Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2019-06-07T14:33:10Zhttps://gitlab.com/sympl.io/sympl/-/issues/128Symbiosis: Apache PHP7 module isn't enabled automatically following dist-upgr...2019-06-07T14:33:10ZPaul CammishSymbiosis: Apache PHP7 module isn't enabled automatically following dist-upgrade from Symbiosis JessieImported from https://www.github.com/BytemarkHosting/symbiosis/issues/116
During the dist-upgrade from Symbiosis Jessie to Stretch, Apache will not enable the PHP7 module as it conflicts with PHP5 (which should already be enabled). The ...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/116
During the dist-upgrade from Symbiosis Jessie to Stretch, Apache will not enable the PHP7 module as it conflicts with PHP5 (which should already be enabled). The PHP5 module should therefore be explicitly disabled in favour of PHP7.https://gitlab.com/sympl.io/sympl/-/issues/149Symbiosis: Logrotate cron error for prosody when it's not running2019-06-07T14:25:51ZPaul CammishSymbiosis: Logrotate cron error for prosody when it's not runningImported from https://www.github.com/BytemarkHosting/symbiosis/issues/131
The logrotate cron will email the following warning every week if prosody isn't active:
<pre>
/etc/cron.daily/logrotate:
error: error running shared postrotate s...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/131
The logrotate cron will email the following warning every week if prosody isn't active:
<pre>
/etc/cron.daily/logrotate:
error: error running shared postrotate script for
'/var/log/prosody/prosody.log /var/log/prosody/prosody.err '
run-parts: /etc/cron.daily/logrotate exited with return code 1
</pre>
It looks like this is because the postrotate tries to check for the existence of `/var/run/prosody/prosody.pid` which won't be there when prosody is disabled (by default):
<pre>
[ -e /var/run/prosody/prosody.pid ] && /etc/init.d/prosody reload > /dev/null
</pre>
We should be able to suppress that by changing this line to e.g
<pre>
/etc/init.d/prosody reload > /dev/null
</pre>Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/158Symbiosis: On Stretch, httpd.postinst doesn't correctly preserve `no-stats` s...2019-06-07T10:51:39ZPaul CammishSymbiosis: On Stretch, httpd.postinst doesn't correctly preserve `no-stats` settingsImported from https://www.github.com/BytemarkHosting/symbiosis/issues/124
This is what I think should happen:
1. If `no-stats` is present and not set to `false`: remove, as this is the default now.
2. If `no-stats` is present and set t...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/124
This is what I think should happen:
1. If `no-stats` is present and not set to `false`: remove, as this is the default now.
2. If `no-stats` is present and set to `false`: move to `stats` and truncate, ensuring stats are enabled.
3. If `no-stats` isn't present: create `stats`.
4. Otherwise do nothing.
Patrick advised that we can potentially not do (3) and just put in release notes that the default is now that stats are disabled by default, as we use webalizer which is old and clunky and potentially many customers don't use it.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/171Symbiosis: Roundcube sieve breaks following dist-upgrade from Symbiosis Jessi...2019-06-07T10:51:35ZPaul CammishSymbiosis: Roundcube sieve breaks following dist-upgrade from Symbiosis Jessie to StretchImported from https://www.github.com/BytemarkHosting/symbiosis/issues/118
Roundcube returns an `Unable to connect to managesieve server` warning when attempting to access the `Filters` or `Vacation` setting. This is due to a change in t...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/118
Roundcube returns an `Unable to connect to managesieve server` warning when attempting to access the `Filters` or `Vacation` setting. This is due to a change in the sieve directory structure when moving from Jessie to Stretch.
In Symbiosis Jessie, the structure is as follows:
<pre>
root@symbiosis2:/usr/share/roundcube# ls -al /srv/symbiosis2.default.aladlow.uk0.bigv.io/mailboxes/root/
total 24
drwxr-sr-x 4 admin admin 4096 May 11 11:31 .
drwxr-sr-x 4 admin admin 4096 May 17 12:57 ..
drwx--S--- 9 admin admin 4096 May 27 16:05 Maildir
-rw-r--r-- 1 admin admin 105 May 27 12:51 password
lrwxrwxrwx 1 admin admin 23 May 11 11:30 sieve -> sieve.d/roundcube.sieve
drwx--S--- 3 admin admin 4096 May 11 11:30 sieve.d
</pre>
And in Symbiosis Stretch:
<pre>
root@symbiosis2:/usr/share/roundcube# ls -al /srv/symbiosis2.default.aladlow.uk0.bigv.io/mailboxes/root/
total 20
drwxr-sr-x 4 admin admin 4096 May 27 16:08 .
drwxr-sr-x 4 admin admin 4096 May 17 12:57 ..
lrwxrwxrwx 1 admin admin 21 May 27 16:08 .dovecot.sieve -> sieve/roundcube.sieve
drwx--S--- 9 admin admin 4096 May 27 16:05 Maildir
-rw-r--r-- 1 admin admin 105 May 27 12:51 password
drwx--S--- 3 admin admin 4096 May 27 16:08 sieve
</pre>
To resolve this, the `sieve.d` directory should be renamed to `sieve`, and the `sieve` symlink to `.dovecot.sieve`.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/174Symbiosis: Skel missing file references2019-06-20T13:24:53ZPaul CammishSymbiosis: Skel missing file referencesImported from https://www.github.com/BytemarkHosting/symbiosis/issues/135
When a new domain directory is created within `/srv/`, Symbiosis Stretch will create appropriate `config`, and `public` sub-directories.
