Restricted user permissions issue
-
I’m a new Fog user and I found some problems that may be caused by wrong configuration.
When a restricted user creates a host and associates that host to his site, the host is not listed in the host site list and I need to log in with the administrator account to add the host to the site. When I tried to do a workaround I found a security issue (maybe my configuration is not correct) that permits a restricted user to apply a snapin task to a host that does not belong to his site. To do this I select a group, select membership, check the option “click here to see what host can be added” and the list appears with all hosts from other sites. If the user selects one of the listed hosts that belongs to another site and tries to edit it, he can apply all the snapins without restriction.
Please note that I’m using plugin site and access control.
Thanks
-
@seribe I am real sorry we didn’t answer your post in the other topic. I had that on my list of things to do but couldn’t get to it. Thanks for bringing it up again. From what you wrote I would think this could be a bug in FOG but I have to verify first. Will try to get into this over the next few days.
-
@Sebastian-Roth Thanks for your quick reply.
I put the server into production, but now I have this “problem” to solve. While you check, I tried to block the option in the access control but I couldn’t find the correct option and I also tried to add a new rule, but without success.
-
@seribe Finally I found some time to look into this. Setting up things as described and trying to replicate the issue I am not sure I fully understand this.
When a restricted user creates a host and associates that host to his site the host is not listed in the host site list and I need to enter as administrator account to add the host to the site.
There are several different ways of registering a host and the outcome might not be all the same in this scenario with sites plugin and unprivileged users:
- Log in to the web UI as unprivileged user and add a host using the host’s distinct MAC address.
-> In my tests this works perfectly fine. Click “Create New Host”, type in the MAC address, select site and image association and the new host will show up for the unprivileged user as well. Your unprivileged users need to be aware of the fact that they have to select the site when creating the host because it’s not visible for them without the association made right from the start.
- PXE boot a new host and do the registration via PXE boot menu.
-> In this case the host is being created without association to a specific site (because site plugin is not part of the FOG core) and therefore not listed for the unprivileged user.
- The fog-client software is installed on the host and auto-registers it to the FOG server.
-> Haven’t tested this scenario yet but I would expect it to be the same as when you register through the PXE menu.
When I tried to do a workaround I found a security issue (maybe my configuration is not correct) that permit a restricted user apply a snapin task to a host that not belongs to his site.
FOG doesn’t have a full security/role model. From the very beginning it was not built with having restricted access and so it lacks a proper security model. Things like the access control plugin were added to kind of make FOG a little more enterprise ready but it never made it to the FOG core - not because someone argues against it but because it would be a hell lot of work to get it fully integrated and without flaws. There are just way too few people working on the FOG project.
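The gap described in the opening post (the group membership picker lists hosts from every site, and a restricted user can then apply snapins to them) and the point made just above (FOG has no full role model, so the site plugin is a display filter rather than an authorization layer) can be shown together in a small model. This is an added, constructed example and not FOG project code; the host, user and group types, the inventory and the site names are all made up for illustration. It contrasts the unfiltered listing with a listing and an action that each re-check site membership on the server.

```python
"""Site-scoped authorization for host actions (constructed example, not FOG code).

A UI filter that hides other sites' hosts is not an authorization check: the
"which hosts can be added to this group" listing and the snapin-apply action
must each re-check site membership on the server side.
"""
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when a user acts on a host outside the sites they may manage."""


@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    site: Optional[str]  # None: registered without a site (e.g. via the PXE menu)


@dataclass(frozen=True)
class User:
    name: str
    sites: frozenset = frozenset()  # sites a restricted user may manage
    is_admin: bool = False


@dataclass
class Group:
    name: str
    site: str
    members: set = field(default_factory=set)  # host names already in the group


# Constructed inventory: two sites plus one host registered with no site.
HOSTS = [
    Host("lab-01", "00:11:22:33:44:01", "SiteA"),
    Host("lab-02", "00:11:22:33:44:02", "SiteA"),
    Host("office-01", "00:11:22:33:44:03", "SiteB"),
    Host("pxe-new", "00:11:22:33:44:04", None),
]


def can_manage(user: User, host: Host) -> bool:
    """Authorization rule: admins manage everything; restricted users only
    hosts whose site is one of theirs. A host with no site stays invisible to
    restricted users until an admin assigns it (the PXE-registration case)."""
    if user.is_admin:
        return True
    return host.site is not None and host.site in user.sites


def list_candidate_hosts_unchecked(user: User, group: Group) -> list:
    """The flawed behaviour from the thread: the membership picker lists every
    host not yet in the group, regardless of the acting user's sites."""
    return [h for h in HOSTS if h.name not in group.members]


def list_candidate_hosts(user: User, group: Group) -> list:
    """Hardened listing: the same site filter the host page applies is applied
    to the picker as well."""
    return [h for h in HOSTS if h.name not in group.members and can_manage(user, h)]


def apply_snapin(user: User, host: Host, snapin: str) -> dict:
    """Hardened action: authorize at the point of action, not only in the
    listing, so a host name submitted directly (bypassing the picker) is still
    checked."""
    if not can_manage(user, host):
        raise Forbidden(f"{user.name} may not apply '{snapin}' to {host.name} (site {host.site})")
    return {"host": host.name, "snapin": snapin, "by": user.name}


def host_by_name(name: str) -> Host:
    """Look up a host from the constructed inventory by name."""
    return next(h for h in HOSTS if h.name == name)


if __name__ == "__main__":
    site_a_user = User("site-a-operator", frozenset({"SiteA"}))
    group = Group("lab-group", "SiteA")
    print("unchecked picker:", [h.name for h in list_candidate_hosts_unchecked(site_a_user, group)])
    print("checked picker:  ", [h.name for h in list_candidate_hosts(site_a_user, group)])
    try:
        apply_snapin(site_a_user, host_by_name("office-01"), "example-snapin")
    except Forbidden as exc:
        print("blocked:", exc)
```

The point of the design is that the check lives in one function, `can_manage`, and every code path that lists or acts on hosts calls it; hiding entries in one view while another view or the action handler trusts the submitted host id is exactly the situation the thread describes.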
-
@Sebastian-Roth
The process that we used to create the host is the same that you described in point 1, but it is not working in our environment. Point 2 we are not using at the moment, and for point 3, when we register with this method the host goes to a pending state and we need to approve it and then add it to the site.
First I created the new host. And after I created it, the host is not listed.
When I’m logged in with the admin account, as you can see, the host is not associated to any site.
-
@seribe Seems like I cannot replicate the issue as described. Please run the database maintenance and see if you still have the same issue after that: https://wiki.fogproject.org/wiki/index.php/Troubleshoot_MySQL#Database_Maintenance_Commands
By the way, which version of FOG do you run?
-
@Sebastian-Roth
Hi Sebastian,
Thanks for your reply.
The fog version is 1.5.8, the plugins are site 1.5.5_2, access control 1.5.5, ldap 1.5.5_1 and location.
I did the database maintenance procedure and the problem is still present.
I don’t know if it’s related, but when I join a group for a site or location and go to another group or host and go back to the previous group the site membership is not configured.
-
Hi Sebastian,
I checked the log file and found this error when I created a new host and associated it to a site:
[Fri Jun 26 18:28:37.451930 2020] [proxy_fcgi:error] [pid 24084] [client xx.xx.xx.x:59086] AH01071: Got error ‘PHP message: PHP Warning: Invalid argument supplied for foreach() in /var/www/fog/lib/plugins/site/hooks/addsitefiltersearch.hook.php on line 104\n’
-
@Sebastian-Roth
Hi Sebastian,
Any update?
Thank you
-
Hello
@Sebastian-Roth, can you please help me to solve this problem?
Thank you
-
@seribe I am sorry but the stack of things to do is huge and I haven’t found the time to look into this as I need to focus on the core code. The plugin code was developed (and is kind of maintained) by @Fernando-Gietz. He might find some time to look into this.