* Mail/SMime: include CA-bundle directories in open_basedir of Apache config of packages

2018-01-30 13:58:00 +01:00 · 2018-01-30 13:58:00 +01:00 · 3c6e61ba7c
commit 3c6e61ba7c
parent 54389ff5a5
5 changed files with 70 additions and 5 deletions
--- a/doc/rpm-build/apache.conf
+++ b/doc/rpm-build/apache.conf
@ -42,7 +42,8 @@ RedirectMatch ^(/principals/users/.*)$ /egroupware/groupdav.php$1
  php_admin_value mbstring.func_overload 0
  php_value memory_limit 128M
  php_value include_path .
-  php_admin_value open_basedir /usr/share/egroupware:/var/lib/egroupware:/tmp
+  # need to include directories of OpenSSL trusted CAs depending on distribution
+  php_admin_value open_basedir /usr/share/egroupware:/var/lib/egroupware:/tmp:/etc/pki/tls/certs:/etc/pki/ca-trust
  php_value upload_max_filesize 64M
  php_admin_value upload_tmp_dir /tmp
  php_value post_max_size 65M
--- a/doc/rpm-build/debian.control
+++ b/doc/rpm-build/debian.control
@ -57,7 +57,7 @@ Depends: apache2 | nginx,
 ${misc:Depends}
 Recommends: mariadb-server | mysql-server, php-opcache | php-apc, php-apcu, php5-pecl-smb, php5-tidy | php-tidy, php5-zip | php-zip,
 mariadb-client | mysql-client | postgresql-client, php5-bcmath | php-bcmath,
- php5-ldap | php-ldap, php-mbstring, php5-mhash | php-mhash, php-xml
+ php5-ldap | php-ldap, php-mbstring, php5-mhash | php-mhash, php-xml, ca-certificates
 Suggests: egroupware-epl
 Provides: egroupware-epl-addressbook, egroupware-epl-pear
 Replaces: egroupware-core, egroupware-addressbook, egroupware-epl-addressbook,
--- a/doc/rpm-build/debian.rules
+++ b/doc/rpm-build/debian.rules
@ -42,6 +42,8 @@ install: build
 	# customize webserver config
 	mkdir -p $(CURDIR)/debian/egroupware-epl-core/etc/egroupware
 	cp $(CURDIR)/doc/rpm-build/apache.conf $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache.conf
+	# Debian/Ubuntu uses /usr/lib/ssl/certs with files symlinked from /usr/share/ca-certificates instead for trusted OpenSSL CA
+	sed -i '' 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/usr/lib/ssl/certs:/usr/share/ca-certificates|g' $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache.conf
 	# Univention needs access to /usr/sbin/univention-directory-manager symlinked to /usr/share/univention-directory-manager-tools/directory-manager-cli
 	sed 's|\(open_basedir .*\)|\1:/usr/sbin/univention-directory-manager:/usr/share/univention-directory-manager-tools/directory-manager-cli|' \
 	  $(CURDIR)/doc/rpm-build/apache.conf > $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache-univention.conf
--- a/doc/rpm-build/egroupware-epl.spec
+++ b/doc/rpm-build/egroupware-epl.spec
@ -574,6 +574,11 @@ echo "post_install: %{post_install}"
 mkdir -p $RPM_BUILD_ROOT%{egwdir}
 mkdir -p $RPM_BUILD_ROOT%{httpdconfd}
 cp egroupware/doc/rpm-build/apache.conf $RPM_BUILD_ROOT%{httpdconfd}/egroupware.conf
+%if 0%{?suse_version}
+# RHEL/CentOS needs open_basedir to include /etc/pki/tls/certs:/etc/pki/ca-trust
+# SUSE uses /var/lib/ca-certificates/openssl instead for trusted OpenSSL CA
+    sed -i '' 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/var/lib/ca-certificates/openssl|g' $RPM_BUILD_ROOT%{httpdconfd}/egroupware.conf
+%endif
 mkdir -p $RPM_BUILD_ROOT/etc/cron.d
 sed 's/apache/%{apache_user}/' egroupware/doc/rpm-build/egroupware.cron > $RPM_BUILD_ROOT/etc/cron.d/egroupware
 mkdir -p $RPM_BUILD_ROOT%{egwdatadir}/default/files
--- a/doc/rpm-build/post_install.php
+++ b/doc/rpm-build/post_install.php
@ -65,6 +65,7 @@ $config = array(
 	'folder'        => '',
 	'install-update-app' => '',	// install or update a single (non-default) app
 	'webserver_user'=> 'apache',	// required to fix permissions
+	'apache_config'   => '/etc/httpd/conf.d/egroupware.conf',
 	'php5enmod'     => '',
 );