The `/srv/domain.com/pu...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/135
When a new domain directory is created within `/srv/`, Symbiosis Stretch will create appropriate `config`, and `public` sub-directories.
The `/srv/domain.com/public/htdocs/index.html` file generated refers to incorrect file paths, as it looks for `/bytemark/bytemark.css` and `/bytemark/bytemark.png`, but the `bytemark/` directory doesn't exist.
Additionally, the index points to the Jessie Symbiosis docs, where they should be for Stretch.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/198Warning during installation about gcc not being found2019-06-07T10:51:32ZPaul CammishWarning during installation about gcc not being foundDuring install, I see the following:
```
Setting up symbiosis-common (2018:0616) ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) reque...During install, I see the following:
```
Setting up symbiosis-common (2018:0616) ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
Shadow passwords are now on.
Adding 'admin' account
Adding user `admin' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding new group `admin' (1001) ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding new user `admin' (1001) with group `admin' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Not creating home directory `/srv'.
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding user `admin' to group `adm' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding user admin to group adm
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Done.
Adding user `admin' to group `www-data' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding user admin to group www-data
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Done.
sh: 1: gcc: not found
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- faraday (LoadError)
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/acme-client.rb:3:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/symbiosis/ssl/letsencrypt.rb:6:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/bin/symbiosis-ssl:161:in `<main>'
W: SSL certificate generation failed. Retrying with a self-signed certificate...
sh: 1: gcc: not found
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- faraday (LoadError)
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/acme-client.rb:3:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/symbiosis/ssl/letsencrypt.rb:6:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/bin/symbiosis-ssl:161:in `<main>'
sh: 1: gcc: not found
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- faraday (LoadError)
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/acme-client.rb:3:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/symbiosis/ssl/letsencrypt.rb:6:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/bin/symbiosis-ssl:161:in `<main>'
Created symlink /etc/systemd/system/multi-user.target.wants/symbiosis-skel.path → /lib/systemd/system/symbiosis-skel.path.
symbiosis-skel.service is a disabled or a static unit, not starting it.
```
Installation seems to continue and succeed.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/199symbiosis-ssl reports `Failed: signature type 'none' in JWS header is not sup...2019-06-07T10:51:28ZPaul Cammishsymbiosis-ssl reports `Failed: signature type 'none' in JWS header is not supported` when trying to get cert.As mentioned in #198
```
* Examining certificates for example.domain
No valid certificate sets found.
Fetching a new certificate from LetsEncrypt.
!! Failed: signature type 'none' in JWS header is not supported,...As mentioned in #198
```
* Examining certificates for example.domain
No valid certificate sets found.
Fetching a new certificate from LetsEncrypt.
!! Failed: signature type 'none' in JWS header is not supported, expected one of RS256, ES256, ES384 or ES512
* Examining certificates for localhost.localdomain
Current SSL set 0: self-signed for /CN=localhost.localdomain, expires 2020-04-15 16:32:06 UTC
```
Possible dependency or other issueSympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/152Symbiosis: Method redefined' and 'variable not initialized' warnings returned...2019-06-07T14:39:39ZPaul CammishSymbiosis: Method redefined' and 'variable not initialized' warnings returned from symbiosis-httpd-configure when '--verbose' flag usedImported from https://www.github.com/BytemarkHosting/symbiosis/issues/122
Running `symbiosis-httpd-configure` with the `--verbose` flag appended, e.g `symbiosis-httpd-configure -vdf`, returns the following:
<pre>
root@symbiosis2:/etc/e...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/122
Running `symbiosis-httpd-configure` with the `--verbose` flag appended, e.g `symbiosis-httpd-configure -vdf`, returns the following:
<pre>
root@symbiosis2:/etc/exim4# symbiosis-httpd-configure -vdf
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff
Domain: symbiosis2.default.aladlow.uk0.bigv.io
Current SSL set 6: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-09-07 22:00:16 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
Configuration: example.site.net.conf
Forcing re-creation of configuration due to --force.
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:70: warning: instance variable @tempfiles not initialized
Syntax OK
</pre>
Notably:
`/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff`
`/usr/lib/ruby/vendor_ruby/diffy/diff.rb:70: warning: instance variable @tempfiles not initialized`
These probably shouldn't be displayed as standard.
Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/223Ruby scripts have output noise when run in verbose.2019-06-07T14:21:08ZPaul CammishRuby scripts have output noise when run in verbose.The --verbose fag sets the ruby $VERBOSE variable, with is outputting various warnings.
