
    Posts made by Tom Elliott

    • RE: Dell Latitude 3340 with USB-C Ethernet Adapter - bad mac address registered

      @pbriec https://forums.fogproject.org/topic/15885/hp-probook-430-g8-system-mac-not-passing-through-usb-type-c-dongle/4

      This seems, as best I can tell, to have a similar problem.

      I am seeing in this thread that the debug mode seems to get the correct device mac address (passthrough) but the getMACAddresses function we have in place appears to be getting the physical mac address off the device.

      It’s interesting as ip a s works just fine, but FOG is using a command: ip -0 addr (along with some pipe commands) to get all device MAC addresses.

      Would you be willing to boot your system into debug mode of FOS and perform some tests to see if we can confirm and potentially address the problem?

      posted in Hardware Compatibility
      Tom Elliott
    • RE: change name on quick registration

      @aviel1540 https://docs.fogproject.org/en/latest/management/web/hosts/#method-1-adding-a-new-host-via-full-registration

      posted in General Problems
    • RE: Display problem client groups

      @oelked Sorry for the delay:

      Hopefully this could help?

      https://forums.fogproject.org/topic/8836/basic-persistent-groups-and-1-3-0rc16?_=1716234233001

      posted in Bug Reports
    • FOG 1.5.10 and earlier - NFS Privilege Escalation Vulnerability

      Hello all,

      A privilege escalation vulnerability was brought to our attention in how FOG has previously used NFS.

      The specific vulnerability was using the options “no_root_squash” and “insecure” as definitions in the exports file.

      The insecure option effectively allowed any system on non-privileged ports (anything > 1024, which we defaulted to for NFS) to have root-level access to the filesystem.

      The no_root_squash option allowed a client system to mount the NFS share, and if a client UID matched a UID on the server, the files would be created as that user (say the client had a user named bob with UID 1000, and the server had a user named admin with UID 1000; NFS on the server would show “admin” created the file). It also allowed root (UID 0) on a client’s machine to create files, scripts and all, as root on the server.

      If I understand the depth, once that client root created a file containing code to escalate privilege, anyone could mount the NFS share and use that bad-acting file to elevate to root on the server system.

      Luckily this had a relatively easy fix, and it has been implemented in dev-branch and working-1.6 from an installer standpoint.

      Since I don’t know when a “full” release will be made, I am outlining the steps you should/will need to take to correct the issue in the meantime.

      Here’s a diff of the master to include these changes in an automated fashion if you feel comfortable doing this:

      diff --git a/lib/common/functions.sh b/lib/common/functions.sh
      index b20b0e482..44f8657f5 100755
      --- a/lib/common/functions.sh
      +++ b/lib/common/functions.sh
      @@ -1357,7 +1357,9 @@ configureNFS() {
               echo "Skipped"
           else
               mv -fv "${nfsconfig}" "${nfsconfig}.${timestamp}" >>$error_log 2>&1
      -        echo -e "$storageLocation *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)\n$storageLocation/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)" > "$nfsconfig"
      +        userId=$(id -u $username)
      +        groupId=$(id -g $username)
      +        echo -e "$storageLocation *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,all_squash,anonuid=${userId},anongid=${groupId},fsid=0)\n$storageLocation/dev *(rw,async,no_wdelay,no_subtree_check,all_squash,anonuid=${userId},anongid=${groupId},fsid=1)" > "$nfsconfig"
               diffconfig "${nfsconfig}"
               errorStat $?
               dots "Setting up and starting RPCBind"
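      Review bot: the new userId=$(id -u $username) and groupId=$(id -g $username) values feed straight into the echo -e line with no check that they are set. If $username is empty, id -u with no argument reports the invoking user (the installer runs as root, so 0) and the export is written with anonuid=0, which silently restores the root mapping this hunk is removing; if the account does not exist, id fails and the line is written with an empty anonuid=. Suggest quoting the variable, failing on a non-zero exit from id, and testing that both values are non-empty digits before writing the file. Also worth stating in the commit message: the host field stays * on both exports and insecure_locks stays on the read-only one, so any host that can reach the NFS port can still mount both shares; all_squash only bounds what it can do to the fogproject user.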
      @@ -1569,8 +1571,8 @@ configureStorage() {
           else
               (head -1 "$storageLocationCapture/postinitscripts/fog.postinit" | grep -q '^#!/bin/bash') || sed -i '1i#!/bin/bash' "$storageLocationCapture/postinitscripts/fog.postinit" >/dev/null 2>&1
           fi
      -    chmod -R 777 $storageLocation $storageLocationCapture >>$error_log 2>&1
      -    chown -R $username $storageLocation $storageLocationCapture >>$error_log 2>&1
      +    chmod -R 775 $storageLocation $storageLocationCapture >>$error_log 2>&1
      +    chown -R $username:$username $storageLocation $storageLocationCapture >>$error_log 2>&1
           errorStat $?
       }
       clearScreen() {
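      Review bot: errorStat $? after the two -R lines only sees the exit status of the chown; a failure of the preceding chmod -R 775 goes to $error_log and is otherwise ignored, so the installer reports success while files may keep the 777 mode left by an earlier install (the removed line). Suggest chaining the two commands (chmod -R 775 ... && chown -R ...) so one status reaches errorStat, or checking each separately. A smaller point: -R 775 marks every captured image file executable; following the recursive chmod with a chmod 664 over regular files only (find -type f) would keep 775 for the directories that actually need the execute bit.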
      

      Steps:
      (If you rerun the installer please re-perform these steps to ensure things are as secure as possible)

      1. Get your fogproject user’s user and group ids:
        echo "UserID: "$(id -u fogproject); echo "GroupID: "$(id -g fogproject)
      2. Note these down and edit your system’s exports file (usually located at /etc/exports)
        Remove the no_root_squash and replace with all_squash in both instances
        Remove the insecure, from both instances
      3. Add: anonuid=<UserID>,anongid=<GroupID> to both instances
        Please replace <UserID> with the actual userID returned, and <GroupID> with the actual groupID returned.
        You should end up with an exports that looks like:
      /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,all_squash,anonuid=1001,anongid=1001,fsid=0)
      /images/dev *(rw,async,no_wdelay,no_subtree_check,all_squash,anonuid=1001,anongid=1001,fsid=1)
      
      4. Change filesystem permissions of /images to at least chmod -R 775 /images (Not necessary, but useful for an extra bit of security)
      5. Change ownership of /images to fogproject/fogproject: chown -R fogproject:fogproject /images
      6. Restart nfsd: systemctl restart nfsd
      7. Test.

      This should address the vulnerability. While it won’t prevent a “bad actor” from placing a new file on your system, the max level of that escalation could only be that of your fogproject user.

      I know this isn’t a good way to start a Monday, but when is a good time when it comes to security issues?

      Hopefully this will help and is simple enough to work in the meantime. Those who don’t mind, please use dev-branch for simplicity as it should address this in a more autonomous method.

      Thank you all in advance!

      Particularly, thank you Christophe Hugueny (Advens) @IronBlackBird

      posted in Announcements
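      The manual steps in the post above, as a small added shell example from the editor (it is not part of Tom's post or of the FOG installer): one function rewrites a FOG-style exports line from the vulnerable option set to the all_squash/anonuid/anongid form the post arrives at, and a second audits an exports file for lines that still carry no_root_squash or the bare insecure option (insecure_locks is left alone, as the post's own fix leaves it). The two export lines and the UID/GID value 1001 are constructed sample input mirroring the post; on a real server the IDs come from id -u fogproject and id -g fogproject, and the NFS server must be restarted after /etc/exports is changed.

```shell
#!/bin/sh
# Added example (editor's, not from the original post or the FOG installer).
# Rewrites FOG-style /etc/exports lines from the vulnerable option set
# (no_root_squash + insecure) to all_squash with a fixed anonuid/anongid,
# and audits an exports file for lines that still carry either option.

# harden_exports_line LINE UID GID
#   Prints LINE with no_root_squash replaced by all_squash,anonuid=UID,anongid=GID
#   and the bare "insecure" option removed. "insecure_locks" is untouched because
#   only ",insecure," / "(insecure," / ",insecure)" are matched.
harden_exports_line() {
    line=$1
    uid=$2
    gid=$3
    printf '%s\n' "$line" | sed \
        -e "s/no_root_squash/all_squash,anonuid=${uid},anongid=${gid}/" \
        -e 's/,insecure,/,/' \
        -e 's/(insecure,/(/' \
        -e 's/,insecure)/)/'
}

# audit_exports  (reads an exports file on stdin)
#   Returns 0 when no export carries no_root_squash or insecure; otherwise
#   prints each offending line to stderr and returns 1.
audit_exports() {
    bad=0
    while IFS= read -r line; do
        case $line in
            ''|\#*) continue ;;           # skip blank lines and comments
        esac
        opts=${line#*\(}                   # option list after the first "("
        opts=${opts%\)}                    # ... without the closing ")"
        if printf ',%s,' "$opts" | grep -Eq ',(no_root_squash|insecure),'; then
            printf 'UNSAFE: %s\n' "$line" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: the two exports the vulnerable installer wrote.
SAMPLE_EXPORTS='/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)'

# UID/GID 1001 are assumed for the example; on a real server use
# FOG_UID=$(id -u fogproject) and FOG_GID=$(id -g fogproject).
FOG_UID=1001
FOG_GID=1001

# Demonstration: the old exports fail the audit, then the corrected lines are printed.
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports || echo 'old exports are unsafe; corrected version:'
printf '%s\n' "$SAMPLE_EXPORTS" | while IFS= read -r l; do
    harden_exports_line "$l" "$FOG_UID" "$FOG_GID"
done
```

      The corrected lines come out identical to the two the post shows for UID/GID 1001. Running audit_exports against the live file (audit_exports < /etc/exports) after a reinstall is a cheap way to confirm the installer did not put no_root_squash or insecure back, which is the re-check the post asks for whenever the installer is rerun.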
    • RE: Cannot find disk on system (get harddisk) - Dell Latitude 3140

      @Kureebow I don’t know what UFS is, but is this a relatively new technology?

      Just because it’s NOT in the wiki does not mean it’s automatically supported. We don’t know what we don’t know? How do you say you “don’t support” something you don’t even know about?

      There has to be a ‘first’ and I think in this case there surely is.

      Now we have to figure out what needs to be built into the filesystem as well as if/what drivers need to be added to the linux kernels?

      I don’t have a build system anymore, but at least it’s a way we can try to get this working.

      posted in FOG Problems
    • RE: Error creating locations

      @oelked I don’t understand what you’re saying?

      Note: I’m not saying there isn’t a bug, I just don’t understand how to replicate what you’re saying or fully grasp what you mean.

      When a location is created, you must set these things:

      • Location Name
      • Location Name cannot be a location that already exists
      • Storage Group

      If any of those things is unmet, you will get an error stating as such.

      If the Storage group has no Storage nodes, I think this would be fine, though it might set to a storage node not in the group, ultimately the group is the end goal. If it errors out it just wouldn’t store the location.

      Can you screen capture and potentially view this behaviour that when you create a Location it’s overwriting the last one that was created?

      posted in Bug Reports
    • RE: Fog 1.5.10 Install error libcurl4 Failed during install

      @jaumeramos Would you be willing to test:

      diff --git a/lib/common/functions.sh b/lib/common/functions.sh
      index b20b0e482..05f40d08c 100755
      --- a/lib/common/functions.sh
      +++ b/lib/common/functions.sh
      @@ -725,6 +725,9 @@ installPackages() {
                           if [[ $OSVersion -gt 17 ]]; then
                               packages="${packages// libcurl3 / libcurl4 }">>$error_log 2>&1
                           fi
      +                    if [[ $OSVersion -ge 22 ]]; then
      +                        packages="${packages// libcurl4 / libcurl4t64 }">>$error_log 2>&1
      +                    fi
                           if [[ $linuxReleaseName_lower == +(*ubuntu*) && $OSVersion -ge 18 ]]; then
                               # Fix missing universe section for Ubuntu 18.04 LIVE
                               LANG='en_US.UTF-8' LC_ALL='en_US.UTF-8' add-apt-repository -y universe >>$error_log 2>&1
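      Review bot: the new if [[ $OSVersion -ge 22 ]] block substitutes libcurl4t64 by version number alone, while the very next condition guards its Ubuntu-specific fix with $linuxReleaseName_lower == +(*ubuntu*); without the same guard, any distribution whose $OSVersion is 22 or higher gets the Ubuntu package name. The threshold also looks wide: the later reply in this same thread says the breakage arrived with Ubuntu 24.04 (the t64 package renames are a 24.04 change), so -ge 22 would swap in libcurl4t64 on 22.04 and 23.x, where libcurl4 was working. Suggest [[ $linuxReleaseName_lower == +(*ubuntu*) && $OSVersion -ge 24 ]]. The >>$error_log 2>&1 on a plain variable assignment is a no-op copied from the line above and can be dropped.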
      

      Changing the functions to this code?

      I’m hoping to catch this, as 17-21 worked fine with libcurl4, but 22 needs libcurl4t64.

      It’s ugly; I have pushed it if you just want to pull from dev-branch.

      posted in Linux Problems
    • RE: imaging a PC with multiple drives

      @mrowand With SSDs this is only possible with SATA channels, kinda-ish:

      PATA was really the only one where we could always guarantee 100% which order a drive would load up in.

      On PATA cards you had a ribbon with the end of the cable that plugged to the drive always being the first loaded, middle of the ribbon always being the second loaded. Channel 0 end of cable was always to be /dev/hda, middle on Channel 0 would be /dev/hdb if the end was plugged in.

      With SATA you “almost” had it because of sata channels, but Serialized devices also counted against the counts (so if USB loaded first, it was possible a USB drive could take /dev/sda, /dev/sdb, etc…) So not a 100% guarantee here, which ever Serialized thing loaded first.

      With nvme/pci based cards it’s first come, first served based on how quickly the device can power on and present to the system during POST. This is completely outside of FOG’s ability to control, so your method of disconnecting everything that you don’t want touched is the best result.

      I know it’s not an answer one would hope for, but it currently is the best answer I think.

      posted in Feature Request
    • RE: Is it possible to change FTP port for nodes?

      @cornycopia After thinking about it, there’s a “general” port that’s used.

      FOG Settings -> FOG_FTP_PORT

      Granted this isn’t per server, but it is a choosable thing.

      posted in General Problems
    • RE: Is it possible to change FTP port for nodes?

      @cornycopia I could be wrong, but if I recall correctly, the “FTP” trigger isn’t from the client machine (per se) but rather from the fog server itself.

      So NFS is the file mechanism that is used during the upload/deploy process.

      The FTP part comes after an Upload completes to move it from the /images/dev/<mac_address> to /images/<image_name> on the FOG Server itself.

      So effectively it’s doing a direct mapping. Now to be fair it is using the machines own IP address, instead of 127.0.0.1, so maybe that plays into it. Right now, that’s not something in the code.

      posted in General Problems
    • RE: Issues With UEFI When Trying To Capture Images

      @1337darkin The image can be captured in any state (PXE/UEFI)

      But to boot the system, you need it in the “original” state of creating in the image:

      For example:

      You have a UEFI booted machine, and you capture the Image over PXE (Legacy) network via Virtual Box

      That will be fine, as long as the system that boots is booting in UEFI mode. The “boot” mode is the important piece if that helps?

      posted in FOG Problems
    • RE: Issues With UEFI When Trying To Capture Images

      @george1421 This link might help:
      https://forums.fogproject.org/topic/10160/virtualbox-pxe-boot-no-configuration-methods-succeeded

      it’s the use of EFI booting a PXE booting system:

      It’s been a long long time, but VirtualBox back then didn’t have EFI Network booting capability, and I suspect this still may be the case.

      May need to adjust the boot options to use boot classes to provide ipxe.pxe for this virtual box host. I don’t recall how to do this right now.

      posted in FOG Problems
    • RE: Ftp_login(): Maximum number of tried exceeded

      @nkduy1508 You need to resync your FOG FTP credentials and all.

      https://forums.fogproject.org/topic/11203/resyncing-fog-s-service-account-password

      fog shouldn’t be the user in use anymore unless you’re using a very old version of FOG?

      From the INIT version, it seems maybe from 1.5.7?

      posted in FOG Problems
    • RE: Error generating image

      @inconnu can you provide your fog servers (10.1.3.100) php-fpm/html error logs from immediately after seeing this error?

      I know it’s not a fix per se, but knowing if there’s a server error that we can actually read through might help us understand the problem better.

      Particularly due to the fact that it gets to the point of capturing the image, it seems likely there’s some code error, but without knowing what the logs actually show (from the php perspective) I can only take WAGs at this point (Wild assumptive guesses).

      posted in FOG Problems
    • RE: Error generating image

      @inconnu The StorageNode user/pass is only used when you have Storage nodes in your environment. (Which we always do, as the “Server” is one as well, but this is more meant relating to additional “Storage Nodes” that communicate with a central system (the server).)

      I don’t think this is the cause of the FTP issues you’re seeing.

      posted in FOG Problems
    • RE: Error generating image

      @inconnu From the storage node at 10.1.3.100, with username fogproject and the password associated, you can login, and create files. I see in the FTP code you tested that worked, but where did you get the password you used there?

      Was that from the /opt/fog/.fogsettings file or the password associated in the UI?

      I am under the suspicion that the password in the DB is incorrect.

      posted in FOG Problems
    • RE: Fog 1.5.10 Install error libcurl4 Failed during install

      @mstraffin No problems, just wanted to make it known we are aware that each new version of Ubuntu tends to break the installer of FOG. This isn’t because the software wouldn’t work on ubuntu out of the box, but the packages needed keep changing between versions.

      For example, libcurl4 might simply be provided in default curl now but since past versions need the specific libcurl4 call out, it causes errors. So we have to maintain libcurl4 of version ubuntu <x:y> while allowing “new” ubuntu <latest>.

      Ubuntu is personally one OS I’m not a fan of for FOG’s installer, since the package list is consistently fragmented.

      posted in Linux Problems
    • RE: Fog 1.5.10 Install error libcurl4 Failed during install

      @mstraffin Please do not use a version of Ubuntu that released AFTER the latest version of FOG was released?

      While sometimes it may work just fine, in a large majority of cases it will not, because the changes Ubuntu makes to available packages change just as frequently as Ubuntu updates.

      From what I can see Ubuntu 24.04 was released sometime yesterday. FOG 1.5.10 was released sometime in 2023. So there’s nothing for us to fix currently, because we haven’t had enough time to even look at the new version of Ubuntu and see IF we could even update the installer cleanly enough to get it installed on Ubuntu 24.04.

      posted in Linux Problems
    • RE: FOG 1.5.10 officially released

      @tedlaur You can provide your error log from the install, but sometimes more fruitful is the actual php-fpm error (or on debian it may just be in the http error logs)

      I don’t recall, and it has been a while since I did direct troubleshooting with fog. I can still read of course and probably help in that way, but my systems are limited as of late and as such it is harder for me to troubleshoot issues to try to replicate.

      posted in Announcements
    • RE: FOG 1.5.10 officially released

      @tedlaur FOG does not require using php 5 any longer.

      The “minimum” version expected in more modern versions of FOG I believe is at least 7. In the past it used to be 5.6 at least, but with the large differences in php 7/8 I believe it’s normal now to expect at least 7 or >

      posted in Announcements