[BlueOnyx:10197] Re: 5106R/5107R/5108R YUM updates

Christoph Schneeberger cschnee at box.telemedia.ch
Fri Apr 20 01:31:25 -05 2012 

Good morning Michael,

I appreciate the idea behind these updates very much. But since they
were automagically deployed on some of our VPS we get problems with
sites (mostly sites which had safe_mode enabled):

PHP Warning:
Unknown: SAFE MODE Restriction in effect.  The script whose uid is 504 is
not allowed to access /usr/sausalito/configs/php/set_php_headers.php owned
by uid 0 in Unknown on line 0


On sites with Solarspeed PHP all safe_mode related settings seem to have
disappeared from the PHP Section of SiteManagement since the update.

Also all Squirrelmail on regular 5106R (with stock PHP) fail now after
the updated with the following errors in log:

Unknown: open_basedir restriction in effect. File(/usr/sausalito/configs/php/set_php_headers.php) is not within the allowed path(s): (/home/:/tmp/:/var/lib/php/session/:/usr/share/squirrelmail/:/etc/squirrelmail/:/var/spool/squirrelmail/:/var/lib/squirrelmail/prefs/) in Unknown on line 0
PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
PHP Warning:  Unknown: Failed opening '/usr/sausalito/configs/php/set_php_headers.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in Unknown on line 0


I am further looking into these problems but this is what I've been able
to find since Nagios got me out of bed ;-P

Cheers,
Christoph


Michael Stauber wrote:
> Hi all,
>
> The following YUM updates have just been released:
>
> base-apache (5107R + 5108R):
> ==========================
>
> There appears to be some weird problem with SSL certificates on BlueOnyx 5107R 
> and 5108R. The GUI management pages for these certainly have a few issues 
> which need to be addressed. At this time the import and setup of SSL 
> certificates appears to have a "hit and miss" success rate. This is still 
> being worked on.
>
> In the meantime this update fixes another problem related with SSL 
> certificates: If SSL is enabled for a Vsite, then it may happen that web 
> access to that site may redirect endlessly. To fix that one a certain 
> RewriteRule has been removed from the Apache Vhost container.  This update 
> will make sure that the offending RewriteRule is commented out in existing 
> Vsites and that new Vsites will directly have it commented out.
>
> base-vsite (5106R, 5107R + 5108R):
> =============================
>
> This update to base-vsite improves the PHP security model of BlueOnyx one step 
> further.
>
> Right now we support two different PHP implementations:
>
>     - The traditional mod_php implementation of PHP.
>     - The more secure suPHP approach using CGI/FastCG.
>
> Both have their benefits and drawbacks, but suPHP generally offers the best 
> protection.
>
> As recently discussed on the BlueOnyx mailing list it can sometimes be 
> difficult to find out which PHP scripts have sent emails. If there is an old 
> and vulnerable PHP script that has been tricked into sending SPAM, then the 
> usual tools and methods we have at hand for finding the culprit leave a lot to 
> be desired.
>
> If suPHP is enabled on all Vsites, the headers of the sent emails will at 
> least tell us the username of the offending user. But if mod_php is used 
> instead, then all you have left is going through your logfiles at a 
> painstakenly pace.
>
> This updated base-vsite module will change this:
>
> If a PHP script now uses the PHP mail() function, it will not talk directly to 
> sendmail for the delivery, but will use a small round about through the new 
> executeable /usr/sausalito/sbin/phpsendmail instead.
>
> This binary will log all PHP related email traffic to /var/log/maillog in an 
> easy to understand fashion, which will make it very easy to see which script 
> sent which email.
>
> Additionally emails generated and sent by PHP scripts will have a "X-PHP-
> Originating-Script" header, which tells us the numeric user ID of the owner of 
> the sending script and the name of the sending script:
>
> X-PHP-Originating-Script: 502:mail.php
>
> This information can then be used to look up the offending script in 
> /var/log/maillog.
>
> The '502' in the above examle tells us that the numeric user ID of the owner 
> of the script was '502'. After the colon we see the name (just the name - not 
> the path!) of the offending script. In this case here 'mail.php'.
>
> Now if we have such an email in front of us and would need to find out which 
> site and user the email really came from on our server, we would need to take 
> a look at /var/log/maillog like this:
>
> cat /var/log/maillog|grep uid=502|grep mail.php
>
> So we grep for the numeric user ID (502 in this case) and the name of the 
> script (mail.php) that was listed in the "X-PHP-Originating-Script:" header of 
> said email.
>
> Or if we wanted to see just the log entries of all PHP related email activity, 
> we could use this command:
>
> cat /var/log/maillog|grep sendmail-wrapper-php
>
> That will show us all PHP related email activity.
>
> Example:
>
> Apr 19 01:10:18 5108r root: sendmail-wrapper-php: site=5108r1.smd.net, 
> client=10.1.128.1, 
> script=/home/.sites/28/site1/web/mailtest/mailtest/mail.php, uid=502, 
> user=xxx_admin
> Apr 19 01:35:01 5108r root: sendmail-wrapper-php: site=5108r1.smd.net, 
> client=10.1.128.1, 
> script=/home/.sites/28/site1/web/mailtest/mailtest/mail.php, uid=502, 
> user=xxx_admin
>
> For more technical information about this update, please see [BlueOnyx:10186] 
> on the BlueOnyx mailing list.
>
>

More information about the Blueonyx mailing list