From owner-freebsd-jail@freebsd.org  Sun Dec 11 15:05:07 2016
Return-Path: <owner-freebsd-jail@freebsd.org>
Delivered-To: freebsd-jail@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id F18F0C721CB
 for <freebsd-jail@mailman.ysv.freebsd.org>;
 Sun, 11 Dec 2016 15:05:07 +0000 (UTC)
 (envelope-from kayasaman@gmail.com)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com
 [IPv6:2a00:1450:400c:c09::231])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 85A7A18BE
 for <freebsd-jail@freebsd.org>; Sun, 11 Dec 2016 15:05:07 +0000 (UTC)
 (envelope-from kayasaman@gmail.com)
Received: by mail-wm0-x231.google.com with SMTP id a197so28598194wmd.0
 for <freebsd-jail@freebsd.org>; Sun, 11 Dec 2016 07:05:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=subject:to:references:from:message-id:date:user-agent:mime-version
 :in-reply-to:content-transfer-encoding;
 bh=7ndckuHq+08KBMotPHAn8NaEpHT2MBZ6jbsBjNXMrhU=;
 b=PuNoIpyy/+ugc0Si7srdeukOWb3RfHug9BuX3YSXg92Pz2ZU4qjEiRaxRXeFL8waJh
 7K2Z8wQcAe0JWZ0YHNrIwyY7acWAoToqc3Tu98v9YukkrdC+jysUMashIFVgD9C1vRUB
 VXneb/M1cQVq/yJRl3bQ/Z/dJA9lmFIJxBN2pTxo1OiAQdaC8iD0UH1yYJFSya+yfRmV
 nmg6Lo4vAc9XMNFwx1Mc3dv+1oY0syBt3QVJSz+U0X9c1FHmmCZGACH2G4JyUa0mE+sw
 xPnDGrRKCLihNsrGbKTGraVv9wWtcIOmbdgHT48o9RGbOe0mjF0XK3xz18WfNTXyrf0l
 z9SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:subject:to:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-transfer-encoding;
 bh=7ndckuHq+08KBMotPHAn8NaEpHT2MBZ6jbsBjNXMrhU=;
 b=JfszayAwPwN/tXW9MSQliLgRQxl0wM37xXHxoM2nSaHHaDeNmm4+PWMmxWlsjMCA3v
 DcGLgu/OPT3fiwXmBHGSlq4qBE4cTLlMsDGgqypKDBIy4+uKbiM4TRdQU7hOSJQX7tgA
 NeenZOHECe4f3p3xnC8S8XRC4EAxBnCrNZ7FmShdxC/5r+u6JR65S4aTjXtW3wBYxc1J
 hX1bjjhw8PI+K1G1fUcrIeI7Etooi4ige0xGnr3ez+2YjsGtNC4vsIii3opXEFmloPaU
 L82Wv3LNCqyL7OcTPfdTAergfiX+XoYID2bTXzKNyCj14IaCto3I63aa2SPifru6LLZ5
 JiFg==
X-Gm-Message-State: AKaTC01aeix28w1Crs56y0uv+drVnYG2KKYPXrG4PIccmZo+3IEV7I2x9maeu0SMkN8TqA==
X-Received: by 10.28.22.193 with SMTP id 184mr14641627wmw.100.1481468704768;
 Sun, 11 Dec 2016 07:05:04 -0800 (PST)
Received: from x220.optiplex-networks.com (optiplexnetworks.plus.com.
 [212.159.80.17])
 by smtp.googlemail.com with ESMTPSA id ei2sm52543810wjd.47.2016.12.11.07.05.03
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sun, 11 Dec 2016 07:05:04 -0800 (PST)
Subject: Re: Getting "Permission Denied" issues after migrating jails
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail@freebsd.org
References: <aca136d9-e7bd-6b15-27dd-570966cb33bb@gmail.com>
 <584D6A13.9010502@quip.cz>
From: Kaya Saman <kayasaman@gmail.com>
Message-ID: <78892b93-0a7d-b84a-6599-ce094735c9eb@gmail.com>
Date: Sun, 11 Dec 2016 15:05:03 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <584D6A13.9010502@quip.cz>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)" <freebsd-jail.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-jail>,
 <mailto:freebsd-jail-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-jail/>
List-Post: <mailto:freebsd-jail@freebsd.org>
List-Help: <mailto:freebsd-jail-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-jail>,
 <mailto:freebsd-jail-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Dec 2016 15:05:08 -0000

Thanks a lot Miroslav :-)

I found the issue eventually.....

For some reason it turns out the /var directory got set to 700 
permissions after the rsync.....

a simple chmod 755 /var fixed the issue, however, it looks like all 5 of 
my jails had the same problem?

on vuln.xml the permissions were fine 444. Well took till 4am to sort 
out, I ended up rebuilding all my ports too just to be safe of sym link 
and permission issues.

Regards,

Kaya


On 12/11/2016 03:00 PM, Miroslav Lachman wrote:
> Kaya Saman wrote on 2016/12/10 15:33:
>
>> which suggests fixing the noexec flags. On the actual ZFS dataset the
>> exec=on parameter is already set meaning that this must be a local issue
>> and something to do with the "chflags" command but I can't recall or
>> even find any clue on which files to run the command on and parameters
>> to use in "man chflags".
>
> Run ls -lo /var/db/pkg/vuln.xml to view permissions.
>
> You can use something like this to check all files with specified flag
>
> find /path/to/jail/ -flags +schg -exec ls -lo {} +
>
> Then check what is your kern_securelevel settings in host and in a 
> jails rc.conf. You cannot modify files witch flags is securelevel is 
> higher than 0.
>
> Miroslav Lachman
>