Make fog.log unreadable by standard users

[lukebarone]

I propose changing the fog.log file to be unreadable by standard users, and only accessible by members of the Administrators group.

Link for reference: https://github.com/FOGProject/zazzles/blob/master/Zazzles/Log/Log.cs#L282

[Sebastian-Roth]

On top of changing permission I also suggest we move that file to C:\ProgramData\FOG\ (or similar subdirectory).

[lukebarone]

I agree! I have the code to change the permissions, but need to locate all the code that refer to the log file itself. I'll dig through the FOG Client code, as I'm sure there's a section in there about it too.

[Sebastian-Roth]

@lukebarone While I don't know the fog-client/zazzles code too well I have had a good dive into it over the years and might help a bit:

• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/Service/main.cs#L32
• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/UniversalInstaller/UniversalInstaller.cs#L204 (reads the fog.log on update error, didn't know that one)
• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/UserService/main.cs#L36 (user context log - should be moved and secured as well I reckon)

Not sure if we should look into securing installer logs as well?

• zazzles/Zazzles/Log/Log.cs

  Line 70 in 34bd5b4

  FilePath = Path.Combine(temp, "FOGService.install.log");

• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/UniversalInstaller/UniversalInstaller.cs#L39
• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/UniversalInstaller/UniversalInstaller.cs#L279 (not implemented? should we get rid of that one completely?)
• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/UniversalInstaller/Linux/LinuxInstall.cs#L47 (Linux installer)
• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/UniversalInstaller/Linux/LinuxInstall.cs#L134 (same)
• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/UniversalInstaller/Mac/MacInstall.cs#L48 (macOS installer)
• https://github.com/FOGProject/fog-client/blob/d05025f63125d3e4082af7344c48ab0bbc4904d2/UniversalInstaller/Mac/MacInstall.cs#L109 (same)

[Sebastian-Roth]

@0x41c Could you please elaborate on the thoughs on this you posted on Mattermost?

[lukebarone]

@Sebastian-Roth Do we know what the UserService does? If it does not run as an Administrator, then the path-changing will not help.

• fog-client/Service/main.cs done
• fog-client/UniversalInstaller/UniversalInstaller.cs - I'm trying to see where Settings.Location gets assigned. Got rid of the ShowGUI() function, since it makes an exception right away that it's not implimented.
• fog-client/UserService/main.cs - No change, don't think we can adjust it unless we ensure the user is an admin (which eliminates the need anyways)
• Did not touch the Mac or Linux stuff yet.

It looks like I am able to just change Zazzles/Log/Log.cs to adjust the path for any logging. I am going to work on building both Zazzles and the FOG Client, and make sure it's working as expected. After that, I'll ask for a code review (again, I'm not good with C#).

[0x41c]

@0x41c Could you please elaborate on the thoughs on this you posted on Mattermost?

For sure, and I think what lukebarone mentioned is what I have a concern with. If UserService does run as Administrator, then any issues found in fog-client will directly lead to local privledge-escalation. I have yet to do dynamic analysis on it, but I'd wait until there's been a good audit on fog-client as a sanity check before we require higher privileges be given to it if it's not given already.

[Sebastian-Roth]

@lukebarone The fog-client consists of two processes at runtime as far as I know. The one running as a service (FOGService) and another one running when a user is logged in - FOGUserService.exe - I think it's running as user not as Administrator (code ref).

So that means that we'd need to either pipe the log information through zazzles message bus (code ref) - not even sure that is possible; or user log information needs to be stripped down/removed altogether. From a few years helping to debug and work on the fog-client/zazzles stuff I can tell you that I haven't looked at this log much at all. Though I would not decide to drop it in a rush.

[lukebarone]

I'm going to see on one of my test machines if after changing the path and permissions on the fog.log file if it is still being written to - if so, then we know the service writing to the log file is running as an Administrator, and these changes should work (again, needing to get the build to work first)