opened 08:14PM - 29 Aug 23 UTC
T: bug
P: default
### Qubes OS release
R4.2
### Brief summary
User / group permissions in… [Qubes `bind-dirs` directory](https://www.qubes-os.org/doc/bind-dirs/) are wrong.
### Steps to reproduce
Not sure. Might happen by swapping the underlying Template of an App Qube for another Template or by restoring a VM using Qubes VM backup (which could be similar to the former).
### Expected behavior
Correct user / group permissions.
### Actual behavior
In corner cases, wrong user / group permissions.
### Additional information
* For tracking purposes: This is not a Whonix-specific issue. This is a general issue with Qubes bind-dirs.
* Affects Qubes-Whonix: Yes. In corner cases users have to run a [Tor permissions fix](https://www.whonix.org/wiki/Tor#Permissions_Fix) because Tor fails to start due to wrong folder permissions.
I was now able to most likely pin this issue to Qubes bind-dirs. The permissions in folder `/rw/bind-dirs` (where the fully-persistent data in App Qube resides) (for example "`/rw/bind-dirs/var/lib/tor`") are wrong to begin with. Therefore bind-dirs will mount it also with the wrong permissions as a follow-up error.
Why are the user / group permissions in `/rw/bind-dirs` wrong to begin with? Because while Template A and Template B might use the same user / group names (example: "`debian-tor`"), the user identifier (`UID`) and group identifier (`GID`), which are numeric, are most likely different. Unfortunately, Linux stores UID / GID as numbers in the filesystem, not as literal names.
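
An added example, not part of the original issue and not Qubes code: a check that walks a bind-dirs path and reports entries whose stored numeric owner no longer matches the IDs the current Template assigns to the expected user. The passwd excerpts and their UID / GID values are constructed, and the check assumes the directory's group is the user's primary group.

```python
import os
import pwd

# Constructed passwd excerpts: same user name, different numeric IDs per template.
TEMPLATE_A_PASSWD = "debian-tor:x:105:113::/var/lib/tor:/bin/false\n"
TEMPLATE_B_PASSWD = "debian-tor:x:108:115::/var/lib/tor:/bin/false\n"


def parse_passwd(text):
    """Return {name: (uid, gid)} parsed from passwd-format text."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            ids[fields[0]] = (int(fields[2]), int(fields[3]))
    return ids


def owner_mismatches(root, expected_uid, expected_gid):
    """Return (path, uid, gid) for root and everything below it whose numeric
    owner differs from the expected IDs. Symlinks are inspected, not followed."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    found = []
    for path in paths:
        st = os.lstat(path)
        if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
            found.append((path, st.st_uid, st.st_gid))
    return found


if __name__ == "__main__":
    # Path and user name are the ones quoted in the issue.
    target, user = "/rw/bind-dirs/var/lib/tor", "debian-tor"
    try:
        entry = pwd.getpwnam(user)  # IDs as defined by the current Template
    except KeyError:
        raise SystemExit(f"user {user} does not exist in this qube")
    if not os.path.isdir(target):
        raise SystemExit(f"{target} not present")
    # Assumption: the expected group is the user's primary group.
    for path, uid, gid in owner_mismatches(target, entry.pw_uid, entry.pw_gid):
        print(f"{path}: owned by {uid}:{gid}, expected {entry.pw_uid}:{entry.pw_gid}")
```

Run inside the App Qube after a Template switch or backup restore; any output line is a file whose owner on disk still carries the previous Template's numbers.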