Circumnavigate fog user issues
-
Thinking a bit more about this I am wondering if we could get rid of the local user account altogether by using vsftpd virtual users. This is untested yet and I might have missed something here. Possibly access rights could cause us trouble here but as we usually set directories to
777
(not great!!) it wouldn’t be any worse than what we have right now. -
@Sebastian-Roth Virtual users still require “physical” home drive locations.
I’ve used VSFTPD in virtual user mode and while it works and can be managed via mysql, it still requires physical access. Usually to a single user which new virtual user folders get generated.
Using the virtual user mode would mean we still have a local account, but with some robustness involved that allows us to limit access to specific virtual users.
I don’t know what method is better (one way or the other).
-
@Tom-Elliott You are right, we probably still need some local system user account anyway. I started playing with it a bit and couldn’t get it to work because of PAM lib issues. Would make it all just way more complicated and error prone so we won’t go there.
As @george1421 states that he’s see several tutorials out in the wild telling users to create an account
fog
and using that to install we want to move away from that account name and make it a system account (no login allowed). Restricting shell/SSH login is fairly simple but for X login I have not found a general way to restrict login for certain users. The best I could fine is here but needs a modification of the specific login manager (gdm, kdm, xdm, lightdm, sddm, …??) PAM configuration file. This can go wrong in so many ways that I don’t think it’s even worth trying.Just changing the account name to something different without restricting login (including GUI login!) is not solving the issue but might just add to the confusion of new users.
Should we start by renaming the web UI default user name (e.g. to
admin
) and change to a auto-generated password? Do you consider this being anything worth in terms of causing less confusion? -
@Sebastian-Roth nearly any web GUI account uses a default user and default password. I suppose we could ask the user what account they’d like to name it and assign a password at install time, this isn’t too hard. That said should this be a GUI and Local user or one or the other? Too many questions too think of.
What might help is detecting if the fog local user already exists, and if so present the user with the question asking what it’s password is set to. If the fog local user doesn’t already exist, create it and set using a random password. Should this also be what we set the GUI user for then? If so how do we ensure the user knows this password?
Just my ramblings but hopefully brings a little insight and or innovation?
-
@Tom-Elliott Thanks for your thoughts on this. I was looking at it from the other side. Try to entangle FOG ftp system account and web GUI account for less possibility to cause confusion.
Checking if system account already exists and has been used to logon is probably a first step towards warning the user. I am not sure but I think a general way to check last logon (terminal, GUI, SSH but not ftp logon I hope) does exist.
-
@Sebastian-Roth said in Circumnavigate fog user issues:
we want to move away from that account name and make it a system account (no login allowed)
The only thing we need to check is if you disable interactive login, does that also block FTP access? I’m suspecting no, but we should at least test it to confirm. I’m not seeing a risk if we simply abandon the current
fog
linux account because it should have a secure password by default. If the IT admin had changed it post FOG install then its only as secure as the IT admin set the password to.On the negative side, I’m not sure about the interactions with a Master/Storage node configuration if only one component of that configuration is updated. Will that break something? While I haven’t kept track of the status, (I’m guessing) I’m seeing (on average) one post per week where the end results was someone fiddled with the fog service account’s password or complains that they were locked out of the FOG server after installing fog.
-
@george1421 said in Circumnavigate fog user issues:
The only thing we need to check is if you disable interactive login
Can you be more precise on this point. How do you disable interactive login? As far as I know there are half a dozen ways of doing this and none is doing it for shell/SSH and GUI at the same time.
interactions with a Master/Storage node configuration
Definitely a good point that we have to keep in mind!!!
-
@Sebastian-Roth said in Circumnavigate fog user issues:
shell/SSH and GUI at the same time
Who uses a GUI?? This isn’t MS Windows is it?
I can only speak for centos, but placing “/sbin/nologin” on the shell column of the password file should disable at least console (ssh) login. I would be surprised if the GUI ignored this parameter. I might have to spin up a centos install with a gui to test. On the other hand at what level do we go to, to protect the FOG admin from him/her self?
I think the users are most confused between the web ui admin fog and the linux service account called
fog
. Changing one or both may at least resolve this specific confusion. -
@george1421 said in Circumnavigate fog user issues:
but placing “/sbin/nologin” on the shell column of the password file should disable at least console (ssh) login. I would be surprised if the GUI ignored this parameter.
I only got as far as testing this on a OpenSuSE installtion that I had at hand and that would surely not login. But it wouldn’t print out a message to the user either. GUI login just seemed to freeze. People who don’t know how to kill the X server (crtl+alt+backspace) and use the terminals to fix things are totally lost with this and will post questions in the forums as before.
