Circumnavigate fog user issues
-
I just fear we make it worse not better… This is why I keep asking before making the changes to the code.
-
Thinking a bit more about this I reckon we don’t really want to fully lock that account. It might even cause more people to ask in the forums. Better we try to inform the user as soon as we detect someone is using the account. And I mean informing beginners in particular. So for me it boils down to a couple of places we need to check and take care to inform the user.
- Fresh install - check if account already exists and setup a new account for the user in case it does - prompting for name and password and explaining why we do this.
- Upgrade with .fogettings (and therefore fog account) existing - check if the account was ever used to login on the machine (
last | grep "^fog"andlastlog -u fogshould do the job) and again setup a new account for the user - prompting for name and password and explaining why we do this. - Print out a message to the user when opening a shell/terminal or login as fog user (
~/.bashrcseems most appropriate to me) - Print a X dialog when a user logs in as fog user (
~/.config/autostart/seems to be standard, works great with Ubuntu - anyone can try other distros as well?)
mkdir -p /home/fog/.config/autostart/ cat >/home/fog/.config/autostart/warnfogaccount.desktop <<EOF [Desktop Entry] Type=Application Name=Warn users using the fog account Exec=/opt/fog/warnfogaccount.sh Comment=Warn users who use the fog system account to logon EOF chown fog:fog /home/fog/.config/autostart/warnfogaccount.desktop cat >/opt/fog/warnfogaccount.sh <<EOF #!/bin/bash title="FOG account" text="You seem to be using the 'fog' system account to logon and work \non your FOG server system.\n\nIt's NOT recommended to use this account! Please create a new \naccount for administrative tasks.\n\nIf you re-run the installer it would reset the 'fog' account \npassword and therefore lock you out of the system!\n\nTake care, \nyour FOGproject team" z=$(which zenity) x=$(which xmessage) n=$(which notify-send) if [[ -x $z ]] then $z --error --width=480 --text="$text" --title="$title" elif [[ -x $x ]] then echo -e $text | $x -center -file - else $n -u critical "$title" "$(echo $text | sed -e 's/ \\n/ /g')" fi EOF chmod 755 /opt/fog/warnfogaccount.sh -
Ok, somehow lost track of this. Want to add this before a next release… reminder
-
@Tom-Elliott I might find the time to add this to 1.5.x on the weekend. Just wanted to ask if you think this is a good way to go so we do things in line for 1.6.x as well and people don’t get confused.
@george1421 mentioned that from his point of view it would be a good idea to still rename the Linux account to
fogsrvor something like that. Should we really? What do we do with existing installations? Leave the old account alone and create a new one or rename and lock it?Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Sebastian-Roth said in Circumnavigate fog user issues:
Leave the old account alone and create a new one or rename and lock it?
IMO Yes, abandon it in place. If fog set the password on that account then we know its pretty secure (or at least complex enough). If the FOG Admin changed the password on the
foglinux account then there is not much we can do about security if they set the password to something like password. Either way abandoning it is the best move from my perspective. -
@Sebastian-Roth what about staying true to fog project itself? How about username
fogproject?As most users seem to use
fogfor our normal stuff I think this would be descriptive enough for admins to know who and why it was created and limit the number of issues with just plainfog -
@Tom-Elliott Yeah, kind of like that idea. I will still add the account locking mechanisms mentioned below.
@george1421 Comments?
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Sebastian-Roth said in Circumnavigate fog user issues:
Comments?
I’m good with anything as long as we move off
fogas the service name to avoid confusion with the web ui account as well as the bad instructions that say to install FOG as the fog linux user. -
@george1421 @Tom-Elliott I think I have put this off for way too long as I expected it to be complicated to handle in all cases (fresh install as well as updates). But seems like this is fairly easy to accomplish: https://github.com/FOGProject/fogproject/compare/dev-branch...rename-account
It’s still not finished yet but the basis is done and locking down the account won’t be much work I hope as I have done all the research and testing before.
Highly appreciate any comments you guys have on this. I have greped the whole code to make sure I don’t miss anywhere to change the name or handle the new name.
-
Did some more testing and will merge this into
dev-branchnow before the new release. Have tested on CentOS (existing installation and fresh) as well as Debian (fresh installation). Should be good to go.
