* Mail/SMime: include CA-bundle directories in open_basedir of Apache config of packages
This commit is contained in:
parent
54389ff5a5
commit
3c6e61ba7c
@ -42,7 +42,8 @@ RedirectMatch ^(/principals/users/.*)$ /egroupware/groupdav.php$1
|
||||
php_admin_value mbstring.func_overload 0
|
||||
php_value memory_limit 128M
|
||||
php_value include_path .
|
||||
php_admin_value open_basedir /usr/share/egroupware:/var/lib/egroupware:/tmp
|
||||
# need to include directories of OpenSSL trusted CAs depending on distribution
|
||||
php_admin_value open_basedir /usr/share/egroupware:/var/lib/egroupware:/tmp:/etc/pki/tls/certs:/etc/pki/ca-trust
|
||||
php_value upload_max_filesize 64M
|
||||
php_admin_value upload_tmp_dir /tmp
|
||||
php_value post_max_size 65M
|
||||
|
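Review bot: The two CA paths appended to the open_basedir line are the RHEL/CentOS layout, and nothing in this file tells an admin editing it by hand that the Debian and SUSE packages rewrite them at build time to `/usr/lib/ssl/certs:/usr/share/ca-certificates` and `/var/lib/ca-certificates/openssl` respectively. I would extend the new comment to name them: `# OpenSSL trusted-CA dirs, RHEL/CentOS layout; debian/rules and the spec rewrite these to /usr/lib/ssl/certs:/usr/share/ca-certificates (Debian/Ubuntu) or /var/lib/ca-certificates/openssl (SUSE)`. These directories hold only public certificates, so widening open_basedir to them exposes nothing sensitive, but any further entry added to this line should be held to the same standard since open_basedir is the only thing keeping the PHP process out of the rest of the filesystem.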
@ -57,7 +57,7 @@ Depends: apache2 | nginx,
|
||||
${misc:Depends}
|
||||
Recommends: mariadb-server | mysql-server, php-opcache | php-apc, php-apcu, php5-pecl-smb, php5-tidy | php-tidy, php5-zip | php-zip,
|
||||
mariadb-client | mysql-client | postgresql-client, php5-bcmath | php-bcmath,
|
||||
php5-ldap | php-ldap, php-mbstring, php5-mhash | php-mhash, php-xml
|
||||
php5-ldap | php-ldap, php-mbstring, php5-mhash | php-mhash, php-xml, ca-certificates
|
||||
Suggests: egroupware-epl
|
||||
Provides: egroupware-epl-addressbook, egroupware-epl-pear
|
||||
Replaces: egroupware-core, egroupware-addressbook, egroupware-epl-addressbook,
|
||||
|
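Review bot: `ca-certificates` is added to Recommends rather than Depends, so an installation with `--no-install-recommends` (common on minimal or container images) can end up without `/usr/share/ca-certificates`, the very directory the package's open_basedir rewrite points at, and S/MIME chain verification would presumably fail with no packaging-level hint as to why. If the trust store is required for the S/MIME feature this commit targets, it belongs in `Depends:`; if it is genuinely optional, the package description should say that S/MIME verification needs it. The `Depends:` stanza itself begins before this hunk.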
@ -42,6 +42,8 @@ install: build
|
||||
# customize webserver config
|
||||
mkdir -p $(CURDIR)/debian/egroupware-epl-core/etc/egroupware
|
||||
cp $(CURDIR)/doc/rpm-build/apache.conf $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache.conf
|
||||
# Debian/Ubuntu uses /usr/lib/ssl/certs with files symlinked from /usr/share/ca-certificates instead for trusted OpenSSL CA
|
||||
sed -i '' 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/usr/lib/ssl/certs:/usr/share/ca-certificates|g' $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache.conf
|
||||
# Univention needs access to /usr/sbin/univention-directory-manager symlinked to /usr/share/univention-directory-manager-tools/directory-manager-cli
|
||||
sed 's|\(open_basedir .*\)|\1:/usr/sbin/univention-directory-manager:/usr/share/univention-directory-manager-tools/directory-manager-cli|' \
|
||||
$(CURDIR)/doc/rpm-build/apache.conf > $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache-univention.conf
|
||||
|
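Review bot: `sed -i ''` on the new line is BSD/macOS syntax; GNU sed, which a Debian build uses, only accepts a suffix glued to `-i`, so it takes the empty string as the script and the `s|…|g` expression as an input file — the substitution never happens and sed exits non-zero (`can't read s|…: No such file or directory`), which fails the `install` target under make. Drop the empty argument: `sed -i 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/usr/lib/ssl/certs:/usr/share/ca-certificates|g' $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache.conf`. Separately, the Univention variant is generated from the pristine `doc/rpm-build/apache.conf` rather than the Debian-patched copy, so it keeps the RHEL `/etc/pki` paths even though UCS is Debian-based; sourcing it from the patched `apache.conf` (or applying the same substitution to it) would keep both configs consistent, although `check_fix_open_basedir_certs()` in post_install.php would presumably repair it at install time. The `install:` target continues outside this hunk.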
@ -574,6 +574,11 @@ echo "post_install: %{post_install}"
|
||||
mkdir -p $RPM_BUILD_ROOT%{egwdir}
|
||||
mkdir -p $RPM_BUILD_ROOT%{httpdconfd}
|
||||
cp egroupware/doc/rpm-build/apache.conf $RPM_BUILD_ROOT%{httpdconfd}/egroupware.conf
|
||||
%if 0%{?suse_version}
|
||||
# RHEL/CentOS needs open_basedir to include /etc/pki/tls/certs:/etc/pki/ca-trust
|
||||
# SUSE uses /var/lib/ca-certificates/openssl instead for trusted OpenSSL CA
|
||||
sed -i '' 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/var/lib/ca-certificates/openssl|g' $RPM_BUILD_ROOT%{httpdconfd}/egroupware.conf
|
||||
%endif
|
||||
mkdir -p $RPM_BUILD_ROOT/etc/cron.d
|
||||
sed 's/apache/%{apache_user}/' egroupware/doc/rpm-build/egroupware.cron > $RPM_BUILD_ROOT/etc/cron.d/egroupware
|
||||
mkdir -p $RPM_BUILD_ROOT%{egwdatadir}/default/files
|
||||
|
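Review bot: `sed -i ''` on the new SUSE line has the same portability problem: rpmbuild on openSUSE/SLES runs GNU sed, for which `-i` takes no separate argument, so `''` becomes the (empty) script and the `s|…|g` expression is treated as a file to read, leaving `egroupware.conf` with the RHEL paths and making sed exit non-zero, which most likely aborts `%install`. Use `sed -i 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/var/lib/ca-certificates/openssl|g' $RPM_BUILD_ROOT%{httpdconfd}/egroupware.conf`. The two comments also read oddly inside `%if 0%{?suse_version}`; I would merge them into `# apache.conf ships the RHEL/CentOS CA paths (/etc/pki/tls/certs:/etc/pki/ca-trust); SUSE keeps its OpenSSL trust store in /var/lib/ca-certificates/openssl`. The `%install` section continues outside this hunk.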
@ -65,6 +65,7 @@ $config = array(
|
||||
'folder' => '',
|
||||
'install-update-app' => '', // install or update a single (non-default) app
|
||||
'webserver_user'=> 'apache', // required to fix permissions
|
||||
'apache_config' => '/etc/httpd/conf.d/egroupware.conf',
|
||||
'php5enmod' => '',
|
||||
);
|
||||
|
||||
@ -112,6 +113,7 @@ function set_distro_defaults($distro=null)
|
||||
$config['ldap_context'] = 'ou=people,$base';
|
||||
$config['ldap_group_context'] = 'ou=group,$base';
|
||||
$config['webserver_user'] = 'wwwrun';
|
||||
$config['apache_config'] = '/etc/apache2/conf.d/egroupware.conf';
|
||||
break;
|
||||
case 'debian':
|
||||
// service not in Debian5, only newer Ubuntu, which complains about /etc/init.d/xx
|
||||
@ -128,6 +130,7 @@ function set_distro_defaults($distro=null)
|
||||
$config['autostart_db'] = '/usr/sbin/update-rc.d mysql defaults';
|
||||
$config['autostart_webserver'] = '/usr/sbin/update-rc.d apache2 defaults';
|
||||
$config['webserver_user'] = 'www-data';
|
||||
$config['apache_config'] = '/etc/egroupware/apache.conf';
|
||||
break;
|
||||
case 'mandriva':
|
||||
$config['ldap_suffix'] = 'dc=site';
|
||||
@ -136,6 +139,7 @@ function set_distro_defaults($distro=null)
|
||||
$config['ldap_base'] = '$suffix';
|
||||
$config['ldap_context'] = 'ou=People,$base';
|
||||
$config['ldap_group_context'] = 'ou=Group,$base';
|
||||
$config['apache_config'] = '/etc/apache2/conf.d/egroupware.conf';
|
||||
break;
|
||||
case 'univention':
|
||||
set_univention_defaults();
|
||||
@ -705,9 +709,7 @@ function set_univention_defaults()
|
||||
// set an email address for sysop user so mail works right away
|
||||
$config['admin_email'] = '$admin_user@'.$domain;
|
||||
}
|
||||
# add directory of univention-directory-manager and it's sysmlink target to open_basedir
|
||||
system("/bin/sed -i 's|/usr/bin|/usr/bin:/usr/sbin:/usr/share/univention-directory-manager-tools|' /etc/egroupware/apache.conf");
|
||||
|
||||
$config['apache_config'] = '/etc/egroupware/apache-univention.conf';
|
||||
}
|
||||
}
|
||||
|
||||
@ -793,6 +795,61 @@ function check_fix_php_apc_ini()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if CA certificates are added to open_basedir to be accessible
|
||||
*
|
||||
* Different distros use different CA directories:
|
||||
* - Debian/Ubuntu: /usr/lib/ssl/certs with files symlinked from /usr/share/ca-certificates
|
||||
* - RHEL/CentOS: /etc/pki/tls/certs with files symlinks from /etc/pki/ca-trust
|
||||
* - openSUSE/SLES: /var/lib/ca-certificates/openssl
|
||||
*/
|
||||
function check_fix_open_basedir_certs()
|
||||
{
|
||||
global $config;
|
||||
|
||||
if (extension_loaded('openssl') && function_exists('openssl_get_cert_locations') &&
|
||||
($locations = openssl_get_cert_locations()) &&
|
||||
file_exists($default_cert_dir = $locations['default_cert_dir']))
|
||||
{
|
||||
$check_dirs = array($default_cert_dir);
|
||||
foreach(scandir($default_cert_dir) as $cert)
|
||||
{
|
||||
$cert = $default_cert_dir.'/'.$cert;
|
||||
if (is_link($cert) && ($link = readlink($cert)) &&
|
||||
dirname($link) != '.' && !in_array(dirname($link), $check_dirs))
|
||||
{
|
||||
$check_dirs[] = dirname($link);
|
||||
}
|
||||
}
|
||||
//echo "Checking if OpenSSL CA dirs are included in open_basedir: ".implode(', ', $check_dirs)."\n";
|
||||
$matches = null;
|
||||
if (($content = file_get_contents($config['apache_config'])) &&
|
||||
preg_match('/^\s*php_admin_value\s+open_basedir\s+(.*)$/m', $content, $matches))
|
||||
{
|
||||
//echo "$config[apache_config] contains open_basedir $matches[1]\n";
|
||||
$open_basedirs = explode(':', $matches[1]);
|
||||
$need_adding = array();
|
||||
foreach($check_dirs as $dir)
|
||||
{
|
||||
if (!in_array($dir, $open_basedirs)) $need_adding[] = $dir;
|
||||
}
|
||||
if ($need_adding)
|
||||
{
|
||||
$content = preg_replace('/^\s*php_admin_value\s+open_basedir\s+(.*)$/m',
|
||||
'\\0:'.implode(':', $need_adding), $content);
|
||||
if (file_put_contents($config['apache_config'], $content))
|
||||
{
|
||||
echo "Added OpenSSL CA directories ".implode(', ', $need_adding)." to Apache config $config[apache_config].\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "Failed to add OpenSSL CA directories ".implode(', ', $need_adding)." to Apache config $config[apache_config]!\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert a size with unit eg. 32M to a number
|
||||
* @param int|string $_size
|
||||
|
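Review bot: In `check_fix_open_basedir_certs()`, `readlink($cert)` returns the raw link target, which may be relative (for example `../ca-trust/extracted/pem/tls-ca-bundle.pem`); only a bare `.` is filtered out, so any other relative dirname is appended verbatim to open_basedir, where PHP would resolve it against the process's working directory rather than `$default_cert_dir`. Resolving the link first yields the absolute directory that open_basedir actually compares against: `if (is_link($cert) && ($target = realpath($cert)) !== false && ($dir = dirname($target)) != realpath($default_cert_dir) && !in_array($dir, $check_dirs)) $check_dirs[] = $dir;`. A smaller robustness point in the same function: the `(.*)$` capture under `/m` keeps trailing spaces or a `\r`, so `explode(':', trim($matches[1]))` would avoid re-appending a directory that is already present. The `set_univention_defaults()` and `set_distro_defaults()` hunks earlier in this file are only context around these changes and start outside their hunks.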