Bug 253858

Summary: security/trousers ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be user/group root/_tss
Product: Ports & Packages
Component: Individual Port(s)
Reporter: unitrunker <unitrunker>
Assignee: Mateusz Piotrowski <0mp>
Status: Closed FIXED
Severity: Affects Only Me
Priority: ---
Version: Latest
Hardware: amd64
OS: Any
CC: 0mp, holger.kipp, unitrunker, william.franck
Flags: bugzilla: maintainer-feedback? (hrs)

Description unitrunker 2021-02-26 01:38:11 UTC
tcsd reports the following error at boot:

Feb 25 19:45:15 thinkpad TCSD[972]: TrouSerS ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be user/group root/_tss

ls -la /usr/local/etc/tcsd.conf reports:

-rw------  1 _tss  _tss  7031 Aug 21  2020 /usr/local/etc/tcsd.conf

I applied 'chown root: /usr/local/etc/tcsd.conf' and rebooted. The same error message appears.

Checking /usr/local/etc/rc.d/tcsd I see the following line:

/usr/sbin/chown _tss:_tss /usr/local/etc/tcsd.conf

This leaves tcsd unusable.
Comment 1 unitrunker 2021-02-26 01:58:10 UTC
A possible work-around in /usr/local/etc/rc.d/tcsd:

tcsd_precmd()
{
	/usr/bin/install -d -m 0700 -o root -g _tss \
	    /var/run/tpm /var/run/ima /usr/local/var/lib/tpm
	/usr/sbin/chown root:_tss \
	    /usr/local/etc/tcsd.conf
	/bin/chmod 0640 \
	    /usr/local/etc/tcsd.conf
}
Comment 2 unitrunker 2021-02-26 02:45:43 UTC
Above work-around seems to work. However, I see the following error when starting tcsd:

Feb 25 21:40:34 thinkpad TCSD[TDDL]: - TrouSerS ioctl: (25) Inappropriate ioctl for device
Comment 3 Holger Kipp 2021-02-28 20:57:29 UTC
I encounter exactly the same problem with tics (which is unable to start).

This is on FreeBSD 12.2-RELEASE with up-to-date Ports-Tree (27th of February 2021).

Trying to switch the file owner to root and setting the file mode to 640 then gives other problems with accessing a device, etc.

Anything else I can try?

This is within a VM (Parallels on MacOS)


Best regards,
Holger
Comment 4 Holger Kipp 2021-02-28 20:58:12 UTC
(In reply to Holger Kipp from comment #3)

tcsd. I hate autocorrect...
Comment 5 William FRANCK 2021-06-12 05:47:53 UTC
(In reply to unitrunker from comment #1)
Same issue,
Same solution in /usr/local/etc/rc.d/tcsd

Works for me :-)
Comment 6 Mateusz Piotrowski freebsd_committer freebsd_triage 2022-11-03 13:44:43 UTC
I've hit this issue as well.
Comment 7 commit-hook freebsd_committer freebsd_triage 2022-11-04 11:06:12 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=47c2569d8979db687528456bd11c549a37ee4155

commit 47c2569d8979db687528456bd11c549a37ee4155
Author:     Mateusz Piotrowski <0mp@FreeBSD.org>
AuthorDate: 2022-11-04 10:29:24 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2022-11-04 11:05:09 +0000

    security/trousers: Fix tcsd.conf permissions

    It turns out that tcsd requires the ownership of tcsd.conf file to be
    set to root:_tss.  See trousers-0.3.14_3/src/tcsd/tcsd_conf.c for
    details. Otherwise, tcsd fails:

        # service tcsd start
        Starting tcsd.
        /usr/local/etc/rc.d/tcsd: WARNING: failed to start tcsd
        # tail /var/log/messages
        Nov  4 11:24:43 x TCSD[1298]: TrouSerS ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be user/group root/_tss
        Nov  4 11:24:43 x 0mp[2372]: /usr/local/etc/rc.d/tcsd: WARNING: failed to start tcsd

    Also, the mode of the configuration file has to be 640.

    PR:             253858
    Reported by:    unitrunker <unitrunker@gmail.com>
    Approved by:    maintainer timeout, portmgr blanket (runtime error)
    Sponsored by:   Klara, Inc.

 security/trousers/Makefile      | 2 +-
 security/trousers/files/tcsd.in | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
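
An added example, not code from the port or from the commit above: a POSIX sh audit that checks a configuration file against the owner, group and mode the commit message says tcsd requires (root, _tss, 640). The function names `file_meta` and `check_tcsd_conf` are made up for this illustration, and trying GNU `stat -c` before BSD `stat -f` is an assumption so the same script runs on both.

```sh
#!/bin/sh
# Added example: audit tcsd.conf against the ownership and mode tcsd insists on.
# Defaults (root, _tss, 640) are the values stated in the commit message above.

# Print "owner:group:mode" for a file; tries GNU/busybox stat, then BSD stat.
file_meta() {
	stat -c '%U:%G:%a' "$1" 2>/dev/null ||
	    stat -f '%Su:%Sg:%Lp' "$1" 2>/dev/null
}

# check_tcsd_conf FILE [OWNER] [GROUP] [MODE]
# Returns 0 when FILE matches, 1 on any mismatch, 2 when FILE cannot be read.
check_tcsd_conf() {
	conf=$1
	want_owner=${2:-root}
	want_group=${3:-_tss}
	want_mode=${4:-640}
	rc=0

	meta=$(file_meta "$conf") || {
		echo "cannot stat $conf" >&2
		return 2
	}
	# Split "owner:group:mode" with parameter expansion only (no external tools).
	owner=${meta%%:*}
	rest=${meta#*:}
	group=${rest%%:*}
	mode=${rest#*:}

	if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
		echo "$conf: owner/group is $owner/$group, want $want_owner/$want_group" >&2
		rc=1
	fi
	if [ "$mode" != "$want_mode" ]; then
		echo "$conf: mode is $mode, want $want_mode" >&2
		rc=1
	fi
	return "$rc"
}

# Run the audit only when a path is given, e.g.:
#   sh check_tcsd_conf.sh /usr/local/etc/tcsd.conf
if [ "$#" -gt 0 ]; then
	check_tcsd_conf "$@"
fi
```

Running it after `service tcsd start` also shows whether an rc.d script has changed the ownership back, which is the behaviour reported in the description.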