Keystone configuration file permissions - security

I'm playing around with Juju and OpenStack and I installed Keystone Identity service on one of the nodes. SSH-ing into the machine I noticed that the permissions of the configuration file /etc/keystone/keystone.conf are 644 (rw-r--r--) which means it is readable by any user on the system.
Keeping in mind that this file contains the MySQL username and password, wouldn't be it right the file to be readable only by the keystone user?
Note that I've tried installing using both Juju and by hand using a fresh Ubuntu 14.04 with the same results.
Edit: Forgot to mention that OpenStack documentation doesn't mention anything about permissions in its docs.

I don't think any other openstack services use keystone.conf. So you may change ownership to keystone and change permission so that only keystone can read.
chown keystone:keystone /etc/keystone/keystone.conf
chmod 600 /etc/keystone/keystone

Related

Linux AWS EC2 Permissions with rsync

I am running a default t2.nano ec2 linux ami. Nothing is changed on it. I am trying to rsync my local changes to the server. There is a permissions issue that I don't know enough about to fix.
My structure is as follows. I'm trying to push my work to the technology directory. The technology directory is mapped to a staging domain. i.e. technology.staging.com
:/var/www/html/technology
this is from the root, and it does work fine, it's the rsync that is failing.
when I push locally to that directory I get a "failed: Permission denied (13)" error.
I'm running an nginx server and assigned permissions to the www directory as follows:
sudo chown -R nginx:nginx /var/www
My user is ec2-user which is the normal default. Here is where I am tripped up. You can see the var directory is given root access.
You can see that the www directory then has permissions set to nginx so our server can access the files. I believe I need to add the ec2-user to this directory as well as the nginx user so that I can rsync my files there and the server will still have access I'm just unsure of how to do that.
As a test, I created a test directory at this location and it worked successfully.
:/home/ec2-user/test
you can see the permission here are set for the ec2-user which is why it works i'm sure.
Here's the command I'm running on my local machine to rsync my files which fails.
rsync -azP -e "ssh -i /Users/username/devwork/company/comp.pem" company_technology/ ec2-user#1.2.3.4:/var/www/html/technology
Here's the command that was working.
rsync -azP -e "ssh -i /Users/username/devwork/company/comp.pem" company_technology/ ec2-user#1.2.3.4:/home/ec2-user/test
I have done enough research and testing to know that it's a permissions error, I just can't figure out the right way to solve it. Do I need to create a group and assign both the nginx and ec2-user to the group and then give that group the same permissions level on the :/var directory.
Side note, what permissions level do I set for the chown to make these permissions that are currently set?
I have server config files in the :/etc/nginx/conf.d/ directory that map to the directories I create inside of :/var/www/html directory so I can have multiple sites hosted on the server.
So in this example, I have a config file at :/etc/nginx/conf.d/technology.conf which maps to the directory at :/var/www/html/technology
Thank you in advance, again, I do feel like I have put forth the research and effort to show that I've gone as far as I know how to do.
The answer made sense after I spent roughly a day playing around. You have to give access to both the ec2-user and the nginx group. I believe you never want to put a user in a group that involves the server itself, I think things would go south.
After changing the owner to both the ec2-user and nginx group, it still didn't work exactly the way I wanted it to. The reason was, I needed the nginx permissions to be updated to what they had when they were assigned the user role.
Basically, theec2-user had write permissions and the server did not. we wanted the user to have write permissions so they could rsync my local files to the directory on the server, and the nginx group needed the same level of permissions to display the pages. Now that I think about it, the nginx group may have only needed read permissions to display things, but this at least solved the problem for now.
Here is the command I ran on the server to update the ownership and the permissions, as well as the output.
modify ownership
sudo chown -R ec2-user:nginx :/var/www/html/technology
modify permissions
sudo chmod -R o=rwx,g+rwx,o-w technology
The end result looks like this
You can see the permissions match, and the ownership is as we expected. The only thing I have to figure out is after I rsync new files to the server, I need to run the previous code to update the permissions again. I'm sure that will come to me later, but I hope this helps anyone in the same situation.

Freeradius problem reading google_authenticator secrets Centos 7

I have a freeradius server setup with google authenticator to provide a basic working multi-factor setup.
Everything works when I run radiusd in debug mode as root. If I start it as a service, logons fail and this messages is recorded when processing messages:
radiusd(pam_google_authenticator)[1115]: Failed to read "/home/user#domain.com/.google_authenticator" for "user#domain.com"
I think this must be a permissions issue since it works fine when run as root.
I don't really want to edit the permissions on each secret file for every user.
I have tried specifying root in
/etc/raddb/radiusd.conf
user = root group = root
but still the service fails unless run from the command line as root. Does anyone have a nice elegant solution to this conundrum?
I think you should check out your systemd service file for radiusd. It might look something like:
https://github.com/ipfire/ipfire-3.x/blob/master/freeradius/systemd/freeradius.service
You can add User= and Group= in the [Service] section of the .service file if needed. See
https://unix.stackexchange.com/questions/347358/how-to-change-service-user-in-centos-7
and
https://serverfault.com/questions/806617/configuring-systemd-service-to-run-with-root-access
It would be a good idea to put the contents of the .service file for radiusd in your post.

How to set ownership for apache under linux (centOS)?

