Open trocster opened 1 month ago
Hi @trocster! Thanks for reporting this.
> this is fixed with "umask 0077" and removing the noexec mount option for /tmp

What's the umask value that caused this issue? (To reproduce the issue on our end.)
What are you running `fleetctl package` on?
What's your `/tmp` setup? (Is it mounted separate from the root partition?)
@trocster UPDATE: We've decided to add the requirement as a documentation for now. See https://fleetdm.com/guides/enroll-hosts, we added:
> fleetctl on macOS/Linux requires umask to be 022/002 and /tmp (used during package generation) has to be mounted without noexec.
Hey @trocster, thanks for tracking this!
What Linux distribution+version are you running fleetctl package on?
When you get the chance, can you please let us know which Linux distro you're using?
Fleet only supports and pursues bugs on these Linux distros:
cc @lucasmrod
Hi,
Thanks for looking at this. Sorry, I got my umasks mixed up: the hardened and default umask is 0077. New files are created with no rwx permissions set for others and the group. The fix is to set umask 0022.
The distro this issue applies to is Debian Bookworm (12.7). This is not an "out of the box" Debian install, but it followed some common CIS Benchmark hardening measures.
E.g. "5.4.3.3 Ensure default user umask is configured (Automated)" ... "set the default umask to 027 or more restrictive"
These common security measures are also present in Ubuntu STIGs, for example:
> Configure Ubuntu 22.04 LTS to define the default permissions for all authenticated users in such a way that the user can read and modify only their own files.
> Add or modify the following line in the "/etc/login.defs" file:
> UMASK 077

From: https://www.stighub.com/search/umask/Canonical%20Ubuntu%2022.04%20LTS
The noexec mount option for /tmp is also a common security control, with both STIG and CIS 'checking':
> 1.1.2.1.4 Ensure noexec option set on /tmp partition (Automated)

From: CIS_Ubuntu_Linux_24.04_LTS_Benchmark_v1.0.0.pdf
> If the "/tmp" file system is mounted without the "noexec" option, this is a finding.

For RHEL 9 Cat II STIG ver 1, rel 2, so not directly applicable, but it is downstream from Fedora, which you do support. Thanks for the official Linux list.
It would be great if the fleetctl tool aligned, or worked, with common security measures. Or at least make it more prominent in the documentation that the fleetctl server is best if it is not STIG/CIS hardened or compliant (sorry, that sounds rather bad).
Are the umask and noexec mount option "/tmp" controls too extreme? Even though "fleetctl package" is potentially quite a sensitive step/process and benefits from a hardened and more secure environment? What do other sysadmins think?
[edited to fix details of broken and working umasks]
@noahtalerman Re-assigning to you for guidance on next steps.
@lucasmrod thanks! Reminder to add `:product` and remove `:release` for bugs that need product input.
Fleet version:
```
fleetctl - version 4.57.3
  branch:     HEAD
  revision:   289a508b2162b17799d97fd7fe27a1682a5de8e4
  build date: 2024-10-11
  build user: runner
  go version: go1.23.1
```
💥 Actual behavior
As uid 0,
```
fleetctl package --verbose --type=deb --enable-scripts --fleet-url=https://example.com --enroll-secret=**
Generating your fleetd agent...
{"level":"debug","path":"/tmp/user/0/orbit-package2089577008","time":"2024-10-11T20:29:13+01:00","message":"created temp directory"}
Error: create orbit dir: Path /tmp/user/0/orbit-package2089577008/root already exists with mode 20000000700 instead of the expected 20000000755
```
🕯️ More info (optional)
Feature request, I suppose.
The /tmp noexec mount option and general umask value of 0077 are not particularly strict, the surprise is that fleetctl stumbles.
🛠️ To fix
this is fixed with "umask 0077" and removing the noexec mount option for /tmp
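The failure above comes from the interaction between a restrictive umask and a directory-creation routine that compares the on-disk permission bits against the bits it asked for: the kernel applies the umask at mkdir time, so a request for 0755 under umask 0077 produces 0700, and the "already exists with mode 20000000700 instead of the expected 20000000755" check trips on a directory that was created a moment earlier (the leading 2 in those numbers is Go's ModeDir bit printed in octal in front of the permission bits). The following Go program is an added illustration written for this issue, not Fleet's own code: `StrictEnsureDir` reproduces that kind of umask-sensitive check, `EnsureDirIgnoringUmask` shows the umask-independent alternative of setting the bits explicitly with Chmod after creation, and `MountHasNoexec` is a small preflight that reads a `/proc/mounts` style table to tell whether `/tmp` carries `noexec`. All function names are hypothetical, the mounts excerpt is constructed, and the program assumes Linux (it uses `syscall.Umask` to emulate the hardened host).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// StrictEnsureDir creates dir with the requested mode and then insists that the
// directory on disk carries exactly those permission bits. Under umask 0077 the
// kernel strips the group/other bits at mkdir time, so 0o755 becomes 0o700 and
// the check fails even though the directory was just created successfully.
// (Hypothetical helper modelled on the error in the report, not Fleet's code.)
func StrictEnsureDir(dir string, want os.FileMode) error {
	if err := os.MkdirAll(dir, want); err != nil {
		return err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if info.Mode().Perm() != want.Perm() {
		// %o on an os.FileMode prints the ModeDir bit (1<<31 = 0o20000000000)
		// in front of the permission bits, which is why the report shows
		// 20000000700 vs 20000000755.
		return fmt.Errorf("path %s already exists with mode %o instead of the expected %o",
			dir, info.Mode(), want.Perm()|os.ModeDir)
	}
	return nil
}

// EnsureDirIgnoringUmask creates dir and then sets the permission bits with
// Chmod, which the umask does not filter, so the leaf directory ends up with
// the same bits whether the caller's umask is 0022 or 0077. Parent directories
// created by MkdirAll are left as the umask made them.
func EnsureDirIgnoringUmask(dir string, want os.FileMode) error {
	if err := os.MkdirAll(dir, want); err != nil {
		return err
	}
	return os.Chmod(dir, want.Perm())
}

// DirPerm returns the permission bits (without type bits) of dir.
func DirPerm(dir string) (os.FileMode, error) {
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// MountHasNoexec reports whether mount point mp appears in a /proc/mounts style
// table with the noexec option. The table is passed in as text so the check can
// be exercised on constructed input; a real preflight would read /proc/mounts.
func MountHasNoexec(mountsTable, mp string) bool {
	sc := bufio.NewScanner(strings.NewReader(mountsTable))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // device mountpoint fstype options dump pass
		if len(f) < 4 || f[1] != mp {
			continue
		}
		for _, opt := range strings.Split(f[3], ",") {
			if opt == "noexec" {
				return true
			}
		}
	}
	return false
}

// Constructed /proc/mounts excerpt (not taken from the reporter's host).
const sampleMounts = "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n" +
	"/dev/sda1 / ext4 rw,relatime 0 0\n"

func main() {
	old := syscall.Umask(0o077) // emulate the CIS/STIG-hardened default umask
	defer syscall.Umask(old)

	base, err := os.MkdirTemp("", "umask-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	fmt.Println("strict check:", StrictEnsureDir(filepath.Join(base, "strict", "root"), 0o755))
	fmt.Println("chmod variant:", EnsureDirIgnoringUmask(filepath.Join(base, "fixed", "root"), 0o755))
	fmt.Println("/tmp mounted noexec:", MountHasNoexec(sampleMounts, "/tmp"))
}
```

Run as a normal user on Linux; the strict check returns an error under umask 0077 while the Chmod variant succeeds with 0755 on the leaf, and the mounts preflight reports noexec for the constructed `/tmp` entry. The point for a tool like `fleetctl package` is that comparing permission bits after MkdirAll is a fragile way to detect a pre-existing directory, because the umask legitimately changes the result; checking the noexec flag up front gives a clearer error than a failed execution later in the build.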