Fix ignored mode of tmpfs mount on /tmp
A read-only Raspberry Pi with /tmp mounted via fstab as a tmpfs with mode=1777 ended up with mode 0755 on /tmp after boot. This caused several programs, such as dhcpcd, not to work correctly.

The same issue is also described in http://superuser.com/questions/1103101/how-can-i-mount-a-tmpfs-to-tmp-via-fstab-writable-to-anyone and http://unix.stackexchange.com/questions/289377/fstab-doenst-read-mode-value
The /etc/fstab:

```
proc            /proc     proc   defaults                0 0
/dev/mmcblk0p1  /boot     vfat   ro,defaults             0 2
# noatime important, so time is not from future at boot with old clock time...
/dev/mmcblk0p2  /         ext4   ro,defaults,noatime     0 1
tmpfs           /var/log  tmpfs  nodev,nosuid            0 0
tmpfs           /tmp      tmpfs  nodev,nosuid,mode=1755  0 0
```
Debian/Raspbian version (Raspbian Jessie Lite 2016-09-23):

```
$ uname -a
Linux raspberrypi 4.4.26-v7+ #915 SMP Thu Oct 20 17:08:44 BST 2016 armv7l GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 8.0 (jessie)
Release:        8.0
Codename:       jessie
```
Create the unit file
Put the following into /etc/systemd/system/tmpmode.service. The unit runs once after tmp.mount and before network.target and dhcpcd, logs the old mode of /tmp, sets it to 1777 and logs the new mode:

```
[Unit]
Description=Set tmp mode and report it
DefaultDependencies=no
Before=network.target dhcpcd5.service
After=tmp.mount

[Service]
Type=oneshot
# will be marked as active, even when command finished
RemainAfterExit=yes
ExecStart=/bin/bash -c 'echo "old tmp mode"; ls -alh / | grep tmp; chmod 1777 /tmp; echo "new tmp mode"; ls -alh / | grep tmp'

[Install]
WantedBy=multi-user.target
```

Then reload systemd, enable the unit and reboot:

```
sudo systemctl daemon-reload
sudo systemctl enable tmpmode.service
sudo reboot
```

After the reboot, check the unit's output to see whether it worked:

```
sudo systemctl status tmpmode.service
```
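A slightly more careful version of what the ExecStart line above does, written here as an added example and not taken from the original unit: it refuses to touch /tmp unless it really is a tmpfs mount (on a read-only root the chmod would otherwise hit the directory underneath and fail), changes the mode only when it differs from the wanted one, and prints a single before/after line for the journal. The script path, the `--apply` flag and the function names are my own choices.

```sh
#!/bin/sh
# Added example, not the page's original unit. Repairs the mode of /tmp only
# when it is wrong, refuses to touch a /tmp that is not a tmpfs mount, and
# prints one before/after line for the journal. Use it from the unit as
#   ExecStart=/bin/sh /usr/local/sbin/fix-tmp-mode.sh --apply
# (the script path and the --apply flag are assumptions for this example).
set -eu

# current_mode DIR -> octal mode padded to four digits, e.g. 0755 or 1777.
# GNU stat prints "755" without the leading zero, so pad it for comparisons.
current_mode() {
    m=$(stat -c '%a' "$1")
    while [ ${#m} -lt 4 ]; do
        m="0$m"
    done
    echo "$m"
}

# fs_type DIR -> name of the filesystem DIR lives on, e.g. tmpfs or ext2/ext3.
fs_type() {
    stat -f -c '%T' "$1"
}

# ensure_mode DIR MODE -> chmod only when the mode differs, print
# "DIR: old -> new (...)", return 0 when it now matches and 1 otherwise.
ensure_mode() {
    dir=$1
    want=$2
    old=$(current_mode "$dir")
    if [ "$old" != "$want" ]; then
        chmod "$want" "$dir"
    fi
    new=$(current_mode "$dir")
    echo "$dir: $old -> $new (wanted $want, on $(fs_type "$dir"))"
    [ "$new" = "$want" ]
}

# Only --apply touches /tmp; without it the functions can be exercised on a
# scratch directory first.
if [ "${1:-}" = "--apply" ]; then
    if [ "$(fs_type /tmp)" != "tmpfs" ]; then
        echo "/tmp is not a tmpfs mount, refusing to chmod the directory underneath" >&2
        exit 1
    fi
    ensure_mode /tmp 1777
fi
```

Because the last command of ensure_mode is the comparison, the unit fails (and `systemctl status` shows it) if the chmod did not stick, instead of silently reporting "active" as the oneshot above does.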
Find the issue
As systemd does a lot of things during boot, the suspicion was that a systemd service changes the permissions after the mount (similar to https://bugzilla.redhat.com/show_bug.cgi?id=807672).
So to find all systemd units and helper scripts that mention tmp, a grep was used:

```
grep "tmp" -R /usr/lib/systemd/*   # no output
grep "tmp" -R /lib/systemd/*       # many lines of interesting output
```
The interesting file turned out to be:

```
$ cat /lib/systemd/systemd-logind-launch
#!/bin/sh
if ! mountpoint -q /sys/fs/cgroup; then
    mount -t tmpfs -o uid=0,gid=0,mode=0755,size=1024 none /sys/fs/cgroup
fi
if ! mountpoint -q /sys/fs/cgroup/systemd; then
    mkdir -p /sys/fs/cgroup/systemd
    mount -t cgroup -o nosuid,noexec,nodev,none,name=systemd systemd /sys/fs/cgroup/systemd
fi
mkdir -p /run/systemd
# necessary for unprivileged LXC containers
ulimit -S -n 16384 || true
ulimit -H -n 16384 || true
exec /lib/systemd/systemd-logind
```

but it only mounts its own tmpfs on /sys/fs/cgroup (with mode=0755, which is what the grep matched) and never touches /tmp.
Going on to checking the systemd logs:

```
$ sudo journalctl
# then type "/tmp" and hit enter
# use n and p to find next and previous hit
...
Nov 09 14:30:03 raspberrypi systemd: Mounting /tmp...
Nov 09 14:30:03 raspberrypi systemd: tmp.mount: Directory /tmp to mount over is not empty, mou
Nov 09 14:30:03 raspberrypi systemd: Mounting /var/log...
Nov 09 14:30:03 raspberrypi systemd: var-log.mount: Directory /var/log to mount over is not em
Nov 09 14:30:03 raspberrypi systemd: Mounting /boot...
Nov 09 14:30:03 raspberrypi echo: >/tmp/random-seed
Nov 09 14:30:03 raspberrypi systemd: Mounted /var/log.
Nov 09 14:30:03 raspberrypi systemd: Mounted /tmp.
Nov 09 14:30:03 raspberrypi systemd: Mounted /boot.
...
```

Two things stand out: /tmp on the root filesystem is not empty when the tmpfs is mounted over it, and something echoes into /tmp/random-seed at the same moment. Still, /tmp does get mounted, and the tmp.mount unit generated from fstab carries the right options (mode=1777 in ExecMount):

```
$ sudo systemctl status tmp.mount -l
● tmp.mount - /tmp
   Loaded: loaded (/etc/fstab; disabled)
   Active: active (mounted) since Wed 2016-11-09 14:30:03 UTC; 1h 3min ago
    Where: /tmp
     What: tmpfs
     Docs: man:fstab(5)
           man:systemd-fstab-generator(8)
  Process: 212 ExecMount=/bin/mount -n tmpfs /tmp -t tmpfs -o nodev,nosuid,mode=1777 (code=exited, status=0/SUCCESS)

Nov 09 15:35:01 raspberrypi systemd: Mounting /tmp...
Nov 09 15:35:01 raspberrypi systemd: tmp.mount: Directory /tmp to mount over is not empty, mounting anyway.
Nov 09 15:35:01 raspberrypi systemd: Mounted /tmp.
```
The next idea was to use the audit package to record permission changes (https://access.redhat.com/solutions/10107), but the Raspberry Pi kernel has audit disabled (https://github.com/raspberrypi/linux/issues/1352) and I did not want to recompile it.
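Without kernel audit support one can still narrow down *when* during boot the mode flips, which usually points at the unit responsible. The following is an added example for this page, not something the original author ran: it generates one tiny oneshot unit per boot milestone, each logging the current mode of /tmp to the journal, so that `journalctl -b -u 'tmpmode-probe-*'` shows between which two milestones the change happened. The unit names, the milestone list, the `--install` flag and the unit directory are my own choices.

```sh
#!/bin/sh
# Added example, not code from the page. Without kernel audit support, bisect
# when during boot the mode of /tmp changes: one tiny oneshot unit per boot
# milestone logs the mode to the journal, and
#   journalctl -b -u 'tmpmode-probe-*'
# then shows between which two milestones it flipped. The unit names, the
# milestone list and the --install flag are my own choices for this example.
set -eu

# Assumption: local units live here (the usual place for admin-created units).
PROBE_DIR=${PROBE_DIR:-/etc/systemd/system}

# probe_unit TARGET -> print a oneshot unit that runs right after TARGET and
# logs the mode of /tmp and the filesystem it lives on. The '%%' are needed
# because '%' is a specifier character in unit files; systemd turns '%%' into
# a single '%' before the shell sees the command.
probe_unit() {
    target=$1
    cat <<EOF
[Unit]
Description=Probe /tmp mode after $target
DefaultDependencies=no
After=$target

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo "after $target: /tmp mode \$(stat -c %%a /tmp) on \$(stat -f -c %%T /tmp)"'

[Install]
WantedBy=multi-user.target
EOF
}

# install_probes UNIT_DIR TARGET... -> write one probe unit per TARGET into
# UNIT_DIR and print the unit names, one per line, for the enable step.
install_probes() {
    dir=$1
    shift
    for t in "$@"; do
        name="tmpmode-probe-$(echo "$t" | tr '.' '-').service"
        probe_unit "$t" > "$dir/$name"
        echo "$name"
    done
}

# Milestones in boot order, see bootup(7). tmp.mount itself is the first one;
# the last probe whose line still says 1777 and the first one saying 755
# bracket the culprit.
if [ "${1:-}" = "--install" ]; then
    install_probes "$PROBE_DIR" tmp.mount local-fs.target sysinit.target \
        basic.target network.target multi-user.target
fi
```

Run it once with `--install`, then `systemctl daemon-reload` and `systemctl enable` each unit name it printed (for example by piping the output into `xargs systemctl enable`), reboot, and read the probe lines from the journal. The probes have DefaultDependencies=no so the first one really runs right after tmp.mount and not only after sysinit.target. Remove the units again once the culprit is found.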
So what is changing the permissions of the directory? I did not find the root cause; I just created the service above to change the permissions back, and start it before the failing dhcpcd.