mlton: bin/domtool-server bin/domtool-client bin/domtool-slave \
bin/domtool-admin bin/domtool-doc bin/dbtool bin/vmail \
- bin/smtplog bin/setsa bin/mysql-fixperms bin/webbw bin/domtool-tail \
+ bin/smtplog bin/setsa bin/webbw bin/domtool-tail \
bin/fwtool bin/domtool-config bin/domtool-portal
smlnj: $(COMMON_DEPS) openssl/smlnj/FFI/libssl.h.cm pcre/smlnj/FFI/libpcre.h.cm \
$(MAKE_MLB_BASE) >src/smtplog.mlb
echo "main-smtplog.sml" >>src/smtplog.mlb
-src/mysql-fixperms.mlb: src/prefix.mlb src/sources src/suffix.mlb
- $(MAKE_MLB_BASE) >src/mysql-fixperms.mlb
- echo "main-mysql-fixperms.sml" >>src/mysql-fixperms.mlb
-
src/fwtool.mlb: src/prefix.mlb src/sources src/suffix.mlb
$(MAKE_MLB_BASE) >src/fwtool.mlb
echo "main-fwtool.sml" >>src/fwtool.mlb
bin/smtplog: $(COMMON_MLTON_DEPS) src/smtplog.mlb
$(MLTON) -output bin/smtplog src/smtplog.mlb
-bin/mysql-fixperms: $(COMMON_MLTON_DEPS) src/mysql-fixperms.mlb
- $(MLTON) -output bin/mysql-fixperms src/mysql-fixperms.mlb
-
bin/fwtool: $(COMMON_MLTON_DEPS) src/fwtool.mlb
$(MLTON) -output bin/fwtool src/fwtool.mlb
-cp bin/vmail /usr/local/bin/
-cp bin/setsa /usr/local/bin/
-cp bin/smtplog /usr/local/bin/
- -cp bin/mysql-fixperms /usr/local/bin/
-cp bin/vmailpasswd /usr/local/bin/
-cp bin/webbw /usr/local/sbin/
-cp bin/domtool-tail /usr/local/bin/
default_days = 365
default_crl_days= 30
-default_md = sha1
+default_md = sha256
preserve = no
policy = policy_domtool
[ req ]
default_bits = 4096
default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
-default_md = sha1
+default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
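Review bot: The switch to `default_md = sha256` at L33 and L40 only governs signatures produced after this change; the CA certificate generated from the `[ req ]` section with the key at `${Domtool_Defaults::ca_dir}/private/ca-key.pem`, and every certificate and CRL the CA has already issued, keep their SHA-1 signatures until they are regenerated. Recent OpenSSL releases reject SHA-1-signed certificates at the default security level, so the CA certificate itself presumably has to be re-signed and redistributed before clients benefit; I cannot see from this hunk whether that is planned. A one-line comment above L33, such as `# sha256 applies to new signatures only; re-issue the CA cert and CRL after changing this`, would record that for whoever deploys it.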
val confDir = ConfigCore.localRoot ^ "/vhosts"
val webNodes_all = [("shelob", {version = APACHE_2, auth = MOD_WAKLOG})]
-val webNodes_admin = [("minsky", {version = APACHE_2, auth = MOD_WAKLOG})]
+val webNodes_admin = [("minsky", {version = APACHE_2, auth = MOD_WAKLOG}),
+ ("busted", {version = APACHE_2, auth = MOD_WAKLOG})]
val proxyTargets = ["http://hcoop.net/cgi-bin/mailman",
"http://hcoop.net/pipermail"]
val domtool_publish = ConfigCore.installPrefix ^ "/sbin/domtool-publish"
-val nodeIps = [("outpost", "151.236.216.192", "2a01:7e00::f03c:91ff:fe70:7c62"), ("gibran", "142.93.177.82", "2604:a880:800:c1::99:5001"), ("marsh", "45.55.52.66", "2604:a880:800:a1::13a3:f001"), ("minsky", "104.248.1.95", "2604:a880:800:c1::b1:5001"), ("shelob", "68.183.54.165", "2604:a880:800:c1::d:3001"), ("lovelace", "68.183.58.241", "2604:a880:800:c1::c2:7001")]
+val nodeIps = [("outpost", "151.236.216.192", "2a01:7e00::f03c:91ff:fe70:7c62"), ("gibran", "142.93.177.82", "2604:a880:800:c1::99:5001"), ("marsh", "45.55.52.66", "2604:a880:800:a1::13a3:f001"), ("minsky", "104.248.1.95", "2604:a880:800:c1::b1:5001"), ("shelob", "68.183.54.165", "2604:a880:800:c1::d:3001"), ("lovelace", "68.183.58.241", "2604:a880:800:c1::c2:7001"), ("busted", "64.225.6.23", "2604:a880:800:c1::1fe:7001")]
val dispatcherName = "gibran"
val dnsNodes_all = ["outpost", "gibran"]
-val dnsNodes_admin = []
+val dnsNodes_admin = ["busted"]
val mailNodes_all = ["minsky"]
-val mailNodes_admin = [ ]
+val mailNodes_admin = ["busted"]
val aclFile = ConfigCore.sharedRoot ^ "/acl"
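Review bot: The addresses for `busted` are now declared twice, in `nodeIps` at L52 and again as `busted_ip`/`busted_ipv6` at L72-L74, with nothing checking that the two copies agree; they match in this commit, but a later edit to one place would silently desynchronise the node table from the addresses user configs resolve. If the duplication cannot be removed, a comment on `nodeIps` such as `(* keep in sync with the *_ip / *_ipv6 externs in the node .dtl *)` at least points the next editor at the second copy. As a point of style, `nodeIps` is one very long line; one tuple per line would make a change like L51-L52 reviewable as a one-line addition.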
{{FastCGI based php 7.3.}}
extern val php74 : php_version;
{{FastCGI based php 7.4.}}
-
-val fast_php : php_version = php56;
+extern val php80 : php_version;
+{{FastCGI based php 8.0.}}
extern val vhost : host -> Vhost => [Domain]
{WebPlaces : [web_place],
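Review bot: Removing `val fast_php : php_version = php56;` at L65 deletes a name from the standard environment outright, so any user configuration that still writes `fast_php` will stop type-checking once this is deployed; if that is acceptable it deserves a mention in the commit description, otherwise keeping an alias to a supported version for a release (for example `val fast_php : php_version = php74;`, constructed) gives users time to migrate. For `php80`, the server-side mapping at L218 returns 80, but `Config.Apache.phpFastCgiWrapper` (called at L236) is not in this diff and presumably needs a matching wrapper entry for 80 before the new value produces a working vhost.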
val outpost_ipv6 : (ipv6) = "2a01:7e00::f03c:91ff:fe70:7c62";
(* Digital Ocean *)
+val busted_ip : (ip) = "64.225.6.23";
+val busted_private_ip : (ip) = "10.132.165.25";
+val busted_ipv6 : (ipv6) = "2604:a880:800:c1::1fe:7001";
+
val gibran_ip : (ip) = "142.93.177.82";
val gibran_private_ip : (ip) = "10.132.5.78";
val gibran_ipv6 : (ipv6) = "2604:a880:800:c1::99:5001";
+#include <openssl/ossl_typ.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
-#include <openssl/ossl_typ.h>
-
-/* SSL_METHOD is defined in <openssl/ssl.h>, which #includes system
- headers that ml-nlffigen can't parse. */
-
+/* OpenSSL header files include system headers that ml-nlffigen can't
+ parse, include any needed typedefs or forward declarations here.
+ */
+typedef struct bio_st BIO;
+typedef struct ssl_st SSL;
+typedef struct ssl_ctx_st SSL_CTX;
typedef struct ssl_method_st SSL_METHOD;
void OpenSSL_SML_init(void);
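Review bot: The typedefs added at L91-L93 restate declarations that `<openssl/ossl_typ.h>`, now included first at L79, already provides, so a C compiler sees each name defined twice; identical typedef redefinition is accepted by C11 and by GCC in practice but is a constraint violation under C99. If the intent is that ml-nlffigen processes this header without the real OpenSSL headers on its include path, the comment at L88-L90 should say so, e.g. extend it with `ml-nlffigen is run without the OpenSSL include path, so the typedefs below must be kept in sync with <openssl/ossl_typ.h> (types.h in OpenSSL 3).` I cannot tell from the hunk which of the two situations applies.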
| (_, n) => n) 0 fields
fun noIpv4 maxLen =
- length fields >= 2
+ length fields >= 3
andalso length fields <= maxLen
andalso empties <= 1
andalso List.all (fn "" => true
in
validIp maybeIpv4 andalso noIpv4 6
end
+
+ fun localHost () =
+ length fields = 3
+ andalso empties = 2
+ andalso List.last fields = "1"
in
- noIpv4 8 orelse hasIpv4 ()
+ localHost () orelse noIpv4 8 orelse hasIpv4 ()
end
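Review bot: The `localHost` case at L107-L110 admits only the literal `::1`, while the reason it was being rejected — a leading `::` yields two empty fields, which `empties <= 1` in `noIpv4` (L101) forbids — equally rejects every other address that starts or ends with `::`, such as `::`, `::2` or `fe80::`. A more general rule would accept `empties = 2` when the two empty fields are adjacent at the very start or end of `fields` (with `::` alone, three empties, as its own case), which subsumes the new `localHost` check. How `fields` and `empties` are computed is above the hunk (the fold ends at L96) and the enclosing function continues outside it, so I have hedged on the exact shape.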
fun isIdent ch = Char.isLower ch orelse Char.isDigit ch
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
+#include <crypt.h>
#include <string.h>
int validDomain(const char *dom) {
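Review bot: `<crypt.h>` at L119 is a glibc/libxcrypt header rather than a POSIX one, and on glibc the functions it declares live in a separate library, so the link step needs `-lcrypt`; neither the call site nor the link flags are in this hunk, so this is inferred from the include alone. If the new code calls `crypt()`, a comment at the call site recording which hash prefix is used would help, since the traditional DES default is not adequate for password storage.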
+++ /dev/null
-(* HCoop Domtool (http://hcoop.sourceforge.net/)
- * Copyright (c) 2007, Adam Chlipala
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *)
-
-(* Driver for requesting MySQL DROP permission granting *)
-
-val _ =
- case CommandLine.arguments () of
- [] => Main.requestMysqlFixperms ()
- | _ => print "Invalid command-line arguments\n"
val requestSmtpLog : string -> unit
- val requestMysqlFixperms : unit -> unit
-
val requestApt : {node : string, pkg : string} -> OS.Process.status
val requestAptExists : {node : string, pkg : string} -> OS.Process.status
val requestCron : {node : string, uname : string} -> OS.Process.status
OpenSSL.close bio
end
-fun requestMysqlFixperms () =
- let
- val (_, context) = requestContext (fn () => ())
- val bio = OpenSSL.connect true (context,
- Config.Dbms.dbmsNode ^ ":" ^ Int.toString Config.slavePort)
- in
- Msg.send (bio, MsgMysqlFixperms);
- case Msg.recv bio of
- NONE => print "Server closed connection unexpectedly.\n"
- | SOME m =>
- case m of
- MsgOk => print "Permissions granted.\n"
- | MsgError s => print ("Failed: " ^ s ^ "\n")
- | _ => print "Unexpected server reply.\n";
- OpenSSL.close bio
- end
-
fun requestApt {node, pkg} =
let
val (user, context) = requestContext (fn () => ())
("Invalid database name " ^ user ^ "_" ^ dbname,
SOME ("Invalid database name " ^ dbname)))
(fn () => ())
- | MsgMysqlFixperms =>
- (print "Starting mysql-fixperms\n";
- doIt (fn () => if OS.Process.isSuccess
- (OS.Process.system "/usr/bin/sudo -H /afs/hcoop.net/common/etc/scripts/mysql-grant-table-drop") then
- ("Requested mysql-fixperms",
- NONE)
- else
- ("Requested mysql-fixperms, but execution failed!",
- SOME "Script execution failed."))
- (fn () => ()))
| MsgFirewallRegen =>
doIt (fn () => (Acl.read Config.aclFile;
if Acl.query {user = user, class = "priv", value = "all"} then
| MsgGrantDb {dbtype, dbname} => (OpenSSL.writeInt (bio, 37);
OpenSSL.writeString (bio, dbtype);
OpenSSL.writeString (bio, dbname))
- | MsgMysqlFixperms => OpenSSL.writeInt (bio, 38)
+ (* | MsgMysqlFixperms => OpenSSL.writeInt (bio, 38) *)
| MsgDescribe dom => (OpenSSL.writeInt (bio, 39);
OpenSSL.writeString (bio, dom))
| MsgDescription s => (OpenSSL.writeInt (bio, 40);
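Review bot: The commented-out arms at L195, L203 and L211 reserve wire number 38 only by convention; on the receive side (L203) a 38 from an older client now presumably reaches the catch-all and is reported as an unknown message rather than a retired one. Replacing the comment at L203 with an explicit `| 38 => NONE (* retired: was MsgMysqlFixperms; do not reuse *)` documents the reservation in code, and the same wording beside L195 and L211 ties the three places together.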
(SOME dbtype, SOME dbname) =>
SOME (MsgGrantDb {dbtype = dbtype, dbname = dbname})
| _ => NONE)
- | 38 => SOME MsgMysqlFixperms
+ (* | 38 => SOME MsgMysqlFixperms *)
| 39 => Option.map MsgDescribe (OpenSSL.readString bio)
| 40 => Option.map MsgDescription (OpenSSL.readString bio)
| 41 => SOME MsgReUsers
(* MsgRegenerate without actual publishing of configuration *)
| MsgGrantDb of {dbtype : string, dbname : string}
(* Grant all allowed privileges on a DBMS database to the user *)
- | MsgMysqlFixperms
+ (* | MsgMysqlFixperms *)
(* Run the script to grant DROP privileges on MySQL tables to owning users *)
| MsgDescribe of string
(* Ask for a listing of all of a domain's real configuration *)
| (EVar "php72", _) => SOME 72
| (EVar "php73", _) => SOME 73
| (EVar "php74", _) => SOME 74
+ | (EVar "php80", _) => SOME 80
| _ => NONE
fun vhostBody (env, makeFullHost) =
val () = Env.action_one "phpVersion"
("version", php_version)
(fn version => (write "\tAddHandler fcgid-script .php .phtml\n";
- (* FIXME: only set kerberos wrapper of waklog is on *)
- (* won't be trivial, since we don't have access to node here *)
- write "\n\tFcgidWrapper \"";
- write (Config.Apache.fastCgiWrapperOf (Domain.getUser ()));
- write " ";
- write (Config.Apache.phpFastCgiWrapper version);
- write "\" .php .phtml\n"))
+ (* FIXME: only set kerberos wrapper of waklog is on *)
+ (* won't be trivial, since we don't have access to node here *)
+ app (fn ext => (write "\n\tFcgidWrapper \"";
+ write (Config.Apache.fastCgiWrapperOf (Domain.getUser ()));
+ write " ";
+ write (Config.Apache.phpFastCgiWrapper version);
+ write "\" ";
+ write ext;
+ write "\n"))
+ [".php", ".phtml"]))
val () = Env.action_two "addType"
("mime type", Env.string, "extension", Env.string)
chmod 770 $DIR/$DBNAME
ln -sf $DIR/$DBNAME /var/lib/mysql/$DBNAME
chmod g+rw -R $DIR/$DBNAME/
- sudo -H mysql -e "GRANT CREATE,CREATE TEMPORARY TABLES,SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,LOCK TABLES,GRANT OPTION ON TABLE * TO '$USERNAME'@$WHERE;" $DBNAME
+ sudo -H mysql -e "GRANT ALL ON TABLE * TO '$USERNAME'@$WHERE WITH GRANT OPTION;" $DBNAME
sudo -H mysql -e "FLUSH PRIVILEGES;"
;;
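Review bot: `GRANT ALL ON TABLE *` at L247 (and again at L261) replaces an explicit privilege list with everything that exists at database scope — beyond the old set that adds DROP, TRIGGER, EVENT, EXECUTE, CREATE ROUTINE, ALTER ROUTINE and REFERENCES, and any privilege MySQL introduces later is included automatically. If the intent is only to fold in the DROP grant that the removed mysql-fixperms path (L178-L187) used to hand out, the narrower form keeps the existing policy: `GRANT CREATE,DROP,CREATE TEMPORARY TABLES,SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,LOCK TABLES ON TABLE * TO '$USERNAME'@$WHERE WITH GRANT OPTION;`. If ALL is deliberate, a comment above the line saying why saves the next reviewer the same question.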
DBNAME_BASE=$3
DBNAME="${USERNAME}_${DBNAME_BASE}"
+ sudo -H mysql -e "REVOKE ALL ON TABLE * FROM '$USERNAME'@$WHERE;" $DBNAME
+ sudo -H mysql -e "REVOKE GRANT OPTION ON TABLE * FROM '$USERNAME'@$WHERE;" $DBNAME
sudo -H mysql -e "DROP DATABASE $DBNAME;"
+
;;
grant)
DBNAME_BASE=$3
DBNAME="${USERNAME}_${DBNAME_BASE}"
- sudo -H mysql -e "GRANT CREATE,SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,LOCK TABLES,GRANT OPTION ON TABLE * TO '$USERNAME'@$WHERE;" $DBNAME
+ sudo -H mysql -e "GRANT ALL ON TABLE * TO '$USERNAME'@$WHERE WITH GRANT OPTION;" $DBNAME
;;
*)
let
val _ = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
in
- TextIO.output (tcp_inf, "proto tcp mod comment comment \"user:" ^ uname ^ "\" {\n");
+ TextIO.output (tcp_inf, "proto (tcp udp) mod comment comment \"user:" ^ uname ^ "\" {\n");
TextIO.output (tcp_inf, concat lines);
TextIO.output (tcp_inf, "\n}\n\n")
end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n") (* no sense in opening ports for bad users *)
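Review bot: `proto (tcp udp)` at L268 and L276 widens every per-user rule block to UDP, but the handles are still named `tcp_inf`/`tcp_outf` and the generated blocks carry no comment saying both protocols are covered; renaming them or adding `(* rules apply to both tcp and udp *)` beside each `TextIO.output` keeps the next reader from assuming TCP-only. Whether the user-supplied `lines` can themselves restrict a rule to one protocol is not visible here; if they cannot, a user who opened a port for a TCP service now also exposes it over UDP, which is worth stating in the firewall configuration documentation. Both enclosing functions start outside their hunks.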
let
val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
in
- TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto tcp {\n");
+ TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto (tcp udp) {\n");
TextIO.output (tcp_outf, concat lines);
TextIO.output (tcp_outf, "\nDROP;\n}\n\n")
end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n")