Circumnavigate fog user issues
-
Trying to get all the pros and cons of changing the current setup of using
fog
linux user account as we have it at the moment.As we answer many questions just because people keep using the account and change the password I wonder what can be done to prevent from that.
@george1421 @Wayne-Workman Just moved your other posts here so we have it together in one place and not fill up the users request on how to fix his issue. Open for discussion.
-
@george1421 I wish the account were named
svc.fog
instead of justfog
ā¦ it would solve a tremendous amount of problems. -
@Wayne-Workman Good point but I only think it would help if we restrict that account to not allow logins on it. Otherwise people would also use svc.fog as user account I am sure. Not sure if there is a way to disallow shell/GUI logins but still make it work using FTP?! Havenāt looked into that yet.
-
@Wayne-Workman I agree. IMO both the webui default admin and the linux service account names should be changed. The problem is that Iāve see instructions in the past that specifically says create a linux user account called
fog
and use that to install the FOG environment. Hopefully when FOG 2.0 is released we can move away from some of the sins of the past. -
You can disable a linux userās ability to use a shell. Assuming the user account is called
fog
the command is:
usermod -s /sbin/nologin fog
or
usermod -s /usr/sbin/nologin fog
Something more elaborate that I found on the net would look like this:
touch /bin/nologin chmod 755 /bin/nologin echo '#!/bin/bash' > /bin/nologin echo 'echo The fog account should not be used for system management.' >> /bin/nologin echo 'echo Please create another account for system management.' >> /bin/nologin echo 'echo This session will end in 15 seconds' >> /bin/nologin echo 'echo Goodbye' >> /bin/nologin echo 'sleep 15' >> /bin/nologin echo '/bin/nologin' >> /etc/shells usermod -s /bin/nologin fog
Changing the default username to something besides
fog
shouldnāt affect existing fog systems, since the username setting inside of/opt/fog/.fogsettings
would remain in existing systems, and the username for existing storage nodes wouldnāt be touched.A downside is all the documentation / screenshots that would become incorrect for new installations. There is a lot of content āout thereā about fog.
-
Thanks @Wayne-Workman, I though about something along that line as well. Will give it a try to see if it has any culprits that I have not thought about yet.
As well I am wondering if itād be wise to change the fog web UI username, e.g. to admin. Beginners seem to get confused about those different user accounts when we ask about it in the forums. Question remains: How much of the documentation needs updating? Just from the top of my head Iād think that itād be less than changing the Linux account name. What do you think?
-
I think changing the web UIās default user is a good idea.
Below are the spots that come to mind, but there are surely lots of other spots. I searched the wiki for āfogā and āuserā, the results werenāt helpful.
https://wiki.fogproject.org/wiki/index.php?title=.fogsettings#Username
https://wiki.fogproject.org/wiki/index.php?title=Password_Central
https://wiki.fogproject.org/wiki/index.php?title=Troubleshoot_FTP#Credentials_.2F_Passwords -
One of many examples of people getting mixed up by this: https://forums.fogproject.org/topic/12810/after-installing-fog-i-seem-to-get-locked-out-of-ubuntu
-
First let me say Iām going to mark this post as deleted so that only mods and above can see it. The deletion is intended to just hide the post from the general community and not that it doesnāt have value.
Since this IS the holiday season, I would like to create Georgeās wish list for FOG 1.6 to help on the support side. @Developers
- Force the installer to provide a database password for root in mysql. Donāt continue to support a blank password for root access. If rootās password is current blank on the current install, force it to be set to something by the user in the installer. Its a bad security practice to have blank passwords. On the support side we continue to fight with ubuntu who is trying to enforce better security practices (rightly so).
- Change the default webgui admin account from
fog
andpassword
tofog
and a password defined by the fog admin when fog is installed. This fog installer supplied password shouldnāt need to be stored in the .fogsettings file. - Change the fog service account from
fog
tofogsvc
to avoid confusion with the webui user of the same name. This will also eliminate the issue where people follow some pretty crappy instructions on the internet that says to create a user account called fog and then install fog with that account. Then they wonder why they get locked out of the fog server linux account. We can either choose to abandon the linux userfog
ās account or set it to no login. I donāt recommend deleting it from the linux system. If the password was defined by the fog installer it should be complex enough. If the fog admin changed it for some reason then its not FOGās problem then. There will be an issue with file ownership if the service account is changed to fogsvc from fog, so that will need to be taken into account.
These changes should be implemented on existing as well as new installations. I know there is a risk for legacy installs where this security policy change could break things. As long as the changes are communicated to the fog admins beforehand they should be able to adapt since THEY are providing the passwords for both the database as well as the webui. I feel that FOG Project needs to do what it can with the resources available to implement better security practices out of the box.
-
@george1421 Thanks heaps for bringing this up! I will continue to answer in a minuteā¦ Ok, deleted mine as well to not confuse anyone.
I donāt see your points as something we need to delay for FOG 1.6 but could possibly bring into 1.5.x already as a testing stage.
- Force the installer to provide a database password for root in mysql. [ā¦]
Absolutely! Funny but I have started looking into this already before Christmas as I really would like to have FOG enforce secure passwords for exactly the same reasons. I just have not found enough time to think it through and test things. Iād even go as far as creating a FOG database user to be used (good practice) but still enforce passwords for root and fog DB user! Will look into that in the first days of 2019.
- Change the default webgui admin account from
fog
andpassword
to [ā¦]
I am with you here about the default
password
. But as we have briefly discussed in another thread I tend to rename the FOG web UI user (instead of thefog
linux account). Maybe default toadmin
but even make it so people can choose their own.- Change the fog service account from
fog
tofogsvc
to avoid confusion with the webui user of the same name [ā¦]
As mentioned above Iād prefer renaming the web UI account name and leave this one. Iād still force the account to be no-login! I need to think more about how we prevent users from using this account like create it beforehand and then being locked out or if they do use it right now on an existing installation. There are options like checking wtmp and stuff to see if the account has been used for login and warn the user but I have not gone into depth here.
