* [pve-devel] [PATCH manager] d/tmpfiles: fix permission regression for /run/pve directory
From: Fiona Ebner @ 2025-08-05 10:03 UTC (permalink / raw)
  To: pve-devel

There is a regression regarding the permission for the /run/pve
directory. In Proxmox VE 8, the directory had root:root 0755
permissions, being auto-created as the lxc-syscalld runtime directory.
In Proxmox VE 9, the permissions were restricted to root:root 0750,
but this leads to an issue with remote migration, when pveproxy tries
to access the mtunnel socket:

pveproxy[2484]: connect to 'unix/:/run/pve/ct-112.mtunnel' failed: Permission denied

Relax the permissions again by allowing the www-data group
read-access, so that pveproxy can access the socket.

This aligns the permissions with what /run/pve-cluster has.

Reported-by: Hannes Laimer <h.laimer@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 debian/tmpfiles | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/tmpfiles b/debian/tmpfiles
index 98b8fb96..1263300f 100644
--- a/debian/tmpfiles
+++ b/debian/tmpfiles
@@ -1,2 +1,2 @@
-#Type Path     Mode User Group Age Argument
-d     /run/pve 0750 root root  -   -
+#Type Path     Mode User Group     Age Argument
+d     /run/pve 0750 root www-data  -   -
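
Review bot: on the added `d /run/pve 0750 root www-data` line, mode 0750 gives the www-data group both read and search (r-x) on the directory, while the commit message only mentions read-access; what the failing connect to /run/pve/ct-112.mtunnel needs from the directory is the search bit. If nothing running with the www-data group has to list /run/pve, 0710 would allow traversal without exposing the socket names. If 0750 is kept for parity with /run/pve-cluster, the message should say that search permission is the part that matters.
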
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
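
The three /run/pve states described in the message above, evaluated with the POSIX owner/group/other class rule, as an added example (not code from pve-manager or from anyone in this thread). It assumes pveproxy runs as user www-data whose only group is www-data; the helper names are hypothetical and the 0755 line is a constructed stand-in for the Proxmox VE 8 state.

```sh
#!/bin/sh
# Added example: which permission class decides directory search (x) access.
# Not modeled: root's capability override, ACLs, and the socket file's own mode.

# search_class MODE OWNER GROUP USER "GROUPS..."
# Prints the POSIX class that applies; returns 0 if that class has the x bit.
search_class() {
    bits=$((0$1)); owner=$2; group=$3; user=$4; ugroups=$5
    if [ "$user" = "$owner" ]; then
        echo owner; x=$(( (bits >> 6) & 1 ))
    else
        class=other; x=$(( bits & 1 ))
        for g in $ugroups; do
            if [ "$g" = "$group" ]; then
                class=group; x=$(( (bits >> 3) & 1 ))
                break
            fi
        done
        echo "$class"
    fi
    [ "$x" -eq 1 ]
}

# check_line "<tmpfiles.d line>" USER "GROUPS..."
# Parses Type Path Mode User Group and prints allow:<class> or deny:<class>.
check_line() {
    read -r type path mode owner group _rest <<EOF
$1
EOF
    if [ "$type" != "d" ]; then echo skip; return 0; fi
    if class=$(search_class "$mode" "$owner" "$group" "$2" "$3"); then
        echo "allow:$class"
    else
        echo "deny:$class"
    fi
}

# Constructed sample lines in tmpfiles.d column order.
while IFS= read -r l; do
    printf '%-36s -> %s\n' "$l" "$(check_line "$l" www-data "www-data")"
done <<'EOF'
d /run/pve 0755 root root - -
d /run/pve 0750 root root - -
d /run/pve 0750 root www-data - -
EOF
```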



* Re: [pve-devel] [PATCH manager] d/tmpfiles: fix permission regression for /run/pve directory
From: Hannes Laimer @ 2025-08-05 10:10 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fiona Ebner

gave this a quick spin and it did solve the problem, therefore:

Tested-by: Hannes Laimer <h.laimer@proxmox.com>

On 05.08.25 12:05, Fiona Ebner wrote:
> There is a regression regarding the permission for the /run/pve
> directory. In Proxmox VE 8, the directory had root:root 0755
> permissions, being auto-created as the lxc-syscalld runtime directory.
> In Proxmox VE 9, the permissions were restricted to root:root 0750,
> but this leads to an issue with remote migration, when pveproxy tries
> to access the mtunnel socket:
> 
> pveproxy[2484]: connect to 'unix/:/run/pve/ct-112.mtunnel' failed: Permission denied
> 
> Relax the permissions again by allowing the www-data group
> read-access, so that pveproxy can access the socket.
> 
> This aligns the permissions with what /run/pve-cluster has.
> 
> Reported-by: Hannes Laimer <h.laimer@proxmox.com>
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>   debian/tmpfiles | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/debian/tmpfiles b/debian/tmpfiles
> index 98b8fb96..1263300f 100644
> --- a/debian/tmpfiles
> +++ b/debian/tmpfiles
> @@ -1,2 +1,2 @@
> -#Type Path     Mode User Group Age Argument
> -d     /run/pve 0750 root root  -   -
> +#Type Path     Mode User Group     Age Argument
> +d     /run/pve 0750 root www-data  -   -




* Re: [pve-devel] [PATCH manager] d/tmpfiles: fix permission regression for /run/pve directory
From: Fabian Grünbichler @ 2025-08-05 10:20 UTC (permalink / raw)
  To: Fiona Ebner, pve-devel

Quoting Fiona Ebner (2025-08-05 12:03:24)
> There is a regression regarding the permission for the /run/pve
> directory. In Proxmox VE 8, the directory had root:root 0755
> permissions, being auto-created as the lxc-syscalld runtime directory.
> In Proxmox VE 9, the permissions were restricted to root:root 0750,
> but this leads to an issue with remote migration, when pveproxy tries
> to access the mtunnel socket:
> 
> pveproxy[2484]: connect to 'unix/:/run/pve/ct-112.mtunnel' failed: Permission denied
> 
> Relax the permissions again by allowing the www-data group
> read-access, so that pveproxy can access the socket.
> 
> This aligns the permissions with what /run/pve-cluster has.
> 
> Reported-by: Hannes Laimer <h.laimer@proxmox.com>
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>  debian/tmpfiles | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/debian/tmpfiles b/debian/tmpfiles
> index 98b8fb96..1263300f 100644
> --- a/debian/tmpfiles
> +++ b/debian/tmpfiles
> @@ -1,2 +1,2 @@
> -#Type Path     Mode User Group Age Argument
> -d     /run/pve 0750 root root  -   -
> +#Type Path     Mode User Group     Age Argument
> +d     /run/pve 0750 root www-data  -   -
> -- 
> 2.47.2

the change itself LGTM, but note that pve-manager is lacking #DEBHELPER# in
debian/postinst, so the snippet that ensures the dir gets created at package
installation/upgrade time is missing.

FTR, the snippet looks like this:

# Automatically added by dh_installtmpfiles/13.24.2
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
       if [ -x "$(command -v systemd-tmpfiles)" ]; then
               systemd-tmpfiles ${DPKG_ROOT:+--root="$DPKG_ROOT"} --create pve-manager.conf || true
       fi
fi

the tmpfiles config above is also lacking `z` which would ensure that the
changed ownership actually is set on upgrades, as opposed to on the next
reboot?



* [pve-devel] applied: [PATCH manager] d/tmpfiles: fix permission regression for /run/pve directory
From: Thomas Lamprecht @ 2025-08-05 10:24 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fiona Ebner

On 05.08.25 at 12:05, Fiona Ebner wrote:
> There is a regression regarding the permission for the /run/pve
> directory. In Proxmox VE 8, the directory had root:root 0755
> permissions, being auto-created as the lxc-syscalld runtime directory.
> In Proxmox VE 9, the permissions were restricted to root:root 0750,
> but this leads to an issue with remote migration, when pveproxy tries
> to access the mtunnel socket:
> 
> pveproxy[2484]: connect to 'unix/:/run/pve/ct-112.mtunnel' failed: Permission denied
> 
> Relax the permissions again by allowing the www-data group
> read-access, so that pveproxy can access the socket.
> 
> This aligns the permissions with what /run/pve-cluster has.
> 
> Reported-by: Hannes Laimer <h.laimer@proxmox.com>
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>  debian/tmpfiles | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
>

applied, thanks!



* Re: [pve-devel] [PATCH manager] d/tmpfiles: fix permission regression for /run/pve directory
From: Thomas Lamprecht @ 2025-08-05 10:36 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler, Fiona Ebner

On 05.08.25 at 12:21, Fabian Grünbichler wrote:
> # Automatically added by dh_installtmpfiles/13.24.2
> if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
>        if [ -x "$(command -v systemd-tmpfiles)" ]; then
>                systemd-tmpfiles ${DPKG_ROOT:+--root="$DPKG_ROOT"} --create pve-manager.conf || true
>        fi
> fi

That I applied.

> the tmpfiles config above is also lacking `z` which would ensure that the
> changed ownership actually is set on upgrades, as opposed to on the next
> reboot?
> 

As you tested and mentioned offlist, this does not seem to be necessary.



* [pve-devel] applied: [PATCH manager] d/tmpfiles: fix permission regression for /run/pve directory
From: Thomas Lamprecht @ 2025-08-05 13:11 UTC (permalink / raw)
  To: pve-devel, Fiona Ebner

On Tue, 05 Aug 2025 12:03:24 +0200, Fiona Ebner wrote:
> There is a regression regarding the permission for the /run/pve
> directory. In Proxmox VE 8, the directory had root:root 0755
> permissions, being auto-created as the lxc-syscalld runtime directory.
> In Proxmox VE 9, the permissions were restricted to root:root 0750,
> but this leads to an issue with remote migration, when pveproxy tries
> to access the mtunnel socket:
> 
> [...]

Applied, thanks!

[1/1] d/tmpfiles: fix permission regression for /run/pve directory
      commit: b659334438fb34db25879dec696f79e9c8b7e00b

