From 3c6e61ba7cf5854319f791f48ad3e6cca176061a Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Tue, 30 Jan 2018 13:58:00 +0100
Subject: [PATCH] * Mail/SMime: include CA-bundle directories in open_basedir of Apache config of packages
---
 doc/rpm-build/apache.conf | 3 +-
 doc/rpm-build/debian.control | 2 +-
 doc/rpm-build/debian.rules | 2 +
 doc/rpm-build/egroupware-epl.spec | 5 +++
 doc/rpm-build/post_install.php | 63 +++++++++++++++++++++++++++++--
 5 files changed, 70 insertions(+), 5 deletions(-)
diff --git a/doc/rpm-build/apache.conf b/doc/rpm-build/apache.conf
index e7a654a5ac..2f28968a65 100644
--- a/doc/rpm-build/apache.conf
+++ b/doc/rpm-build/apache.conf
@@ -42,7 +42,8 @@ RedirectMatch ^(/principals/users/.*)$ /egroupware/groupdav.php$1
 php_admin_value mbstring.func_overload 0
 php_value memory_limit 128M
 php_value include_path .
- php_admin_value open_basedir /usr/share/egroupware:/var/lib/egroupware:/tmp
+ # need to include directories of OpenSSL trusted CAs depending on distribution
+ php_admin_value open_basedir /usr/share/egroupware:/var/lib/egroupware:/tmp:/etc/pki/tls/certs:/etc/pki/ca-trust
 php_value upload_max_filesize 64M
 php_admin_value upload_tmp_dir /tmp
 php_value post_max_size 65M
diff --git a/doc/rpm-build/debian.control b/doc/rpm-build/debian.control
index 952588c8b1..5bbae9b71e 100644
--- a/doc/rpm-build/debian.control
+++ b/doc/rpm-build/debian.control
@@ -57,7 +57,7 @@ Depends: apache2 | nginx, ${misc:Depends}
 Recommends: mariadb-server | mysql-server, php-opcache | php-apc, php-apcu, php5-pecl-smb, php5-tidy | php-tidy, php5-zip | php-zip, mariadb-client | mysql-client | postgresql-client, php5-bcmath | php-bcmath,
- php5-ldap | php-ldap, php-mbstring, php5-mhash | php-mhash, php-xml
+ php5-ldap | php-ldap, php-mbstring, php5-mhash | php-mhash, php-xml, ca-certificates
 Suggests: egroupware-epl
 Provides: egroupware-epl-addressbook, egroupware-epl-pear
 Replaces: egroupware-core, egroupware-addressbook, egroupware-epl-addressbook,
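Review bot: The new comment on the open_basedir line says the CA directories depend on the distribution, but the line itself now carries only the RHEL/CentOS paths, and the Debian/Ubuntu and SUSE substitutions live in debian.rules and egroupware-epl.spec; a maintainer editing this file should be told that, e.g. `# RHEL/CentOS directories of the trusted OpenSSL CAs; debian.rules and egroupware-epl.spec rewrite them for Debian/Ubuntu and SUSE`. On the least-privilege side, /etc/pki/ca-trust is the whole trust-store tree rather than only the directory the /etc/pki/tls/certs symlinks resolve into; if a target system confirms those links point into a single subdirectory, listing that subdirectory keeps the open_basedir widening to what certificate verification actually needs.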
diff --git a/doc/rpm-build/debian.rules b/doc/rpm-build/debian.rules
index 21da5d9dd9..64e484f8af 100644
--- a/doc/rpm-build/debian.rules
+++ b/doc/rpm-build/debian.rules
@@ -42,6 +42,8 @@ install: build
 # customize webserver config
 mkdir -p $(CURDIR)/debian/egroupware-epl-core/etc/egroupware
 cp $(CURDIR)/doc/rpm-build/apache.conf $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache.conf
+ # Debian/Ubuntu uses /usr/lib/ssl/certs with files symlinked from /usr/share/ca-certificates instead for trusted OpenSSL CA
+ sed -i '' 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/usr/lib/ssl/certs:/usr/share/ca-certificates|g' $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache.conf
 # Univention needs access to /usr/sbin/univention-directory-manager symlinked to /usr/share/univention-directory-manager-tools/directory-manager-cli
 sed 's|\(open_basedir .*\)|\1:/usr/sbin/univention-directory-manager:/usr/share/univention-directory-manager-tools/directory-manager-cli|' \
 $(CURDIR)/doc/rpm-build/apache.conf > $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache-univention.conf
diff --git a/doc/rpm-build/egroupware-epl.spec b/doc/rpm-build/egroupware-epl.spec
index 889f65f089..56df05a0ce 100644
--- a/doc/rpm-build/egroupware-epl.spec
+++ b/doc/rpm-build/egroupware-epl.spec
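Review bot: The added `sed -i '' 's|...|...|g'` uses the BSD/macOS spelling of in-place editing; GNU sed, which a Debian build host runs, only accepts the suffix attached to the option, so the empty string becomes the sed script, the s-expression is taken as an input file name, the substitution never happens and sed exits non-zero. Dropping the empty argument fixes it: `sed -i 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/usr/lib/ssl/certs:/usr/share/ca-certificates|g' $(CURDIR)/debian/egroupware-epl-core/etc/egroupware/apache.conf`; the sed added to egroupware-epl.spec in the SUSE branch has the same problem. Because a non-matching substitution still exits 0, a following `grep -q /usr/lib/ssl/certs` on the rewritten file would make the build fail loudly if the open_basedir line in apache.conf is ever changed. The apache-univention.conf generated a few lines below is still derived from the pristine doc/rpm-build/apache.conf and therefore keeps the RHEL CA paths; if Univention should get the Debian directories, generate it from the rewritten apache.conf instead.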
@@ -574,6 +574,11 @@ echo "post_install: %{post_install}"
 mkdir -p $RPM_BUILD_ROOT%{egwdir}
 mkdir -p $RPM_BUILD_ROOT%{httpdconfd}
 cp egroupware/doc/rpm-build/apache.conf $RPM_BUILD_ROOT%{httpdconfd}/egroupware.conf
+%if 0%{?suse_version}
+# RHEL/CentOS needs open_basedir to include /etc/pki/tls/certs:/etc/pki/ca-trust
+# SUSE uses /var/lib/ca-certificates/openssl instead for trusted OpenSSL CA
+ sed -i '' 's|/etc/pki/tls/certs:/etc/pki/ca-trust|/var/lib/ca-certificates/openssl|g' $RPM_BUILD_ROOT%{httpdconfd}/egroupware.conf
+%endif
 mkdir -p $RPM_BUILD_ROOT/etc/cron.d
 sed 's/apache/%{apache_user}/' egroupware/doc/rpm-build/egroupware.cron > $RPM_BUILD_ROOT/etc/cron.d/egroupware
 mkdir -p $RPM_BUILD_ROOT%{egwdatadir}/default/files
diff --git a/doc/rpm-build/post_install.php b/doc/rpm-build/post_install.php
index a099fdaa6e..6965610099 100755
--- a/doc/rpm-build/post_install.php
+++ b/doc/rpm-build/post_install.php
@@ -65,6 +65,7 @@ $config = array(
 'folder' => '',
 'install-update-app' => '', // install or update a single (non-default) app
 'webserver_user'=> 'apache', // required to fix permissions
+ 'apache_config' => '/etc/httpd/conf.d/egroupware.conf',
 'php5enmod' => '',
 );
@@ -112,6 +113,7 @@ function set_distro_defaults($distro=null)
 $config['ldap_context'] = 'ou=people,$base';
 $config['ldap_group_context'] = 'ou=group,$base';
 $config['webserver_user'] = 'wwwrun';
+ $config['apache_config'] = '/etc/apache2/conf.d/egroupware.conf';
 break;
 case 'debian':
 // service not in Debian5, only newer Ubuntu, which complains about /etc/init.d/xx
@@ -128,6 +130,7 @@ function set_distro_defaults($distro=null)
 $config['autostart_db'] = '/usr/sbin/update-rc.d mysql defaults';
 $config['autostart_webserver'] = '/usr/sbin/update-rc.d apache2 defaults';
 $config['webserver_user'] = 'www-data';
+ $config['apache_config'] = '/etc/egroupware/apache.conf';
 break;
 case 'mandriva':
 $config['ldap_suffix'] = 'dc=site';
@@ -136,6 +139,7 @@ function set_distro_defaults($distro=null)
 $config['ldap_base'] = '$suffix';
 $config['ldap_context'] = 'ou=People,$base';
 $config['ldap_group_context'] = 'ou=Group,$base';
+ $config['apache_config'] = '/etc/apache2/conf.d/egroupware.conf';
 break;
 case 'univention':
 set_univention_defaults();
@@ -705,9 +709,7 @@ function set_univention_defaults()
 // set an email address for sysop user so mail works right away
 $config['admin_email'] = '$admin_user@'.$domain;
 }
- # add directory of univention-directory-manager and it's sysmlink target to open_basedir
- system("/bin/sed -i 's|/usr/bin|/usr/bin:/usr/sbin:/usr/share/univention-directory-manager-tools|' /etc/egroupware/apache.conf");
-
+ $config['apache_config'] = '/etc/egroupware/apache-univention.conf';
 }
 }
@@ -793,6 +795,61 @@ function check_fix_php_apc_ini()
 }
 }
+/**
+ * Check if CA certificates are added to open_basedir to be accessible
+ *
+ * Different distros use different CA directories:
+ * - Debian/Ubuntu: /usr/lib/ssl/certs with files symlinked from /usr/share/ca-certificates
+ * - RHEL/CentOS: /etc/pki/tls/certs with files symlinks from /etc/pki/ca-trust
+ * - openSUSE/SLES: /var/lib/ca-certificates/openssl
+ */
+function check_fix_open_basedir_certs()
+{
+ global $config;
+
+ if (extension_loaded('openssl') && function_exists('openssl_get_cert_locations') &&
+ ($locations = openssl_get_cert_locations()) &&
+ file_exists($default_cert_dir = $locations['default_cert_dir']))
+ {
+ $check_dirs = array($default_cert_dir);
+ foreach(scandir($default_cert_dir) as $cert)
+ {
+ $cert = $default_cert_dir.'/'.$cert;
+ if (is_link($cert) && ($link = readlink($cert)) &&
+ dirname($link) != '.' && !in_array(dirname($link), $check_dirs))
+ {
+ $check_dirs[] = dirname($link);
+ }
+ }
+ //echo "Checking if OpenSSL CA dirs are included in open_basedir: ".implode(', ', $check_dirs)."\n";
+ $matches = null;
+ if (($content = file_get_contents($config['apache_config'])) &&
+ preg_match('/^\s*php_admin_value\s+open_basedir\s+(.*)$/m', $content, $matches))
+ {
+ //echo "$config[apache_config] contains open_basedir $matches[1]\n";
+ $open_basedirs = explode(':', $matches[1]);
+ $need_adding = array();
+ foreach($check_dirs as $dir)
+ {
+ if (!in_array($dir, $open_basedirs)) $need_adding[] = $dir;
+ }
+ if ($need_adding)
+ {
+ $content = preg_replace('/^\s*php_admin_value\s+open_basedir\s+(.*)$/m',
+ '\\0:'.implode(':', $need_adding), $content);
+ if (file_put_contents($config['apache_config'], $content))
+ {
+ echo "Added OpenSSL CA directories ".implode(', ', $need_adding)." to Apache config $config[apache_config].\n";
+ }
+ else
+ {
+ echo "Failed to add OpenSSL CA directories ".implode(', ', $need_adding)."
to Apache config $config[apache_config]!\n";
+ }
+ }
+ }
+ }
+}
+
 /**
 * Convert a size with unit eg. 32M to a number
 * @param int|string $_size
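Review bot: Nothing in this patch calls the new check_fix_open_basedir_certs(); none of the post_install.php hunks adds an invocation, so unless a caller exists outside the diff the Apache config is never repaired at install time and the distro-specific sed rewrites remain the only mechanism. Inside the function, `readlink($cert)` can return a target relative to the certificate directory, and `dirname()` of that is then appended to open_basedir as a relative entry; `if (is_link($cert) && ($link = realpath($cert)) &&` gives the resolved absolute path instead. The `(.*)$` capture also keeps any trailing whitespace or CR of the open_basedir line, so the entry that was last on the line never compares equal and is re-appended on every run; `$open_basedirs = explode(':', trim($matches[1]));` avoids that. Note that file_put_contents() rewrites the live config in place, so a write that fails part-way leaves a truncated Apache config behind; writing to a temporary file in the same directory and renaming it over the original would be safer.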