Mattermost, Inc.

Plugins Permissions fail

What are permissions for plugins?

I gave aog+rwx mattermost:mattermost

{"level":"error","ts":1581891337.668472,"caller":"mlog/log.go:174","msg":"Unable to activate plugin","plugin_id":"github","error":"unable to start plugin: github: fork/exec /usr/local/www/mattermost/plugins/github: permission denied","errorVerbose":"fork/exec /usr/local/www/mattermost/plugins/github: permission denied\nunable to start plugin: github\ngithub.com/mattermost/mattermost-server/v5/plugin.(*Environment).Activate\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/plugin/environment.go:251\ngithub.com/mattermost/mattermost-server/v5/app.(*App).SyncPluginsActiveState\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/app/plugin.go:106\ngithub.com/mattermost/mattermost-server/v5/app.(*App).InitPlugins.func2\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/app/plugin.go:197\ngithub.com/mattermost/mattermost-server/v5/config.(*emitter).invokeConfigListeners.func1\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/config/emitter.go:35\nsync.(*Map).Range\n\t/usr/local/go/src/sync/map.go:333\ngithub.com/mattermost/mattermost-server/v5/config.(*emitter).invokeConfigListeners\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/config/emitter.go:33\ngithub.com/mattermost/mattermost-server/v5/config.(*commonStore).set\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/config/common.go:90\ngithub.com/mattermost/mattermost-server/v5/config.(*FileStore).Set\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/config/file.go:107\ngithub.com/mattermost/mattermost-server/v5/app.(*Server).UpdateConfig\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/app/config.go:53\ngithub.com/mattermost/mattermost-server/v5/app.(*App).UpdateConfig\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/app/config.go:59\ngithub.com/mattermost/mattermost-server/v5/app.(*App).EnablePlugin\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/app/plugin.go:341\ngithub.com/mattermost/mattermost-server/v5/api4.enablePlugin\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/api4/plugin.go:305\ngithub.com/mattermost/mattermost-server/v5/web.Handler.ServeHTTP\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/web/handlers.go:163\ngithub.com/NYTimes/gziphandler.GzipHandlerWithOpts.func1.1\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/vendor/github.com/NYTimes/gziphandler/gzip.go:336\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2007\ngithub.com/gorilla/mux.(*Router).ServeHTTP\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/vendor/github.com/gorilla/mux/mux.go:212\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2802\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1890\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357"}

Hello, @busy

May I know if you have tried to run the following command on your Mattermost Server terminal and verify that the issue is fixed?

sudo chown mattermost:mattermost /opt/mattermost/

Let me know how it goes.

I am using FreeBSD version that lands into /usr/local/www/mattermost
I gave all folders user mattermost and this did not help.

I did follow https://pushpanel.io/2020/mattermost-5-19-setup-on-freebsd-12-1-inside-a-jail/ steps.

{“level”:“error”,“ts”:1581980204.8666434,“caller”:“mlog/log.go:174”,“msg”:“Unable to restart plugin on upgrade.”,“path”:"/api/v4/plugins/marketplace",“request_id”:“xxx”,“ip_addr”:“xxx”,“user_id”:“xxx”,“method”:“POST”,“err_where”:“installPluginLocally”,“http_code”:500,“err_details”:“unable to start plugin: jenkins: fork/exec /usr/local/www/mattermost/plugins/jenkins: permission denied”}

#ls -la /usr/local/www/mattermost/plugins/jenkins
total 6
drwxr–r-- 4 mattermost mattermost 6 17 Feb 22:56 .
drwxr–r-- 3 mattermost mattermost 3 17 Feb 22:56 …
-rw-r–r-- 1 mattermost mattermost 0 17 Feb 22:56 .filestore
drwxr–r-- 2 mattermost mattermost 3 17 Feb 22:56 assets
-rw-r–r-- 1 mattermost mattermost 1186 17 Feb 22:56 plugin.json
drwxr–r-- 3 mattermost mattermost 3 17 Feb 22:56 server

Maybe there is a way to debug the problem more deeply?

