Fog Server vulnerable
-
@tata FOG 1.5.9 does not support php version 8. You need to upgrade to the dev branch for that. Personally I would have taken php and php-fpm to version 7.4 and not jumped to php8. As for mysql there should be no problem upgrading to latest database. But I do have to caveat I have not tried to move beyond the versions shipped with the fog server host OS distro version.
-
@george1421 @TaTa Even the latest dev-branch version is not compatible with PHP8 yet. You might want to give the dev-branch-php8 branch a go. But this is really new and not tested much at all.
-
@george1421 @Sebastian-Roth Thank you all for your help. I downgraded to php7 but couldn’t get around the HTTP error 500. We didn’t take a snapshot of the VM before messing around with it. It took a while for the admin to restore our FOG server from the backup. I’m staying at PHP 7.4.28 and mysql 5.7.33 for now.
-
@tata said in Fog Server vulnerable:
Thank you all for your help.
You are welcome. You might want to ask in the forums before jumping right into it next time.
I downgraded to php7 but couldn’t get around the HTTP error 500.
The apache and PHP-FPM logs are your friends in finding out what’s wrong. See my signature on where to find those.
We didn’t take a snapshot of the VM before messing around with it.
Next time you will, I am sure.
It took a while for the admin to restore our FOG server from the backup. I’m staying at PHP 7.4.28 and mysql 5.7.33 for now.
So things are back to normal for now, right?
-
@sebastian-roth Yes, sir! Lesson learned…for now.
-
Good morning @george1421 @Sebastian-Roth. The security team agreed to grant an exception for ftp plain text authentication but they do need some documentations from the developer. I looked through the wiki but I could any places that mention this. Could you please point me to the right place?
-
@TaTa I guess code is probably the best documentation you can get for this particular question:
https://github.com/FOGProject/fogproject/blob/master/packages/web/lib/fog/fogftp.class.php
https://github.com/FOGProject/fogproject/search?q=FOGFTP -
@tata Beyond looking at the code, what do they expect you to produce? Yes plain text FTP is used. Its only used in the context of the application. At no time under the normal operation of FOG does a user or fog admin use FTP to access the server. Its only used by back end FOG services for image movements within FOG. I’m not sure what else they might want.
-
@Sebastian-Roth @george1421 Thank you. I’ll give them the source code to see what they say. @george1421 I explained that to them. They are okay with it but they need a written document from the developer in order to grant a exemption.
-
Thank you all for your help. I was able get an exemption from the security team for ftp plaintext. I’m down to the last issue about the nfs mount points and folder permissions. They don’t like the fact that these mount points are open to everyone. What is the proper way to secure them?
I currently have:
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)What is the proper permission for /images folder (and sub folders)? It is now set to drwxrwxrwx. fogproject root 4096.
-
@TaTa The default NFS in FOG is still version 3 which has no concept of user authentication/authorization. Sure you can try to lock things down a bit by setting access rights on the FOG server filesystem.
But if you want to go beyond that you will need to look into NFSv4 which is not implemented yet: https://forums.fogproject.org/topic/14791/feature-request-for-fog-1-6-x-configure-image-capture-to-use-nfsv4-instead-of-nfsv3