): Yeah, it's ugly but actually correct since `aide` or `root` don't have permissions to read the files. ``` --w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/devices/system.slice/virtualbox-guest-utils.service/devices.deny --w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/devices/user.slice/devices.allow --w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/devices/user.slice/devices.deny --w--w--w- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/cgroup.event_control --w--w--w- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/init.scope/cgroup.event_control --w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/init.scope/memory.force_empty ---------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/init.scope/memory.pressure_level --w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/memory.force_empty ---------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/memory.pressure_level --w--w--w- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/cgroup.event_control --w------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/memory.force_empty ---------- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/system.slice/accounts-daemon.service/memory.pressure_level --w--w--w- 1 root root 0 Sep 13 08:18 /var/lib/lxcfs/cgroup/memory/system.slice/acct.service/cgroup.event_control ```
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@rmurillo21 commented on GitHub (Sep 14, 2017):

Thanks. Can you clarify? If the files cannot be changed due to permission, why does the hardening script attempt to change them?

<!-- gh-comment-id:329476455 --> @rmurillo21 commented on GitHub (Sep 14, 2017): Thanks. Can you clarify? If the files cannot be changed due to permission, why does the hardening script attempt to change them?
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@konstruktoid commented on GitHub (Sep 14, 2017):

Ah, the script doesn't try to change them, it's Aide (http://aide.sourceforge.net/) trying to index and create a checksum of the files.

<!-- gh-comment-id:329480365 --> @konstruktoid commented on GitHub (Sep 14, 2017): Ah, the script doesn't try to change them, it's Aide (http://aide.sourceforge.net/) trying to index and create a checksum of the files.
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@rmurillo21 commented on GitHub (Sep 14, 2017):

Yes I understand thanks. Seem like the aide configuration should set the permissions, so that it could then read and checksum the file. As it stands, the script produces an error, and the files are not being tracked by aide.

<!-- gh-comment-id:329576846 --> @rmurillo21 commented on GitHub (Sep 14, 2017): Yes I understand thanks. Seem like the aide configuration should set the permissions, so that it could then read and checksum the file. As it stands, the script produces an error, and the files are not being tracked by aide.
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@konstruktoid commented on GitHub (Sep 15, 2017):

aide shouldn't change permissions or modify the files in any way, its purpose is to take a checksum snapshot of a system and the lxc files has the correct permissions. There was some issues earlier but that's fixed, see https://github.com/lxc/lxcfs/pull/150.

Since it's fuse and changes constantly if containers are used, I've excluded the directory and Dockers similar /var/lib/docker, see github.com/konstruktoid/hardening@761ba2758a (diff-eb5e2ae3d).

<!-- gh-comment-id:329749850 --> @konstruktoid commented on GitHub (Sep 15, 2017): aide shouldn't change permissions or modify the files in any way, its purpose is to take a checksum snapshot of a system and the lxc files has the correct permissions. There was some issues earlier but that's fixed, see https://github.com/lxc/lxcfs/pull/150. Since it's fuse and changes constantly if containers are used, I've excluded the directory and Dockers similar /var/lib/docker, see https://github.com/konstruktoid/hardening/commit/761ba2758a39327afabc7ac1d365f26357c75bd9#diff-eb5e2ae3d9d1596c0cbe5ff57f414f85.
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@rmurillo21 commented on GitHub (Sep 25, 2017):

As a work around, could the script itself can set those to 444 to avoid the error and get actual checksums generated? Not aide, but the hardening script.

<!-- gh-comment-id:331938685 --> @rmurillo21 commented on GitHub (Sep 25, 2017): As a work around, could the script itself can set those to 444 to avoid the error and get actual checksums generated? Not aide, but the hardening script.
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@konstruktoid commented on GitHub (Sep 26, 2017):

But that would actually be the wrong permissions.

<!-- gh-comment-id:332138336 --> @konstruktoid commented on GitHub (Sep 26, 2017): But that would actually be the wrong permissions.
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@rmurillo21 commented on GitHub (Sep 26, 2017):

ok sure - I am not certain what the correct set is, but given the correct permission set, should the script itself do the above? Seems a better result, and the files are then protected. OR is the error result better in some way? Just wondering.

<!-- gh-comment-id:332253707 --> @rmurillo21 commented on GitHub (Sep 26, 2017): ok sure - I am not certain what the correct set is, but given the correct permission set, should the script itself do the above? Seems a better result, and the files are then protected. OR is the error result better in some way? Just wondering.
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@konstruktoid commented on GitHub (Sep 27, 2017):

Since aide will try to checksum a constantly changing filesystem, this would generate unnecessary work when verifying.

<!-- gh-comment-id:332448007 --> @konstruktoid commented on GitHub (Sep 27, 2017): Since `aide` will try to checksum a constantly changing filesystem, this would generate unnecessary work when verifying.
kerem commented 2026-03-03 13:58:15 +03:00
Author
Owner
Copy link

@konstruktoid commented on GitHub (Oct 31, 2017):

Closing due to inactivity.

<!-- gh-comment-id:340707508 --> @konstruktoid commented on GitHub (Oct 31, 2017): Closing due to inactivity.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/github_actions/pozil/auto-assign-issue-3.0.0
renovate/github-codeql-action-4.x
v2.2.0
v2.1.0
v2.0.0
v1.0.0
v1.0
Labels
Clear labels   
Stale

   
bug

   
bug

   
bug

   
pull-request

Mirrored from GitHub Pull Request

No labels
Stale
bug
bug
bug
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hardening#5
No description provided.