On the other hand at what level do we go to, to protect the FOG admin from him/her self?
From what I get in the forums most users running into this are very much inexperienced Ubuntu starters. Many if not all of them use the GUI to start off. Sure I would never ever advice such a thing but this is what you see in a couple of FOG beginner tutorial videos out there.
I think the users are most confused between the web ui admin fog and the linux service account called
fog
. Changing one or both may at least resolve this specific confusion.I am definitely with you on this point!
-
I just fear we make it worse not better… This is why I keep asking before making the changes to the code.
-
Thinking a bit more about this I reckon we don’t really want to fully lock that account. It might even cause more people to ask in the forums. Better we try to inform the user as soon as we detect someone is using the account. And I mean informing beginners in particular. So for me it boils down to a couple of places we need to check and take care to inform the user.
- Fresh install - check if account already exists and setup a new account for the user in case it does - prompting for name and password and explaining why we do this.
- Upgrade with .fogettings (and therefore fog account) existing - check if the account was ever used to login on the machine (
last | grep "^fog"
andlastlog -u fog
should do the job) and again setup a new account for the user - prompting for name and password and explaining why we do this. - Print out a message to the user when opening a shell/terminal or login as fog user (
~/.bashrc
seems most appropriate to me) - Print a X dialog when a user logs in as fog user (
~/.config/autostart/
seems to be standard, works great with Ubuntu - anyone can try other distros as well?)
mkdir -p /home/fog/.config/autostart/ cat >/home/fog/.config/autostart/warnfogaccount.desktop <<EOF [Desktop Entry] Type=Application Name=Warn users using the fog account Exec=/opt/fog/warnfogaccount.sh Comment=Warn users who use the fog system account to logon EOF chown fog:fog /home/fog/.config/autostart/warnfogaccount.desktop cat >/opt/fog/warnfogaccount.sh <<EOF #!/bin/bash title="FOG account" text="You seem to be using the 'fog' system account to logon and work \non your FOG server system.\n\nIt's NOT recommended to use this account! Please create a new \naccount for administrative tasks.\n\nIf you re-run the installer it would reset the 'fog' account \npassword and therefore lock you out of the system!\n\nTake care, \nyour FOGproject team" z=$(which zenity) x=$(which xmessage) n=$(which notify-send) if [[ -x $z ]] then $z --error --width=480 --text="$text" --title="$title" elif [[ -x $x ]] then echo -e $text | $x -center -file - else $n -u critical "$title" "$(echo $text | sed -e 's/ \\n/ /g')" fi EOF chmod 755 /opt/fog/warnfogaccount.sh
-
Ok, somehow lost track of this. Want to add this before a next release… reminder
-
@Tom-Elliott I might find the time to add this to 1.5.x on the weekend. Just wanted to ask if you think this is a good way to go so we do things in line for 1.6.x as well and people don’t get confused.
@george1421 mentioned that from his point of view it would be a good idea to still rename the Linux account to
fogsrv
or something like that. Should we really? What do we do with existing installations? Leave the old account alone and create a new one or rename and lock it? -
@Sebastian-Roth said in Circumnavigate fog user issues:
Leave the old account alone and create a new one or rename and lock it?
IMO Yes, abandon it in place. If fog set the password on that account then we know its pretty secure (or at least complex enough). If the FOG Admin changed the password on the
fog
linux account then there is not much we can do about security if they set the password to something like password. Either way abandoning it is the best move from my perspective. -
@Sebastian-Roth what about staying true to fog project itself? How about username
fogproject
?As most users seem to use
fog
for our normal stuff I think this would be descriptive enough for admins to know who and why it was created and limit the number of issues with just plainfog
-
@Tom-Elliott Yeah, kind of like that idea. I will still add the account locking mechanisms mentioned below.
@george1421 Comments?
-
@Sebastian-Roth said in Circumnavigate fog user issues:
Comments?
I’m good with anything as long as we move off
fog
as the service name to avoid confusion with the web ui account as well as the bad instructions that say to install FOG as the fog linux user. -
@george1421 @Tom-Elliott I think I have put this off for way too long as I expected it to be complicated to handle in all cases (fresh install as well as updates). But seems like this is fairly easy to accomplish: https://github.com/FOGProject/fogproject/compare/dev-branch...rename-account
It’s still not finished yet but the basis is done and locking down the account won’t be much work I hope as I have done all the research and testing before.
Highly appreciate any comments you guys have on this. I have greped the whole code to make sure I don’t miss anywhere to change the name or handle the new name.
-
Did some more testing and will merge this into
dev-branch
now before the new release. Have tested on CentOS (existing installation and fresh) as well as Debian (fresh installation). Should be good to go.