Hello, @busy

Thanks for the clarification. Can you please run the command below and share the output?

ps -ef | grep mattermost

Also, can you also try to grant permission across the entire Mattermost folder using the command below and observe if you are still facing issues with the plugin permission?

sudo chown -R mattermost:mattermost /usr/local/www/mattermost

#ps -ewwf | grep mattermost
25411 2 IJ 0:00.01 VENDOR=amd SSH_CLIENT= 54147 22 LOGNAME=root jail_mattermost_exec_stop= PAGER=more LANG=en_US.UTF-8 OSTYPE=FreeBSD MACHTYPE=x86_64 MAIL=/var/mail/root jail_mattermost_parameters= jail_mattermost_exec_start=/bin/sh /etc/rc PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin jail_mattermost_post_start_script= jail_mattermost_hostname=mattermost EDITOR=vi HOST=man001 REMOTEHOST= jail_mattermost_forceblocking= jail_mattermost_attachblocking= jail_mattermost_parentzfs=tank/root/jails jail_mattermost_cpuset= PWD=/root jail_mattermost_ip=em1|,em0| GROUP=wheel TERM=xterm-256color SSH_TTY=/dev/pts/2 HOME=/root USER=root jail_mattermost_rootdir=/usr/jails/mattermost jail_mattermost_retention_policy= SSH_CONNECTION= 54147 22 jail_mattermost_devfs_ruleset=devfsrules_jail HOSTTYPE=FreeBSD SHELL=/bin/csh jail_mattermost_fib= jail_mattermost_procfs_enable=YES jail_mattermost_mount_enable=YES jail_mattermost_fdescfs_enable=YES MM_CHARSET=UTF-8 jail_mattermost_attachparams= jail_mattermost_imagetype=zfs jail_mattermost_image= jail_mattermost_zfs_datasets= jail_mattermost_devfs_enable=YES BLOCKSIZE=K SHLVL=1 login [pam] (login)

All folders are mattermost:mattermost, even tried to /usr/local/www with aog+rwx ; did not help; did try even change permission on the fly when mattermost is extracting plugin. restarting service did not make anything.

Upgrade to package: mattermost to 5.19.1 and still getting a problem:

{"level":"error","ts":1584695137.1472464,"caller":"mlog/log.go:174","msg":"Unable to activate plugin","plugin_id":"mattermost-autolink","error":"unable to start plugin: mattermost-autolink: fork/exec /usr/local/www/mattermost/plugins/mat
termost-autolink: permission denied","errorVerbose":"fork/exec /usr/local/www/mattermost/plugins/mattermost-autolink: permission denied\nunable to start plugin: mattermost-autolink\ngithub.com/mattermost/mattermost-server/v5/plugin.(*Env
ironment).Activate\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/plugin/environment.go:251\ngithub.com/mattermost/mattermost-server/v5/app.(*App).SyncPluginsActiveState\n\t/wrkdirs/usr/ports/www/mattermost-ser
ver/work/mattermost-server-5.19.1/app/plugin.go:106\ngithub.com/mattermost/mattermost-server/v5/app.(*App).InitPlugins.func2\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/app/plugin.go:197\ngithub.com/mattermo
st/mattermost-server/v5/config.(*emitter).invokeConfigListeners.func1\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/config/emitter.go:35\nsync.(*Map).Range\n\t/usr/local/go/src/sync/map.go:333\ngithub.com/matt
ermost/mattermost-server/v5/config.(*emitter).invokeConfigListeners\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/config/emitter.go:33\ngithub.com/mattermost/mattermost-server/v5/config.(*commonStore).set\n\t/
wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/config/common.go:90\ngithub.com/mattermost/mattermost-server/v5/config.(*FileStore).Set\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/confi
g/file.go:107\ngithub.com/mattermost/mattermost-server/v5/app.(*App).SaveConfig\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/app/config.go:382\ngithub.com/mattermost/mattermost-server/v5/app.(*App).EnablePlug
in\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/app/plugin.go:346\ngithub.com/mattermost/mattermost-server/v5/api4.enablePlugin\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/api4/p
lugin.go:305\ngithub.com/mattermost/mattermost-server/v5/web.Handler.ServeHTTP\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/web/handlers.go:163\ngithub.com/NYTimes/gziphandler.GzipHandlerWithOpts.func1.1\n\t/
wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/vendor/github.com/NYTimes/gziphandler/gzip.go:336\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2007\ngithub.com/gorilla/mux.(*Router).ServeH
TTP\n\t/wrkdirs/usr/ports/www/mattermost-server/work/mattermost-server-5.19.1/vendor/github.com/gorilla/mux/mux.go:212\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2802\nnet/http.(*conn).serve\n\t/usr/local/g
o/src/net/http/server.go:1890\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357"}
1 Like

