Bug 518042 - /sbin/runscript - checkpath does not chown arguments past the first
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: OpenRC
Hardware: All Linux
Importance: Normal normal
Assignee: OpenRC Team
Blocks: 481182
Reported: 2014-07-24 22:09 UTC by KK
Modified: 2014-07-28 16:31 UTC (History)

Description KK 2014-07-24 22:09:43 UTC
I figured that a few scripts in /etc/init.d threw warnings about directories not having the right permissions/owners despite (as recommended) the script using checkpath together with -d, -m and -o to check for and, if required, correct the paths.

Notable examples for such behaviour are
1.) /etc/init.d/asterisk: producing a message at every start after a boot that ${ast_rundir}'s owner is incorrect and
2.) /etc/init.d/icinga: threw a message that $(get_config temp_path)'s owner was not set correctly.

On investigation it turned out that the checkpath function called from the scripts only sets the owner:group correctly for all arguments provided if the first directory argument supplied on the command line as one of many arguments does not already have the correct owner:group set.

This is easy to reproduce by using the following small shell-script stored in /tmp/mycheck:

----------------- start of /tmp/mycheck ----------------
#!/sbin/runscript

start() {
        ebegin Start directory creation
        checkpath -d -m 0755 -o ldap:ldap /tmp/a /tmp/b /tmp/c
        eend $?
}

stop() {
        ebegin Remove directories
        rm -r /tmp/a /tmp/b /tmp/c
        eend $?
}
----------------- end of /tmp/mycheck ----------------

Provided the directories /tmp/a /tmp/b and /tmp/c do _not_ exist,
# /tmp/mycheck start
creates three directories /tmp/a, /tmp/b, and /tmp/c with mode 0755, and user ldap:ldap.

If, however, the directory /tmp/a already existed and was already owned by ldap:ldap prior to executing
# /tmp/mycheck start
the directories /tmp/b and /tmp/c will still be created, but they are now owned by root:root instead of ldap:ldap. /tmp/a remains owned by ldap:ldap.

NB: I have not investigated further whether that erratic behaviour also holds for the files' mode.


The error messages described above for scripts in /etc/init.d stemmed from the fact that those directories in /var/run had to be created (/var/run is stored on tmpfs) and were not the first argument whereas the first argument was usually stored on persistent storage and therefore already available with the right ownership and mode.

A temporary fix was simple enough: I just ensured that in those scripts affected the first directory does not exist when checkpath is called and therefore needs to be created. This can be achieved by simply putting directories on tmpfs (e.g. /var/run or /run) as the first argument to checkpath.


Regards KK

================ output of emerge --info =================
Portage 2.2.8-r1 (hardened/linux/amd64, gcc-4.7.3, glibc-2.17, 3.15.5-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.15.5-hardened-r1-x86_64-Intel-R-_Xeon-R-_CPU_E31260L_@_2.40GHz-with-gentoo-2.2
KiB Mem:     4033408 total,   1593092 free
KiB Swap:   16777148 total,  16777148 free
Timestamp of tree: Thu, 24 Jul 2014 00:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.6, 3.3.3
dev-util/cmake:           2.8.12.2-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet-build=y --buildpkg-exclude sys-kernel/hardened-sources"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gd.tuwien.ac.at/opsys/linux/gentoo/ ftp://gd.tuwien.ac.at/opsys/linux/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--quiet --progress"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage/"
USE="acl amd64 avx bash-completion berkdb bzip2 cli cracklib crypt cxx gdbm hardened iconv justify lm_sensors mmx mmxext modules multilib ncurses nls nptl openmp pam pax_kernel pcre readline session sse sse2 sse3 sse4_1 ssl ssse3 tcpd unicode urandom xattr xtpax zlib" ABI_X86="64" ELIBC="glibc" KERNEL="linux" LINGUAS="en" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" RUBY_TARGETS="ruby20" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
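
To see which of several checkpath arguments ended up with the wrong owner or mode, as in the /tmp/a, /tmp/b, /tmp/c reproduction above, the check below inspects every path rather than only the first. It is an added example, not part of the original report or of OpenRC; audit_paths is a hypothetical helper and GNU stat (-c) is assumed.

```shell
#!/bin/sh
# Added example: audit every path the way an init script expects
# "checkpath -d -m MODE -o OWNER:GROUP PATH..." to have left it.
# audit_paths is a hypothetical helper, not an OpenRC command.
#
# Usage: audit_paths ldap:ldap 0755 /tmp/a /tmp/b /tmp/c
#
# Prints one line per path that is missing, is not a real directory,
# or has the wrong owner:group or mode. Returns the number of bad paths.
audit_paths() {
    want_owner=$1
    # Normalise the mode so "0755" and "755" both compare as "755",
    # which is the form GNU stat prints for %a.
    want_mode=$(printf '%o' "0${2#0}")
    shift 2
    bad=0
    for p in "$@"; do
        # A symlink is reported as well: stat below would describe the
        # link itself, not a directory created for the service.
        if [ -L "$p" ] || [ ! -d "$p" ]; then
            echo "$p: not a directory"
            bad=$((bad + 1))
            continue
        fi
        have_owner=$(stat -c '%U:%G' "$p")
        have_mode=$(stat -c '%a' "$p")
        if [ "$have_owner" != "$want_owner" ]; then
            echo "$p: owner $have_owner, expected $want_owner"
            bad=$((bad + 1))
        elif [ "$have_mode" != "$want_mode" ]; then
            echo "$p: mode $have_mode, expected $want_mode"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run after the service's start function, a non-zero return identifies the later arguments that were created but left with the wrong ownership.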
Comment 1 William Hubbs gentoo-dev 2014-07-28 16:31:00 UTC
This is fixed in commit 2624a8c which will be part of OpenRC-0.13.
Thanks for the report.