Security enhanced PMG cannot join cluster

orsiris

Mar 13, 2025
I am behind the development of the security enhanced Linux script "el_scripts", which includes an OpenSCAP profile setup for machines (in my case I use the ANSSI-BP-028-High security profile).
Having applied my security enhancements to PMG 9.x, I couldn't set up a cluster anymore, with the following error:
```
copying master database finished (got 184169 bytes)
delete local database
create new local database
GRANT
GRANT
GRANT
GRANT
insert received data into local database
cluster join failed: postgres_admin_cmd failed: pg_restore failed: pg_restore: error: could not open input file "/tmp/masterdb2717.tar": Permission denied
```

This happened since the /tmp umask created the masterdbxxxx.tar file with permissions 600.
In order to make things work, I modified `/usr/share/perl5/PMG/DBTools.pm` by adding the following on line 1380:
```
# make the received master DB dump readable before pg_restore opens it
my $ocmd = ['/usr/bin/chmod', '644', $fn,];
PVE::Tools::run_command($ocmd);
```

With this, I could join the cluster.
Would it make sense to the Proxmox team to add the above modification, since the file is unlinked after import anyway?

Btw, I also made the following mods for PMG to work with the secure setup:
- set `AllowTcpForwarding yes` again
- configured the firewall to allow all ports from PMG cluster members via `ufw allow from <ip of other cluster members>`
- installed apparmor-utils via `apt install apparmor-utils`
- ran aa-logprof to allow clamav to work properly

Cheers.
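The workaround above makes the dump world-readable (mode 644) in /tmp for the time between copy and unlink. An alternative that grants only the database user access is sketched below. This is an added example, not code from the post or from PMG's DBTools.pm: the helper names (`write_restore_file`, `assert_readable_by`), the `root:postgres` ownership and the 0640 mode are my assumptions, and it assumes it runs as root (as a cluster join does) with a `postgres` user and group present, which is the Debian default.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Hypothetical helper: write received dump data to a temp file that the
# pg_restore user can read, without making it world-readable.
# File::Temp always creates the file with mode 0600 (independent of umask),
# which is exactly the state that produced the "Permission denied" above.
sub write_restore_file {
    my ($data, $dir, $db_user) = @_;
    $dir     //= '/tmp';
    $db_user //= 'postgres';

    my ($fh, $fn) = tempfile('masterdbXXXXXX', DIR => $dir,
                             SUFFIX => '.tar', UNLINK => 0);
    binmode($fh);
    print {$fh} $data or die "write $fn: $!";
    close($fh)        or die "close $fn: $!";

    my $gid = getgrnam($db_user);
    defined $gid or die "no group named '$db_user'";

    # root:postgres, 0640: readable by the postgres group only,
    # instead of chmod 644 which exposes the dump to every local user.
    chown(0, $gid, $fn)                         or die "chown $fn: $!";
    chmod(S_IRUSR | S_IWUSR | S_IRGRP, $fn)     or die "chmod $fn: $!";
    return $fn;
}

# Explicit pre-check so a cluster join fails with a readable reason
# instead of pg_restore's opaque "could not open input file".
# Only the user's primary group is considered (supplementary groups are ignored).
sub assert_readable_by {
    my ($fn, $user) = @_;
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    defined $uid or die "no user named '$user'";

    my @st = stat($fn) or die "stat $fn: $!";
    my ($mode, $fuid, $fgid) = ($st[2] & 07777, $st[4], $st[5]);

    my $ok = ($fuid == $uid && ($mode & S_IRUSR))
          || ($fgid == $gid && ($mode & S_IRGRP))
          || ($mode & S_IROTH);
    $ok or die sprintf("%s (mode %04o, owner %d:%d) is not readable by %s\n",
                       $fn, $mode, $fuid, $fgid, $user);
    return 1;
}

# Usage (constructed sample data, needs root for chown):
unless (caller) {
    my $fn = write_restore_file("constructed sample dump\n", '/tmp', 'postgres');
    assert_readable_by($fn, 'postgres');
    print "$fn is readable by postgres; safe to hand to pg_restore\n";
    unlink $fn;   # PMG unlinks the dump after import as well
}
```

The 0640/group approach keeps working under a restrictive /tmp umask or a hardened profile, and the pre-check turns the permission problem into a clear error before any database is deleted, rather than after "delete local database" has already run.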

Thanks for the report - and quite good to know that most things seem to run okay with this profile...

> Would it make sense to the Proxmox team to add the above modification, since the file is unlinked after import anyway?
We do plan to evaluate and change the use of /tmp in general in PMG - and move most things to /run where sensibly possible - so that should fix this particular issue.

I hope this helps!

> We do plan to evaluate and change the use of /tmp in general in PMG - and move most things to /run where sensibly possible - so that should fix this particular issue.

/run is usually quite small, being a tmpfs. Wouldn't /opt be the perfect candidate here? Also, security best practices consider mounting /run (and /var and /opt...) with `nosuid,noexec,nodev`, so there should never be an executable script in those.