hrak

Repos: 35 · Followers: 30 · Following: 1

Events

issue comment
Security fixes to address #604

I'm a bit late to the party, but why do we need to run as root at all?

Running this as root seems pretty dangerous.

That's what this PR fixed.

Running as root is indeed dangerous, and I don't want to know how many instances are running as root due to this issue in versions 12.0.6 and 12.1.0 (in our case, it was quite a few).

Created at 1 month ago

Use RHEL 9 repo for Fedora

Created at 1 month ago

issue comment
Security fixes to address #604

I can't test this myself now but does using the CentOS 9 repo rather than 8 fix the Fedora install issue?

I just tested this, and this works without openssl1.1, so that's probably the better solution. Will update PR.

Created at 1 month ago

Fix missing dependency for repo using Fedora

Created at 1 month ago
Chore/remove foodcritic

Could you git tag 4.1.0 please?

Created at 1 month ago
Remove foodcritic, enable unified_mode, move tests to Inspec

You can add me as Hans Rakers. Thanks and you're welcome!

Created at 1 month ago

Fix Inspec platform family names

Fix rule_create_if_missing Inspec tests

Created at 1 month ago
Remove foodcritic, enable unified_mode, move tests to Inspec

Besides the mentioned won't mix-up, it seems like it's running on the newest versions of all distributions, while it fails on the older ones. I haven't investigated fully, but I think it might be OK to only run GitHub Actions on the newest versions, while the older ones are kept for manual runs as a compromise.

Seems like there are some issues with loading ip6tables on the older distros. My guess is that this is GH Actions related, since on my workstation all the tests pass now. Maybe limit the test to the newest distros indeed.

Created at 1 month ago
Remove foodcritic, enable unified_mode, move tests to Inspec

I've been trying out GitHub Actions; it seems like it's working due to your changes!

That's great news!

It seems like quite a few tests work, but also a lot of them fail. Are they all green when you run the tests locally?

I think there are some typos, e.g. this one should check for won't match instead of match for the port 80 rule. Compare:

You are right, I will push some changes in a bit to fix the failing tests.

Created at 1 month ago
issue comment
Security fixes to address #604

Looks like you’re right, these are unrelated failures. Still, you squashed a few!

I think this can be merged in, and these failures dealt with separately.

Yeah, I found the issue with fedora-latest already. It seems to require openssl1.1 to be installed. I will file a PR later to fix that.

Created at 1 month ago

Fix repo install on rhel/fedora/amazon

Install required dep pcre2 from the base repo before installation

Created at 1 month ago
issue comment
Security fixes to address #604

Maybe the easiest solution would be to install pcre2 before the installation of nginx, so turn it into something like:

```ruby
if platform_family?('amazon', 'fedora', 'rhel')
  # Install pcre2 from the distro base repo first; the nginx repo alone
  # cannot satisfy that dependency once every other repo is disabled.
  package 'pcre2'
  package_install_opts = '--disablerepo=* --enablerepo=nginx'
end
```
Created at 1 month ago
issue comment
Security fixes to address #604

Seems good, but a few of the integration tests are failing. Any chance it’s something that can be fixed with this PR?

I briefly looked into it but it seems unrelated to the changes. Something with RHEL + nginx repo + missing libpcre2 dependency.

Created at 1 month ago

restore Ubuntu 18.04 platform testing

Created at 1 month ago
Remove foodcritic, enable unified_mode, move tests to Inspec

I haven't fully checked whether all test functionality was migrated 100% so far - this might take a bit more time.

I have converted every minitest to Inspec so it should cover all the original tests.

Regarding GitHub Actions: I'm fully for it. Last time I checked I had some issues with low-level tasks like iptables rules, so it wasn't easily adopted for this cookbook IIRC, but I think it's worth another try!

Hmm, you may have a point there, not sure if iptables works in that environment.

Created at 1 month ago

Security fixes

Fix nginx running as root on Debian family
Fix webserver able to overwrite/delete config files
Add Inspec tests

Created at 1 month ago
pull request opened
Security fixes to address #604

Fix nginx running as root on Debian family
Fix webserver able to overwrite/delete config files
Add Inspec tests

Description

This PR partly reverts #593 that caused nginx to run as root on Debian platform family. It also makes sure that all configuration files are written as root:root so the webserver has no permission to alter or delete its own configuration.

Issues Resolved

#604 #591

Check List

  • [x] A summary of changes made is included in the CHANGELOG under ## Unreleased
  • [x] New functionality includes testing.
  • [x] New functionality has been documented in the README if applicable.
Created at 1 month ago
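The two properties the PR description above claims (nginx workers not running as root, and configuration files owned root:root so the webserver cannot alter or delete them) can be verified on a host with a small standalone check. The following Ruby is an added example, not code from the nginx cookbook or from this PR; the `ps -eo user,pid,ppid,comm` and `stat -c '%U %G %a %n'` output formats it parses are the ones it assumes, the sample lines it embeds are constructed rather than captured, and the worker user name `www-data` is assumed (Debian's default).

```ruby
# Added example, not code from the nginx cookbook or from this PR. It audits
# two properties: nginx workers must not run as root, and every config file
# must be owned root:root and not writable by the worker user. Inputs mirror
# `ps -eo user,pid,ppid,comm` and `stat -c '%U %G %a %n'` output (assumed).

ROOT_WORKER_FINDING = 'worker pid %d runs as root (parent nginx pid %d)'.freeze

# Parse ps output (header line skipped) into process hashes.
def parse_ps(text)
  text.lines.drop(1).filter_map do |line|
    user, pid, ppid, comm = line.split
    next if comm.nil?
    { user: user, pid: pid.to_i, ppid: ppid.to_i, comm: comm }
  end
end

# The master legitimately runs as root to bind 80/443. A worker is an nginx
# process whose parent is another nginx process; it must have dropped privileges.
def nginx_root_workers(procs)
  nginx = procs.select { |p| p[:comm] == 'nginx' }
  nginx_pids = nginx.map { |p| p[:pid] }
  nginx.select { |p| nginx_pids.include?(p[:ppid]) && p[:user] == 'root' }
end

# Parse stat output into entries with the mode as an integer.
def parse_stat(text)
  text.lines.filter_map do |line|
    user, group, mode, path = line.split(' ', 4)
    next if path.nil?
    { user: user, group: group, mode: mode.to_i(8), path: path.strip }
  end
end

# True if the worker user could write the file via owner, group or other bits.
def writable_by_worker?(entry, worker_user:)
  return true if entry[:user] == worker_user && entry[:mode] & 0o200 != 0
  return true if entry[:group] == worker_user && entry[:mode] & 0o020 != 0
  entry[:mode] & 0o002 != 0
end

def config_findings(entries, worker_user:)
  entries.filter_map do |e|
    if e[:user] != 'root' || e[:group] != 'root'
      "#{e[:path]} owned by #{e[:user]}:#{e[:group]}, expected root:root"
    elsif writable_by_worker?(e, worker_user: worker_user)
      "#{e[:path]} mode #{e[:mode].to_s(8)} is writable by #{worker_user}"
    end
  end
end

# Returns a list of human-readable findings; empty means both properties hold.
def audit(ps_text, stat_text, worker_user: 'www-data')
  findings = nginx_root_workers(parse_ps(ps_text)).map do |w|
    format(ROOT_WORKER_FINDING, w[:pid], w[:ppid])
  end
  findings + config_findings(parse_stat(stat_text), worker_user: worker_user)
end

# Constructed samples (not captured from a real host): a fixed host, and one
# showing the two problems the PR fixes.
FIXED_PS = <<~PS
  USER       PID  PPID COMMAND
  root         1     0 systemd
  root       812     1 nginx
  www-data   813   812 nginx
  www-data   814   812 nginx
PS
FIXED_STAT = <<~STAT
  root root 644 /etc/nginx/nginx.conf
  root root 644 /etc/nginx/sites-available/default
STAT
BROKEN_PS = <<~PS
  USER       PID  PPID COMMAND
  root         1     0 systemd
  root       812     1 nginx
  root       813   812 nginx
PS
BROKEN_STAT = <<~STAT
  root root 644 /etc/nginx/nginx.conf
  www-data www-data 644 /etc/nginx/sites-available/default
STAT

if $PROGRAM_NAME == __FILE__
  puts(audit(FIXED_PS, FIXED_STAT).empty? ? 'fixed host: no findings' : 'unexpected')
  audit(BROKEN_PS, BROKEN_STAT).each { |f| puts "FINDING: #{f}" }
end
```

On a real host, feed it `ps -eo user,pid,ppid,comm` and `stat -c '%U %G %a %n' /etc/nginx/nginx.conf /etc/nginx/conf.d/* /etc/nginx/sites-available/*`; a root-owned file that is group- or world-writable is still reported, since that is the other way the worker could rewrite its own configuration.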
create branch
hrak created branch fix_security
Created at 1 month ago