Circumnavigate fog user issues

  • Senior Developer

    @george1421 Thanks heaps for bringing this up! I will continue to answer in a minute… Ok, deleted mine as well to not confuse anyone.

    I don’t see your points as something we need to delay for FOG 1.6 but could possibly bring into 1.5.x already as a testing stage.

    1. Force the installer to provide a database password for root in mysql. […]

    Absolutely! Funny but I have started looking into this already before Christmas as I really would like to have FOG enforce secure passwords for exactly the same reasons. I just have not found enough time to think it through and test things. I’d even go as far as creating a FOG database user to be used (good practice) but still enforce passwords for root and fog DB user! Will look into that in the first days of 2019.

    2. Change the default webgui admin account from fog and password to […]

    I am with you here about the default password. But as we have briefly discussed in another thread I tend to rename the FOG web UI user (instead of the fog linux account). Maybe default to admin but even make it so people can choose their own.

    3. Change the fog service account from fog to fogsvc to avoid confusion with the webui user of the same name […]

    As mentioned above I’d prefer renaming the web UI account name and leave this one. I’d still force the account to be no-login! I need to think more about how we prevent users from using this account like create it beforehand and then being locked out or if they do use it right now on an existing installation. There are options like checking wtmp and stuff to see if the account has been used for login and warn the user but I have not gone into depth here.

    @george1421 Let’s see if we can discuss this a different way other than through hidden posts. Might move the discussion to a chat session here in the forums or to slack.
    @Tom-Elliott What are your thoughts on this? Would be great to get your comments on this topic before I start changing this in 1.5.x already.

  • Moderator

    First let me say I’m going to mark this post as deleted so that only mods and above can see it. The deletion is intended to just hide the post from the general community and not that it doesn’t have value.

    Since this IS the holiday season, I would like to create George’s wish list for FOG 1.6 to help on the support side. @Developers

    1. Force the installer to provide a database password for root in mysql. Don’t continue to support a blank password for root access. If root’s password is currently blank on the current install, force it to be set to something by the user in the installer. It’s a bad security practice to have blank passwords. On the support side we continue to fight with ubuntu who is trying to enforce better security practices (rightly so).
    2. Change the default webgui admin account from fog and password to fog and a password defined by the fog admin when fog is installed. This fog installer supplied password shouldn’t need to be stored in the .fogsettings file.
    3. Change the fog service account from fog to fogsvc to avoid confusion with the webui user of the same name. This will also eliminate the issue where people follow some pretty crappy instructions on the internet that say to create a user account called fog and then install fog with that account. Then they wonder why they get locked out of the fog server linux account. We can either choose to abandon the linux user fog's account or set it to no login. I don’t recommend deleting it from the linux system. If the password was defined by the fog installer it should be complex enough. If the fog admin changed it for some reason then it’s not FOG’s problem. There will be an issue with file ownership if the service account is changed to fogsvc from fog, so that will need to be taken into account.

    These changes should be implemented on existing as well as new installations. I know there is a risk for legacy installs where this security policy change could break things. As long as the changes are communicated to the fog admins beforehand they should be able to adapt since THEY are providing the passwords for both the database as well as the webui. I feel that FOG Project needs to do what it can with the resources available to implement better security practices out of the box.
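The two installer-side changes in the wish list above (no blank database password, and a password the admin supplies at install time) can be demonstrated with a small POSIX shell fragment. This is an added example, not the FOG installer's code: the database and account names (fog, fogdbuser), the 12-character minimum and the mysql defaults file path are assumptions made here, and the example goes one step further than the list by giving the web application its own database-scoped MySQL user rather than having it use root.

```shell
#!/bin/sh
# Added example (not FOG project code): refuse blank or well-known passwords
# for the database accounts and create a database-scoped MySQL user for the
# web application. Names and paths below are assumptions for this example.

# password_ok USER PASSWORD: 0 if PASSWORD may be used for USER.
password_ok() {
  _user=$1
  _pw=$2
  [ -n "$_pw" ] || return 1                 # blank passwords are rejected outright
  [ "${#_pw}" -ge 12 ] || return 1          # minimum length (policy choice for this example)
  case "$_pw" in
    "$_user"|password|fog|root|admin) return 1 ;;   # obvious defaults
  esac
  return 0
}

# sql_quote TEXT: escape single quotes so TEXT can sit inside an SQL literal.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# db_user_sql DB USER PASSWORD: print statements creating a user whose
# privileges are confined to DB instead of the whole server (unlike root).
db_user_sql() {
  _db=$1
  _user=$(sql_quote "$2")
  _pw=$(sql_quote "$3")
  printf "CREATE USER IF NOT EXISTS '%s'@'localhost' IDENTIFIED BY '%s';\n" "$_user" "$_pw"
  printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost';\n" "$_db" "$_user"
  printf 'FLUSH PRIVILEGES;\n'
}

# read_password USER: prompt on stderr and read from stdin until password_ok
# accepts the input; the accepted password is written to stdout.
read_password() {
  while :; do
    printf 'Password for %s (12+ characters, not blank): ' "$1" >&2
    IFS= read -r _candidate || return 1
    if password_ok "$1" "$_candidate"; then
      printf '%s' "$_candidate"
      return 0
    fi
    echo 'Rejected: blank, too short or a well-known default.' >&2
  done
}

# apply_db_user DB USER PASSWORD: run the statements as the MySQL admin user.
# The admin credentials come from a defaults file (assumed path) so that the
# root password never appears on the command line or in .fogsettings.
apply_db_user() {
  db_user_sql "$1" "$2" "$3" | mysql --defaults-extra-file=/root/.my.cnf
}

# Installer-style usage (interactive): pw=$(read_password fogdbuser) && apply_db_user fog fogdbuser "$pw"
```

The password is passed to mysql on its stdin as part of the SQL text, and the administrative credentials come from a file readable only by root, so neither value ends up in `ps` output or in a world-readable settings file.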

  • I think changing the web UI’s default user is a good idea.

    Below are the spots that come to mind, but there are surely lots of other spots. I searched the wiki for ‘fog’ and ‘user’, the results weren’t helpful.

  • Senior Developer

    Thanks @Wayne-Workman, I thought about something along that line as well. Will give it a try to see if it has any culprits that I have not thought about yet.

    As well I am wondering if it’d be wise to change the fog web UI username, e.g. to admin. Beginners seem to get confused about those different user accounts when we ask about it in the forums. Question remains: How much of the documentation needs updating? Just from the top of my head I’d think that it’d be less than changing the Linux account name. What do you think?

  • You can disable a linux user’s ability to use a shell. Assuming the user account is called fog the command is:
    usermod -s /sbin/nologin fog
    usermod -s /usr/sbin/nologin fog

    Something more elaborate that I found on the net would look like this:

    touch /bin/nologin
    chmod 755 /bin/nologin
    echo '#!/bin/bash' > /bin/nologin
    echo 'echo The fog account should not be used for system management.' >> /bin/nologin
    echo 'echo Please create another account for system management.' >> /bin/nologin
    echo 'echo This session will end in 15 seconds' >> /bin/nologin
    echo 'echo Goodbye' >> /bin/nologin
    echo 'sleep 15' >> /bin/nologin
    echo '/bin/nologin' >> /etc/shells
    usermod -s /bin/nologin fog

    Changing the default username to something besides fog shouldn’t affect existing fog systems, since the username setting inside of /opt/fog/.fogsettings would remain in existing systems, and the username for existing storage nodes wouldn’t be touched.

    A downside is all the documentation / screenshots that would become incorrect for new installations. There is a lot of content ‘out there’ about fog.
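Two checks come up in this thread: disabling the service account's shell (the usermod commands above) and, from the earlier post, looking at wtmp to see whether the account has been used for interactive logins before warning the admin. The following POSIX shell script, added here and not code from the thread or the FOG project, performs both checks against a given account. The passwd and `last` text embedded in it is constructed sample data, not from a real host; on a live system the functions fall back to /etc/passwd and `last -w`. One caveat on the longer script above: setting a no-login shell only blocks interactive logins, and whether an FTP daemon still accepts the account depends on whether it validates the shell against /etc/shells (for example through pam_shells), which is why that script registers its custom shell there.

```shell
#!/bin/sh
# Added example (not FOG project code): audit a service account by checking
# that its login shell refuses interactive logins and that wtmp shows no
# interactive sessions for it. Sample data below is constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
fog:x:1001:1001:FOG service account:/home/fog:/usr/sbin/nologin
fogsvc:x:1002:1002:FOG service account:/home/fogsvc:/bin/bash'

SAMPLE_LAST='fogsvc   pts/0        10.0.0.5         Thu Dec 20 10:01   still logged in
fogsvc   pts/1        10.0.0.7         Wed Dec 19 17:30 - 18:02  (00:32)
root     tty1                          Wed Dec 19 08:00 - 09:00  (01:00)

wtmp begins Mon Dec 17 00:00:00 2018'

# login_shell NAME [PASSWD_TEXT]: print the account's login shell.
# Reads the live /etc/passwd when no text is supplied.
login_shell() {
  _src=${2:-$(cat /etc/passwd)}
  printf '%s\n' "$_src" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# shell_is_nologin NAME [PASSWD_TEXT]: 0 if the shell refuses interactive logins.
shell_is_nologin() {
  case "$(login_shell "$1" "$2")" in
    /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
    *) return 1 ;;
  esac
}

# login_count NAME [LAST_TEXT]: number of sessions recorded for NAME in wtmp.
# Runs `last -w NAME` on the live system when no text is supplied.
login_count() {
  _src=${2:-$(last -w "$1" 2>/dev/null)}
  printf '%s\n' "$_src" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# audit_account NAME [PASSWD_TEXT] [LAST_TEXT]: print findings; return 0 when
# the account is locked down and unused, 1 when an installer should warn.
audit_account() {
  _rc=0
  if shell_is_nologin "$1" "$2"; then
    echo "$1: login shell is $(login_shell "$1" "$2") (ok)"
  else
    echo "$1: WARNING interactive shell $(login_shell "$1" "$2"); consider: usermod -s /usr/sbin/nologin $1"
    _rc=1
  fi
  _n=$(login_count "$1" "$3")
  if [ "$_n" -gt 0 ]; then
    echo "$1: WARNING $_n interactive login(s) in wtmp; someone may be using this as a personal account"
    _rc=1
  else
    echo "$1: no interactive logins in wtmp (ok)"
  fi
  return $_rc
}

# Demonstration on the constructed data (live use would be: audit_account fog)
audit_account fog "$SAMPLE_PASSWD" "$SAMPLE_LAST" || echo "fog: needs attention"
audit_account fogsvc "$SAMPLE_PASSWD" "$SAMPLE_LAST" || echo "fogsvc: needs attention"
```

On the sample data, fog passes both checks while fogsvc has a bash shell and two recorded sessions, which is exactly the "created the account beforehand and logged in with it" situation the installer would want to warn about rather than silently lock out.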

  • Moderator

    @Wayne-Workman I agree. IMO both the webui default admin and the linux service account names should be changed. The problem is that I’ve seen instructions in the past that specifically say to create a linux user account called fog and use that to install the FOG environment. Hopefully when FOG 2.0 is released we can move away from some of the sins of the past.

  • Senior Developer

    @Wayne-Workman Good point but I only think it would help if we restrict that account to not allow logins on it. Otherwise people would also use svc.fog as user account I am sure. Not sure if there is a way to disallow shell/GUI logins but still make it work using FTP?! Haven’t looked into that yet.

  • @george1421 I wish the account were named svc.fog instead of just fog… it would solve a tremendous amount of problems.
