3

Oh my.. I just did a terrible mistake: chown -R root:root /usr. Mea [maxima] culpa.. I fixed sudo and pkexec already, but I want to be sure, there is no "sleeping" issue waiting on me in the future.

Could anyone please find out using simple command, what files / directories have 'special' permissions? I know about /usr/bin/sudo, /usr/bin/pkexec and /usr/lib/policykit-1 only. Thanks..

I'm using Debian 11..

Fantastic Mr. Fox
  • 51
  • 1
  • 1
    Potentially there are many more. And deamon in sbin may use other permissions. And local may have own user). In general: do not change anything in the distribution domain. And never give root user without knowing the files, it is a security problem. Now maybe some process gained root. How to solve: reinstall (force reinstall also with same version) packages – Giacomo Catenazzi Sep 15 '21 at 12:14

1 Answers1

6

In Debian, most files under /usr are supposed to be owned by root:root; your chown shouldn’t have broken your system beyond repair, as far as ownership is concerned. In particular, sudo, pkexec and /usr/lib/policykit-1 are owned by root:root.

However, as you determined, chown also clears “special” permissions (setuid etc.), which is what sudo and pkexec lost.

To restore the expected permissions, reinstall all your packages:

dpkg-query -W --showformat '${binary:Package}\n' |
xargs sudo apt-get --reinstall install

or, if you want to avoid upgrading to the current version of any of your installed packages,

dpkg-query -W --showformat '${binary:Package}=${Version}\n' |
xargs sudo apt-get --reinstall install
Stephen Kitt
  • 411,918
  • 54
  • 1,065
  • 1,164
  • Thanks.. It seems chown is not implemented correctly, because the command 'chown root:root' should ignore all files which are owned by 'root' and which belong to the 'root' group and it does not.. It changes the permissions too e.g. from (-rwSr-xr-x 1 root root /usr/bin/sudo) to (-rwXr-xr-x 1 root root /usr/bin/sudo)!!! – Fantastic Mr. Fox Sep 15 '21 at 14:19
  • Oh, yes, I forgot about that! When ownership is changed, “special” permissions are cleared... I’ll fix my answer. – Stephen Kitt Sep 15 '21 at 14:28
  • These dpkg* oneliners are simply brilliant. – Edward Sep 15 '21 at 17:37
  • [POSIX says](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/chown.html) "_Unless chown is invoked by a process with appropriate privileges, the set-user-ID and set-group-ID bits of a regular file shall be cleared upon successful completion_" is it not reasonable therefore to expect the OP's command to have left intact the setuid/setgid bits? – roaima Sep 15 '21 at 18:16
  • 1
    @roaima on current versions of Linux, [`chown` clears the bits even for `root`](https://man7.org/linux/man-pages/man2/chown.2.html). – Stephen Kitt Sep 15 '21 at 18:30
  • @StephenKitt Could be the following issue caused by wrong permissions too? 'gnome-session: gnome-session-check-accelerated: GL Helper exited with code 512 gnome-session: libEGL warning: DRI2: failed to authenticate'. I reinstalled libegl-dev w/ the same result. When I execute the helpers w/ the '--print-renderer' parm I get 'lvmpipe (LLVM 11.0.1, 128 bits)%'. Any idea?? – Fantastic Mr. Fox Sep 19 '21 at 09:22