@george1421 Letās see if we can discuss this a different way other than through hidden posts. Might move the discussion a chat session here in the forums or to slack.
@Tom-Elliott What are your thoughts on this? Would be great to get your comments on this topic before I start changing this in 1.5.x already. -
Thinking a bit more about this I am wondering if we could get rid of the local user account altogether by using vsftpd virtual users. This is untested yet and I might have missed something here. Possibly access rights could cause us trouble here but as we usually set directories to
777
(not great!!) it wouldnāt be any worse than what we have right now. -
@Sebastian-Roth Virtual users still require āphysicalā home drive locations.
Iāve used VSFTPD in virtual user mode and while it works and can be managed via mysql, it still requires physical access. Usually to a single user which new virtual user folders get generated.
Using the virtual user mode would mean we still have a local account, but with some robustness involved that allows us to limit access to specific virtual users.
I donāt know what method is better (one way or the other).
-
@Tom-Elliott You are right, we probably still need some local system user account anyway. I started playing with it a bit and couldnāt get it to work because of PAM lib issues. Would make it all just way more complicated and error prone so we wonāt go there.
As @george1421 states that heās see several tutorials out in the wild telling users to create an account
fog
and using that to install we want to move away from that account name and make it a system account (no login allowed). Restricting shell/SSH login is fairly simple but for X login I have not found a general way to restrict login for certain users. The best I could fine is here but needs a modification of the specific login manager (gdm, kdm, xdm, lightdm, sddm, ā¦??) PAM configuration file. This can go wrong in so many ways that I donāt think itās even worth trying.Just changing the account name to something different without restricting login (including GUI login!) is not solving the issue but might just add to the confusion of new users.
Should we start by renaming the web UI default user name (e.g. to
admin
) and change to a auto-generated password? Do you consider this being anything worth in terms of causing less confusion? -
@Sebastian-Roth nearly any web GUI account uses a default user and default password. I suppose we could ask the user what account theyād like to name it and assign a password at install time, this isnāt too hard. That said should this be a GUI and Local user or one or the other? Too many questions too think of.
What might help is detecting if the fog local user already exists, and if so present the user with the question asking what itās password is set to. If the fog local user doesnāt already exist, create it and set using a random password. Should this also be what we set the GUI user for then? If so how do we ensure the user knows this password?
Just my ramblings but hopefully brings a little insight and or innovation?
-
@Tom-Elliott Thanks for your thoughts on this. I was looking at it from the other side. Try to entangle FOG ftp system account and web GUI account for less possibility to cause confusion.
Checking if system account already exists and has been used to logon is probably a first step towards warning the user. I am not sure but I think a general way to check last logon (terminal, GUI, SSH but not ftp logon I hope) does exist.
-
@Sebastian-Roth said in Circumnavigate fog user issues:
we want to move away from that account name and make it a system account (no login allowed)
The only thing we need to check is if you disable interactive login, does that also block FTP access? Iām suspecting no, but we should at least test it to confirm. Iām not seeing a risk if we simply abandon the current
fog
linux account because it should have a secure password by default. If the IT admin had changed it post FOG install then its only as secure as the IT admin set the password to.On the negative side, Iām not sure about the interactions with a Master/Storage node configuration if only one component of that configuration is updated. Will that break something? While I havenāt kept track of the status, (Iām guessing) Iām seeing (on average) one post per week where the end results was someone fiddled with the fog service accountās password or complains that they were locked out of the FOG server after installing fog.
-
@george1421 said in Circumnavigate fog user issues:
The only thing we need to check is if you disable interactive login
Can you be more precise on this point. How do you disable interactive login? As far as I know there are half a dozen ways of doing this and none is doing it for shell/SSH and GUI at the same time.
interactions with a Master/Storage node configuration
Definitely a good point that we have to keep in mind!!!
-
@Sebastian-Roth said in Circumnavigate fog user issues:
shell/SSH and GUI at the same time
Who uses a GUI?? This isnāt MS Windows is it?
I can only speak for centos, but placing ā/sbin/nologinā on the shell column of the password file should disable at least console (ssh) login. I would be surprised if the GUI ignored this parameter. I might have to spin up a centos install with a gui to test. On the other hand at what level do we go to, to protect the FOG admin from him/her self?
I think the users are most confused between the web ui admin fog and the linux service account called
fog
. Changing one or both may at least resolve this specific confusion. -
@george1421 said in Circumnavigate fog user issues:
but placing ā/sbin/nologinā on the shell column of the password file should disable at least console (ssh) login. I would be surprised if the GUI ignored this parameter.
I only got as far as testing this on a OpenSuSE installtion that I had at hand and that would surely not login. But it wouldnāt print out a message to the user either. GUI login just seemed to freeze. People who donāt know how to kill the X server (crtl+alt+backspace) and use the terminals to fix things are totally lost with this and will post questions in the forums as before.
On the other hand at what level do we go to, to protect the FOG admin from him/her self?
From what I get in the forums most users running into this are very much inexperienced Ubuntu starters. Many if not all of them use the GUI to start off. Sure I would never ever advice such a thing but this is what you see in a couple of FOG beginner tutorial videos out there.
I think the users are most confused between the web ui admin fog and the linux service account called
fog
. Changing one or both may at least resolve this specific confusion.I am definitely with you on this point!
-
I just fear we make it worse not betterā¦ This is why I keep asking before making the changes to the code.