I want to install and use prestashop but now it only works correctly when I set permissions to 777 (I can login to the server via shell with root privileges). While installing I get this error "recursive write permissions for apache user on..." and only works for permissions set to 777. I don't like this idea because after installation I can't even change back to 755 or 775. I also get problem partly solved when I change the user ownership to apache but then I can't do anything with my ftp client with that folder.
The user owner is ftp and the group owner is psacln? How should I change the membership of the folders so I can work both through ftp and allow apache to do things with presta files? (and of course have the permission set not higher then to 775). BTW, do I have to restart a server when adding or removing user's membership of the group?
This should fix your problem.
ssh root#ip_address
chown -R www-data:ftp /var/www/prestashop
You don't need to restart the server.
Optional :
service apache2 reload

AWS Elastic Beanstalk - User Permission Problems

I am trying to configure our Node.js application to be deployed with Amazon Elastic Beanstalk.
Actually I did a few configuration files inside .ebextensions to enable Websockets, doing yum installs for several modules and to install some custom software we need.
So far the App deployment works and all configured software is installed by Beanstalk.
The Problem I have is that the nodejs user wich runs the node application, doesnt have permission to execute the commandline tools installed by our beanstalk custom config.
To be more concrete:
The app supports user file uploads and the uploaded files are saved
to some temp folder on the instance (that works like it should).
Then the app does a commandline execution to convert the uploaded
file in to a custom file format, whats executing something like
/home/ec2-user/converter/bin convert filename output filename.
At this point I get this error:
{ [Error: spawn EACCES] code: 'EACCES', errno: 'EACCES', syscall: 'spawn' }
Overall the app requires several commandline tools for such conversion tasks to run correctly.
Actually they all have the same problem. Even tools installed by yum, such as Imagemagick, are not beeing executed by the app.
Manually, by using the ec2-user account, I am able to execute all these, all files are in place at the right system paths and they work fine. So all installations seem to work right.
I already tried to grant permissions to the user nodejs manually and did chmod the files, but this doesnt seem to take any effect here.
Big question is.. how can I grant the required permissions to the nodejs user or as alternative how to use a defined User to execute node.js?
I believe that the nodejs user doesn't have privileges to use the shell:
[ec2-user#host ~]$ cat /etc/passwd
....
nodejs:x:497:497::/tmp:/sbin/nologin
According to the docs, node runs the command in a shell and returns it.
I also tried:
[ec2-user#host ~]$ pwd
/home/ec2-user
[ec2-user#host ~]$ cat test.js
#!/opt/elasticbeanstalk/node-install/node-v0.10.31-linux-x64/bin/node
require('child_process').exec('/usr/bin/whoami', function (err, data) {
console.log(data);
});
[ec2-user#host ~]$ ls -l
total 4
-rwxrwxrwx 1 ec2-user ec2-user 169 Nov 3 21:49 test.js
[ec2-user#host ~]$ sudo -u nodejs /home/ec2-user/test.js
sudo: unable to execute /home/ec2-user/test.js: Permission denied
I will say that this works, which im confused about (maybe someone can chime in to clarify):
$ sudo -u nodejs /usr/bin/whoami
nodejs
HOWEVER, as an outside observer it seems more like Beanstalk isn't a good fit for you. Generally, Beanstalk is a hands-off fully managed abstraction by design and messing around with the file system permissions and user permissions is over-stepping those boundaries.
As an aside, maybe you want to consider moving to OpsWorks instead. From http://aws.amazon.com/opsworks/faqs/:
Q: How is AWS OpsWorks different than AWS Elastic Beanstalk?
AWS OpsWorks and AWS Elastic Beanstalk both focus on operations, but
with very different orientations. AWS Elastic Beanstalk seeks to
automatically provide key operations activities so that developers can
maximize the time they spend on development and minimize the time they
spend on operations. In contrast, AWS OpsWorks delivers integrated
experiences for IT administrators and ops-minded developers who want a
high degree of productivity and control over operations.
I finally found the solution:
Beanstalk is using the ec2-user account to run bash commands.
So everything installed by commandline cannot be executed by the nodejs user account because of permission conflicts.
Solution was to copy all installed tools in to /usr/local/bin, where they can be executed by any user.
07_myprogram:
command: sudo cp bin/* /usr/local/bin
cwd: /home/ec2-user/myprogram
ignoreErrors: true

WordPress can't install themes

I can't workout how to solve this problem so wordpress would let me upload themes.
I have a fresh copy of Fedora 17 installed on my dev machine.
I then installed mysql using: yum install mysql mysql-server. Next I installed WordPress which also installs apache and php: yum install wordpress
I can go to http://localhost/wordpress and see WordPress working. But when I try tried to install my theme it asked for ftp credentials. I then updated the wp-config.php file and set the FS_METHOD constant to direct. Now it doesn't ask for ftp credentials but it gives me this error:
Could not create directory. /usr/share/wordpress/wp-content/themes/my-theme-name/
httpd service is running under 'apache' user and 'apache' group. The /usr/share/wordpress/ directory is recursively own by 'apache' user and 'apache' group too. I've even set the permissions to 777 (also recursively) and even then I keep getting the same error as above.
How can I solve this problem?
Fedoras SELinux configuration is most probably blocking the attempts of the webserver to write to the disk. To change the settings for your wordpress folder you can run this command (as root):
chcon -R -t httpd_sys_content_rw_t /usr/share/wordpress/wp-content
No need to do chmod 777 to the whole folder, this is a huge security risk. Of course this is for direct filesystem access, you have to disable the ftp access. For ftp access you will have to look up the right SELinux context.
You got the check these lines in your Wp-config.php (aproximatively line 105) :
define('FTP_USER', 'usr');
define('FTP_PASS', 'P#ssw0rd');
define('FTP_HOST', 'url');
You process of web server is running on apache but Wordpress will use the account define in the wp-config.php . So you got to set the group of your user to get access to these files.
Setting permissions 777 is not a solution, you got to care about it.

Resources