How to harden CoreOS - coreos

One of our security experts has run a vulnerability detection script on CoreOS and found a few recommendations (note that this script was initially designed for use with Linux OS).
Some of the VA issues reported by the tool are below:
PASS_MAX_DAYS in /etc/login.defs must be set to 60
Field 5 of /etc/shadow must be 90
CoreOS doesn't allow me to edit /etc/login.defs as the root user. The file is read-only for the core and root users. I know this is in vain as CoreOS uses SSH key-based login. However, I would like to know whether there is any other way to edit these files, as I need to deal with a few system files to fix more issues.
Do I need to use the cloud-init tool to modify this file, or is there any other alternative to harden CoreOS?

https://groups.google.com/forum/#!topic/coreos-user/87fluJrTuJE:
These types of files in /etc are actually symlinks pointing to files in /usr. This allows CoreOS to update them via auto-updates, but also gives you the ability to break the symlinks and stick a customized file in their place. You can see this by listing the directory:
$ ls -la /etc/ | grep login
lrwxrwxrwx. 1 root root 32 Nov 8 19:00 login.access -> ../usr/share/shadow/login.access
lrwxrwxrwx. 1 root root 30 Nov 1 06:14 login.defs -> ../usr/share/shadow/login.defs
Obviously, edit these only if you know what you are doing. You should be able to do this with cloud-config/Ignition if you need to automate it.
Both of those recommendations have to do with login passwords. We do not recommend you use passwords at all and nearly all setups of CoreOS Linux use ssh keys instead.
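As an added example (not from the mailing-list reply or the CoreOS project), a POSIX shell function that breaks such a symlink, copies the /usr content into a real file under /etc, and sets a login.defs key such as PASS_MAX_DAYS. The function names and the scratch-tree layout are assumptions so it can be exercised outside a CoreOS host; on a real host the same file would normally be delivered via cloud-config/Ignition.

```shell
#!/bin/sh
# Added example, not from the thread: turn an /etc symlink that points into /usr
# into a real, editable file and set one KEY VALUE pair in it (login.defs style).
# The path is a parameter so this can be exercised on a scratch tree; on a real
# host you would run it as root or, better, bake the file in via cloud-config/Ignition.
#
# Usage: detach_and_set <etc_file> <KEY> <VALUE>
detach_and_set() {
  file=$1; key=$2; value=$3
  if [ -L "$file" ]; then
    # Resolve the link; relative targets are relative to the link's own directory.
    target=$(readlink "$file")
    case $target in
      /*) ;;
      *) target=$(dirname "$file")/$target ;;
    esac
    # Copy the pristine /usr content into a temp file, then rename it over the link
    # (rename replaces the symlink itself, the /usr original is left untouched).
    tmp=$(mktemp "$(dirname "$file")/.tmp.XXXXXX") || return 1
    cat "$target" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$file" || return 1
  fi
  # Replace an existing (possibly commented-out) setting, otherwise append it.
  if grep -Eq "^#?[[:space:]]*$key[[:space:]]" "$file"; then
    sed -i -E "s/^#?[[:space:]]*$key[[:space:]].*/$key\t$value/" "$file"
  else
    printf '%s\t%s\n' "$key" "$value" >> "$file"
  fi
}

# Effective value of <KEY> in <file>: the last uncommented assignment wins.
get_setting() {
  awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}
```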

Related

Why does inputs.conf change look fine outside docker, but look wrong inside docker?

I had this working, but it no longer does, and I somewhat-suspect a docker volume problem as well as somewhat-suspect a permissions issue, and also somewhat suspect an OS upgrade. But I really don’t know what the problem is.
Inside the splunk container, I see:
[root@splunk splunk]# cat /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0
[http://splunk_hec_token]
disabled = 0
token = really-big-token-thingie
Which is really not what I want.
And outside the splunk container (on the MacOS side), I see:
$ cat splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/inputs.conf
cmd output started 2022 Mon May 02 04:19:43 PM PDT
[http]
disabled = 0
[http://splunk_hec_token]
disabled = 0
token = really-big-token-thingie
index = dev_game-publishing
That is what I want.
In my docker-compose, I have (among other things) :
volumes:
- ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/ /opt/splunk/etc/apps/splunk_httpinput/local/
(That long volume line is all-one-line. It may or may not be wrapping when you view it, though it is wrapping in this editor)
I tried both setting up a volume for the entire directory, as well as just that one file. I’m hearing that doing an entire directory tends to be more reliable, but both failed the same way.
The directory containing the file is owned by splunk and has restrictive permissions:
[ansible@splunk splunk]$ cat /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf
cat: /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf: Permission denied
[ansible@splunk splunk]$ ls -l /opt/splunk/etc/apps/splunk_httpinput/
total 12
drwxr-xr-x 2 splunk splunk 4096 Jan 15 03:31 default
drwx------ 2 splunk splunk 4096 May 2 22:14 local
drwx------ 2 splunk splunk 4096 May 2 22:14 metadata
[ansible@splunk splunk]$
Which explains why the ansible user can’t cat it. But is ansible painting itself into a corner and preventing itself from making all the changes I need?
I also upgraded from MacOS 11.x to 12.3 in between when this was working, and when it stopped. I don’t know if that’s related or not.
How can I get the desired content inside the container, automatically?
Thanks for any and all suggestions!
Your volume spec looks broken. Usually you join the host path with a colon to the container path.
volumes:
- ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local:/opt/splunk/etc/apps/splunk_httpinput/local
I guess that's why inside the image you see the default content of this directory, as your local directory is never properly mounted.
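As an added example (not from the answer), a shell lint for the short-syntax entries under a service's volumes: key in a compose file; it catches the whitespace-separated spec from the question, which never mounts anything and so leaves the image's default inputs.conf in place. The function name and message format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lint the short-syntax entries under a
# service's `volumes:` key in a compose file. A valid short entry is
# HOST:CONTAINER[:MODE] or a bare absolute CONTAINER path (anonymous volume);
# the whitespace-separated form from the question has no colon at all, so the
# host directory is never mounted and the image's default content shows through.
#
# Usage: check_compose_volumes <docker-compose.yml>; prints "line N: reason"
# for each bad entry and returns 1 if any were found.
check_compose_volumes() {
  awk '
    /^[ \t]*volumes:[ \t]*$/ {              # start of a volumes list; remember its indent
      match($0, /^[ \t]*/); depth = RLENGTH; in_vol = 1; next
    }
    in_vol {
      if ($0 ~ /^[ \t]*$/) next              # blank line, stay in the list
      match($0, /^[ \t]*/)
      if (RLENGTH <= depth) { in_vol = 0; next }   # back at the parent level: list ended
      if ($0 !~ /^[ \t]*-[ \t]*/) next       # mapping form (long syntax), not checked here
      spec = $0; sub(/^[ \t]*-[ \t]*/, "", spec); sub(/[ \t]+$/, "", spec)
      n = split(spec, f, ":")
      if (spec ~ /[ \t]/)
        bad(NR, "whitespace inside spec; host and container paths must be joined by a colon", spec)
      else if (n == 1 && spec !~ /^\//)
        bad(NR, "single field that is not an absolute container path", spec)
      else if (n > 3)
        bad(NR, "more than HOST:CONTAINER:MODE fields", spec)
      else if (n > 1 && f[2] !~ /^\//)
        bad(NR, "container path must be absolute", spec)
    }
    function bad(nr, why, s) { printf "line %d: %s: %s\n", nr, why, s; found = 1 }
    END { exit found ? 1 : 0 }
  ' "$1"
}
```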

You don't have permission to access / on this server ubuntu 14.04

Agenda: to have a common project folder between Linux and Windows.
I have changed my document root from /var/www/html to /media/mithun/Projects/test on my Ubuntu 14.04 machine.
I get this error:
Forbidden
You don't have permission to access / on this server.
Apache/2.4.7 (Ubuntu) Server at localhost Port 80
So I added the following to /etc/apache2/sites-available/000-default.conf (sudo gedit /etc/apache2/sites-available/000-default.conf):
# DocumentRoot /var/www/html
DocumentRoot /media/mithun/Projects/test
DocumentRoot /var/www/test works, but not with the Windows NTFS partition drive.
Even after referring to :
Error message "Forbidden You don't have permission to access / on this server"
Issue with my Ubuntu Apache Conf file. (Forbidden You don't have permission to access / on this server.)
No success :( So kindly assist me with it...
Note: Projects is a new volume (internal drive; in Windows it is the E:/ drive).
@Lmwangi - Please check my updates for your reference below:
Output of ls /etc/apparmor.d/:
abstractions lightdm-guest-session usr.bin.evince usr.sbin.cupsd
cache local usr.bin.firefox usr.sbin.mysqld
disable sbin.dhclient usr.lib.telepathy usr.sbin.rsyslogd
force-complain tunables usr.sbin.cups-browsed usr.sbin.tcpdump
I tried killing apparmor:
sudo /etc/init.d/apparmor kill
I received this output: Usage: /etc/init.d/apparmor
{start|stop|restart|reload|force-reload|status|recache}
After this, I was also able to restart Apache successfully.
Maybe the problem is simple: is your new root directory accessible to the www-data user?
Try:
$ chown -R www-data:www-data /media/mithun/Projects
As you have discovered by now, you cannot just manipulate permissions on an NTFS partition (using tools like chmod).
However, you can try forcing a given owner/permissions for the entire partition when you mount it.
Now, the way to do this depends on the NTFS utilities you are actually using (which I don't know, so I'm assuming you are using ntfs-3g).
E.g. mount the partition with the following parameters (replace /dev/sdX with your actual partition, and /path/where/the/drive/is/mounted with your target path):
mount -o gid=www-data /dev/sdX /path/where/the/drive/is/mounted
should make all the files on the partition belong to the www-data group.
If the filesystem sets the group ownership explicitly, this still might not work.
In this case, you might need to set up a usermap that maps your Windows users/groups (as found on the partition) to your Linux users/groups.
The ntfs-3g.usermap utility will help you generate an initial usermap file, which you can then edit to your needs:
ntfs-3g.usermap /dev/sdX
Then pass the usermap to the mount options:
mount -o usermapping=/path/to/usermap.file /dev/sdX /path/where/the/drive/is/mounted
I suspect that you have AppArmor enforcing rules that prevent Apache from reading non-whitelisted directory paths. I suggest that you:
1. Edit the AppArmor config for Apache to access your custom path. You'll need to hunt around /etc/apparmor.d/. You may also find using AppArmor in non-enforcing mode helpful:
$ sudo aa-complain /etc/apparmor.d/*
2. Use mod_apparmor? See this.
3. Or disable AppArmor completely. See this.
My order of preference would be 1, 3, 2. That should fix this for you :)
While using Ubuntu alongside Windows I faced the same issue, and it was resolved by remounting the drive with read and write access. The command below will help you do that:
sudo mount -o remount,rw /disk/location /disk/new_location
If it is still not working, then in Windows go to the power options and disable Fast Startup.
When you shut down a computer with Fast Startup enabled, Windows locks down the Windows hard disk. You won’t be able to access it from other operating systems if you have your computer configured to dual-boot. Even worse, if you boot into another OS and then access or change anything on the hard disk (or partition) that the hibernating Windows installation uses, it can cause corruption. If you’re dual booting, it’s best not to use Fast Startup or Hibernation at all.
Original article: https://www.howtogeek.com/243901/the-pros-and-cons-of-windows-10s-fast-startup-mode/
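As an added example (not from any of the answers), a shell check for the directory-traversal cause of the "Forbidden": it walks every component of the DocumentRoot path and reports which ones deny the search bit both to "others" and to the httpd group (assumed to be www-data, as in the chown answer above). The function names are assumptions; AppArmor and mount options are not checked.

```shell
#!/bin/sh
# Added example, not from the thread: Apache answers "Forbidden" for a
# DocumentRoot it cannot reach, and for a path like /media/<user>/Projects/test
# every directory from / downwards needs the search (x) bit for the httpd user.
# This walks that chain and flags components that grant x neither to "others"
# nor to the given group. It only reads metadata; AppArmor and mount options
# (the thread's other two causes) are outside its scope.
#
# Usage: check_traversal <absolute path> [group]   (group defaults to www-data)
check_dir() {
  dir=$1; grp=$2
  mode=$(stat -c %a "$dir"); owner=$(stat -c %U "$dir"); group=$(stat -c %G "$dir")
  other_x=$(( 0$mode & 1 ))         # search bit for others?
  group_x=$(( (0$mode & 8) / 8 ))   # search bit for the group?
  if [ "$other_x" = 1 ] || { [ "$group" = "$grp" ] && [ "$group_x" = 1 ]; }; then
    echo "ok      $mode $owner:$group $dir"
  else
    echo "BLOCKED $mode $owner:$group $dir"
    return 1
  fi
}

check_traversal() {
  path=$1; grp=${2:-www-data}; rc=0; cur=""
  case $path in /*) ;; *) echo "path must be absolute"; return 2 ;; esac
  check_dir / "$grp" || rc=1
  # Split on "/" and rebuild the chain /a, /a/b, /a/b/c ...
  oldifs=$IFS; IFS=/; set -- $path; IFS=$oldifs
  for part in "$@"; do
    [ -n "$part" ] || continue          # skip the empty field before the leading /
    cur="$cur/$part"
    [ -d "$cur" ] || { echo "MISSING $cur"; return 2; }
    check_dir "$cur" "$grp" || rc=1
  done
  return $rc
}
```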

Permissions issue on cifs mount between Ubuntu and Mavericks

On my Linux box running Ubuntu 12.04 LTS I am able to mount a share using cifs.
The shared folder in question is located on a Mac Pro running Mavericks.
Here is the fstab on the Ubuntu/Linux box.
//132.13.6.5/Data /home/sro/Mount cifs username=sro,password=psw,nounix,sec=ntlmssp,rw
/Mount on the Linux box has these permissions:
drwxr-xr-x 21 root root 0 Jan 16 13:29 Mount
I can read /Mount/Data but not write (I get a permission error).
I think this is because /Mount is created by root and I am trying this as a user.
But I am unable to change /Mount permissions or ownership even using sudo.
On the Mac/Mavericks side, /Data has read/write permissions.
Any ideas how to solve this?
The issue here was a missing UID/GID pair. Apparently when those are absent the default owner of the share will be root.
So my fstab line should look like this:
//132.13.6.5/Data /home/sro/Mount cifs username=sro,password=psw,nounix,sec=ntlmssp,rw,uid=1001,gid=1001
Two things:
your UID/GID may not be 1001, so better check with the id command first
you may want to use permission masks as detailed here.
Add uid=your_user_name to your fstab line; your line will be:
//132.13.6.5/Data /home/sro/Mount cifs username=sro,password=psw,nounix,sec=ntlmssp,rw,uid=your_user_name
That way you are asking Linux to set that user as the owner of the filesystem being mounted.
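As an added example (not from the answers), a shell check of a cifs fstab line for the uid=/gid= options the thread settles on (mount.cifs accepts either numeric ids or names); it also warns about the plaintext password= the question's line carries, since mount.cifs can read the credentials from a credentials= file instead. Function names and messages are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a cifs fstab line for the ownership
# options the thread settles on. mount.cifs takes uid=/gid= as a number or a
# name; this flags a missing uid/gid, a name that does not resolve locally, and
# a plaintext password= sitting in the world-readable fstab.
#
# Usage: check_cifs_fstab_line "<fstab line>"   -> 0 ok, 1 problems, 2 not cifs
check_cifs_fstab_line() {
  line=$1; rc=0; have_uid=0; have_gid=0
  set -- $line
  [ "$3" = "cifs" ] || { echo "not a cifs entry"; return 2; }
  opts=$4
  oldifs=$IFS; IFS=,
  for opt in $opts; do
    case $opt in
      uid=*) have_uid=1; check_id_value passwd "${opt#uid=}" || rc=1 ;;
      gid=*) have_gid=1; check_id_value group  "${opt#gid=}" || rc=1 ;;
      password=*) echo "WARN: plaintext password in fstab; prefer credentials=<file> (mode 0600)" ;;
    esac
  done
  IFS=$oldifs
  [ $have_uid = 1 ] || { echo "FAIL: no uid= option; share will be owned by root"; rc=1; }
  [ $have_gid = 1 ] || { echo "FAIL: no gid= option; share will be owned by root"; rc=1; }
  return $rc
}

# A uid/gid value must be numeric or resolve via getent in the given database
# (passwd for uid=, group for gid=).
check_id_value() {
  db=$1; val=$2
  case $val in
    ''|*[!0-9]*)
      if getent "$db" "$val" >/dev/null 2>&1; then
        echo "ok: $db name '$val' resolves"
      else
        echo "FAIL: $db name '$val' is not numeric and does not resolve"; return 1
      fi ;;
    *) echo "ok: numeric $db id $val" ;;
  esac
}
```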

linux automated change permission and change ownership:group in a specified folder [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
My situation
I'm using Windows 8 and building a local web development box with Arch Linux (just a bare setup: LAMP and Ruby for Sass and Compass) inside VirtualBox. I shared one of my folders inside Linux using Samba to be able to view and edit it from Windows 8. I set the folder inside Linux to http:http and 0777 write permissions so that I can edit it from Windows.
My problem:
Whenever I'm creating new files (e.g. images, folders, files) from Windows, the ownership and group are set to nobody:nobody.
My question:
Is there a way that when I create a new file from Windows, the owner and group will automatically be set to http:http with 0777 write permission?
I'm new to Linux and I know this is a security risk, but this is only a web development box, just for me to be able to play with Ruby and Rails, Sass or Compass, and of course to expand my little knowledge of Linux from scratch.
Edit smb.conf
For security reasons, set a static IP on Windows 8, e.g. 192.168.1.50, so that no one else can access your Samba shared directory. In your smb.conf, uncomment hosts allow and set it to your Windows static IP.
example:
hosts allow = 192.168.1.50
Next navigate down to share section and set the directory you want to share.
example:
[www]
comment = www
path = /www
writable = yes
guest ok = yes
public = yes
create mask = 0777
directory mode = 0777
then save.
Next is setuid and setgid.
more info here
$ sudo chmod -R g+s /www
Next, set access control lists (I just got this from here):
$ sudo setfacl -R -m d:g:http:rwx /www
That's it!
Sample output, tested via Windows 8 and VirtualBox:
created directory from linux
drwxrwsrwx+ 2 devbox http 4096 Mar 12 10:18 testfromnix
created file from linux
-rw-rw-rw-+ 1 devbox http 1 Mar 12 10:20 testfromnix.file
(I've set rwx in the setfacl call, but the file shows only read and write. I might be missing something, but it's OK, it serves your purpose. If someone knows why, it's open for clarification.)
created directory from windows
drwxrwsrwx+ 2 nobody http 4096 Mar 12 10:27 testfromwin
created file from windows
-rwxrwxrw-+ 1 nobody http 0 Mar 12 10:29 testfromwin.file
Now you can edit or add files/directories on both machines with no problem...
You can set the "setgid" flag on the directory (=folder), which will change the owning group for all files and directories created below it afterwards. See http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories for a more detailed explanation.
Unless you need something special that should be completely sufficient for your needs. Just set proper group permissions to the directories as well.
Another way might be changing the Samba configuration to use a different user for creating new files. But that's for someone else to answer :)

Newly created folder permission rights issue

Hope you are good. I have XAMPP on Fedora and changed the owner of /opt/lampp/htdocs to root. I did so because whenever someone creates a new folder through sharing, they don't have permission to dynamically create folders or files or to write images. Then I ran the command
chmod -R 777 /opt/lampp/htdocs
But whenever the system restarts, I need to run this command again. To avoid running it again and again, I changed the owner of /opt/lampp/htdocs and ran
chmod -R 777 /opt/lampp/htdocs
Now, whenever the server restarts, the assigned permissions don't need to be set again. That is resolved.
I have an issue: old directories can be written to, but if any network user creates a new directory under htdocs, that new directory's permissions need to be changed.
Previously created; this directory can be used to run a script that creates files:
drwxrwxrwx 2 root root 4096 2011-06-15 14:09 aaa
Newly created; cannot be used to run a script that creates an image or writes anything:
drwxr-xr-x 2 root root 4096 2011-06-17 15:17 aaaa
drwxr-xr-x: this one is really annoying to me for each newly created folder in htdocs :(
Just to let you know, my htdocs owner and rights are:
drwxrwxrwx 101 root root 4096 2011-06-17 15:17 htdocs
Why is it so? Can anybody please help me figure this problem out? I am anxiously waiting for a quick response.
First off, you should investigate what permissions you really need - chmodding everything to 777 is a security risk as it will allow any user to write inside of your web root.
However, to address your actual question of the default permissions when a new folder is created by a user, you want to adjust the default "umask" which determines such things.
This question has some information for changing it for the Apache user (if a "network user" is a user creating new files and directories through the httpd process):
Setting the umask of the Apache user
If you need to adjust it for other users or processes, the solution will be similar.
Good luck!
Edit
Since you're on Fedora, try this: (from the question I linked above)
[root ~]$ echo "umask 002" >> /etc/sysconfig/httpd
[root ~]$ service httpd restart
The first command will add that line to /etc/sysconfig/httpd, which is a permanent configuration file, and the second command will make it active.
You are tackling the problem from the wrong side. Restore your Apache configuration to use apache.apache as the default user/group, and set your Samba server to use those credentials when someone writes to your document root.
If you are using NFS or another POSIX-compatible filesystem, use chmod g+s to keep all files readable by your Apache server.
Try it:
#umask 000
have a good time!!
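As an added example covering both this question's drwxr-xr-x directories and the rw- file the Samba answer above could not explain (not from either thread), a shell demonstration of how the process umask shapes the mode of new files and directories, plus a check that lists group-unwritable directories under a web root. Function names are assumptions; the generalisation is that plain files start from 0666 and directories from 0777 before the umask is applied.

```shell
#!/bin/sh
# Added example, not from either thread: the mode of a new file or directory is
# a base mode with the process umask cleared out of it. Directories start from
# 0777 and regular files from 0666, which is why the Samba answer's file shows
# rw- even though its default ACL says rwx, and why httpd's default umask 022
# yields the drwxr-xr-x directories this question complains about.
#
# effective_mode <base octal> <umask octal>  -> resulting octal mode
effective_mode() {
  printf '%o\n' $(( 0$1 & ~0$2 ))
}

# Create directory <parent>/<name> and file <parent>/<name>.file under <umask>;
# print the two resulting modes as "<dir> <file>" so the arithmetic can be checked.
create_under_umask() {
  parent=$1; name=$2; mask=$3
  ( umask "$mask" && mkdir "$parent/$name" && : > "$parent/$name.file" ) || return 1
  printf '%s %s\n' "$(stat -c %a "$parent/$name")" "$(stat -c %a "$parent/$name.file")"
}

# List directories below <root> that their group cannot write to (the
# drwxr-xr-x case). Returns 1 if any exist, 0 if the tree is clean.
group_unwritable_dirs() {
  found=$(find "$1" -mindepth 1 -type d ! -perm -020)
  [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Demo: the umasks mentioned in the threads (022 default, 002 from the answer, 000 from the comment).
for m in 022 002 000; do
  printf 'umask %s -> dir %s, file %s\n' "$m" "$(effective_mode 777 "$m")" "$(effective_mode 666 "$m")"
done
```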
