Bug 253858 - security/trousers ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be user/group root/_tss
Summary: security/trousers ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be ...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: amd64 Any
: --- Affects Only Me
Assignee: Mateusz Piotrowski
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-26 01:38 UTC by unitrunker
Modified: 2022-11-04 11:06 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (hrs)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description unitrunker 2021-02-26 01:38:11 UTC 
tcsd reports the following error at boot:

Feb 25 19:45:15 thinkpad TCSD[972]: TrouSerS ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be user/group root/_tss

ls -la /usr/local/etc/tcsd.conf reports:

-rw------  1 _tss  _tss  7031 Aug 21  2020 /usr/local/etc/tcsd.conf

I applied 'chown root: /usr/local/etc/tcsd.conf' and rebooted. The same error message appears.

Checking /usr/local/etc/rc.d/tcsd I see the following line:

/usr/sbin/chown _tss:_tss /usr/local/etc/tcsd.conf

This leaves tcsd unusable.
Comment 1 unitrunker 2021-02-26 01:58:10 UTC 
A possible work-around in /usr/local/etc/rc.d/tcsd:

tcsd_precmd()
{
	/usr/bin/install -d -m 0700 -o root -g _tss \
	    /var/run/tpm /var/run/ima /usr/local/var/lib/tpm
	/usr/sbin/chown root:_tss \
	    /usr/local/etc/tcsd.conf
	/bin/chmod 0640 \
	    /usr/local/etc/tcsd.conf
}
Comment 2 unitrunker 2021-02-26 02:45:43 UTC 
Above work-around seems to work. However, I see the following error when starting tcsd:

Feb 25 21:40:34 thinkpad TCSD[TDDL]: - TrouSerS ioctl: (25) Inappropriate ioctl for device
Comment 3 Holger Kipp 2021-02-28 20:57:29 UTC 
I encounter exactly the same problem with tics (which is unable to start).

This is on FreeBSD 12.2-RELEASE with up-to-date Ports-Tree (27th of February 2021).

trying to switch file owner to root and setting file mode to 640 then gives other problems with accessing a device, etc.

Anything else I can try?

This is within VM (Parallels on MacOS)


Best regards,
Holger
Comment 4 Holger Kipp 2021-02-28 20:58:12 UTC 
(In reply to Holger Kipp from comment #3)

tcsd. I hate autocorrect...
Comment 5 William FRANCK 2021-06-12 05:47:53 UTC 
(In reply to unitrunker from comment #1)
Same issue,
Same solution in /usr/local/etc/rc.d/tcsd

Works for me :-)
Comment 6 Mateusz Piotrowski freebsd_committer freebsd_triage 2022-11-03 13:44:43 UTC 
I've hit this issue as well.
Comment 7 commit-hook freebsd_committer freebsd_triage 2022-11-04 11:06:12 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=47c2569d8979db687528456bd11c549a37ee4155

commit 47c2569d8979db687528456bd11c549a37ee4155
Author:     Mateusz Piotrowski <0mp@FreeBSD.org>
AuthorDate: 2022-11-04 10:29:24 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2022-11-04 11:05:09 +0000

    security/trousers: Fix tcsd.conf permissions

    It turns out that tcsd requires the ownership of tcsd.conf file to be
    set to root:_tss.  See trousers-0.3.14_3/src/tcsd/tcsd_conf.c for
    details. Otherwise, tcsd fails:

        # service tcsd start
        Starting tcsd.
        /usr/local/etc/rc.d/tcsd: WARNING: failed to start tcsd
        # tail /var/log/messages
        Nov  4 11:24:43 x TCSD[1298]: TrouSerS ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be user/group root/_tss
        Nov  4 11:24:43 x 0mp[2372]: /usr/local/etc/rc.d/tcsd: WARNING: failed to start tcsd

    Also, the mode of the configuration file has to be 640.

    PR:             253858
    Reported by:    unitrunker <unitrunker@gmail.com>
    Approved by:    maintainer timeout, portmgr blanket (runtime error)
    Sponsored by:   Klara, Inc.

 security/trousers/Makefile      | 2 +-
 security/trousers/files/tcsd.in | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)