From 5511dd203b05a6589083674078932d0b2563e775 Mon Sep 17 00:00:00 2001 From: Clinton Ebadi Date: Sat, 29 Aug 2020 17:06:08 -0400 Subject: [PATCH 1/7] fwtool: allow udp/tcp for all user rules Ideally, we'd have separate tcp and udp support, but ... we need udp now (e.g. for lightweight game servers such as bzflag), and I don't want to invest more time into this code without fully refactoring it, as I've just kludged new things onto it for years. --- src/plugins/firewall.sml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml index 642379d..4c10f24 100644 --- a/src/plugins/firewall.sml +++ b/src/plugins/firewall.sml @@ -212,7 +212,7 @@ fun generateFirewallConfig rules = let val _ = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname))) in - TextIO.output (tcp_inf, "proto tcp mod comment comment \"user:" ^ uname ^ "\" {\n"); + TextIO.output (tcp_inf, "proto (tcp udp) mod comment comment \"user:" ^ uname ^ "\" {\n"); TextIO.output (tcp_inf, concat lines); TextIO.output (tcp_inf, "\n}\n\n") end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n") (* no sense in opening ports for bad users *) @@ -221,7 +221,7 @@ fun generateFirewallConfig rules = let val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname))) in - TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto tcp {\n"); + TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto (tcp udp) {\n"); TextIO.output (tcp_outf, concat lines); TextIO.output (tcp_outf, "\nDROP;\n}\n\n") end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n") -- 2.20.1 From 13ea2e2df2369670dcba934a2ff5ff406a027d2f Mon Sep 17 00:00:00 2001 
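Review bot: Both changed TextIO.output lines in generateFirewallConfig (hunks at 212 and 221) now emit `proto (tcp udp)` for every user rule, so each port a member previously opened for TCP only is, on the next regeneration, matched for UDP as well in both the tcp_inf and the tcp_outf blocks without the rule author opting in. The commit message accepts this as a stopgap, but nothing in the code or the generated config records it; I would add above the first output call `(* FIXME: every user rule is emitted for both tcp and udp; a per-rule protocol selector is the proper fix *)` so the next reader does not take the widened match as intended. The same fact belongs in whatever documentation members read for the firewall rule format, since existing rules silently change meaning. generateFirewallConfig's body continues outside both hunks.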
From: Clinton Ebadi Date: Sat, 30 Jan 2021 16:24:40 -0500 Subject: [PATCH 2/7] boostrap: update domtool CA to use sha256 sha1 public certs can no longer be loaded on Debian 10 and later --- bootstrap/common.ssl.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bootstrap/common.ssl.conf b/bootstrap/common.ssl.conf index c2c0ddb..40e234c 100644 --- a/bootstrap/common.ssl.conf +++ b/bootstrap/common.ssl.conf @@ -36,7 +36,7 @@ crl_extensions = crl_ext default_days = 365 default_crl_days= 30 -default_md = sha1 +default_md = sha256 preserve = no policy = policy_domtool @@ -55,7 +55,7 @@ emailAddress = supplied [ req ] default_bits = 4096 default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem -default_md = sha1 +default_md = sha256 prompt = no distinguished_name = root_ca_distinguished_name -- 2.20.1 From c6ef8d4e8d18c1af2cae226381a2e759133e1656 Mon Sep 17 00:00:00 2001 From: Clinton Ebadi Date: Tue, 23 Feb 2021 21:53:45 -0500 Subject: [PATCH 3/7] apache: fix phpVersion action Was not updated with PhpVersion environment variable to output once wrapper directive per extension instead of forcing all extensions. --- lib/apache.dtl | 2 -- src/plugins/apache.sml | 18 +++++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/lib/apache.dtl b/lib/apache.dtl index 9269ee1..b663f0e 100644 --- a/lib/apache.dtl +++ b/lib/apache.dtl @@ -44,8 +44,6 @@ extern val php73 : php_version; extern val php74 : php_version; {{FastCGI based php 7.4.}} -val fast_php : php_version = php56; - extern val vhost : host -> Vhost => [Domain] {WebPlaces : [web_place], SSL : ssl, diff --git a/src/plugins/apache.sml b/src/plugins/apache.sml index 9d751e8..59e96b3 100644 --- a/src/plugins/apache.sml +++ b/src/plugins/apache.sml 
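Review bot: The `default_md = sha256` change in both sections (hunks at 36 and 55) only governs signatures made from now on; as far as I can tell the existing CA certificate and any member certificates already issued under sha1 keep their signatures until they are regenerated, and the commit does not say whether that reissue is part of the rollout. A one-line comment next to each setting, `# sha256: sha1-signed certificates are rejected on Debian 10 and later`, would record why the value must not be lowered again. If the CA certificate itself must be reissued for the new chain to load, that step belongs in the bootstrap notes.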
@@ -475,6 +475,7 @@ val php_version = fn (EVar "php56", _) => SOME 56 | (EVar "php72", _) => SOME 72 | (EVar "php73", _) => SOME 73 | (EVar "php74", _) => SOME 74 + | (EVar "php80", _) => SOME 80 | _ => NONE fun vhostBody (env, makeFullHost) = @@ -1207,13 +1208,16 @@ val () = Env.action_one "diskCache" val () = Env.action_one "phpVersion" ("version", php_version) (fn version => (write "\tAddHandler fcgid-script .php .phtml\n"; - (* FIXME: only set kerberos wrapper of waklog is on *) - (* won't be trivial, since we don't have access to node here *) - write "\n\tFcgidWrapper \""; - write (Config.Apache.fastCgiWrapperOf (Domain.getUser ())); - write " "; - write (Config.Apache.phpFastCgiWrapper version); - write "\" .php .phtml\n")) + (* FIXME: only set kerberos wrapper of waklog is on *) + (* won't be trivial, since we don't have access to node here *) + app (fn ext => (write "\n\tFcgidWrapper \""; + write (Config.Apache.fastCgiWrapperOf (Domain.getUser ())); + write " "; + write (Config.Apache.phpFastCgiWrapper version); + write "\" "; + write ext; + write "\n")) + [".php", ".phtml"])) val () = Env.action_two "addType" ("mime type", Env.string, "extension", Env.string) -- 2.20.1 From 3ee4785cf7ea173d6ea9eb65cc3c43c5a5729f28 Mon Sep 17 00:00:00 2001 From: Clinton Ebadi Date: Tue, 23 Feb 2021 22:20:00 -0500 Subject: [PATCH 4/7] hcoop: style nit Make order of declarations for busted match other servers. --- lib/hcoop.dtl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/hcoop.dtl b/lib/hcoop.dtl index db725ba..d65d892 100644 --- a/lib/hcoop.dtl +++ b/lib/hcoop.dtl 
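Review bot: In the rewritten phpVersion action (hunk at 1207) both `Config.Apache.fastCgiWrapperOf (Domain.getUser ())` and `Config.Apache.phpFastCgiWrapper version` are recomputed on every iteration of the `app` over the two extensions; they are loop-invariant and belong in a `let` before the `app`, so the two FcgidWrapper directives cannot diverge and `Domain.getUser ()` is consulted once. The carried-over FIXME reads `only set kerberos wrapper of waklog is on` and should say `if waklog is on`. The php80 arm added to php_version (hunk at 475) is consistent with the neighbouring arms, though as far as I can see the matching `extern val php80` declaration in lib/apache.dtl only arrives in a later patch of this series, so a checkout between the two leaves the plugin accepting a name the library does not declare.
```sml
(fn version =>
    let
        val wrapper = Config.Apache.fastCgiWrapperOf (Domain.getUser ())
        val php = Config.Apache.phpFastCgiWrapper version
    in
        write "\tAddHandler fcgid-script .php .phtml\n";
        (* … unchanged: FIXME comments about the waklog kerberos wrapper … *)
        app (fn ext => (write "\n\tFcgidWrapper \""; write wrapper; write " ";
                        write php; write "\" "; write ext; write "\n"))
            [".php", ".phtml"]
    end))
```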
@@ -29,8 +29,8 @@ val outpost_ipv6 : (ipv6) = "2a01:7e00::f03c:91ff:fe70:7c62"; (* Digital Ocean *) val busted_ip : (ip) = "64.225.6.23"; -val busted_private_ip : (ip) = "2604:a880:800:c1::1fe:7001"; -val busted_ipv6 : (ipv6) = "10.132.165.25"; +val busted_private_ip : (ip) = "10.132.165.25"; +val busted_ipv6 : (ipv6) = "2604:a880:800:c1::1fe:7001"; val gibran_ip : (ip) = "142.93.177.82"; val gibran_private_ip : (ip) = "10.132.5.78"; -- 2.20.1 From 4e432cbb02c2001884be392701bd3344bd5a47f5 Mon Sep 17 00:00:00 2001 From: Clinton Ebadi Date: Tue, 23 Feb 2021 22:27:25 -0500 Subject: [PATCH 5/7] apache: enable php 8.0 support --- lib/apache.dtl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/apache.dtl b/lib/apache.dtl index b663f0e..745cc62 100644 --- a/lib/apache.dtl +++ b/lib/apache.dtl @@ -43,6 +43,8 @@ extern val php73 : php_version; {{FastCGI based php 7.3.}} extern val php74 : php_version; {{FastCGI based php 7.4.}} +extern val php80 : php_version; +{{FastCGI based php 8.0.}} extern val vhost : host -> Vhost => [Domain] {WebPlaces : [web_place], -- 2.20.1 From d505bba1ca42e447925faa4f4d042d8378b77980 Mon Sep 17 00:00:00 2001 
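Review bot: The hunk at 29 is not a reordering: `busted_private_ip : (ip)` previously held an IPv6 literal and `busted_ipv6 : (ipv6)` held a 10.x IPv4 address, so the change corrects swapped values rather than declaration order, and the title `style nit` undersells a fix that changes what every consumer of those two values sees. I would retitle it along the lines of `hcoop: fix swapped busted private/ipv6 addresses`. It is worth confirming that no generated configuration depended on the previous (wrong) values before this is deployed.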
From: Clinton Ebadi Date: Sat, 6 Nov 2021 14:47:36 -0400 Subject: [PATCH 6/7] mysql: grant users ALL perms on their dbs, remove mysql-fixperms Users were not given DROP permissions at the database level since that came with the risk of the user dropping their own database, with DROP permissions for individual tables granted by mysql-fixperms. This safeguard unfortunately breaks most software since installation and migration scripts usually assume a database wide grant has been issued and they can use SQL like "DROP TABLE ... IF EXISTS". Given this reality, grant users ALL permissions to their database. Regular backups are critical, and can mitigate the risk as best as it can be. --- Makefile | 10 +--------- src/main-mysql-fixperms.sml | 24 ------------------------ src/main.sig | 2 -- src/main.sml | 27 --------------------------- src/msg.sml | 4 ++-- src/msgTypes.sml | 2 +- src/plugins/domtool-mysql | 4 ++-- 7 files changed, 6 insertions(+), 67 deletions(-) delete mode 100644 src/main-mysql-fixperms.sml diff --git a/Makefile b/Makefile index efa01a6..1f1d55b 100644 --- a/Makefile +++ b/Makefile @@ -31,7 +31,7 @@ config.sml: mlton: bin/domtool-server bin/domtool-client bin/domtool-slave \ bin/domtool-admin bin/domtool-doc bin/dbtool bin/vmail \ - bin/smtplog bin/setsa bin/mysql-fixperms bin/webbw bin/domtool-tail \ + bin/smtplog bin/setsa bin/webbw bin/domtool-tail \ bin/fwtool bin/domtool-config bin/domtool-portal smlnj: $(COMMON_DEPS) openssl/smlnj/FFI/libssl.h.cm pcre/smlnj/FFI/libpcre.h.cm \ @@ -113,10 +113,6 @@ src/smtplog.mlb: src/prefix.mlb src/sources src/suffix.mlb $(MAKE_MLB_BASE) >src/smtplog.mlb echo "main-smtplog.sml" >>src/smtplog.mlb -src/mysql-fixperms.mlb: src/prefix.mlb src/sources src/suffix.mlb - $(MAKE_MLB_BASE) >src/mysql-fixperms.mlb - echo "main-mysql-fixperms.sml" >>src/mysql-fixperms.mlb - src/fwtool.mlb: src/prefix.mlb src/sources src/suffix.mlb $(MAKE_MLB_BASE) >src/fwtool.mlb echo "main-fwtool.sml" >>src/fwtool.mlb 
@@ -204,9 +200,6 @@ bin/setsa: $(COMMON_MLTON_DEPS) src/setsa.mlb bin/smtplog: $(COMMON_MLTON_DEPS) src/smtplog.mlb $(MLTON) -output bin/smtplog src/smtplog.mlb -bin/mysql-fixperms: $(COMMON_MLTON_DEPS) src/mysql-fixperms.mlb - $(MLTON) -output bin/mysql-fixperms src/mysql-fixperms.mlb - bin/fwtool: $(COMMON_MLTON_DEPS) src/fwtool.mlb $(MLTON) -output bin/fwtool src/fwtool.mlb @@ -254,7 +247,6 @@ install: install_sos -cp bin/vmail /usr/local/bin/ -cp bin/setsa /usr/local/bin/ -cp bin/smtplog /usr/local/bin/ - -cp bin/mysql-fixperms /usr/local/bin/ -cp bin/vmailpasswd /usr/local/bin/ -cp bin/webbw /usr/local/sbin/ -cp bin/domtool-tail /usr/local/bin/ diff --git a/src/main-mysql-fixperms.sml b/src/main-mysql-fixperms.sml deleted file mode 100644 index 1e49f0f..0000000 --- a/src/main-mysql-fixperms.sml +++ /dev/null @@ -1,24 +0,0 @@ -(* HCoop Domtool (http://hcoop.sourceforge.net/) - * Copyright (c) 2007, Adam Chlipala - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - *) - -(* Driver for requesting MySQL DROP permission granting *) - -val _ = - case CommandLine.arguments () of - [] => Main.requestMysqlFixperms () - | _ => print "Invalid command-line arguments\n" diff --git a/src/main.sig b/src/main.sig index bea8247..ffee519 100644 --- a/src/main.sig +++ b/src/main.sig 
@@ -77,8 +77,6 @@ signature MAIN = sig val requestSmtpLog : string -> unit - val requestMysqlFixperms : unit -> unit - val requestApt : {node : string, pkg : string} -> OS.Process.status val requestAptExists : {node : string, pkg : string} -> OS.Process.status val requestCron : {node : string, uname : string} -> OS.Process.status diff --git a/src/main.sml b/src/main.sml index dfe0bd5..c6272f2 100644 --- a/src/main.sml +++ b/src/main.sml @@ -754,23 +754,6 @@ fun requestSmtpLog domain = OpenSSL.close bio end -fun requestMysqlFixperms () = - let - val (_, context) = requestContext (fn () => ()) - val bio = OpenSSL.connect true (context, - Config.Dbms.dbmsNode ^ ":" ^ Int.toString Config.slavePort) - in - Msg.send (bio, MsgMysqlFixperms); - case Msg.recv bio of - NONE => print "Server closed connection unexpectedly.\n" - | SOME m => - case m of - MsgOk => print "Permissions granted.\n" - | MsgError s => print ("Failed: " ^ s ^ "\n") - | _ => print "Unexpected server reply.\n"; - OpenSSL.close bio - end - fun requestApt {node, pkg} = let val (user, context) = requestContext (fn () => ()) @@ -1847,16 +1830,6 @@ fun slave () = ("Invalid database name " ^ user ^ "_" ^ dbname, SOME ("Invalid database name " ^ dbname))) (fn () => ()) - | MsgMysqlFixperms => - (print "Starting mysql-fixperms\n"; - doIt (fn () => if OS.Process.isSuccess - (OS.Process.system "/usr/bin/sudo -H /afs/hcoop.net/common/etc/scripts/mysql-grant-table-drop") then - ("Requested mysql-fixperms", - NONE) - else - ("Requested mysql-fixperms, but execution failed!", - SOME "Script execution failed.")) - (fn () => ())) | MsgFirewallRegen => doIt (fn () => (Acl.read Config.aclFile; if Acl.query {user = user, class = "priv", value = "all"} then diff --git a/src/msg.sml b/src/msg.sml index eb04648..23ec652 100644 --- a/src/msg.sml +++ b/src/msg.sml 
@@ -238,7 +238,7 @@ fun send (bio, m) = | MsgGrantDb {dbtype, dbname} => (OpenSSL.writeInt (bio, 37); OpenSSL.writeString (bio, dbtype); OpenSSL.writeString (bio, dbname)) - | MsgMysqlFixperms => OpenSSL.writeInt (bio, 38) + (* | MsgMysqlFixperms => OpenSSL.writeInt (bio, 38) *) | MsgDescribe dom => (OpenSSL.writeInt (bio, 39); OpenSSL.writeString (bio, dom)) | MsgDescription s => (OpenSSL.writeInt (bio, 40); @@ -365,7 +365,7 @@ fun recv bio = (SOME dbtype, SOME dbname) => SOME (MsgGrantDb {dbtype = dbtype, dbname = dbname}) | _ => NONE) - | 38 => SOME MsgMysqlFixperms + (* | 38 => SOME MsgMysqlFixperms *) | 39 => Option.map MsgDescribe (OpenSSL.readString bio) | 40 => Option.map MsgDescription (OpenSSL.readString bio) | 41 => SOME MsgReUsers diff --git a/src/msgTypes.sml b/src/msgTypes.sml index c815960..aece410 100644 --- a/src/msgTypes.sml +++ b/src/msgTypes.sml @@ -125,7 +125,7 @@ datatype msg = (* MsgRegenerate without actual publishing of configuration *) | MsgGrantDb of {dbtype : string, dbname : string} (* Grant all allowed privileges on a DBMS database to the user *) - | MsgMysqlFixperms + (* | MsgMysqlFixperms *) (* Run the script to grant DROP privileges on MySQL tables to owning users *) | MsgDescribe of string (* Ask for a listing of all of a domain's real configuration *) diff --git a/src/plugins/domtool-mysql b/src/plugins/domtool-mysql index b3690ff..0d1710e 100755 --- a/src/plugins/domtool-mysql +++ b/src/plugins/domtool-mysql @@ -32,7 +32,7 @@ case $1 in chmod 770 $DIR/$DBNAME ln -sf $DIR/$DBNAME /var/lib/mysql/$DBNAME chmod g+rw -R $DIR/$DBNAME/ - sudo -H mysql -e "GRANT CREATE,CREATE TEMPORARY TABLES,SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,LOCK TABLES,GRANT OPTION ON TABLE * TO '$USERNAME'@$WHERE;" $DBNAME + sudo -H mysql -e "GRANT ALL ON TABLE * TO '$USERNAME'@$WHERE WITH GRANT OPTION;" $DBNAME sudo -H mysql -e "FLUSH PRIVILEGES;" ;; 
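Review bot: Replacing the `MsgMysqlFixperms` arms in send and recv (hunks at 238 and 365) with commented-out code retires wire tag 38 only implicitly; recv presumably falls through to its catch-all `NONE` for that tag, which is fine, but the remnants read like dead code rather than a reservation. I would replace each with `(* 38: formerly MsgMysqlFixperms, retired; do not reuse the tag *)` so the number is not recycled for a different message against a peer that still speaks the old protocol. The same applies to the msgTypes.sml hunk at 125, where the constructor is commented out but the doc comment about granting DROP privileges still stands as if it described a live constructor; fold it into one retirement note. send and recv both continue outside these hunks.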
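Review bot: `GRANT ALL ON TABLE * ... WITH GRANT OPTION` in the create branch (hunk at 32, and the same line in the grant branch at 50) hands out noticeably more than the DROP privilege the commit message argues for: on MySQL/MariaDB a database-level ALL also covers TRIGGER, EVENT, CREATE ROUTINE, ALTER ROUTINE, EXECUTE and REFERENCES, which let stored code run under the event scheduler and the definer's rights, and none of which the old enumerated list contained. If the intent is only to make `DROP TABLE ... IF EXISTS` work, appending DROP to the explicit list keeps the least-privilege posture the script had; if ALL is deliberate, say so next to the GRANT, e.g. `# ALL (not just DROP) is intentional; see commit message`. Separately, `$USERNAME`, `$WHERE` and `$DBNAME` are still spliced into the SQL text unquoted, which predates this change and appears to rely on the "Invalid database name" validation visible in main.sml, but is worth keeping in mind now that the grant is broader.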
@@ -50,7 +50,7 @@ case $1 in DBNAME_BASE=$3 DBNAME="${USERNAME}_${DBNAME_BASE}" - sudo -H mysql -e "GRANT CREATE,SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,LOCK TABLES,GRANT OPTION ON TABLE * TO '$USERNAME'@$WHERE;" $DBNAME + sudo -H mysql -e "GRANT ALL ON TABLE * TO '$USERNAME'@$WHERE WITH GRANT OPTION;" $DBNAME ;; *) -- 2.20.1 From 9508dec7476457717d3606f868783e90ebc2d653 Mon Sep 17 00:00:00 2001 From: Clinton Ebadi Date: Sat, 6 Nov 2021 15:29:31 -0400 Subject: [PATCH 7/7] mysql: revoke permissions when dropping database Grants are not automatically deleted. Also have to explicitly revoke grant option or a "USAGE WITH GRANT OPTION" grant is left behind. --- src/plugins/domtool-mysql | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/plugins/domtool-mysql b/src/plugins/domtool-mysql index 0d1710e..4e549e6 100755 --- a/src/plugins/domtool-mysql +++ b/src/plugins/domtool-mysql @@ -42,7 +42,10 @@ case $1 in DBNAME_BASE=$3 DBNAME="${USERNAME}_${DBNAME_BASE}" + sudo -H mysql -e "REVOKE ALL ON TABLE * FROM '$USERNAME'@$WHERE;" $DBNAME + sudo -H mysql -e "REVOKE GRANT OPTION ON TABLE * FROM '$USERNAME'@$WHERE;" $DBNAME sudo -H mysql -e "DROP DATABASE $DBNAME;" + ;; grant) -- 2.20.1
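Review bot: The two REVOKE statements added before `DROP DATABASE` (hunk at 42) run without checking their exit status, so if either fails the database is still dropped and the stale grant the commit is trying to remove survives; conversely a successful REVOKE followed by a failed DROP leaves the user cut off from a database that still exists. Chaining them, `sudo -H mysql -e "REVOKE ALL ON TABLE * FROM '$USERNAME'@$WHERE;" $DBNAME || exit 1` and likewise for the GRANT OPTION revoke, at least stops the drop on a failed revoke, unless the script already runs under `set -e` further up, which I cannot see from the hunk. The blank line inserted before `;;` looks accidental. REVOKE removes the privileges but not the account row, so a member with no remaining databases still keeps a USAGE entry; if that is unwanted it needs a separate cleanup step.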