Permission Issues on custom fixlet to address security issues

Hi everyone,
I’m writing to address a problem that I’m having on a custom fixlet I created to address security vulnerabilities.

The issue that I’m having is that whenever I try to “take action” from the fixlet on some test VMs, I get a permission error.
So I tried to handcraft a sort of logging system into the fixlet, but still, the action failed to complete due to permission issues and I got no logs.
It seems that the script of the fixlet can’t be even executed due to lack of permissions.
Please correct me if something that I’m stating is wrong/not correct.

I’m going to attach to this thread the content of the fixlet.
Attachment: MSC 0000-2 - Check salt-minion for purge on RHEL-like.bes (3.9 KB)
Any feedback from anyone trying to help me with this issue is more than welcome.

Thanks everybody.

~Rei

Are the computers subscribed to the custom site where you saved your fixlet to?

Where is the permission error? Is it presented in the Console or in the client log? Can you include the exact message and, if it’s from the client log, the log from the client running the action?

Hi @JonL,
thank you for your feedback.

Currently the site of the fixlet is the “Master Action Site” and it is in the domain “All Content”.
The computers check for the relevance of the fixlet correctly before applying it.

~ Rei

Hi @JasonWalker ,
Thank you for your feedback too.

Please refer to the following :

  • Where is the permission error?
    The error is in the detail of the Action Info, the exit code is “126”.

  • Is it presented in the Console or in the client log?
    It’s not presented directly into the console, there you just see the status as “Failed”.
    On the other hand, after taking a look in the action info you see exit code “126”.

  • Can you include the exact message and, if it’s from the client log, the log from the client running the action?
    Sure, here is a portion of the log related to the action from the BESClient log:
    (I’m going to censor logs related to the root server with a series of asterisks)

At 11:51:00 +0200 -
   ActionLogMessage: (action:31320) Action signature verified for Execution
   ActionLogMessage: (action:31320) starting action
At 11:51:00 +0200 - actionsite (http://**************************:52311/cgi-bin/bfgather.exe/actionsite)
   Normal Action Logging. action log all  (action:31320)
   Command succeeded delete No '/var/opt/BESClient/__BESData/actionsite/__appendfile' exists to delete, no failure reported (action:31320)
   Command succeeded appendfile touch /tmp/loggin_file.txt (action:31320)
   Command succeeded (file created) appendfile touch /tmp/loggin_file.txt (action:31320)
   Command succeeded appendfile touch /tmp/loggin_file.txt (action:31320)
   Command succeeded appendfile "###########################" >> /tmp/loggin_file.txt (action:31320)
   Command succeeded appendfile date 1>> /tmp/loggin_file.txt (action:31320)
   Command succeeded appendfile zypper remove *salt-minion* -y $>> /tmp/loggin_file.txt (action:31320)
   Command succeeded appendfile rm -rf /etc/*salt*/* $>> /tmp/loggin_file.txt (action:31320)
   Command succeeded appendfile rm -rf /etc/*salt* $>> /tmp/loggin_file.txt (action:31320)
   Command started - wait chmod 555 "/var/opt/BESClient/__BESData/actionsite/__appendfile (action:31320)
   Command succeeded (Exit Code=1) wait chmod 555 "/var/opt/BESClient/__BESData/actionsite/__appendfile (action:31320)
   Command started - wait /bin/sh -c "/var/opt/BESClient/__BESData/actionsite/__appendfile" (action:31320)
At 11:51:00 +0200 -
   Report posted successfully
At 11:51:00 +0200 - actionsite (http://**************************:52311/cgi-bin/bfgather.exe/actionsite)
   Command succeeded (Exit Code=126) wait /bin/sh -c "/var/opt/BESClient/__BESData/actionsite/__appendfile" (action:31320)
At 11:51:00 +0200 -
   ActionLogMessage: (action:31320) ending action
At 11:51:00 +0200 - mailboxsite (http://**************************:52311/cgi-bin/bfgather.exe/mailboxsite1187688)
   Not Relevant - Test Error - MSC 0000-1 - Check "salt-minion" for purge on RHEL-like (fixlet:31320)
At 11:52:10 +0200 -
   Report posted successfully

Please let me know if you need further information about the problem or if something from the text above isn’t clear.

I look forward to your reply

~ Rei

It looks like the ‘chmod’ command failed before your attempt to execute the script. Is there a closing double quote on the path to ‘__appendfile’? It looks like it’s missing here.

Otherwise, ensure your /var partition is not mounted with the ‘noexec’ option; I’ve seen that come up as an issue before. If /var is mounted with -noexec, you’ll need to create a new mountpoint for /var/opt/BESClient so you can mount that without the -noexec.
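The two causes raised in this reply (the chmod that never applied because of the unbalanced quote, and a noexec mount under /var) both end the same way: /bin/sh cannot execute the appended file and returns 126. The script below is an added example, not code from this thread or from BigFix; it reproduces that exit code with a throwaway file, checks a command line for balanced double quotes, and resolves a path to its mount options the way `findmnt -T` would. The mount table is constructed for the example; on a real host you would pass the contents of /proc/self/mounts instead.

```shell
#!/bin/sh
# Added example, not from the thread or from BigFix: reproduces the "Exit Code=126"
# symptom and checks the two causes discussed above.
# Assumptions: POSIX sh, awk, tr, wc and mktemp are available.

# Constructed /proc/self/mounts-style table (not a real host): /var carries noexec,
# but a separate mount for /var/opt/BESClient does not, the layout the reply recommends.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var xfs rw,noexec,nosuid,relatime 0 0
/dev/sda3 /var/opt/BESClient xfs rw,relatime 0 0'

# mount_opts_for PATH TABLE: print the options of the longest mount point that
# contains PATH (what "findmnt -T PATH -o OPTIONS" reports). On a live host pass
# "$(cat /proc/self/mounts)" as TABLE.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            # "/" contains everything; otherwise PATH must equal mp or start with mp/
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# path_is_noexec PATH TABLE: succeed (exit 0) if PATH lives on a noexec mount.
path_is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# quotes_balanced LINE: succeed if LINE contains an even number of double quotes.
# The client log above shows: chmod 555 "/var/.../__appendfile  (no closing quote).
quotes_balanced() {
    n=$(printf '%s' "$1" | tr -cd '"' | wc -c | tr -d ' ')
    [ $((n % 2)) -eq 0 ]
}

# sh_exit_code_for_mode MODE: write a trivial script, chmod it to MODE, run it the
# way the client runs __appendfile (/bin/sh -c "<path>") and print the exit code.
# Without any execute bit the shell reports "Permission denied" and exits 126.
sh_exit_code_for_mode() {
    f=$(mktemp) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod "$1" "$f"
    /bin/sh -c "$f" 2>/dev/null
    rc=$?
    rm -f "$f"
    echo "$rc"
}

# demo: walk through the checks against the constructed table and a temp file.
demo() {
    target=/var/opt/BESClient/__BESData/actionsite/__appendfile
    echo "options for $target: $(mount_opts_for "$target" "$SAMPLE_MOUNTS")"
    if path_is_noexec "$target" "$SAMPLE_MOUNTS"; then
        echo "$target is on a noexec mount"
    else
        echo "$target is NOT on a noexec mount"
    fi
    line='chmod 555 "/var/opt/BESClient/__BESData/actionsite/__appendfile'
    quotes_balanced "$line" && echo "quotes balanced" || echo "unbalanced quote in: $line"
    echo "mode 444 -> exit $(sh_exit_code_for_mode 444)"   # 126
    echo "mode 555 -> exit $(sh_exit_code_for_mode 555)"   # 0
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run with `RUN_DEMO=1 sh check_appendfile.sh` (file name assumed). On a real client, replacing `$SAMPLE_MOUNTS` with `"$(cat /proc/self/mounts)"` tells you directly whether the __BESData directory sits under a noexec mount, and the 444 versus 555 run shows that a chmod that did not take effect is enough on its own to produce the 126 seen in the action log.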