foxpass-setup's People

Contributors

apeschel, aren, artemchekunov, asakapab0i, cbeckr, danishfoxpass, dnelson, funzoneq, grk-it, mattfawcett, ttheune

foxpass-setup's Issues

Documentation outdated

Can you update your documentation to include Debian 10 here: https://docs.foxpass.com/docs/debian-9 ?

Also, can you please add support for Debian 11 Bullseye? We were forced to use it because we had a box that was better supported by the newest OS (I know, not officially released yet). I'm going to try the debian-10 script in a docker image first to see how that goes.

AWS IMDSv2 Compatibility

Many of the scripts in this repo are not compatible with AWS IMDSv2. This includes the Ubuntu 21.04 and Ubuntu 22.04 scripts.

If you search, you will find many instances of code like the following:

aws_instance_id=`curl -s -q -f http://169.254.169.254/latest/meta-data/instance-id`
aws_region_id=`curl -s -q -f http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.$//'`

I suggest replacing the above code with the following code across the repo:

aws_meta_data_token=$(curl -s -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
aws_instance_id=$(curl -s -q -f -H "X-aws-ec2-metadata-token: $aws_meta_data_token" http://169.254.169.254/latest/meta-data/instance-id)
aws_region_id=$(curl -s -q -f -H "X-aws-ec2-metadata-token: $aws_meta_data_token" http://169.254.169.254/latest/meta-data/placement/region)

Note: shellcheck recommends $(...) over backticks `...`.
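As an added example (not code from the foxpass-setup repository or the issue author), here is the token handshake the proposed replacement performs, written in the project's own language, Python, against a constructed loopback stand-in for the metadata service so it runs offline. The mock, the function names and the instance-id and region values are assumptions.

```python
import http.server, secrets, threading, urllib.error, urllib.request

# Constructed stand-in for the EC2 metadata service (not AWS's real one): like IMDSv2 in
# "required" mode, it serves metadata only to requests carrying a token from PUT /latest/api/token.
class MockIMDS(http.server.BaseHTTPRequestHandler):
    tokens = set()  # tokens issued so far (class-wide; each request gets a new handler instance)
    META = {"/latest/meta-data/instance-id": "i-0123456789abcdef0",  # constructed sample values
            "/latest/meta-data/placement/region": "us-west-2"}
    def log_message(self, *args):  # silence per-request logging
        pass
    def do_PUT(self):
        if self.path == "/latest/api/token" and self.headers.get("X-aws-ec2-metadata-token-ttl-seconds"):
            token = secrets.token_urlsafe(16)
            self.tokens.add(token)
            return self._reply(200, token)
        self._reply(400, "")
    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return self._reply(401, "")  # what the token-less curl in the current scripts gets back
        self._reply(200, self.META[self.path]) if self.path in self.META else self._reply(404, "")
    def _reply(self, code, body):
        self.send_response(code); self.end_headers(); self.wfile.write(body.encode())
def start_mock_imds():
    """Serve the mock on a random loopback port; returns its base URL."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port
def imds_token(base, ttl=60):
    """Step 1 of the proposed fix: PUT /latest/api/token with the TTL header (the curl -X PUT line)."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urllib.request.urlopen(req, timeout=3) as r:
        return r.read().decode()
def imds_get(base, path, token=None):
    """Step 2: read a metadata path, sending X-aws-ec2-metadata-token when given. Returns (status, body)."""
    req = urllib.request.Request(base + path)
    if token:
        req.add_header("X-aws-ec2-metadata-token", token)
    try:
        with urllib.request.urlopen(req, timeout=3) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""
def instance_identity(base):
    """The issue's replacement end to end: fetch the token, then read instance-id and region with it."""
    token = imds_token(base)
    return (imds_get(base, "/latest/meta-data/instance-id", token)[1],
            imds_get(base, "/latest/meta-data/placement/region", token)[1])
```

Against the mock, the token-less read returns 401, which is exactly why the backtick-style calls in the scripts come back empty once IMDSv2 is enforced on an instance.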

foxpass setup script can sometimes fail if apt lock is in place

This is more of an FYI than a real bug. Because I have a system image with security auto-updates enabled, it will do an apt-get update at first boot. Since foxpass-setup also does this, it will sometimes fail with:

E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?

I've added a simple loop to my userdata script as a fix, but you may consider incorporating similar logic into foxpass-setup:

# wait for other apt processes to finish before running foxpass script
while fuser /var/lib/dpkg/lock >/dev/null 2>&1; do
    sleep 1
done

foxpass_setup.py: generate incorrect /usr/local/sbin/foxpass_ssh_keys.sh

In Python, the backslash (\) is a special character, aka the escape symbol.
When Python writes a file with a backslash, the next symbol will be escaped,

which means \\ => \

Python 3.9.12 (main, Mar 26 2022, 15:52:10)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.31.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: f = open('a_file', "w")

In [2]: f.write('foo\\bar')
Out[2]: 7

In [3]: f.close()

In [4]: cat a_file
foo\bar

So if grep -q "^${user/./\\.}:" /etc/passwd; then exit; fi turns into if grep -q "^${user/./\.}:" /etc/passwd; then exit; fi

This means that if a user has a dot in the name, for example foo.bar, it's not going to be escaped on the bash side.

test:

cat > passwd_test <<EOF
foo.bar:pwd
foo bar:pwd
foo_bar:pwd
foo-bar:pwd
foo2bar:pwd
EOF

user='foo.bar'
grep "^${user/./\.}:" passwd_test
foo.bar:pwd
foo bar:pwd
foo_bar:pwd
foo-bar:pwd
foo2bar:pwd

grep "^${user/./\\.}:" passwd_test
foo.bar:pwd
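An added illustration (not from the issue author or the repository) of the escaping layers in this bug: the generated grep line written as a normal versus a raw Python string, what bash is assumed to leave of the replacement (modelled on the issue's own test output above), and which of the passwd_test lines grep would then match. The model of bash's replacement handling and the function names are assumptions.

```python
import re

# Constructed /etc/passwd-style sample: the same usernames as the issue's passwd_test.
PASSWD_LINES = ["foo.bar:pwd", "foo bar:pwd", "foo_bar:pwd", "foo-bar:pwd", "foo2bar:pwd"]

# The grep line as a normal Python string literal: '\\.' is ONE backslash in the written file.
BUGGY_TEMPLATE = 'if grep -q "^${user/./\\.}:" /etc/passwd; then exit; fi'
# The same line as a raw string: '\\.' survives as two backslashes, so bash keeps one for grep.
FIXED_TEMPLATE = r'if grep -q "^${user/./\\.}:" /etc/passwd; then exit; fi'

def replacement_in_template(line: str) -> str:
    """Pull the replacement text out of ${user/./<repl>} in a generated grep line."""
    m = re.search(r'\$\{user/\./(.*?)\}', line)
    if not m:
        raise ValueError("no ${user/./...} expansion found")
    return m.group(1)

def bash_replacement(repl: str) -> str:
    """Assumed model of bash's handling of the replacement text, matching the issue's output:
    a backslash escapes the next character, so '\\.' -> '.' and '\\\\.' -> '\\.'."""
    return re.sub(r'\\(.)', r'\1', repl)

def grep_pattern(line: str, user: str) -> str:
    """Regex grep receives for `user` after ${user/./repl} (bash replaces the first '.' only)."""
    return "^" + user.replace(".", bash_replacement(replacement_in_template(line)), 1) + ":"

def matching_lines(line: str, user: str) -> list:
    """Lines of the sample passwd file the generated check would treat as 'user exists'."""
    pat = re.compile(grep_pattern(line, user))
    return [entry for entry in PASSWD_LINES if pat.search(entry)]
```

With the buggy template the check for foo.bar matches all five sample entries, so the script would skip creating the user whenever any similarly named account exists; with the raw-string template only foo.bar:pwd matches.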

Sudo fixes broke my userdata script and sudoers file

When adding to the sudoers file, a newline is not added at the end of the file, and if you are using Amazon userdata scripts to make additional changes to the sudoers file it will break unless you know to prepend the additional changes w/ a newline.

I basically ended up with a sudoers file that ended w/

%foxpass-sudo ALL=(ALL:ALL) NOPASSWD:ALL%Ops ALL = NOPASSWD: ALL

Luckily I caught this on a newly provisioned server before it started to spread to the rest of the infrastructure.

A few takeaways from this:

  1. I'm not sure if I like the idea of Foxpass deciding what groups are going to be given sudo rights automatically; perhaps it should be configurable in the web interface, if anything.
  2. I should have pinned the version of the setup script in my userdata script instead of using https://raw.githubusercontent.com/foxpass/foxpass-setup/master/linux/ubuntu/16.04/foxpass_setup.py, which has the possibility of changing between server provisioning runs.
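An added example, not code from foxpass-setup, that reproduces the concatenation above with the issue's two rules and shows an append that first makes sure the existing file ends in a newline. The temporary file layout and the function names are assumptions.

```python
import os
import tempfile

# Constructed sudoers fragments taken from the issue: the rule foxpass-setup writes, then the
# rule the userdata script appends afterwards.
FOXPASS_RULE = "%foxpass-sudo ALL=(ALL:ALL) NOPASSWD:ALL"
OPS_RULE = "%Ops ALL = NOPASSWD: ALL"

def append_naive(path, line):
    """The failure mode: write the rule with no trailing newline, so the next append glues onto it."""
    with open(path, "a") as f:
        f.write(line)

def append_rule(path, line):
    """Safe append: if the file is non-empty and its last byte is not '\\n', add one first."""
    with open(path, "a+b") as f:
        f.seek(0, os.SEEK_END)
        if f.tell() > 0:
            f.seek(-1, os.SEEK_END)
            if f.read(1) != b"\n":
                f.write(b"\n")
        f.write(line.encode() + b"\n")

def rules(path):
    """Non-blank lines of the file, i.e. the rules as a line-based sudoers parser would see them."""
    with open(path) as f:
        return [l.rstrip("\n") for l in f if l.strip()]

def demo():
    """Returns (rules of the broken file, rules of the fixed file)."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "sudoers_bad"), os.path.join(d, "sudoers_good")
    append_naive(bad, FOXPASS_RULE); append_naive(bad, OPS_RULE)   # both appends newline-less
    append_rule(good, FOXPASS_RULE); append_naive(good, OPS_RULE)  # same naive userdata append
    return rules(bad), rules(good)
```

Whatever writes the file, running visudo -cf on the result before the script exits turns this class of mistake into a provisioning failure instead of a silently merged rule.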
