Thanks both for the hints, looks like I've found the culprit in some hacky SW TPM scripts I had been playing with to get Windows 11 VMs running some time ago. It wasn't actually the plugins themselves, but a sneaky line in a User Scripts set to run on array start, which included 'chmod 0755 -R /var/lib'!
Steps tried today:
- Disable docker and VMs, reboot and check permissions - OK on initial boot, permissions broken when array is started.
- Additionally delete NerdPack (didn't realise it was deprecated) - same result, permissions broken when array is started.
- Additionally delete SWTPM hacks in /boot/extras as I'm not playing with Win 11 VM any more - same result, fine until array is started.
- Started wondering exactly what happens when the 'start' button is pressed, then remembered the User Scripts plugin has schedule options including array start.... checked my scripts and realised that the SW TPM script was doing nasty stuff.
Thanks for the nudge in the right direction, that'll teach me to keep hacks that are no longer needed (esp since latest release has TPM support built in...) on my 'production' box!