Critical file permission error causes VM Manager to fail

[bnvk]

I noticed the following and figured I should file an issue:

Whoops. A critical error has occured. This is most likely a bug in Qubes Manager.

OSError: [Erno 13] Permission denied: /var/lib/qubes/appvm/fedora-21-dvm/apps.icons/firefox.png"
at line 723 of file /usr/lib64/python2.7/site-packages/qubesmanager/main.py

And then in the "Details" dialogue was the following:

line: ret += get_disk_usage_one(os.lstat(os.path.join(dirpath, name)))
func: get_disk_usage
line no.: 116
file: /usr/lib64/python2.7/site-packages/qubes/qubesutils.py
----
line: return qubes.qubesutils.get_disk_usage(self.dir_path)
func: get_disk_utilization
line no.: 930
file: /usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py
----
line: self.value = self.vm.get_disk_utilization()/(1024*1024)
func: update
line no.: 649
file: /usr/lib64/python2.7/site-packages/qubesmanager/table_widgets.py
----
line: self.update()
func: __init__
line no.: 642
file: /usr/lib64/python2.7/site-packages/qubesmanager/table_widgets.py
----
line: self.size_widget = VmSizeOnDiskItem(vm)
func: __init__
line no.: 198
file: /usr/lib64/python2.7/site-packages/qubesmanager/main.py
----
line: vm_row = VmRowInTable(vm, row_no, self.table, self.blk_manager)
func: fill_table
line no.: 634
file: /usr/lib64/python2.7/site-packages/qubesmanager/main.py
----
line: self.fill_table()
func: update_table
line no.: 723
file: /usr/lib64/python2.7/site-packages/qubesmanager/main.py

I had been opening a file in a DisposableVM and then noticed this in the background so it may or may not be related- judging from FF icon error, probably not!

EDIT: it feels like it might be worth noting that the file I was trying to open in a DisposableVM was .csv file on USB thumbdrive and the file appeared to be corrupted and displayed an encoding error

[bnvk]

More details- later after I noticed the error posted above, I also noticed most of the VMs in the Qubes VM Manager were no longer visible. Upon restarting my computer (multiple times) upon entering Qubes, the same error shows up and the Qubes VM Manager fails to load. I updated title of issue!

[bnvk]

More details- later after I noticed the error posted above, I also noticed most of the VMs in the Qubes VM Manager were no longer visible. Upon restarting my computer (multiple times) upon entering Qubes, the same error shows up and the Qubes VM Manager fails to load. I updated title of issue!

[bnvk]

Additionally, this bug seems to be related (by time of occurrence) to many notifications no longer showing up in the notification menu, namely copy to global clipboard notifications.

@marmarek are you available to help me debug this? It is somewhat debilitating to my daily workflow + seems like a potentially interesting / critical bug!

[bnvk]

Additionally, this bug seems to be related (by time of occurrence) to many notifications no longer showing up in the notification menu, namely copy to global clipboard notifications.

@marmarek are you available to help me debug this? It is somewhat debilitating to my daily workflow + seems like a potentially interesting / critical bug!

[marmarek]

What are permissions in
/var/lib/qubes/appvm/fedora-21-dvm/apps.icons?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

What are permissions in
/var/lib/qubes/appvm/fedora-21-dvm/apps.icons?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[bnvk]

@marmarek thanks for responding. The permissions of /var/lib/qubes/appvm/fedora-21-dvm/apps.icons when typing ls -l are drw-rwS---

[bnvk]

@marmarek thanks for responding. The permissions of /var/lib/qubes/appvm/fedora-21-dvm/apps.icons when typing ls -l are drw-rwS---

[marmarek]

On Fri, Aug 28, 2015 at 07:11:52AM -0700, Brennan Novak wrote:

@marmarek thanks for responding. The permissions of /var/lib/qubes/appvm/fedora-21-dvm/apps.icons when typing ls -l are drw-rwS---

And the group is, I guess, root, right? It should be qubes...

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

On Fri, Aug 28, 2015 at 07:11:52AM -0700, Brennan Novak wrote:

@marmarek thanks for responding. The permissions of /var/lib/qubes/appvm/fedora-21-dvm/apps.icons when typing ls -l are drw-rwS---

And the group is, I guess, root, right? It should be qubes...

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[bnvk]

no, the user is my expected user and the group is qubes

[bnvk]

no, the user is my expected user and the group is qubes

[marmarek]

Ok... maybe something wrong with the directory itself (ls -ld)?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

Ok... maybe something wrong with the directory itself (ls -ld)?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[bnvk]

That was the permissions of the apps.icons directory. Here are more details to clarify:

/var/lib/qubes/appvms/fedora-21-dvm/ has permissions drwxrws--- user qubes

/var/lib/qubes/appvms/fedora-21-dvm/apps.icons/ has permissions drw-rwS--- user qubes

The permissions of my numerous appvm directories vary quite a bit.

Most of them are drwx------ user user
While some are drwxrwsr-x user qubes
And the disp1 is unique with drwx--S--- user qubes

[bnvk]

That was the permissions of the apps.icons directory. Here are more details to clarify:

/var/lib/qubes/appvms/fedora-21-dvm/ has permissions drwxrws--- user qubes

/var/lib/qubes/appvms/fedora-21-dvm/apps.icons/ has permissions drw-rwS--- user qubes

The permissions of my numerous appvm directories vary quite a bit.

Most of them are drwx------ user user
While some are drwxrwsr-x user qubes
And the disp1 is unique with drwx--S--- user qubes

[marmarek]

Ok, for now fix the permissions with chmod -R a+X /var/lib/qubes
(capital "X" there is important). And I'll try to find why those
permissions were wrong in the first place.

You'll probably need to also restart qubes manager to have it working
back.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[marmarek]

Ok, for now fix the permissions with chmod -R a+X /var/lib/qubes
(capital "X" there is important). And I'll try to find why those
permissions were wrong in the first place.

You'll probably need to also restart qubes manager to have it working
back.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[bnvk]

@marmarek that seemed to do the trick, thank so much! If it's at all helpful to debugging, many of the VMs that had user user ownership where VMs that I had installed from backups. Additionally, debian AppVMs were seemingly different ownership pattern

[bnvk]

@marmarek that seemed to do the trick, thank so much! If it's at all helpful to debugging, many of the VMs that had user user ownership where VMs that I had installed from backups. Additionally, debian AppVMs were seemingly different ownership pattern

[marmarek]

Hopefully fixed in marmarek/qubes-core-admin-linux@ccd8021

1. Fixed to not generate icons for "internal" VMs
2. Explicitly set umask to sane value

[marmarek]

Hopefully fixed in marmarek/qubes-core-admin-linux@ccd8021

1. Fixed to not generate icons for "internal" VMs
2. Explicitly set umask to sane value

[bnvk]

I've tested this exact step with the same corrupt .csv file and the error does not happen. Thanks @marmarek :)

[bnvk]

I've tested this exact step with the same corrupt .csv file and the error does not happen. Thanks @marmarek :)