
"sh: /conf/pfatt/bin/pfatt.sh: Permission denied" on pfSense 2.6 w/ ZFS

Open MazuMoon opened this issue 2 years ago • 4 comments

Not sure if this is an issue, or just something I’m doing wrong. I’m fairly new to pfSense and a lot of this is over my head.

I installed pfSense 2.6 on a Protectli Vault and selected ZFS for the filesystem. I followed the bridge method instructions from the supplicant branch, but couldn’t get it working, so I tried the master branch, and it worked fine. Then I decided to try the supplicant method with certificates.

During bootup, I kept getting:

sh: /conf/pfatt/bin/pfatt.sh: Permission denied

My file permissions showed:

-rwxr-xr-x 1 root wheel 9194 Apr 5 14:18 pfatt.sh

Since I couldn’t get it working, I moved pfatt.sh to /root/bin and left the certs in /conf/pfatt/wpa. I rebooted and everything worked as expected.

There’s a Netgate forum post (see Apr 26, 2022, 6:03PM & Jul 21, 2022, 4:24 PM) which discusses a similar permissions issue. They mention /conf being locked down and a Netgate admin says to use /root instead. That led me to try mount -p, which shows:

pfSense/cf/conf /cf/conf zfs rw,noexec,nosuid,noatime,nfsv4acls 0

I’m assuming noexec on the pfSense/cf/conf line means pfatt.sh can’t run in the /conf directory. Does this sound correct? If so, any issue with leaving pfatt.sh in /root/bin? Thanks.

Apr 06 '23 17:04 MazuMoon

> I’m assuming noexec on the pfSense/cf/conf line means pfatt.sh can’t run in the /conf directory.

Correct

> If so, any issue with leaving pfatt.sh in /root/bin?

No issue, just make sure you have the correct path(s) when calling the script, certificates, etc.

Apr 06 '23 20:04 owenthewizard
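A check for the condition confirmed in the answer above, added here as an example (it is not code from the thread or from the pfatt project): it reads fstab-style lines such as `mount -p` prints, finds the most specific mount that holds a file, and reports whether that mount carries `noexec`. The function names and the sample table are assumptions; only the `/cf/conf` line comes from the thread, and paths are given in their `/cf/conf` form to match it.

```shell
#!/bin/sh
# noexec_mount PATH   (mount table on stdin: device mountpoint fstype options ...)
# Prints "<mountpoint> <options>" for the mount that holds PATH.
# Returns 0 if that mount is noexec, 1 if exec is allowed, 2 if nothing matched.
noexec_mount() {
    awk -v path="$1" '
        {
            mp = $2
            # A mount holds the path if it is "/", equals the path, or is a
            # directory prefix of it (so /cf/conf does not match /cf/conf2).
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                # Keep the longest, i.e. most specific, mount point.
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END {
            if (best == "") exit 2
            print best, opts
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0
            exit 1
        }'
}

# Constructed sample table: the /cf/conf line is the one quoted in the thread,
# the other two lines are made up for this demonstration.
SAMPLE_MOUNTS='pfSense/ROOT/default / zfs rw,noatime,nfsv4acls 0 0
pfSense/cf/conf /cf/conf zfs rw,noexec,nosuid,noatime,nfsv4acls 0
pfSense/home /home zfs rw,nosuid,noatime,nfsv4acls 0 0'

# check_script PATH: human-readable verdict against the sample table.
check_script() {
    hit=$(printf '%s\n' "$SAMPLE_MOUNTS" | noexec_mount "$1") && rc=0 || rc=$?
    case $rc in
        0) echo "$1: noexec (mount ${hit%% *}), direct execution is refused" ;;
        1) echo "$1: exec allowed (mount ${hit%% *})" ;;
        *) echo "$1: no matching mount" ;;
    esac
}

check_script /cf/conf/pfatt/bin/pfatt.sh
check_script /root/bin/pfatt.sh
```

On a live system, feed the function the real table and a symlink-resolved path, for example `mount -p | noexec_mount "$(realpath /conf/pfatt/bin/pfatt.sh)"`.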

Is there a particular reason why /conf was chosen as the folder for the pfatt.* scripts in the first place? I recall this being used way back - 3+ years ago when the script first came about.

Apr 06 '23 22:04 gpz1100

> No issue, just make sure you have the correct path(s) when calling the script, certificates, etc.

Thanks!

Apr 07 '23 00:04 MazuMoon

> Is there a particular reason why /conf was chosen as the folder for the pfatt.* scripts in the first place?

To be honest I'm not familiar enough with pfSense to know.

Apr 07 '23 21:04 owenthewizard