@ -112,6 +113,7 @@ function set_distro_defaults($distro=null)
 			$config['ldap_context'] = 'ou=people,$base';
 			$config['ldap_group_context'] = 'ou=group,$base';
 			$config['webserver_user'] = 'wwwrun';
+			$config['apache_config'] = '/etc/apache2/conf.d/egroupware.conf';
 			break;
 		case 'debian':
 			// service not in Debian5, only newer Ubuntu, which complains about /etc/init.d/xx
@ -128,6 +130,7 @@ function set_distro_defaults($distro=null)
 			$config['autostart_db'] = '/usr/sbin/update-rc.d mysql defaults';
 			$config['autostart_webserver'] = '/usr/sbin/update-rc.d apache2 defaults';
 			$config['webserver_user'] = 'www-data';
+			$config['apache_config'] = '/etc/egroupware/apache.conf';
 			break;
 		case 'mandriva':
 			$config['ldap_suffix'] = 'dc=site';
@ -136,6 +139,7 @@ function set_distro_defaults($distro=null)
 			$config['ldap_base'] = '$suffix';
 			$config['ldap_context'] = 'ou=People,$base';
 			$config['ldap_group_context'] = 'ou=Group,$base';
+			$config['apache_config'] = '/etc/apache2/conf.d/egroupware.conf';
 			break;
 		case 'univention':
 			set_univention_defaults();
@ -705,9 +709,7 @@ function set_univention_defaults()
 			// set an email address for sysop user so mail works right away
 			$config['admin_email'] = '$admin_user@'.$domain;
 		}
-		# add directory of univention-directory-manager and it's sysmlink target to open_basedir
-		system("/bin/sed -i 's|/usr/bin|/usr/bin:/usr/sbin:/usr/share/univention-directory-manager-tools|' /etc/egroupware/apache.conf");
-
+		$config['apache_config'] = '/etc/egroupware/apache-univention.conf';
 	}
 }

@ -793,6 +795,61 @@ function check_fix_php_apc_ini()
 	}
 }

+/**
+ * Check if CA certificates are added to open_basedir to be accessible
+ *
+ * Different distros use different CA directories:
+ * - Debian/Ubuntu: /usr/lib/ssl/certs with files symlinked from /usr/share/ca-certificates
+ * - RHEL/CentOS: /etc/pki/tls/certs with files symlinks from /etc/pki/ca-trust
+ * - openSUSE/SLES: /var/lib/ca-certificates/openssl
+ */
+function check_fix_open_basedir_certs()
+{
+	global $config;
+
+	if (extension_loaded('openssl') && function_exists('openssl_get_cert_locations') &&
+		($locations = openssl_get_cert_locations()) &&
+		file_exists($default_cert_dir = $locations['default_cert_dir']))
+	{
+		$check_dirs = array($default_cert_dir);
+		foreach(scandir($default_cert_dir) as $cert)
+		{
+			$cert = $default_cert_dir.'/'.$cert;
+			if (is_link($cert) && ($link = readlink($cert)) &&
+				dirname($link) != '.' && !in_array(dirname($link), $check_dirs))
+			{
+				$check_dirs[] = dirname($link);
+			}
+		}
+		//echo "Checking if OpenSSL CA dirs are included in open_basedir: ".implode(', ', $check_dirs)."\n";
+		$matches = null;
+		if (($content = file_get_contents($config['apache_config'])) &&
+			preg_match('/^\s*php_admin_value\s+open_basedir\s+(.*)$/m', $content, $matches))
+		{
+			//echo "$config[apache_config] contains open_basedir $matches[1]\n";
+			$open_basedirs = explode(':', $matches[1]);
+			$need_adding = array();
+			foreach($check_dirs as $dir)
+			{
+				if (!in_array($dir, $open_basedirs)) $need_adding[] = $dir;
+			}
+			if ($need_adding)
+			{
+				$content = preg_replace('/^\s*php_admin_value\s+open_basedir\s+(.*)$/m',
+					'\\0:'.implode(':', $need_adding), $content);
+				if (file_put_contents($config['apache_config'], $content))
+				{
+					echo "Added OpenSSL CA directories ".implode(', ', $need_adding)." to Apache config $config[apache_config].\n";
+				}
+				else
+				{
+					echo "Failed to add OpenSSL CA directories ".implode(', ', $need_adding)." to Apache config $config[apache_config]!\n";
+				}
+			}
+		}
+	}
+}
+
 /**
 * Convert a size with unit eg. 32M to a number
 * @param int|string $_size