I found possible issue:

inside server: /model/manifest.go there is no definition for FreeBSD lines: 265/273
then by looking on plugin manifests: https://github.com/mattermost/mattermost-plugin-jenkins/blob/master/plugin.json There is no FreeBSD definition.
https://developers.mattermost.com/extend/plugins/manifest-reference/#backend

Does it mean that plugins on FreeBSD are not supported?

1 Like

Hello, I had the same problem, don’t know if you’ve solved it yet?

@busy I’m not sure about that so I’ve asked our developers. When they get back to me I’ll let you know.

In FreeBSD, any Plugin causes Permission denied and the directory becomes 744.
Even if the binary is made, it cannot be executed.

Same issue here on FreeBSD 12.1, installed via pkg
mattermost-server-5.19.1
mattermost-webapp-5.19.1

# ps -auxewwf |grep mattermost mattermost
35963 8.7 1.2 894000 193272 - S 22:53 0:05.28 VENDOR=amd LOGNAME=mattermost PAGER=less OSTYPE=FreeBSD MACHTYPE=x86_64 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin://bin EDITOR=vi HOST=(my server hostname) REMOTEHOST=(my ip) OLDPWD=/ PWD=/usr/local/www/mattermost GROUP=mattermost USER=mattermost HOME=/ HOSTTYPE=FreeBSD BLOCKSIZE=K RC_PID=26103 SHLVL=1 /usr/local/bin/mattermostd --disableconfigwatch --config=/usr/local/etc/mattermost/config.json
mattermost 35928 0.0 0.0 11004 2540 - Ss 22:53 0:00.01 VENDOR=amd LOGNAME=mattermost PAGER=less OSTYPE=FreeBSD MACHTYPE=x86_64 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin://bin EDITOR=vi HOST=(my server hostname) REMOTEHOST=(my ip) OLDPWD=/ PWD=/usr/local/www/mattermost GROUP=mattermost USER=mattermost HOME=/ HOSTTYPE=FreeBSD BLOCKSIZE=K RC_PID=26103 SHLVL=1 daemon: /usr/local/bin/mattermostd[35963] (daemon

I first thought this was an issue with Linux compatibility, but having installed Linux compatibility and running the plugin binary works:
# su -m mattermost -c /usr/local/www/mattermost/plugins/github/server/dist/plugin-linux-amd64
This binary is a plugin. These are not meant to be executed directly. Please execute the program that consumes these plugins, which will load any plugins automatically

Directory /usr/local/www/mattermost and all its subdirectories are owned by mattermost:mattermost.

Running mattermost as root defined as mattermost_user and restarted service resulted in same permission denied error.

Update: I got it working by changing the plugin’s plugin.json executable setting: https://i.imgur.com/9byjJ0Q.png

@busy see my post above for workaround.

Just a heads up. If you’ve downloaded the plugin from the marketplace, it will have downloaded a .sig file for that plugin as well in your data directory/plugins, and MM seems to check the signature or the contents of the plugin .tar.gz file at startup. I ended up downloading the plugin.tar.gz file from my server, stopping MM, removing the plugin’s directory under /usr/local/www/mattermost/plugins/ and enabling uploading of plugins through the system console without signature checking. I then edited the contents of the plugin.json file inside the .tar.gz archive and uploaded that plugin through the system console, now the edits to the plugin.json file persists along restarts of MM. For now, at least :slight_smile: