New security setting in BOA Aegir 2.2.1 : Permission denied for /bin paths

[dnotes]

I'm getting a bunch of permission denied errors on commands like "ls" for the main system user (ubuntu@ or vagrant@) after up-stable to 2.2.1. This is happening both on my local Vagrant box and on a cloud server. The octopus users seem to be unaffected, and sudo still works fine and gives access to the entire system. Have you seen this before or do you know what may be happening? Looks to me like the permissions for /bin were removed from that user, if that is even possible.

Edit: text of the messages, so that the next person can find this:

 Barracuda System managed by Skynet Agent v.BOA-2.2.1 welcomes you aboard

You have new mail.
Last login: Wed Apr  2 16:37:00 2014 from 10.0.2.2
-bash: /bin/uname: Permission denied
-bash: [: =: unary operator expected
-bash: /bin/sed: Permission denied
-bash: /bin/ls: Permission denied
-bash: /bin/uname: Permission denied
-bash: [: =: unary operator expected
-bash: /bin/sed: Permission denied
-bash: /bin/ls: Permission denied

[laymonk]

There is a parameter in that forces strict permissions on /usr/bin .. it
restricts the use of /usr/bin commands to only root and users belonging to
the group 'users' ..

You need to add this particular user to the group 'users' to sort it out.

On 3 April 2014 00:17, David Hunt notifications@github.com wrote:

I'm getting a bunch of permission denied errors on commands like "ls" for
the main system user (ubuntu@ or vagrant@) after up-stable to 2.2.1. This
is happening both on my local Vagrant box and on a cloud server. The
octopus users seem to be unaffected, and sudo still works fine and gives
access to the entire system. Have you seen this before or do you know what
may be happening? Looks to me like the permissions for /bin were removed
from that user, if that is even possible.

[image: image]https://cloud.githubusercontent.com/assets/487954/2597940/9ee40a52-babc-11e3-83be-136e8b10a64a.png

Reply to this email directly or view it on GitHubhttps://github.com//issues/296
.

[omega8cc]

Correct, it is by design. If you want to whitelist any non-BOA users, add them to the "users" group:

usermod -aG users vagrant

[dnotes]

Heh. Was just writing that, thanks chuze and omega8cc. Is this a new security setting for this version of Aegir? Did I miss it in the release notes?

[omega8cc]

Yeah, we should document this better: https://github.com/omega8cc/boa/blob/master/CHANGELOG.txt#L454

[omega8cc]

We have added it to docs, but we should explain this also in the release notes.

https://github.com/omega8cc/boa/blob/master/docs/SECURITY.txt

[dnotes]

Ok, good to know. Thanks for the help all.