From 1b62ce024043399d3be998324c2d66e566a5f14f Mon Sep 17 00:00:00 2001 From: "ljf (zamentur)" Date: Fri, 11 Sep 2020 20:27:40 +0200 Subject: [PATCH 01/11] [fix] Reduce right given to ynh users with ssh (#1050) * [fix] Avoid ynh user to be able to use X11 forwarding * [fix] Avoid some bad situations * [fix] Remove chroot restrictions and x11 authorization * Update comments Co-authored-by: Alexandre Aubin --- data/templates/ssh/sshd_config | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config index bd3efdef3..84f06d4e5 100644 --- a/data/templates/ssh/sshd_config +++ b/data/templates/ssh/sshd_config @@ -66,12 +66,19 @@ AcceptEnv LANG LC_* # SFTP stuff Subsystem sftp internal-sftp -Match User sftpusers - ForceCommand internal-sftp - ChrootDirectory /home/%u - AllowTcpForwarding no - GatewayPorts no - X11Forwarding no + +# Forbid users from using their account SSH as a VPN (even if SSH login is disabled) +AllowTcpForwarding no +AllowStreamLocalForwarding no + +# Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled +PermitUserRC no + +Match User admin,root + AllowTcpForwarding yes + AllowStreamLocalForwarding yes + PermitUserRC yes + # root login is allowed on local networks # It's meant to be a backup solution in case LDAP is down and From 56644a5ffe66f65d75efa107f8bb987d0dc42cab Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 11 Sep 2020 20:36:29 +0200 Subject: [PATCH 02/11] Update changelog for 4.0.7.1 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 34d0da4dd..44f1d33ab 100644 --- a/debian/changelog +++ b/debian/changelog 
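Review bot: `X11Forwarding no` and `GatewayPorts no` from the removed `Match User sftpusers` block get no global replacement in the added lines, so the "avoid X11 forwarding" goal stated in the subject now rests on sshd's built-in defaults unless the file sets them elsewhere outside this hunk; making it explicit next to the new global lines, `X11Forwarding no` and `GatewayPorts no`, costs nothing and survives a change of defaults. Also note that sshd applies everything after a `Match` line to that match until the next `Match` or end of file; the trailing context ("root login is allowed on local networks") suggests further directives follow the new `Match User admin,root` block, which is fine only if they are themselves `Match` blocks, otherwise they must be moved above it. A one-line comment stating that ordering constraint above the block would keep the next editor from breaking it.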
@@ -1,3 +1,9 @@ +yunohost (4.0.7.1) stable; urgency=low + + - Forbid users from using SSH as a VPN (even if SSH login is disabled) (#1050) + + -- Alexandre Aubin Fri, 11 Sep 2020 21:06:09 +0200 + yunohost (4.0.7) stable; urgency=low - [fix] Require explicitly php7.3-foo packages because in some cases Sury's php7.4- packages are installed and php7.3-fpm doesn't get installed ... (1288159a) From 8d4f36e13160f6002ecec4d99250c6f2ea2d9414 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 14 Sep 2020 17:06:40 +0200 Subject: [PATCH 03/11] Remove pipe char when trying to re-run apt with dry-run ... Because apt becomes absolutely crazy and make every package installed conflict with weird stuff --- data/helpers.d/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 1a4a9f74a..1e880af76 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt @@ -198,7 +198,7 @@ ynh_package_install_from_equivs () { # (the following is ran inside { } to not start a subshell otherwise ynh_die wouldnt exit the original process) # Get the list of dependencies from the deb local dependencies="$(dpkg --info "$TMPDIR/${pkgname}_${pkgversion}_all.deb" | grep Depends | \ - sed 's/^ Depends: //' | sed 's/,//g')" + sed 's/^ Depends: //' | sed 's/,//g' | tr -d '|')" # Fake an install of those dependencies to see the errors # The sed command here is, Print only from '--fix-broken' to the end. ynh_package_install $dependencies --dry-run | sed --quiet '/--fix-broken/,$p' >&2 From 7dcf4b008b246ccecc15f802718f84639caa0b48 Mon Sep 17 00:00:00 2001 From: Kayou Date: Tue, 15 Sep 2020 20:53:26 +0200 Subject: [PATCH 04/11] Epic bugfix --- data/helpers.d/php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/php b/data/helpers.d/php index 489c448a8..c538d8688 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
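Review bot: After stripping `,` and `|`, the `Depends:` line still carries version constraints such as `(>= 1.0)`, and those tokens are then handed to `ynh_package_install` as if they were package names, so the dry-run reports bogus "unable to locate package" errors instead of the real conflict; strip them too, e.g. `sed 's/([^)]*)//g'` in the same pipeline. `grep Depends` also matches a `Pre-Depends:` line if the control file has one. The enclosing `ynh_package_install_from_equivs` body starts and ends outside the hunk.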
@@ -219,7 +219,7 @@ ynh_add_fpm_config () { if [ -e "../conf/php-fpm.ini" ] then - ynh_print_warn -message="Packagers ! Please do not use a separate php ini file, merge your directives in the pool file instead." + ynh_print_warn --message="Packagers ! Please do not use a separate php ini file, merge your directives in the pool file instead." finalphpini="$fpm_config_dir/conf.d/20-$app.ini" ynh_backup_if_checksum_is_different "$finalphpini" cp ../conf/php-fpm.ini "$finalphpini" From d2c0cc9240cae8ac200559fb2ad94961768396a5 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 16 Sep 2020 15:24:09 +0200 Subject: [PATCH 05/11] Use php7.3 by default in CLI --- data/hooks/conf_regen/10-apt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/hooks/conf_regen/10-apt b/data/hooks/conf_regen/10-apt index 4ce838e4c..5446c262c 100755 --- a/data/hooks/conf_regen/10-apt +++ b/data/hooks/conf_regen/10-apt @@ -18,6 +18,9 @@ Pin-Priority: -1" >> "/etc/apt/preferences.d/extra_php_version" do_post_regen() { regen_conf_files=$1 + + # Make sure php7.3 is the default version when using php in cli + update-alternatives --set php /usr/bin/php7.3 } FORCE=${2:-0} From 532cd5e87ec96f762287dd917b2bfbbe9175f7b7 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 16 Sep 2020 15:27:32 +0200 Subject: [PATCH 06/11] Force locale to C during postgresql migration to avoid some stupid issue related to locale --- src/yunohost/data_migrations/0017_postgresql_9p6_to_11.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/yunohost/data_migrations/0017_postgresql_9p6_to_11.py b/src/yunohost/data_migrations/0017_postgresql_9p6_to_11.py index 955393c5b..ce12855d8 100644 --- a/src/yunohost/data_migrations/0017_postgresql_9p6_to_11.py +++ b/src/yunohost/data_migrations/0017_postgresql_9p6_to_11.py 
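Review bot: The added `update-alternatives --set php /usr/bin/php7.3` runs on every post-regen, ignores `regen_conf_files`, and fails with "alternative ... not registered" when no php7.3 CLI binary is installed; if the hook runs with `set -e` (not visible here) that aborts the whole regen. Guard it on the binary, e.g. `[ -x /usr/bin/php7.3 ] && update-alternatives --set php /usr/bin/php7.3`, or wrap the call in an `if` so the function's exit status is not the failed check. `do_post_regen` is shown whole here, but the rest of the hook is outside the hunk.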
@@ -36,9 +36,9 @@ class MyMigration(Migration): raise YunohostError("migration_0017_not_enough_space", path="/var/lib/postgresql/") self.runcmd("systemctl stop postgresql") - self.runcmd("pg_dropcluster --stop 11 main || true") # We do not trigger an exception if the command fails because that probably means cluster 11 doesn't exists, which is fine because it's created during the pg_upgradecluster) - self.runcmd("pg_upgradecluster -m upgrade 9.6 main") - self.runcmd("pg_dropcluster --stop 9.6 main") + self.runcmd("LC_ALL=C pg_dropcluster --stop 11 main || true") # We do not trigger an exception if the command fails because that probably means cluster 11 doesn't exists, which is fine because it's created during the pg_upgradecluster) + self.runcmd("LC_ALL=C pg_upgradecluster -m upgrade 9.6 main") + self.runcmd("LC_ALL=C pg_dropcluster --stop 9.6 main") self.runcmd("systemctl start postgresql") def package_is_installed(self, package_name): From 92068590a202d06db1698d22c73012df2b69df79 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 16 Sep 2020 16:14:03 +0200 Subject: [PATCH 07/11] [enh] Better problematic apt dependencies auto-investigation mechanism (#1051) * [enh] Better problematic apt dependencies auto-investigation mechanism * Misc tweak / fixes following tests --- data/helpers.d/apt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 1e880af76..59f233c60 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt 
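Review bot: The `LC_ALL=C` prefix only takes effect if `self.runcmd` executes its argument through a shell; the existing `|| true` strongly suggests it does, but `runcmd` is defined outside this hunk, so a short comment on the first changed line, `# LC_ALL=C: runcmd goes through a shell; pg_* tools misparse localized output`, would record the assumption. Separately, `|| true` hides every failure of `pg_dropcluster`, not just the "cluster 11 does not exist" case the trailing comment describes, so a later `pg_upgradecluster` error will be harder to attribute; checking `pg_lsclusters` for cluster 11 before dropping would keep the intent explicit.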
@@ -191,17 +191,17 @@ ynh_package_install_from_equivs () { cp "$controlfile" "${TMPDIR}/control" (cd "$TMPDIR" LC_ALL=C equivs-build ./control 1> /dev/null - dpkg --force-depends --install "./${pkgname}_${pkgversion}_all.deb" 2>&1) + LC_ALL=C dpkg --force-depends --install "./${pkgname}_${pkgversion}_all.deb" 2>&1 | tee ./dpkg_log) ynh_package_install --fix-broken || \ { # If the installation failed # (the following is ran inside { } to not start a subshell otherwise ynh_die wouldnt exit the original process) - # Get the list of dependencies from the deb - local dependencies="$(dpkg --info "$TMPDIR/${pkgname}_${pkgversion}_all.deb" | grep Depends | \ - sed 's/^ Depends: //' | sed 's/,//g' | tr -d '|')" + # Parse the list of problematic dependencies from dpkg's log ... + # (relevant lines look like: "foo-ynh-deps depends on bar; however:") + local problematic_dependencies="$(cat $TMPDIR/dpkg_log | grep -oP '(?<=-ynh-deps depends on ).*(?=; however)' | tr '\n' ' ')" # Fake an install of those dependencies to see the errors - # The sed command here is, Print only from '--fix-broken' to the end. - ynh_package_install $dependencies --dry-run | sed --quiet '/--fix-broken/,$p' >&2 + # The sed command here is, Print only from 'Reading state info' to the end. + [[ -n "$problematic_dependencies" ]] && ynh_package_install $problematic_dependencies --dry-run 2>&1 | sed --quiet '/Reading state info/,$p' | grep -v "fix-broken\|Reading state info" >&2 ynh_die --message="Unable to install dependencies"; } [[ -n "$TMPDIR" ]] && rm --recursive --force $TMPDIR # Remove the temp dir. From b59ed4120b698c5efca05c3cf830ae47fdd0824f Mon Sep 17 00:00:00 2001 
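Review bot: `cat $TMPDIR/dpkg_log | grep -oP ...` leaves `$TMPDIR` unquoted and the `cat` is unnecessary; write `grep -oP '(?<=-ynh-deps depends on ).*(?=; however)' "$TMPDIR/dpkg_log"`. The captured text keeps dpkg's version constraint when one is present (e.g. `bar (>= 2.0)`), and those tokens then reach `ynh_package_install` as separate package names, so strip them with `sed 's/([^)]*)//g'` before the `tr`. The `| tee ./dpkg_log` also means the subshell's status is now tee's rather than dpkg's, which is harmless only because that status was never checked; the enclosing function continues outside the hunk.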
From: Alexandre Aubin Date: Wed, 16 Sep 2020 16:18:10 +0200 Subject: [PATCH 08/11] Diagnose ssl libs installed from sury (#1053) * Small fix / syntax improvement in apt conf regen hook * Diagnose, report and add a tip if some ssl libs are installed from Sury (shouldnt happen with the new pinning strategy, but some user still encounter issues because of this because of legacy installs) --- data/hooks/conf_regen/10-apt | 5 +++-- data/hooks/diagnosis/00-basesystem.py | 23 +++++++++++++++++++++++ locales/en.json | 2 ++ 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/data/hooks/conf_regen/10-apt b/data/hooks/conf_regen/10-apt index 5446c262c..09789470b 100755 --- a/data/hooks/conf_regen/10-apt +++ b/data/hooks/conf_regen/10-apt @@ -7,12 +7,13 @@ do_pre_regen() { mkdir --parents "${pending_dir}/etc/apt/preferences.d" - for package in "php" "php-fpm" "php-mysql" "php-xml" "php-zip" "php-mbstring" "php-ldap" "php-gd" "php-curl" "php-bz2" "php-json" "php-sqlite3" "php-intl" "openssl" "libssl1.1" "libssl-dev" + packages_to_refuse_from_sury="php php-fpm php-mysql php-xml php-zip php-mbstring php-ldap php-gd php-curl php-bz2 php-json php-sqlite3 php-intl openssl libssl1.1 libssl-dev" + for package in $packages_to_refuse_from_sury do echo " Package: $package Pin: origin \"packages.sury.org\" -Pin-Priority: -1" >> "/etc/apt/preferences.d/extra_php_version" +Pin-Priority: -1" >> "${pending_dir}/etc/apt/preferences.d/extra_php_version" done } diff --git a/data/hooks/diagnosis/00-basesystem.py b/data/hooks/diagnosis/00-basesystem.py index ec802c870..95d6c0d24 100644 --- a/data/hooks/diagnosis/00-basesystem.py +++ b/data/hooks/diagnosis/00-basesystem.py 
@@ -83,6 +83,29 @@ class BaseSystemDiagnoser(Diagnoser): details=["diagnosis_security_vulnerable_to_meltdown_details"] ) + bad_sury_packages = list(self.bad_sury_packages()) + if bad_sury_packages: + cmd_to_fix = "apt install --allow-downgrades " \ + + " ".join(["%s=%s" % (package, version) for package, version in bad_sury_packages]) + yield dict(meta={"test": "packages_from_sury"}, + data={"cmd_to_fix": cmd_to_fix}, + status="WARNING", + summary="diagnosis_package_installed_from_sury", + details=["diagnosis_package_installed_from_sury_details"]) + + def bad_sury_packages(self): + + packages_to_check = ["openssl", "libssl1.1", "libssl-dev"] + for package in packages_to_check: + cmd = "dpkg --list | grep '^ii' | grep gbp | grep -q -w %s" % package + # If version currently installed is not from sury, nothing to report + if os.system(cmd) != 0: + continue + + cmd = "LC_ALL=C apt policy %s 2>&1 | grep http -B1 | tr -d '*' | grep '+deb' | grep -v 'gbp' | head -n 1 | awk '{print $1}'" % package + version_to_downgrade_to = check_output(cmd).strip() + yield (package, version_to_downgrade_to) + def is_vulnerable_to_meltdown(self): # meltdown CVE: https://security-tracker.debian.org/tracker/CVE-2017-5754 diff --git a/locales/en.json b/locales/en.json index 3240cffe7..9e54e4c44 100644 --- a/locales/en.json +++ b/locales/en.json 
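Review bot: `version_to_downgrade_to` is empty whenever the `apt policy` pipeline finds no non-gbp `+deb` candidate (mirror unreachable, package absent from the Debian index), and the generator still yields it, so `cmd_to_fix` shows the user an invalid `openssl=` argument; guard with `if version_to_downgrade_to:` before the `yield` and otherwise report the package without a version. The detection `grep gbp` on a whole `dpkg --list` line can match any column, not just the version; `dpkg-query -W -f '${Version}' %s` and a substring test would be precise. Both shell strings are built from the fixed `packages_to_check` list, never from user input, which is worth a one-line comment next to `cmd = ...` so the `%` formatting is not mistaken for an injection risk later; `os` and `check_output` must already be imported in this file, which the hunk does not show.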
@@ -143,6 +143,8 @@ "diagnosis_basesystem_ynh_single_version": "{package} version: {version} ({repo})", "diagnosis_basesystem_ynh_main_version": "Server is running YunoHost {main_version} ({repo})", "diagnosis_basesystem_ynh_inconsistent_versions": "You are running inconsistent versions of the YunoHost packages... most probably because of a failed or partial upgrade.", + "diagnosis_package_installed_from_sury": "Some system packages should be downgraded", + "diagnosis_package_installed_from_sury_details": "Some packages were inadvertendly installed from a third-party repository called Sury. The Yunohost team improved the strategy that handle these packages, but it's expected that some setups that installed PHP7.3 apps while still on Stretch have some remaining inconsistencies. To fix this situation, you should try running the following command: {cmd_to_fix}", "diagnosis_display_tip": "To see the issues found, you can go to the Diagnosis section of the webadmin, or run 'yunohost diagnosis show --issues' from the command-line.", "diagnosis_failed_for_category": "Diagnosis failed for category '{category}': {error}", "diagnosis_cache_still_valid": "(Cache still valid for {category} diagnosis. Won't re-diagnose it yet!)", From 776c1ab84bdbabb43014e6daacc34113ac924624 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 16 Sep 2020 16:27:49 +0200 Subject: [PATCH 09/11] Update changelog for 4.0.8 --- debian/changelog | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/debian/changelog b/debian/changelog index 44f1d33ab..949de67d7 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,7 +1,21 @@ +yunohost (4.0.8) stable; urgency=low + + - [fix] Diagnose ssl libs installed from sury (#1053) + - [enh] Better problematic apt dependencies auto-investigation mechanism (#1051, 8d4f36e1) + - [fix] Force locale to C during postgresql migration to avoid some stupid issue related to locale (d532cd5e) + - [fix] Use php7.3 by default in CLI (82c0cc92) + - [fix] Typo in fpm_config helper led to install process hanging forever (7dcf4b00) + + Thanks to all contributors <3 ! (Kayou) + + -- Alexandre Aubin Wed, 16 Sep 2020 16:23:04 +0200 + yunohost (4.0.7.1) stable; urgency=low - Forbid users from using SSH as a VPN (even if SSH login is disabled) (#1050) + Thanks to all contributors <3 ! (ljf) + -- Alexandre Aubin Fri, 11 Sep 2020 21:06:09 +0200 yunohost (4.0.7) stable; urgency=low From d34d6b1949a0e3633d3b6e109207d31cd6ef1cbc Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 4 Nov 2020 17:22:37 +0100 Subject: [PATCH 10/11] App installs logs were still disclosing secrets when shared sometimes... --- locales/en.json | 1 - src/yunohost/app.py | 8 +++++++- src/yunohost/hook.py | 7 +------ src/yunohost/log.py | 1 + 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/locales/en.json b/locales/en.json index 9e54e4c44..e3b0c12a2 100644 --- a/locales/en.json +++ b/locales/en.json @@ -294,7 +294,6 @@ "dyndns_registration_failed": "Could not register DynDNS domain: {error:s}", "dyndns_domain_not_provided": "DynDNS provider {provider:s} cannot provide domain {domain:s}.", "dyndns_unavailable": "The domain '{domain:s}' is unavailable.", - "executing_command": "Executing command '{command:s}'...", "executing_script": "Executing script '{script:s}'...", "extracting": "Extracting...", "experimental_feature": "Warning: This feature is experimental and not considered stable, you should not use it unless you know what you are doing.", diff --git a/src/yunohost/app.py b/src/yunohost/app.py index 00472744f..aca4a9354 100644 --- a/src/yunohost/app.py 
+++ b/src/yunohost/app.py @@ -743,7 +743,13 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu env_dict["YNH_APP_ID"] = app_id env_dict["YNH_APP_INSTANCE_NAME"] = app_instance_name env_dict["YNH_APP_INSTANCE_NUMBER"] = str(instance_number) - operation_logger.extra.update({'env': env_dict}) + + env_dict_for_logging = env_dict.copy() + for arg_name, arg_value_and_type in args_odict.items(): + if arg_value_and_type[1] == "password": + del env_dict_for_logging["YNH_APP_ARG_%s" % arg_name.upper()] + + operation_logger.extra.update({'env': env_dict_for_logging}) # We'll check that the app didn't brutally edit some system configuration manually_modified_files_before_install = manually_modified_files() diff --git a/src/yunohost/hook.py b/src/yunohost/hook.py index b57300f54..9ffe6e01c 100644 --- a/src/yunohost/hook.py +++ b/src/yunohost/hook.py @@ -398,12 +398,7 @@ def _hook_exec_bash(path, args, no_trace, chdir, env, user, return_format, logge for k, v in env.items()]), cmd) command.append(cmd.format(script=cmd_script, args=cmd_args)) - if logger.isEnabledFor(log.DEBUG): - logger.debug(m18n.n('executing_command', command=' '.join(command))) - else: - logger.debug(m18n.n('executing_script', script=path)) - - logger.debug("About to run the command '%s'" % command) + logger.debug("Executing command '%s'" % ' '.join(command)) returncode = call_async_output( command, loggers, shell=False, cwd=chdir, diff --git a/src/yunohost/log.py b/src/yunohost/log.py index c71de2ab3..615970b26 100644 --- a/src/yunohost/log.py +++ b/src/yunohost/log.py @@ -467,6 +467,7 @@ class OperationLogger(object): 'started_at': self.started_at, 'operation': self.operation, 'yunohost_version': get_ynh_package_version("yunohost")["version"], + 'interface': msettings.get('interface') == 'api', } if self.related_to is not None: data['related_to'] = self.related_to From d4813e137805d9502eb016a45bc503b4a82622b6 Mon Sep 17 00:00:00 2001 
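Review bot: `del env_dict_for_logging["YNH_APP_ARG_%s" % arg_name.upper()]` raises `KeyError` if a password-typed argument has no matching key in `env_dict` (the code that populates `YNH_APP_ARG_*` is outside the hunk), which would abort the install at the logging step; use `env_dict_for_logging.pop("YNH_APP_ARG_%s" % arg_name.upper(), None)`. A one-line comment, `# keep password args out of the operation log metadata`, would record why a copy is made here.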
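Review bot: The new `logger.debug("Executing command '%s'" % ' '.join(command))` still serializes `cmd`, which the context lines just above build from every `k=v` pair of `env`, so if operation logs capture debug-level output (not visible in this hunk) the same password arguments that the app.py change strips from `extra` are written to the log through this line. Log the script path only, `logger.debug("Executing script '%s'" % path)` (the `executing_script` locale string is kept, so `m18n.n('executing_script', script=path)` also still works), or mask the values of env keys that correspond to password-typed arguments before joining. `_hook_exec_bash` starts and ends outside the hunk.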
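Review bot: The key `'interface'` now holds the boolean `msettings.get('interface') == 'api'`, so the stored metadata reads `interface: true`/`false` and a reader cannot tell which interface `false` means; either store the name, `'interface': msettings.get('interface'),`, or rename the key to something like `'from_api'` so the value matches its label. The surrounding dict literal and `OperationLogger` class continue outside the hunk.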
From: Alexandre Aubin Date: Wed, 4 Nov 2020 17:26:31 +0100 Subject: [PATCH 11/11] Update changelog for 4.0.8.1 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 949de67d7..e2f35a9c4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +yunohost (4.0.8.1) stable; urgency=low + + - [fix] App installs logs were still disclosing secrets when shared sometimes ... + + -- Alexandre Aubin Wed, 04 Nov 2020 17:24:52 +0100 + yunohost (4.0.8) stable; urgency=low - [fix] Diagnose ssl libs installed from sury (#1053)