adjusted path to /var/foreman/cache, which I created on the remote host and gave permissions 777
I’m now trying to figure out how I can adjust those permissions down a bit as remote_exec doesn’t seem to sudo when it creates the file.
Yes, that’s the file. However bear in mind that file is managed by the installer and your customizations will be discarded on subsequent installer runs. If you want to make this change persistent, pass --foreman-proxy-plugin-remote-execution-script-remote-working-dir /var/foreman/cache to the installer.
According to the installation documentation at → Installing Foreman 3.2 server with Katello 4.4 plugin on Enterprise Linux, the partition to give exec is /tmp, not /var/tmp. So has it moved from /tmp to /var/tmp?
What is the reason for using these directories anyway for scripts? It does not sound like best security practice. I mean the REX user has a home directory that I assume works to execute scripts in?
I am creating my REX user as a system user with home directory in /opt/fmrex.
So as long as the REX user is the owner of this directory and the /opt partition is mounted with noexec, it feels pretty safe and dynamic. Even if I need to change the REX user for a host down the line, I just have to make sure that the other REX user owns the /opt/fmrex directory.
and can confirm it works just as expected. Scripts are created and run by REX in /opt/fmrex now. Sorta nice to not have to mess with modding the mount permissions for /var/tmp on all these machines with NIST security policies in place that will complain if /var/tmp or /tmp do not have noexec.
Have also beefed up security even more by removing NOPASSWD from the sudo conf and adding a password for the REX user to elevate via sudo. That way, if someone hacked the proxies, all they get is basic user access using the SSH key.
Also added these to /etc/ssh/sshd_config to slim down access even further:
#Deny access for user fmrex from non Foreman proxy IP.
Match User fmrex Address *,!<Proxy IP>
#Only allow user fmrex to log in with SSH key.
Match User fmrex
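The two hardening steps in the post above (sudo without NOPASSWD, and sshd Match blocks that pin fmrex to the proxy address and to key-only login) are easy to get subtly wrong, because an sshd directive only applies inside the Match block that precedes it. The script below is an added example, not code from the thread or from the Foreman project: it reads a constructed sshd_config and sudoers fragment and checks that both rules are actually present. The REX user name fmrex and the proxy address 203.0.113.10 (a documentation-range placeholder for the `<Proxy IP>` in the post) are assumptions, as are the directives inside the Match blocks (`DenyUsers fmrex` and `PasswordAuthentication no`), which the post does not show and which are one common way to fill them in.

```shell
#!/bin/sh
# Added example (not from the thread): static checks for the fmrex hardening.
# Assumptions not in the original post: the REX user is "fmrex", the proxy
# address 203.0.113.10 is a placeholder, and the Match blocks are filled with
# "DenyUsers fmrex" / "PasswordAuthentication no".
REX_USER=fmrex
PROXY_IP=203.0.113.10

# Read an sshd_config on stdin. Succeeds (exit 0) only if both rules are present:
#  1. a "Match User fmrex Address *,!<proxy>" block containing "DenyUsers fmrex",
#     so fmrex is refused from any address but the proxy, and
#  2. "PasswordAuthentication no" in a "Match User fmrex" block (or globally),
#     so fmrex can only authenticate with its key.
# awk tracks which Match block each directive belongs to; a directive placed
# after the wrong Match line silently applies to the wrong connections.
check_sshd_config() {
    awk -v u="$REX_USER" -v ip="$PROXY_IP" '
        /^[[:space:]]*(#|$)/ { next }                  # skip comments and blanks
        tolower($1) == "match" {
            line = tolower($0)
            scope = "other"
            if (index(line, "user " u)) {
                scope = index(line, "address *,!" ip) ? "nonproxy" : "user"
            }
            next
        }
        scope == "nonproxy" && tolower($1) == "denyusers" && $2 == u { denied = 1 }
        (scope == "" || scope == "user") && tolower($1) == "passwordauthentication" {
            keyonly = (tolower($2) == "no")
        }
        END { exit !(denied && keyonly) }
    '
}

# Read a sudoers fragment on stdin. Succeeds only if fmrex has a sudo rule and
# none of its rules carry NOPASSWD, i.e. elevation still requires the password.
check_sudoers() {
    awk -v u="$REX_USER" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == u { has_rule = 1; if ($0 ~ /NOPASSWD/) nopasswd = 1 }
        END { exit !(has_rule && !nopasswd) }
    '
}

# Constructed sample configs for the demonstration (not taken from any host).
# Weak: key-only login is set, but nothing restricts where fmrex may come from.
WEAK_SSHD="PasswordAuthentication yes
Match User $REX_USER
    PasswordAuthentication no"

# Hardened: the shape described in the post, with the block bodies filled in.
HARDENED_SSHD="PasswordAuthentication yes
# Deny access for user $REX_USER from non Foreman proxy IP.
Match User $REX_USER Address *,!$PROXY_IP
    DenyUsers $REX_USER
# Only allow user $REX_USER to log in with SSH key.
Match User $REX_USER
    PasswordAuthentication no"

WEAK_SUDOERS="$REX_USER ALL=(ALL) NOPASSWD: ALL"     # proxy key alone gives root
HARDENED_SUDOERS="$REX_USER ALL=(ALL) ALL"          # sudo prompts for the password

# $1 = label, $2 = config text, $3 = checker function
report() {
    if printf '%s\n' "$2" | "$3"; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

report "weak sshd_config (no address restriction)" "$WEAK_SSHD" check_sshd_config
report "hardened sshd_config" "$HARDENED_SSHD" check_sshd_config
report "weak sudoers (NOPASSWD)" "$WEAK_SUDOERS" check_sudoers
report "hardened sudoers" "$HARDENED_SUDOERS" check_sudoers
```

On a real host the same two questions are answered by sshd itself and by sudo: `sshd -T -C user=fmrex,addr=<some non-proxy IP>` prints the effective configuration for that connection (run as root, since it reads the host keys), and `sudo -l -U fmrex` lists the rules that apply to the user, so a leftover NOPASSWD shows up directly.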