Permissions check is broken for MacOS Catalina (/tmp folder stored in System Volume)
#554
Comments
Thanks for reporting this, and for investigating so thoroughly and providing so much detail – very clear and helpful! (But I'm sorry you were pulling out your hair!)

This problem is fixed in not-yet-published commit 334ed86, which will be included in the next Tunnelblick beta release (later this week, I hope).

That commit fixes the check that Tunnelblick does on /tmp. The check failed because the group owner on Catalina is "admin". On all prior versions of macOS and OS X, it was "root". I assume the change was to help accommodate the new read only system volume which you noted. Other than this group ownership change, the read only system volume doesn't affect this check. I'm hoping it doesn't affect Tunnelblick at all, but we'll see…

I think this issue will be automatically closed when the commit is published to GitHub.

(Edited 2019-10-11 to correct the reference to the commit which fixed the problem, 334ed86.)

This is fixed in Tunnelblick 3.8.0beta03.

Hey, thanks for fixing this so quickly. Really appreciate swift investigation & triage. Thanks for a great project!
Hi, I'm seeing this issue with Tunnelblick 3.8.2 (build 5480) on macOS 10.15.3. The output of
If there is anything else you would like me to check (or if you would like me to open a new issue), do let me know. Thanks

@georgemp - An unmodified macOS 10.15.3 shows the following output from

lrwxr-xr-x@ 1 root admin 11 Jan 26 12:49 /tmp -> private/tmp
    com.apple.rootless 0
drwxr-xr-x 6 root wheel 192 Feb 4 05:36 /private
drwxrwxrwt 6 root wheel 192 May 6 08:40 /private/tmp

Tunnelblick 3.8.2 works fine on it (and on 10.15.4) and doesn't complain.

Are you sure Tunnelblick is complaining about /tmp or /private/tmp? Please include a screenshot of the error window and if possible, relevant messages from the Console Log.
Interesting. Here's a screenshot of the error message. After quitting and relaunching, here are my logs
Before you spend too much time on this, I'm running this on a hackintosh with OpenCore. It might very well be an issue with my setup I guess.
@georgemp - I'm sorry and apologize: I failed to notice a missing "t" in the permissions of your /private/tmp.

You wrote:

drwxrwxrwx 4 root wheel 128 May 6 17:24 /private/tmp

I wrote that it should be:

drwxrwxrwt 6 root wheel 192 May 6 08:40 /private/tmp

But I failed to note the difference.

You can repair this problem with

sudo chmod 01777 /private/tmp

(That's part of a command shown on System Folder Security; you don't need the rest of the command because the ownership of /private/tmp is OK.)

I can't say with certainty that some of the hackintosh support software is responsible for the incorrect permissions, but that would be my assumption. Similarly, I assume that setting the permissions to the correct value won't interfere with the hackintosh support software, but I can't be certain.

Details

Tunnelblick checks that /private/tmp is owned by root:wheel (0:0) and has permissions of 1777 (octal). These ownership and permission values were obtained by clean installs of various versions of macOS.

The first octal digit (in this case "1") is rarely seen and is ignored in almost all discussions of permissions, which focus on the read/write/execute permissions held in the last three octal digits (in this case "777"). The "1" in the "1777" refers to the "sticky bit".
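The check described in the comment above, as an added example (not Tunnelblick's own code and not part of the thread): it converts `ls -l` permission strings to octal so the `x`/`t` difference in the last column becomes visible, and audits a directory against owner 0:0 and mode 1777. The function names are hypothetical.

```python
import os
import stat

EXPECTED_MODE = 0o1777    # drwxrwxrwt: world-writable plus the sticky bit
EXPECTED_OWNER = (0, 0)   # root:wheel, as stated in the comment above

def mode_from_ls(perm):
    """Convert an ls permission string such as 'drwxrwxrwt' to mode bits."""
    bits = perm[1:10]                      # drop file type and any trailing @ or +
    mode = 0
    for i, ch in enumerate(bits):
        if ch in "rwxst":                  # lower-case s/t also imply execute
            mode |= 1 << (8 - i)
    if bits[2] in "sS":
        mode |= stat.S_ISUID
    if bits[5] in "sS":
        mode |= stat.S_ISGID
    if bits[8] in "tT":
        mode |= stat.S_ISVTX               # the leading "1" in 1777
    return mode

def audit(mode, uid, gid, owner=EXPECTED_OWNER):
    """List every way (mode, uid, gid) differs from the expected values."""
    findings = []
    perms = stat.S_IMODE(mode)
    if perms != EXPECTED_MODE:
        only_sticky = (perms | stat.S_ISVTX) == EXPECTED_MODE
        detail = "sticky bit missing" if only_sticky else "unexpected bits"
        findings.append(f"mode {perms:04o}, expected {EXPECTED_MODE:04o} ({detail})")
    if (uid, gid) != owner:
        findings.append(f"owner {uid}:{gid}, expected {owner[0]}:{owner[1]}")
    return findings

def audit_path(path, owner=EXPECTED_OWNER):
    """Audit a live directory; os.stat follows the /tmp -> private/tmp symlink."""
    st = os.stat(path)
    return audit(st.st_mode, st.st_uid, st.st_gid, owner)

if __name__ == "__main__":
    # Constructed samples: the two permission strings quoted in the thread.
    for perm in ("drwxrwxrwx", "drwxrwxrwt"):
        print(perm, audit(mode_from_ls(perm), 0, 0) or "OK")
    if os.path.isdir("/private/tmp"):
        print("/private/tmp", audit_path("/private/tmp") or "OK")
```

Without the sticky bit, any user can delete or rename another user's files in a world-writable directory, which is why a mode of 0777 is reported even though the read/write/execute digits match.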
@georgemp - About the log you posted: That log (/var/log/Tunnelblick/tunnelblickd.log) is for "tunnelblickd", which is a privileged daemon that Tunnelblick uses to perform certain operations that require root privileges. The Tunnelblick program logs to the normal system log. See The Console Log for details about that log.
Thanks for the quick reply. The logs from system log are
Running Logs after running the command
Hey, I'm running the MacOS Catalina developer beta (10.15 Beta (19A487l)) and I've spent way too many hours pulling my hair out over this issue. Hope we can investigate and fix before the public release this fall.
MacOS Catalina comes with a "dedicated system volume" which complicates permissions a bit:
When starting up Tunnelblick each time, I was greeted with this message which you have to actively click "continue" through before using it:
This becomes a pain when you have Tunnelblick set up to start a server in the background on reboot, since it won't actually start until clicking continue here. I tried everything to fix this error, including the following resources:
I believe this issue actually stems from this read-only "Data" partition in Catalina:
ls -lah /System/Volumes/Data/private/tmp
total 0
drwxrwxrwt 3 root wheel 96B Jun 23 14:27 ./
drwxr-xr-x 6 root wheel 192B Jun 23 14:26 ../
lrwxr-xr-x 1 root wheel 12B Jun 23 14:27 tmp@ -> /private/tmp

It's impossible to change the permissions for this directory and running rm -rf /tmp and recreating it with the correct permissions as suggested in one of the above StackOverflow answers fails.

Is it possible to update Tunnelblick's default tmp directory checks to match the new permissions model in Catalina so we don't throw this error (which is a red herring)?