/bin files owned by frontail

  • Platform information:
    • Hardware: RPi4
    • OS: Raspbian GNU/Linux 12 (bookworm)
    • Java Runtime Environment: openjdk 17.0.13 2024-10-15
    • openHAB version: 4.2.2
  • Issue of the topic: After updating zigbee2mqtt and frontail, all files inside /bin and /usr/bin are now owned by frontail - also sudo, so I can't figure out a way to fix this. Appreciate any tips?

UPDATE: Duplicate of this: Sudo not working any more - #2 by rlkoshak

Snippet of /bin

-rwxr-xr-x  1 frontail frontail     1984 Apr 10  2022  zcat
-rwxr-xr-x  1 frontail frontail     1678 Apr 10  2022  zcmp
-rwxr-xr-x  1 frontail frontail     6460 Apr 10  2022  zdiff
-rwxr-xr-x  1 frontail frontail    18020 Nov  6 14:48  zdump
-rwxr-xr-x  1 frontail frontail       29 Apr 10  2022  zegrep
-rwxr-xr-x  1 frontail frontail       29 Apr 10  2022  zfgrep
-rwxr-xr-x  1 frontail frontail     2081 Apr 10  2022  zforce
-rwxr-xr-x  1 frontail frontail     8103 Apr 10  2022  zgrep
-rwxr-xr-x  1 frontail frontail   173100 Feb 19  2023  zip
-rwxr-xr-x  1 frontail frontail    72392 Feb 19  2023  zipcloak
-rwxr-xr-x  1 frontail frontail    70193 Nov 25  2023  zipdetails
-rwxr-xr-x  1 frontail frontail     2959 Feb 19  2023  zipgrep
-rwxr-xr-x  2 frontail frontail   145368 Feb 19  2023  zipinfo
-rwxr-xr-x  1 frontail frontail    68112 Feb 19  2023  zipnote
-rwxr-xr-x  1 frontail frontail    72216 Feb 19  2023  zipsplit
-rwxr-xr-x  1 frontail frontail     2206 Apr 10  2022  zless
-rwxr-xr-x  1 frontail frontail     1842 Apr 10  2022  zmore
-rwxr-xr-x  1 frontail frontail     4577 Apr 10  2022  znew

openhabian-config log: at first you can see sudo has worked, but not anymore after the update.

openhabian@openhab:/usr/local/bin $ sudo openhabian-config
2024-11-20_23:00:54_EET [openHABian] Checking for root privileges... OK
2024-11-20_23:00:54_EET [openHABian] Making sure router advertisements are available...
$ sysctl --load
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_ra_rt_info_max_plen = 64
OK
2024-11-20_23:00:54_EET [openHABian] Loading configuration file '/etc/openhabian.conf'... OK
2024-11-20_23:00:54_EET [openHABian] openHABian configuration tool version: [openHAB]{2024-10-25T10:35:12-06:00}(7d97bd8)
2024-11-20_23:00:54_EET [openHABian] Checking for changes in origin branch openHAB... OK
2024-11-20_23:00:55_EET [openHABian] Switching to branch openHAB... OK
2024-11-20_23:00:55_EET [openHABian] Checking openHAB Signing Key expiry.
2024-11-20_23:00:55_EET [openHABian] Checking expiry date of apt keys... OK
2024-11-20_23:00:59_EET [openHABian] Updating Linux package information... OK
2024-11-20_23:01:02_EET [openHABian] Updating Zigbee2MQTT...
$ cd /opt/zigbee2mqtt

$ systemctl stop zigbee2mqtt

$ sudo -u openhabian cp -R data data-backup

$ sudo -u openhabian git pull
Already up to date.

$ sudo -u openhabian npm ci
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported

added 649 packages, and audited 650 packages in 49s

90 packages are looking for funding
  run `npm fund` for details

2 vulnerabilities (1 low, 1 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

$ sudo -u openhabian cp -R data-backup/configuration.example.yaml data-backup/configuration.yaml data-backup/database.db data-backup/state.json data

$ rm -rf /opt/zigbee2mqtt/data-backup

$ cd /opt

$ systemctl start zigbee2mqtt
OK
2024-11-20_23:02:03_EET [openHABian] Updating Linux package information... OK
2024-11-20_23:02:03_EET [openHABian] Installing Frontail prerequsites (NodeJS)...
$ nodejs_setup
2024-11-20_23:02:03_EET [openHABian] Adding required keys to apt... OK
2024-11-20_23:02:03_EET [openHABian] Adding NodeSource repository to apt...
$ apt-get update
Hit:1 http://deb.debian.org/debian bookworm-updates InRelease
Hit:2 http://security.debian.org/debian-security bookworm-security InRelease
Hit:3 http://archive.raspberrypi.org/debian bookworm InRelease
Hit:4 http://raspbian.raspberrypi.org/raspbian bookworm InRelease
Get:5 https://deb.nodesource.com/node_18.x bookworm InRelease [4,586 B]
Hit:6 https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable InRelease
Get:7 https://deb.nodesource.com/node_18.x bookworm/main armhf Packages [787 B]
Fetched 5,373 B in 2s (2,152 B/s)
Reading package lists... Done
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://security.debian.org/debian-security/dists/bookworm-security/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://archive.raspberrypi.org/debian/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://raspbian.raspberrypi.org/raspbian/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
OK
2024-11-20_23:02:10_EET [openHABian] Installing NodeJS...
$ apt-get install --yes -o DPkg::Lock::Timeout= nodejs
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
nodejs is already the newest version (20.18.1-1nodesource1).
The following packages were automatically installed and are no longer required:
  libc-ares2 node-busboy node-cjs-module-lexer node-undici node-xtend
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
OK
FAILED. Provide packageName.
OK
2024-11-20_23:02:14_EET [openHABian] Installing openHAB Log Viewer (frontail)... Removing any old installations...

$ npm uninstall -g frontail

removed 153 packages, and audited 1 package in 1s

found 0 vulnerabilities

$ frontail_download /opt
2024-11-20_23:02:17_EET [openHABian] Downloading frontail...
Update...

$ update_git_repo /opt/frontail master
2024-11-20_23:02:17_EET [openHABian] Updating frontail, master branch from git...
$ git -C /opt/frontail fetch origin

$ git -C /opt/frontail fetch --tags --force --prune

$ git -C /opt/frontail reset --hard origin/master
HEAD is now at 7ff8dc5 Merge pull request #2 from Gifford47/patch-1

$ git -C /opt/frontail clean --force -x -d
Removing node_modules/

$ git -C /opt/frontail checkout master
Already on 'master'
Your branch is up to date with 'origin/master'.

$ git -C /opt/frontail submodule update --init --recursive
OK
OK

$ npm audit fix --omit=dev
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 139 packages, and audited 140 packages in 16s

1 package is looking for funding
  run `npm fund` for details

# npm audit report

basic-auth-connect  1.0.0
Severity: high
basic-auth-connect's callback uses time unsafe string comparison - https://github.com/advisories/GHSA-7p89-p6hx-q4fw
fix available via `npm audit fix --force`
Will install basic-auth-connect@1.1.0, which is outside the stated dependency range
node_modules/basic-auth-connect

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install cookie@1.0.2, which is a breaking change
node_modules/cookie
node_modules/cookie-parser/node_modules/cookie
node_modules/engine.io/node_modules/cookie
node_modules/express-session/node_modules/cookie
  cookie-parser  1.0.1 - 1.4.6
  Depends on vulnerable versions of cookie
  node_modules/cookie-parser
  engine.io  0.7.8 - 0.7.9 || 1.8.0 - 6.6.1
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of ws
  node_modules/engine.io
    socket.io  3.0.0-rc1 - 4.6.1
    Depends on vulnerable versions of engine.io
    node_modules/socket.io
  express-session  1.0.1 - 1.18.0
  Depends on vulnerable versions of cookie
  node_modules/express-session


request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install universal-analytics@0.5.3, which is a breaking change
node_modules/request
  universal-analytics  <=0.4.23
  Depends on vulnerable versions of request
  node_modules/universal-analytics

send  <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install serve-static@1.16.2, which is outside the stated dependency range
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static



socket.io-parser  4.0.4 - 4.2.2
Severity: moderate
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-cqmj-92xf-r6r9
fix available via `npm audit fix`
node_modules/socket.io-parser

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install universal-analytics@0.5.3, which is a breaking change
node_modules/tough-cookie

ws  7.0.0 - 7.5.9
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install socket.io@4.8.1, which is a breaking change
node_modules/ws

13 vulnerabilities (5 low, 5 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

$ npm update --audit=false --omit=dev

added 13 packages, removed 16 packages, and changed 81 packages in 13s

2 packages are looking for funding
  run `npm fund` for details

$ npm install --global --audit=false --omit=dev

added 1 package in 826ms
OK
2024-11-20_23:02:52_EET [openHABian] Setting up openHAB Log Viewer (frontail) service...
$ chmod 644 /etc/systemd/system/frontail.service

$ systemctl -q daemon-reload

$ systemctl enable --now frontail.service

$ systemctl restart frontail.service
OK
2024-11-20_23:02:57_EET [openHABian] Adding an openHAB dashboard tile for 'frontail'... Replacing...
$ sed -i -e /^frontail-link-*$/d /etc/openhab/services/runtime.cfg
OK
2024-11-20_23:03:07_EET [openHABian] Checking for default openHABian username:password combination... OK
2024-11-20_23:03:07_EET [openHABian] We hope you got what you came for! See you again soon ;)
openhabian@openhab:/usr/local/bin $ sudo nano /etc/apt/sources.list
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

It was quite straightforward to fix the issue (take back ownership of sudo), etc., by mounting the SSD to WSL and doing:

sudo chown root:root sudo
sudo chmod a=rx,u+ws sudo

then back in openhab something along the lines of:

sudo chown --recursive --from=frontail:frontail root:root *

The only thing I wonder is why this happened in the first place when installing components, and why exactly frontail, as this has occurred for others too?!
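
A way to check the repair described above, added here as an example and not part of the original post or of openHABian. On Linux a chown also clears the setuid bit on regular files, which is why sudo needed chmod as well as chown, so other setuid programs in the same directories are worth checking too. The function names, the sample tree and the program list in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify ownership and setuid bits after repairing /bin or /usr/bin.

# Print regular files under DIR ($1) not owned by uid WANT ($2, default 0 = root).
list_wrong_owner() {
    find "$1" -xdev -type f ! -uid "${2:-0}" -print | sort
}

# Print each DIR/NAME that exists but is not both owned by WANT and setuid.
# Usage: list_missing_setuid DIR WANT NAME...
list_missing_setuid() (
    dir=$1 want=$2
    shift 2
    for name in "$@"; do
        [ -f "$dir/$name" ] || continue
        [ -n "$(find "$dir/$name" -prune -perm -4000 -uid "$want")" ] ||
            printf '%s\n' "$dir/$name"
    done
)

# Constructed sample tree (not real system files): sudo keeps its setuid bit,
# passwd has lost it, zcat never had one. Prints the temporary directory.
make_sample_tree() (
    d=$(mktemp -d) || exit 1
    for f in sudo passwd zcat; do : > "$d/$f"; done
    chmod 4755 "$d/sudo"
    chmod 755 "$d/passwd" "$d/zcat"
    printf '%s\n' "$d"
)

# On the real system, as root (the NAME list is an assumption; use the
# setuid programs your distribution actually ships):
#   list_wrong_owner /usr/bin
#   list_missing_setuid /usr/bin 0 sudo su passwd mount umount
```

Anything still flagged can be put back to the owner, group and mode recorded in its package with `apt-get install --reinstall <package>`.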