fail2ban / fail2ban

Daemon to ban hosts that cause multiple authentication errors
http://www.fail2ban.org

file permissions #3773

Open ragnar76 opened 1 week ago

ragnar76 commented 1 week ago

Environment:

Linux dev 6.6.31+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.31-1+rpt1 (2024-05-29) aarch64 GNU/Linux

The issue:

Just installed 1.1.0 from releases (https://github.com/fail2ban/fail2ban/releases) and noticed that all directory and file permissions on Linux are set to 0755 (-rwxr-xr-x).

Steps to reproduce

Install the Debian package from releases

Expected behavior

Directories should have 0775, files should have 0664.

sebres commented 1 week ago

and recognized that all directory and file permissions on Linux are set to 0755 (-rwxr-xr-x)

Hmm... Which directories and files did you mean exactly? Really all files on your Linux box got affected by the installation?!

Anyway, I cannot reproduce it on a Debian 12 box at all: neither do the fail2ban files have +x (except /usr/bin/fail2ban-* and a few executable files in config), nor are any other foreign Linux files touched at all.

Here is an excerpt of how it looks after installation:

# find /etc/fail2ban -printf "%-50p: %m (%M)\n"
/etc/fail2ban                                     : 755 (drwxr-xr-x)
...
/etc/fail2ban/jail.conf                           : 644 (-rw-r--r--)
/etc/fail2ban/paths-freebsd.conf                  : 644 (-rw-r--r--)
/etc/fail2ban/paths-debian.conf                   : 644 (-rw-r--r--)

# find /usr/lib/python3/dist-packages/fail2ban -maxdepth 1 -printf "%-60p: %m (%M)\n"
/usr/lib/python3/dist-packages/fail2ban                     : 755 (drwxr-xr-x)
/usr/lib/python3/dist-packages/fail2ban/__pycache__         : 755 (drwxr-xr-x)
/usr/lib/python3/dist-packages/fail2ban/exceptions.py       : 644 (-rw-r--r--)
/usr/lib/python3/dist-packages/fail2ban/helpers.py          : 644 (-rw-r--r--)
/usr/lib/python3/dist-packages/fail2ban/server              : 755 (drwxr-xr-x)
/usr/lib/python3/dist-packages/fail2ban/protocol.py         : 644 (-rw-r--r--)
/usr/lib/python3/dist-packages/fail2ban/__init__.py         : 644 (-rw-r--r--)
/usr/lib/python3/dist-packages/fail2ban/version.py          : 644 (-rw-r--r--)
/usr/lib/python3/dist-packages/fail2ban/tests               : 755 (drwxr-xr-x)
/usr/lib/python3/dist-packages/fail2ban/client              : 755 (drwxr-xr-x)
/usr/lib/python3/dist-packages/fail2ban/setup.py            : 644 (-rw-r--r--)

# find /usr/bin/ -name 'fail2ban-*' -printf "%-50p: %m (%M)\n"
/usr/bin/fail2ban-python                          : 777 (lrwxrwxrwx)
/usr/bin/fail2ban-server                          : 755 (-rwxr-xr-x)
/usr/bin/fail2ban-client                          : 755 (-rwxr-xr-x)
/usr/bin/fail2ban-testcases                       : 755 (-rwxr-xr-x)
/usr/bin/fail2ban-regex                           : 755 (-rwxr-xr-x)
ragnar76 commented 1 week ago

Strange, I've just tried it on another Raspberry Pi; the results are the same as in my 1st report. The results are the same for /etc/fail2ban, and it's only there. /usr/lib/python3/dist-packages/fail2ban and the files in /usr/bin are not affected.


sebres commented 1 week ago

Hmm... What are the default permissions for files inside /etc/fail2ban (or its subfolders)? Maybe some default ACLs are set (getfacl /etc/fail2ban/filter.d/)?

Or what do you see if you simply create a file inside:

fn=/etc/fail2ban/filter.d/test-gh-3773.conf
touch "$fn"      # new file gets the directory's default mode (umask / default ACL)
ls -la "$fn"
rm "$fn"

Anyway, I don't see anything in the install scripts that could do that... Must check the debian branch, which always gets merged to make our releases.

sebres commented 1 week ago

Found in the folder where I created the merged build that all config files are indeed o+x, however only for the owner (e.g. 744 and not 755 as you show).

I'll try to build a new release soon.

Just in case someone else is also affected by the issue, this must fix it (sets the default permissions):

find /etc/fail2ban/ -type f -not -path "/etc/fail2ban/filter.d/ignorecommands/*" -exec chmod 644 {} \;

(unless one has one's own executables inside; then restore them with chmod +x "$file")
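An added audit-and-repair script that combines the checks discussed in this thread (sebres' find -printf listing, the 644/755 layout, and the filter.d/ignorecommands/ allow-list excluded by the chmod fix). It is example code written for this page, not part of fail2ban or of the issue; it assumes GNU find/coreutils (find -printf, stat -c) as on Debian, and builds a constructed temporary tree rather than touching /etc/fail2ban. The group/world-writable check is this example's own addition: fail2ban runs actionban/actionunban shell commands as root, so a config file writable by a non-root user is a root code-execution path, not just a cosmetic mode deviation like the 744 found here.

```shell
#!/bin/sh
# Added example (not fail2ban project code): audit and repair mode bits in a
# fail2ban config tree. Assumes GNU find/coreutils (find -printf, stat -c).
# Expected modes follow the thread: 644 for config files, 755 only under
# filter.d/ignorecommands/ (the path the chmod fix above excludes).

# Print one line "<actual> <expected> <path>" (tab-separated) per regular
# file whose mode deviates from the expected layout. Prints nothing if clean.
audit_f2b_perms() {
    find "$1" -type f -printf '%m %p\n' | while read -r mode path; do
        case "$path" in
            */filter.d/ignorecommands/*) want=755 ;;   # admin-supplied executables
            *)                           want=644 ;;   # plain config
        esac
        [ "$mode" = "$want" ] || printf '%s\t%s\t%s\n' "$mode" "$want" "$path"
    done
}

# True (0) if an octal mode string has the write bit set for group or other.
# Such a file lets a non-root user edit actions that fail2ban executes as root.
writable_by_group_or_other() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# Number of files whose mode deviates from the expected layout.
count_f2b_deviations() {
    echo $(( $(audit_f2b_perms "$1" | wc -l) ))
}

# Number of deviating files that are group- or world-writable (the serious ones).
# Reads from a here-document, not a pipe, so the counter survives the loop.
count_f2b_writable() {
    n=0
    while read -r mode want path; do
        writable_by_group_or_other "$mode" && n=$((n + 1))
    done <<EOF
$(audit_f2b_perms "$1")
EOF
    echo "$n"
}

# Reset every deviating file to its expected mode and print what changed.
# Caveat from the thread: an executable the admin placed outside
# filter.d/ignorecommands/ is reset to 644 too and must be chmod +x'd back.
fix_f2b_perms() {
    audit_f2b_perms "$1" | while read -r mode want path; do
        chmod "$want" "$path" && printf 'fixed %s: %s -> %s\n' "$path" "$mode" "$want"
    done
}

# Constructed sample tree (not a real installation) reproducing the report:
# config files with u+x, one group-writable jail.local, and a legitimate
# executable under ignorecommands that must keep 755. Prints the directory.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/filter.d/ignorecommands" "$d/action.d"
    touch "$d/jail.conf" "$d/filter.d/sshd.conf" "$d/action.d/iptables.conf" \
          "$d/jail.local" "$d/filter.d/ignorecommands/apf"
    chmod 744 "$d/jail.conf" "$d/filter.d/sshd.conf"   # the 744 found in the merged build
    chmod 644 "$d/action.d/iptables.conf"               # already correct
    chmod 664 "$d/jail.local"                           # group-writable: root RCE path
    chmod 755 "$d/filter.d/ignorecommands/apf"          # expected executable, kept
    echo "$d"
}

# Run a full audit/fix cycle on the constructed tree and clean up.
demo_f2b_perms() {
    tree=$(make_demo_tree)
    echo "deviations before: $(count_f2b_deviations "$tree"), writable: $(count_f2b_writable "$tree")"
    fix_f2b_perms "$tree"
    echo "deviations after: $(count_f2b_deviations "$tree")"
    rm -rf "$tree"
}
```

To use it on a real box, source the file and run `audit_f2b_perms /etc/fail2ban` first; only call `fix_f2b_perms` after reviewing the list, because, as noted above, any executable you placed outside filter.d/ignorecommands/ will be reset to 644.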