Fog Server vulnerable
@george1421 @Sebastian-Roth Thank you all for your help. I downgraded to php7 but couldn’t get around the HTTP error 500. We didn’t take a snapshot of the VM before messing around with it. It took a while for the admin to restore our FOG server from the backup. I’m staying at PHP 7.4.28 and mysql 5.7.33 for now.
> Thank you all for your help.

You are welcome. You might want to ask in the forums before jumping right into it next time.

> I downgraded to php7 but couldn’t get around the HTTP error 500.

The Apache and PHP-FPM logs are your friends in finding out what’s wrong. See my signature on where to find those.

> We didn’t take a snapshot of the VM before messing around with it.

Next time you will, I am sure.

> It took a while for the admin to restore our FOG server from the backup. I’m staying at PHP 7.4.28 and mysql 5.7.33 for now.

So things are back to normal for now, right?
@sebastian-roth Yes, sir! Lesson learned…for now.
@TaTa I guess code is probably the best documentation you can get for this particular question:
@tata Beyond looking at the code, what do they expect you to produce? Yes, plain text FTP is used. It’s only used in the context of the application. At no time under the normal operation of FOG does a user or fog admin use FTP to access the server. It’s only used by back end FOG services for image movements within FOG. I’m not sure what else they might want.
Thank you all for your help. I was able to get an exemption from the security team for ftp plaintext. I’m down to the last issue about the nfs mount points and folder permissions. They don’t like the fact that these mount points are open to everyone. What is the proper way to secure them?
I currently have:
What is the proper permission for /images folder (and sub folders)? It is now set to drwxrwxrwx. fogproject root 4096.
@TaTa The default NFS in FOG is still version 3 which has no concept of user authentication/authorization. Sure you can try to lock things down a bit by setting access rights on the FOG server filesystem.
But if you want to go beyond that you will need to look into NFSv4 which is not implemented yet: https://forums.fogproject.org/topic/14791/feature-request-for-fog-1-6-x-configure-image-capture-to-use-nfsv4-instead-of-nfsv3
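
As an added illustration of the "open to everyone" finding discussed in this thread (not code from FOG or from any poster), here is a small Python audit that lists entries in `/etc/exports` syntax whose client is `*` and checks a directory mode for world-write access. The sample exports text and all function names are constructed for this example.

```python
import stat

# Constructed sample in /etc/exports syntax (not taken from the thread).
SAMPLE_EXPORTS = """\
# constructed example
/images *(ro,sync,no_subtree_check)
/images/dev *(rw,async,no_subtree_check) 10.0.0.0/24(rw,async)
/srv/backup 192.168.10.5(rw,sync)
"""

def parse_exports(text):
    """Yield (path, client, options) for each client spec on each export line.

    Simplified: no backslash line continuations, no quoted paths with spaces.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            host, _, opts = spec.partition("(")
            # "(rw)" with no host in front of it applies to any host
            yield path, host or "*", [o for o in opts.rstrip(")").split(",") if o]

def open_exports(text):
    """Return (path, access) for exports reachable by any host, writable first."""
    hits = [(path, "rw" if "rw" in opts else "ro")  # ro is the default
            for path, host, opts in parse_exports(text) if host == "*"]
    return sorted(hits, key=lambda hit: hit[1] != "rw")

def world_writable(mode):
    """True if the mode bits grant write access to 'other' (e.g. drwxrwxrwx)."""
    return bool(mode & stat.S_IWOTH)

if __name__ == "__main__":
    for path, access in open_exports(SAMPLE_EXPORTS):
        print(f"{path}: exported to any host ({access})")
    print("mode 0o777 world-writable:", world_writable(0o777))
```

To run it against a live server, pass the contents of `/etc/exports` to `open_exports()` and `os.stat(path).st_mode` to `world_writable()`.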