[BlueOnyx:10196] 5106R/5107R/5108R YUM updates
Michael Stauber
mstauber at blueonyx.it
Thu Apr 19 21:35:51 -05 2012
Hi all,
The following YUM updates have just been released:
base-apache (5107R + 5108R):
==========================
There appears to be some weird problem with SSL certificates on BlueOnyx 5107R
and 5108R. The GUI management pages for these certainly have a few issues
which need to be addressed. At this time the import and setup of SSL
certificates appears to have a "hit and miss" success rate. This is still
being worked on.
In the meantime this update fixes another problem related with SSL
certificates: If SSL is enabled for a Vsite, then it may happen that web
access to that site may redirect endlessly. To fix that one a certain
RewriteRule has been removed from the Apache Vhost container. This update
will make sure that the offending RewriteRule is commented out in existing
Vsites and that new Vsites will directly have it commented out.
base-vsite (5106R, 5107R + 5108R):
=============================
This update to base-vsite improves the PHP security model of BlueOnyx one step
further.
Right now we support two different PHP implementations:
- The traditional mod_php implementation of PHP.
- The more secure suPHP approach using CGI/FastCG.
Both have their benefits and drawbacks, but suPHP generally offers the best
protection.
As recently discussed on the BlueOnyx mailing list it can sometimes be
difficult to find out which PHP scripts have sent emails. If there is an old
and vulnerable PHP script that has been tricked into sending SPAM, then the
usual tools and methods we have at hand for finding the culprit leave a lot to
be desired.
If suPHP is enabled on all Vsites, the headers of the sent emails will at
least tell us the username of the offending user. But if mod_php is used
instead, then all you have left is going through your logfiles at a
painstakenly pace.
This updated base-vsite module will change this:
If a PHP script now uses the PHP mail() function, it will not talk directly to
sendmail for the delivery, but will use a small round about through the new
executeable /usr/sausalito/sbin/phpsendmail instead.
This binary will log all PHP related email traffic to /var/log/maillog in an
easy to understand fashion, which will make it very easy to see which script
sent which email.
Additionally emails generated and sent by PHP scripts will have a "X-PHP-
Originating-Script" header, which tells us the numeric user ID of the owner of
the sending script and the name of the sending script:
X-PHP-Originating-Script: 502:mail.php
This information can then be used to look up the offending script in
/var/log/maillog.
The '502' in the above examle tells us that the numeric user ID of the owner
of the script was '502'. After the colon we see the name (just the name - not
the path!) of the offending script. In this case here 'mail.php'.
Now if we have such an email in front of us and would need to find out which
site and user the email really came from on our server, we would need to take
a look at /var/log/maillog like this:
cat /var/log/maillog|grep uid=502|grep mail.php
So we grep for the numeric user ID (502 in this case) and the name of the
script (mail.php) that was listed in the "X-PHP-Originating-Script:" header of
said email.
Or if we wanted to see just the log entries of all PHP related email activity,
we could use this command:
cat /var/log/maillog|grep sendmail-wrapper-php
That will show us all PHP related email activity.
Example:
Apr 19 01:10:18 5108r root: sendmail-wrapper-php: site=5108r1.smd.net,
client=10.1.128.1,
script=/home/.sites/28/site1/web/mailtest/mailtest/mail.php, uid=502,
user=xxx_admin
Apr 19 01:35:01 5108r root: sendmail-wrapper-php: site=5108r1.smd.net,
client=10.1.128.1,
script=/home/.sites/28/site1/web/mailtest/mailtest/mail.php, uid=502,
user=xxx_admin
For more technical information about this update, please see [BlueOnyx:10186]
on the BlueOnyx mailing list.
--
With best regards
Michael Stauber
More information about the Blueonyx
mailing list