FOG image capture file permissions
-
Server
FOG Version: 1.5.10.48
OS: Ubuntu 22.04
Hello, first post so please forgive me if it’s in the wrong section.
Since the storage permissions of /images are 775 (https://forums.fogproject.org/topic/17486/fog-1-5-10-and-earlier-nfs-privilege-escalation-vulnerability) shouldn’t the capture image create the files with the same permissions?
While testing a new image capture the permissions are 777 and the owner:group is fogproject.
-
@AUTH-IT-Center So the permissions are handled from the FOS side of things, not the FOG side. The NFS bit was to try to ensure a bit more security but it seems this chmod effect was missed on the FOS side.
I have pushed this and am currently building experimental kernel/inits for this. Give it about 1-2 hours and you should be able to see the new inits from FOG Configuration->InitRD Update.
If you can download the 64 bit (or 32 if the system is i386 based) and replace the existing (init.xz or init_32.xz respectively) and give it a test? It should work properly moving forward.
Thank you for letting us know.
-
Unfortunately the same result.
Also, the permissions of the init.xz and init_32.xz on /var/www/html/fog/service/ipxe/ got 755 instead of 644 and the group www-data (just mentioning).
The system is 64-bit.
-
@AUTH-IT-Center I’m not sure I follow the issues? Edit: Well, I think I got it now!
Thanks for bringing this up.
If you can install the dev-branch of FOG git, this should be corrected as well. No need to update the inits, though not a bad idea either.
-
For all watching,
Yes permissions are set in multiple levels and I forgot one element on the FOS side, apparently it was being re-overwritten at the point of the moveUpload which I had missed on the UI side.
This should be adjusted accordingly now as well.
-
@Tom-Elliott since this is the production server I will try it on a staging one and notify you.
-
@AUTH-IT-Center With the dev-branch the created folder after the image capture has the correct permissions.
Will wait for the update on the stable branch to deploy to the production server.
Thank you!
-
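A way to check a server for the condition discussed in this thread, as an added example that is not code from the thread or from the FOG project: it lists entries whose mode grants bits beyond an allowed mask (775 for the image store, 644 for the init files, both taken from the posts above). The function names and the demo tree are constructed for illustration, and GNU find is assumed.

```shell
#!/bin/sh
# Added example, not FOG code. Reports files/directories whose permission
# bits exceed an allowed octal mask. Requires GNU find (-perm /MODE, -printf).

# excess_bits ALLOWED -> octal bits that must NOT be set (775 -> 2, 644 -> 133)
excess_bits() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# audit_modes ROOT ALLOWED -> one "MODE OWNER:GROUP PATH" line per offender
audit_modes() {
    root=$1
    bits=$(excess_bits "$2")
    # GNU find treats "-perm /0" as match-all, so a 777 mask has no offenders.
    if [ "$bits" = 0 ]; then
        return 0
    fi
    # Symlinks always show mode 777 on Linux; skip them to avoid false hits.
    find "$root" ! -type l -perm "/$bits" -printf '%m %u:%g %p\n' | sort
}

# count_offenders ROOT ALLOWED -> number of offending entries
count_offenders() {
    audit_modes "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for an image store after a capture:
# the directory is 775 as intended, one captured file was left at 777.
demo() {
    d=$(mktemp -d)
    mkdir "$d/example-image"
    : > "$d/example-image/part1.img"
    : > "$d/example-image/part2.img"
    chmod 775 "$d/example-image"
    chmod 777 "$d/example-image/part1.img"
    chmod 664 "$d/example-image/part2.img"
    audit_modes "$d" 775
    rm -rf "$d"
}

demo
```

On a real server the calls would be `audit_modes /images 775` and `audit_modes /var/www/html/fog/service/ipxe/init.xz 644`, using the paths and modes mentioned in the thread.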