Should I mess with file permissions in the Jenkins home directory? - security

Looking in /var/lib/jenkins on a relatively fresh install, I notice some file permissions that are, well, scary:
-rw-r--r-- 1 jenkins jenkins 7285 Apr 29 13:29 config.xml
-rw-r--r-- 1 jenkins jenkins 4008 Apr 28 21:04 credentials.xml
-rw-r--r-- 1 jenkins jenkins 64 Apr 28 13:57 secret.key
And in /var/lib/jenkins/secrets:
-rw-r--r-- 1 jenkins jenkins 272 Apr 28 15:08 hudson.console.AnnotatedLargeText.consoleAnnotator
-rw-r--r-- 1 jenkins jenkins 32 Apr 28 15:08 hudson.model.Job.serverCookie
-rw-r--r-- 1 jenkins jenkins 272 Apr 28 14:25 hudson.util.Secret
-rw-r--r-- 1 jenkins jenkins 32 Apr 28 13:57 jenkins.model.Jenkins.crumbSalt
-rw-r--r-- 1 jenkins jenkins 48 Apr 28 14:25 jenkins.security.ApiTokenProperty.seed
-rw-r--r-- 1 jenkins jenkins 256 Apr 28 13:57 master.key
-rw-r--r-- 1 jenkins jenkins 272 Apr 28 13:57 org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY
-rw-r--r-- 1 jenkins jenkins 5 Apr 29 13:29 slave-to-master-security-kill-switch
I'm thinking all these files should be set to mode 600 with owner jenkins, but I'm not sure if I'm being paranoid. Is there some reason why the maintainers haven't locked these files down more? Is there some other well-protected master key that makes these files by themselves less valuable?

The above permissions seem standard across all Jenkins installs. Changing the permissions has messed up the setup for me in the past.
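As an added example, not from the question or from the Jenkins project: a small shell audit that reports which of the files above are readable by anyone other than their owner, together with the mode of the home directory itself, and a companion function that tightens them to owner-only without changing ownership. It assumes GNU find and stat (a Linux host) and takes JENKINS_HOME as its argument; the fixture it builds is a constructed stand-in for the listing, not a real installation. Two things worth knowing when deciding: master.key and hudson.util.Secret together are what decrypt the values stored in credentials.xml, so those files are only as safe as the weakest of them, and whether 644 files matter at all depends on the mode of the directory that contains them, which is why the audit prints it.

```shell
#!/bin/sh
# Added example (not Jenkins project code). Assumes GNU find/stat/chmod.

# Print every file holding key material that group or others can read,
# write or execute: the three top-level files from the question plus
# everything under secrets/. -perm /077 matches any g/o bit being set.
jenkins_exposed_files() {
    home=$1
    find "$home" -maxdepth 1 -type f \
        \( -name config.xml -o -name credentials.xml -o -name secret.key \) \
        -perm /077 -print
    if [ -d "$home/secrets" ]; then
        find "$home/secrets" -type f -perm /077 -print
    fi
}

# Report exposed files and the mode of JENKINS_HOME itself (a 750 home
# directory is what stands between 644 files and other local users).
# Returns 0 only when nothing is exposed.
jenkins_secret_audit() {
    home=$1
    n=$(jenkins_exposed_files "$home" | wc -l | tr -d ' ')
    jenkins_exposed_files "$home" | while IFS= read -r f; do
        echo "EXPOSED $(stat -c '%a %U:%G' "$f") $f"
    done
    echo "JENKINS_HOME $(stat -c '%a %U:%G' "$home") $home"
    [ "$n" -eq 0 ]
}

# Owner-only modes. Ownership is deliberately not touched: the jenkins
# user must still be able to read (and rewrite) these files.
jenkins_secret_harden() {
    home=$1
    find "$home" -maxdepth 1 -type f \
        \( -name config.xml -o -name credentials.xml -o -name secret.key \) \
        -exec chmod 600 {} +
    if [ -d "$home/secrets" ]; then
        chmod 700 "$home/secrets"
        find "$home/secrets" -type f -exec chmod 600 {} +
    fi
}

# Constructed fixture mimicking the listing in the question; it is not a
# real Jenkins installation and the file contents are placeholders.
jenkins_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/secrets"
    for f in config.xml credentials.xml secret.key \
             secrets/master.key secrets/hudson.util.Secret \
             secrets/jenkins.security.ApiTokenProperty.seed; do
        echo placeholder > "$d/$f"
        chmod 644 "$d/$f"
    done
    chmod 755 "$d/secrets"
    printf '%s\n' "$d"
}

d=$(jenkins_demo_fixture)
jenkins_secret_audit "$d"     # lists the six 644 files, returns 1
jenkins_secret_harden "$d"
jenkins_secret_audit "$d"     # lists nothing, returns 0
rm -rf "$d"
```

Run the audit again after saving a configuration change in Jenkins: a file that Jenkins rewrites itself may come back with whatever mode its process umask allows, so if a chmod does not survive a save, the durable fix is the service's umask (UMask= in the [Service] section of a systemd unit) rather than a one-off chmod. The report above that changing permissions broke a setup is the reason the hardening function leaves ownership alone and restricts itself to the files in the listing.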

Related

Amazon-ssm-agent unrecognized service (just installed it via Docker)

I am trying to figure out why I cannot start and stop the amazon-ssm-agent service manually in a Kali Linux Docker image running on an Ubuntu 20.04.1 LTS host. Per their instructions, I have obtained the .deb file and installed it with dpkg -i. Although I can interact with it via amazon-ssm-agent -h, register it just fine, etc., I cannot restart the service, which sometimes fixes the Connection Lost issue after registering.
As you can see below, I am using wget to get the .deb file, and installing it:
➜ ~ wget https://s3.us-east-1.amazonaws.com/amazon-ssm-us-east-1/latest/debian_amd64/amazon-ssm-agent.deb
--2020-12-27 22:21:32-- https://s3.us-east-1.amazonaws.com/amazon-ssm-us-east-1/latest/debian_amd64/amazon-ssm-agent.deb
Resolving s3.us-east-1.amazonaws.com (s3.us-east-1.amazonaws.com)... 52.217.109.126
Connecting to s3.us-east-1.amazonaws.com (s3.us-east-1.amazonaws.com)|52.217.109.126|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41537900 (40M) [binary/octet-stream]
Saving to: 'amazon-ssm-agent.deb'
amazon-ssm-agent.deb 100%[========================================================================================================================================================================================================================================>] 39.61M 105MB/s in 0.4s
2020-12-27 22:21:33 (105 MB/s) - 'amazon-ssm-agent.deb' saved [41537900/41537900]
➜ ~ dpkg -i amazon-ssm-agent.deb
Selecting previously unselected package amazon-ssm-agent.
(Reading database ... 231292 files and directories currently installed.)
Preparing to unpack amazon-ssm-agent.deb ...
Preparing for install
Unpacking amazon-ssm-agent (3.0.431.0-1) ...
Setting up amazon-ssm-agent (3.0.431.0-1) ...
Starting agent
➜ ~ service amazon-ssm-agent status
amazon-ssm-agent: unrecognized service
➜ ~
I also cannot use systemctl because of the following error:
➜ ~ systemctl status amazon-ssm-agent
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
➜ ~
I tried looking in /etc/init.d as well, but no luck:
➜ ~ ls /etc/init.d -l
total 240
-rwxr-xr-x 1 root root 2489 Aug 8 07:47 apache-htcacheclean
-rwxr-xr-x 1 root root 8181 Aug 8 07:47 apache2
-rwxr-xr-x 1 root root 1614 Jul 14 2019 atftpd
-rwxr-xr-x 1 root root 2401 May 26 2020 avahi-daemon
-rwxr-xr-x 1 root root 1175 Apr 17 2020 binfmt-support
-rwxr-xr-x 1 root root 2948 Sep 16 07:49 bluetooth
-rwxr-xr-x 1 root root 1232 Dec 1 01:02 console-setup.sh
-rwxr-xr-x 1 root root 937 Sep 3 22:30 cryptdisks
-rwxr-xr-x 1 root root 896 Sep 3 22:30 cryptdisks-early
-rwxr-xr-x 1 root root 3152 Jul 2 13:19 dbus
-rwxr-xr-x 1 root root 1408 Aug 4 23:00 dns2tcp
-rwxr-xr-x 1 root root 7159 May 23 2020 exim4
-rwxr-xr-x 1 root root 3708 Nov 25 21:07 hwclock.sh
-rwxr-xr-x 1 root root 3615 Sep 5 2019 inetsim
-rwxr-xr-x 1 root root 4113 Sep 26 16:48 iodined
-rwxr-xr-x 1 root root 1479 Oct 9 2016 keyboard-setup.sh
-rwxr-xr-x 1 root root 2044 Apr 18 2020 kmod
-rwxr-xr-x 1 root root 5966 Nov 22 15:42 mariadb
-rwxr-xr-x 1 root root 2882 Jul 26 2019 miredo
-rwxr-xr-x 1 root root 4486 Sep 21 14:45 networking
-rwxr-xr-x 1 root root 5658 Jul 26 12:02 nfs-common
-rwxr-xr-x 1 root root 4579 May 28 2020 nginx
-rwxr-xr-x 1 root root 1934 Jul 7 05:55 nmbd
-rwxr-xr-x 1 root root 1494 Sep 23 11:46 ntp
-rwxr-xr-x 1 root root 9138 Oct 28 18:37 openvpn
-rwxr-xr-x 1 root root 3720 Jun 14 2020 pcscd
-rwxr-xr-x 1 root root 1490 Nov 15 2019 postgresql
-rwxr-xr-x 1 root root 924 May 16 2020 procps
-rwxr-xr-x 1 root root 3699 Jul 22 2017 ptunnel
-rwxr-xr-x 1 root root 3836 Jan 2 2017 redsocks
-rwxr-xr-x 1 root root 1615 Aug 19 2018 rlinetd
-rwxr-xr-x 1 root root 2507 Jul 13 01:22 rpcbind
-rwxr-xr-x 1 root root 4417 Aug 26 20:23 rsync
-rwxr-xr-x 1 root root 2864 Oct 20 19:45 rsyslog
-rwxr-xr-x 1 root root 1661 Jun 5 2013 rwhod
-rwxr-xr-x 1 root root 2259 Jul 7 05:55 samba-ad-dc
-rwxr-xr-x 1 root root 1222 Apr 2 2017 screen-cleanup
-rwxr-xr-x 1 root root 3088 Oct 10 2019 smartmontools
-rwxr-xr-x 1 root root 2061 Jul 7 05:55 smbd
-rwxr-xr-x 1 root root 1175 Sep 24 23:10 snmpd
-rwxr-xr-x 1 root root 4056 Dec 2 10:32 ssh
-rwxr-xr-x 1 root root 4440 Sep 5 2019 sslh
-rwxr-xr-x 1 root root 5730 Sep 13 10:43 stunnel4
-rwxr-xr-x 1 root root 1030 Dec 2 03:10 sudo
-rwxr-xr-x 1 root root 1581 Dec 16 08:36 sysstat
-rwxr-xr-x 1 root root 6871 Dec 3 22:53 udev
-rwxr-xr-x 1 root root 2757 Oct 9 08:13 x11-common
➜ ~
However, you can see that running the amazon-ssm-agent command works just fine:
➜ ~ amazon-ssm-agent
Error occurred fetching the seelog config file path: open /etc/amazon/ssm/seelog.xml: no such file or directory
Initializing new seelog logger
New Seelog Logger Creation Complete
2020-12-27 22:24:08 ERROR error fetching the instanceID, Failed to fetch instance ID. Data from vault is empty. EC2MetadataError: failed to make EC2Metadata request
status code: 404, request id:
caused by: not found
2020-12-27 22:24:08 ERROR error occurred when starting amazon-ssm-agent: error fetching the instanceID, Failed to fetch instance ID. Data from vault is empty. EC2MetadataError: failed to make EC2Metadata request
status code: 404, request id:
caused by: not found
➜ ~
The only reason that I need to restart the service after registering is because sometimes I get a "Connection Lost" on the managed instance's ping status after registering. Usually restarting the service seems to do the trick for me.
I'm able to restart the service successfully when just using the host (Ubuntu 20.04), and even when the host is running Kali Linux as well, but not when it's a Docker container, which doesn't make any sense to me because everything is functional with the exception of being able to start/stop the service manually.
I was able to get this running by cloning this repository: https://github.com/gdraheim/docker-systemctl-replacement
After cloning, I ran the following:
/root/docker-systemctl-replacement/files/docker/systemctl.py restart amazon-ssm-agent

SSH 'server refused our key' when using home directory on external EBS volume

Scenario:
AWS EC2 running Red Hat 8.2 with an EBS volume mounted at /data
mount | grep -i data
/dev/nvme1n1 on /data type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
Created a test user with home directory on the external EBS volume, /data/home/test, and copied authorized_keys from ec2-user. SSH fails with 'Server refused our key'. However, when the home directory is moved to the root volume, /home, it is possible to log in.
The permissions are the same, what am I missing? Thanks!
# ls -Rla /data/home/test/
/data/home/test/:
total 16
drwx------. 3 test test 88 Oct 19 10:16 .
drwxr-xr-x. 4 root root 30 Oct 19 10:15 ..
-rw-r--r--. 1 test test 18 Aug 30 2019 .bash_logout
-rw-r--r--. 1 test test 141 Aug 30 2019 .bash_profile
-rw-r--r--. 1 test test 312 Aug 30 2019 .bashrc
-rw-r--r--. 1 test test 172 Feb 6 2020 .kshrc
drwx------. 2 test test 29 Oct 19 10:16 .ssh
/data/home/test/.ssh:
total 4
drwx------. 2 test test 29 Oct 19 10:16 .
drwx------. 3 test test 88 Oct 19 10:16 ..
-rw-------. 1 test test 829 Oct 19 10:16 authorized_keys
# ls -Rla /home/test/
/home/test/:
total 16
drwx------. 3 test test 88 Oct 19 10:40 .
drwxr-xr-x. 8 root root 106 Oct 19 10:39 ..
-rw-r--r--. 1 test test 18 Aug 30 2019 .bash_logout
-rw-r--r--. 1 test test 141 Aug 30 2019 .bash_profile
-rw-r--r--. 1 test test 312 Aug 30 2019 .bashrc
-rw-r--r--. 1 test test 172 Feb 6 2020 .kshrc
drwx------. 2 test test 29 Oct 19 10:40 .ssh
/home/test/.ssh:
total 4
drwx------. 2 test test 29 Oct 19 10:40 .
drwx------. 3 test test 88 Oct 19 10:40 ..
-rw-------. 1 test test 829 Oct 19 10:40 authorized_keys
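Added example, not part of the question: a shell re-implementation of the checks sshd makes under StrictModes (on by default), which is the usual cause of 'Server refused our key' when the key itself is right. It assumes GNU stat (Linux) and takes the user name and home directory as arguments; the fixture is a constructed directory with a placeholder key line, not a real key. The two listings above pass these checks, so two things this check cannot see are worth looking at next: sshd's own reason, which it writes to the auth log and which sshd -d prints when a second instance is run in the foreground on a spare port, and the SELinux context of the files, which is in play here (the seclabel mount option and the trailing '.' in the mode column both show labels are present) and which ls -Z displays.

```shell
#!/bin/sh
# Added example (not OpenSSH code). Re-implements the StrictModes rules for the
# path to ~/.ssh/authorized_keys: the home directory, ~/.ssh and the key file
# must exist, be owned by the user (or root) and must not be writable by group
# or others. Assumes GNU stat. Prints one line per failing check; returns 0
# only when every check passes.
ssh_strictmodes_check() {
    user=$1
    home=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        owner=$(stat -c '%U' "$p")
        perms=$(stat -c '%A' "$p")       # ten characters, e.g. drwx------
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "OWNER   $p is owned by $owner, expected $user"; rc=1
        fi
        case $perms in ?????w*)    echo "GROUP-W $p ($perms)"; rc=1 ;; esac
        case $perms in ????????w*) echo "OTHER-W $p ($perms)"; rc=1 ;; esac
    done
    # A file that passes the mode checks but holds no key line of a type sshd
    # recognises gives the same client-side error, so check that as well.
    f=$home/.ssh/authorized_keys
    if [ -f "$f" ] && ! grep -Eq \
        '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) ' "$f"
    then
        echo "NOKEYS  $f contains no recognised public key line"; rc=1
    fi
    return $rc
}

# Constructed fixture: a home directory laid out like /data/home/test in the
# question, with a placeholder (not real) ed25519 key line.
ssh_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/.ssh"
    chmod 700 "$d/home" "$d/home/.ssh"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotARealOne test@example' \
        > "$d/home/.ssh/authorized_keys"
    chmod 600 "$d/home/.ssh/authorized_keys"
    printf '%s\n' "$d"
}

d=$(ssh_demo_fixture)
ssh_strictmodes_check "$(id -un)" "$d/home" && echo "OK: sshd would accept this layout"
chmod g+w "$d/home/.ssh"                       # the classic mistake
ssh_strictmodes_check "$(id -un)" "$d/home"    # prints GROUP-W ..., returns 1
rm -rf "$d"
```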

How to prevent npm from installing demo/sample/example/test code for a package?

Is there a way to have npm not install certain elements of a package? Like tests or example/demo code?
For example, in my test-api project, a package that I'm using has a dependency called jmespath:
user#hostname MINGW64 ~/Projects/test-api/node_modules/jmespath (develop)
$ ll
total 109
drwxr-xr-x 1 user group 0 May 15 00:16 ./
drwxr-xr-x 1 user group 0 May 15 00:17 ../
-rw-r--r-- 1 user group 126 Apr 25 2014 .eslintrc
-rw-r--r-- 1 user group 13 Apr 10 2014 .npmignore
-rw-r--r-- 1 user group 71 Jul 22 2015 .travis.yml
drwxr-xr-x 1 user group 0 May 15 00:16 artifacts/
-rw-r--r-- 1 user group 932 Feb 29 2016 BASELINE
-rw-r--r-- 1 user group 443 Jul 22 2015 bower.json
-rwxr-xr-x 1 user group 270 Feb 15 2016 g.sh*
-rw-r--r-- 1 user group 855 Mar 25 2016 Gruntfile.js
-rw-r--r-- 1 user group 3130 Apr 25 2014 index.html
-rw-r--r-- 1 user group 105 Apr 28 2014 james.html
-rw-r--r-- 1 user group 58310 Mar 25 2016 jmespath.js
-rwxr-xr-x 1 user group 535 Feb 13 2016 jp.js*
-rw-r--r-- 1 user group 4645 Feb 29 2016 l.js
-rw-r--r-- 1 user group 559 Jul 22 2015 LICENSE
-rw-r--r-- 1 user group 1802 May 15 00:16 package.json
-rw-r--r-- 1 user group 1229 Mar 25 2016 perf.js
-rw-r--r-- 1 user group 2011 Jul 22 2015 README.md
-rw-r--r-- 1 user group 151 Feb 13 2016 reservedWords.json
drwxr-xr-x 1 user group 0 May 15 00:16 test/
Here index.html is a demo app and the test directory contains tests. If I do not want these in the node_modules directory, is there a way to exclude them during npm install?
No; the whole git repository of the dependency package is downloaded, and then the package's dependencies are installed too from their package.json. All this information is stored in your package-lock.json.
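Added example, not from the thread: for a registry dependency npm unpacks the tarball the publisher uploaded, whose contents were fixed at publish time by the package's files list or .npmignore, and npm install offers no consumer-side filter. What a consumer can do is prune after install, which the following shell function does for directories named test, tests, __tests__, example, examples or demo that sit directly under a package root (node_modules/<pkg> or node_modules/@scope/<pkg>), leaving a package's own lib/test or src/examples alone. It assumes the node_modules path is passed as its first argument and builds a constructed fixture rather than touching a real install.

```shell
#!/bin/sh
# Added example (not npm's own tooling).
# Usage: prune_node_modules_extras NODE_MODULES_DIR [list|delete]
# Lists (default) or deletes test/example/demo directories found directly
# under a package root anywhere inside NODE_MODULES_DIR, nested
# node_modules included.
prune_node_modules_extras() {
    root=$1
    action=${2:-list}
    find "$root" -type d \( -name test -o -name tests -o -name __tests__ \
            -o -name example -o -name examples -o -name demo \) -prune -print |
    while IFS= read -r d; do
        pkg=$(dirname "$d")
        parent=$(dirname "$pkg")
        # keep only directories whose parent is a package root
        case $(basename "$parent") in
            node_modules) ;;
            @*) [ "$(basename "$(dirname "$parent")")" = node_modules ] || continue ;;
            *)  continue ;;
        esac
        printf '%s\n' "$d"
        if [ "$action" = delete ]; then
            rm -rf "$d"
        fi
    done
}

# Constructed fixture shaped like the jmespath listing in the question plus
# a scoped package, a nested dependency and a decoy lib/test that must stay.
npm_demo_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/node_modules/jmespath/test" "$t/node_modules/jmespath/artifacts" \
             "$t/node_modules/@scope/pkg/examples" \
             "$t/node_modules/foo/lib/test" \
             "$t/node_modules/foo/node_modules/bar/demo"
    echo "module.exports = {};" > "$t/node_modules/jmespath/jmespath.js"
    echo "<html>demo</html>"   > "$t/node_modules/jmespath/index.html"
    echo "// fixture"          > "$t/node_modules/jmespath/test/t.js"
    printf '%s\n' "$t"
}

t=$(npm_demo_fixture)
prune_node_modules_extras "$t/node_modules"           # prints the 3 package-level dirs
prune_node_modules_extras "$t/node_modules" delete    # removes them, lib/test survives
rm -rf "$t"
```

Run it as a build step after npm ci, keep the printed list, and treat it as housekeeping rather than a security boundary: the next npm ci restores the files, and a package that requires something from its own test or examples directory at runtime will break, so run the test suite afterwards. Where the concern is demo HTML being reachable from a web server, the fix is not to serve node_modules at all.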

Size of kernel built is much much larger than the built-in one

I got the latest kernel source from kernel.org (using git) and followed the steps described in this page to build the kernel. The kernel boots successfully; however, I have no idea what was done incorrectly in the configuration process such that initrd.img-3.16.0 is so much larger than the built-in one (initrd.img-3.13.0-32-generic).
I copied the configuration file .config from /boot/ and used "yes '' | make oldconfig" for the kernel configuration.
The file sizes:
total 191M
-rw-r--r-- 1 root root 1.2M Jul 14 21:29 abi-3.13.0-32-generic
-rw-r--r-- 1 root root 162K Jul 14 21:29 config-3.13.0-32-generic
-rw-r--r-- 1 root root 167K Aug 4 19:48 config-3.16.0
-rw-r--r-- 1 root root 20M Jul 28 15:14 initrd.img-3.13.0-32-generic
-rw-r--r-- 1 root root 151M Aug 4 19:48 initrd.img-3.16.0
-rw-r--r-- 1 root root 173K Mar 12 05:31 memtest86+.bin
-rw-r--r-- 1 root root 174K Mar 12 05:31 memtest86+.elf
-rw-r--r-- 1 root root 175K Mar 12 05:31 memtest86+_multiboot.bin
-rw------- 1 root root 3.3M Jul 14 21:29 System.map-3.13.0-32-generic
-rw-r--r-- 1 root root 3.4M Aug 4 19:48 System.map-3.16.0
-rw------- 1 root root 5.6M Jul 14 21:29 vmlinuz-3.13.0-32-generic
-rw-r--r-- 1 root root 5.7M Aug 4 19:48 vmlinuz-3.16.0
Thanks!
William
Follow the steps below to obtain the right kernel configuration:
Copy /boot/.config to the kernel source code directory
make menuconfig
Exit and save the configuration
make
and then continue with the other options for install.
Note: since you are using make oldconfig, this enables many of the options not related to the platform but related to the CPU architecture.
These steps should help you solve this issue.

Failure to run postgresql on Mac (after reboot)

Whatever I did, I couldn't start postgresql 9.2 on Mac 10.9.3 again after a reboot.
$ initdb -D /usr/local/var/postgres
The files belonging to this database system will be owned by user "alex".
This user must also own the server process.
The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
initdb: directory "/usr/local/var/postgres" exists but is not empty
If you want to create a new database system, either remove or empty
the directory "/usr/local/var/postgres" or run initdb
with an argument other than "/usr/local/var/postgres"
I decided I should create another directory in it. So I created data directory there and ran initdb again:
$ initdb -D /usr/local/var/postgres/data
The files belonging to this database system will be owned by user "alex".
This user must also own the server process.
The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /usr/local/var/postgres/data ... initdb:
could not change permissions of directory "/usr/local/var/postgres/data":
Operation not permitted
I tried to change the permissions but didn't figure out what the right ones were. Here is what I have:
$ ls -ald /usr/local/var/postgres
drwxr-xr-x 22 _postgres staff 748 Jun 13 17:26 /usr/local/var/postgres
$ ls -ald /usr/local/var/postgres/data
drwxr-xr-x 2 _postgres staff 68 Jun 13 17:26 /usr/local/var/postgres/data
$ ls -al /usr/local/var/postgres
total 96
drwxr-xr-x 22 _postgres staff 748 Jun 13 17:26 .
drwx------ 3 alex admin 102 Jun 1 15:08 ..
-rw------- 1 _postgres _postgres 4 Jun 1 15:08 PG_VERSION
drwx------ 6 _postgres _postgres 204 Jun 2 11:40 base
drwxr-xr-x 2 _postgres staff 68 Jun 13 17:26 data
drwx------ 42 _postgres _postgres 1428 Jun 2 14:18 global
drwx------ 3 _postgres _postgres 102 Jun 1 15:08 pg_clog
-rw------- 1 _postgres _postgres 4465 Jun 2 10:58 pg_hba.conf
-rw------- 1 _postgres _postgres 1636 Jun 1 15:08 pg_ident.conf
drwx------ 4 _postgres _postgres 136 Jun 1 15:08 pg_multixact
drwx------ 3 _postgres _postgres 102 Jun 1 18:24 pg_notify
drwx------ 2 _postgres _postgres 68 Jun 1 15:08 pg_serial
drwx------ 2 _postgres _postgres 68 Jun 1 15:08 pg_snapshots
drwx------ 7 _postgres _postgres 238 Jun 2 21:23 pg_stat
drwx------ 2 _postgres _postgres 68 Jun 2 21:23 pg_stat_tmp
drwx------ 3 _postgres _postgres 102 Jun 1 15:08 pg_subtrans
drwx------ 2 _postgres _postgres 68 Jun 1 15:08 pg_tblspc
drwx------ 2 _postgres _postgres 68 Jun 1 15:08 pg_twophase
drwx------ 4 _postgres _postgres 136 Jun 1 15:08 pg_xlog
-rw------- 1 _postgres _postgres 20571 Jun 1 15:08 postgresql.conf
-rw------- 1 _postgres _postgres 79 Jun 1 18:24 postmaster.opts
-rw------- 1 _postgres _postgres 1482 Jun 2 21:23 server.log
What should I do next? I'm out of ideas. The only guess is that it is related to a file or folder permissions.
Two-step process:
Go to your web-browser and search for "postgresql permissions data directory" - look down the list for the page from the official manuals (it's the top one for me).
Read the page from the official manuals and follow the instructions.
Presumably it's complaining that it "could not change permissions" because you aren't running this as user "_postgres". Note - it's normally user "postgres". I don't know if the name-change is something you've done or something common on Mac installations.
Oh - and I can't see why this is tagged "linux"
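Added example, not from the thread: a shell check that applies the two rules the answer points at, ownership of the data directory by the user who starts the server and a mode of 0700 (PostgreSQL 9.x refuses to start when the directory has group or world access; 11 and later also accept 0750), and that reports whether the directory already holds an initialised cluster, which the PG_VERSION file marks. It assumes GNU stat on Linux (macOS's BSD stat takes different format letters) and uses a constructed directory as its fixture.

```shell
#!/bin/sh
# Added example (not PostgreSQL's own tooling).
# Usage: pg_datadir_check DIR [USER]   USER defaults to whoever runs this.
# Returns 0 when USER could start a server on DIR as far as ownership and
# mode are concerned; otherwise prints what is wrong and returns 1.
pg_datadir_check() {
    dir=$1
    user=${2:-$(id -un)}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    owner=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$user" ]; then
        echo "OWNER   $dir belongs to $owner but the server would run as $user;"
        echo "        start it as $owner or: sudo chown -R $user \"$dir\""
        rc=1
    fi
    case $mode in
        700) ;;
        *)  echo "MODE    $dir is $mode; PostgreSQL 9.x needs 700: chmod 700 \"$dir\""
            rc=1 ;;
    esac
    # PG_VERSION marks an initialised cluster. A fresh subdirectory inside one,
    # like data/ in the question, is not a cluster; initdb there would create
    # a second, unrelated cluster rather than revive the existing one.
    if [ -f "$dir/PG_VERSION" ]; then
        echo "CLUSTER $dir holds a PostgreSQL $(cat "$dir/PG_VERSION") cluster"
    else
        echo "EMPTY   $dir has no PG_VERSION, nothing has been initialised here"
    fi
    return $rc
}

# Constructed fixture: an otherwise empty directory marked as a 9.2 cluster.
pg_demo_fixture() {
    d=$(mktemp -d)
    echo 9.2 > "$d/PG_VERSION"
    chmod 700 "$d"
    printf '%s\n' "$d"
}

d=$(pg_demo_fixture)
pg_datadir_check "$d"             # CLUSTER ..., returns 0
pg_datadir_check "$d" _postgres   # OWNER ..., returns 1: owner/user mismatch as in the question
chmod 755 "$d"
pg_datadir_check "$d"             # MODE ..., returns 1
rm -rf "$d"
```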