Changing the name of this variable should avoid the collision.
symbiosis-dns-generate --verbose
```
Falling back to gcc to determine sizeof size_t....The --verbose fag sets the ruby $VERBOSE variable, with is outputting various warnings.
Changing the name of this variable should avoid the collision.
symbiosis-dns-generate --verbose
```
Falling back to gcc to determine sizeof size_t.
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff
/usr/lib/ruby/vendor_ruby/erubis/enhancer.rb:517: warning: instance variable @prefixrexp not initialized
```
symbiosis-firewall --verbose
```
Falling back to gcc to determine sizeof size_t.
readnews defined twice. Ignoring definition for port 532
dicom defined twice. Ignoring definition for port 11112
```
symbiosis-firewall-blacklist --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-firewall-whitelist --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-httpd-generate-stats --verbose
```
Falling back to gcc to determine sizeof size_t.
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff
```
symbiosis-httpd-rotate-logs --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-ssl
```
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
```Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/13poppass_handler.rb no longer checks passwords for complexity2019-06-10T15:01:30ZPaul Cammishpoppass_handler.rb no longer checks passwords for complexity`email/lib/symbiosis/email/poppass_handler.rb` has been switched from ruby-cracklib to plain ruby-password.
As part of the change (quick fix), it no longer enforces password complexity, allowing weak and possibly compromisable passwords.`email/lib/symbiosis/email/poppass_handler.rb` has been switched from ruby-cracklib to plain ruby-password.
As part of the change (quick fix), it no longer enforces password complexity, allowing weak and possibly compromisable passwords.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/16symbiosis-encrypt-password doesn't check for weak passwords2019-06-10T15:01:46ZPaul Cammishsymbiosis-encrypt-password doesn't check for weak passwordsNeeds to be updated to use ruby-password rather than cracklibNeeds to be updated to use ruby-password rather than cracklibSympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/17symbiosis-password-test doesn't do anything serious2019-06-10T15:01:48ZPaul Cammishsymbiosis-password-test doesn't do anything seriousThis will also need the old ruby-cracklib code swapping to use ruby-password.
As is, it won't check for weak passwords, which is it's core function.This will also need the old ruby-cracklib code swapping to use ruby-password.
As is, it won't check for weak passwords, which is it's core function.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/217sympl-backup: Pre/post backup scripts need updating2019-06-13T23:36:45ZPaul Cammishsympl-backup: Pre/post backup scripts need updatingThey do 3 things:
1. Sync a copy of any existing backups from the backup space.
2. Dump MySQL and Postgres(!?) databases, although not particularly well.
3. Sync the result of the backups to the backup space once complete.
This uses the...They do 3 things:
1. Sync a copy of any existing backups from the backup space.
2. Dump MySQL and Postgres(!?) databases, although not particularly well.
3. Sync the result of the backups to the backup space once complete.
This uses the old deprecated Bytemark backup space, determining the destination server via the hostname of the local server, although this can be configured.
It's probably worth replacing the backup sync functionality with a couple of popular options and replacing the SQL dump script with something more modern which doesn't lock tables when dumping.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/229sympl-webmail: Roundcube configuration is broken2019-06-13T18:38:57ZPaul Cammishsympl-webmail: Roundcube configuration is brokenIt's unclear why, but it may be due to the defaults being misapplied on install, but it reports a problem connecting to the database.
This will need tests created also, as they are missing at present.It's unclear why, but it may be due to the defaults being misapplied on install, but it reports a problem connecting to the database.
This will need tests created also, as they are missing at present.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/204"Not running MySQL backup tests, since not all the requirements are in place."2019-05-28T11:58:08ZPaul Cammish"Not running MySQL backup tests, since not all the requirements are in place."It looks like the relevant ruby libraries are missing for symbiosis-test from the repo/install (and would have been on the build box), but an attempt to track the relevant version down didn't come up with a perfect match.
This can proba...It looks like the relevant ruby libraries are missing for symbiosis-test from the repo/install (and would have been on the build box), but an attempt to track the relevant version down didn't come up with a perfect match.
This can probably just be rewritten in bash, as it's some simple SQL queries.Testing SuitePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/205"Quota exceeded (mailbox for user is full)"2019-05-28T11:58:11ZPaul Cammish"Quota exceeded (mailbox for user is full)"Symbiosis-test outputs `Quota exceeded (mailbox for user is full)` twice while running. This may be a bug, or it may be operating normally. Either way it should be fixed or supressed.Symbiosis-test outputs `Quota exceeded (mailbox for user is full)` twice while running. This may be a bug, or it may be operating normally. Either way it should be fixed or supressed.Testing SuitePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/206symbiosis-test skips phpmyadmin tests2019-05-28T11:58:10ZPaul Cammishsymbiosis-test skips phpmyadmin testsIt looks like due to the changes to MariaDB, the tests which expect to log in to phpmyadmin as root/debian-sys-maint are failing.
```
Skipping phpmyadmin debian-sys-maint auth test - password not found.
Skipping phpmyadmin root auth tes...It looks like due to the changes to MariaDB, the tests which expect to log in to phpmyadmin as root/debian-sys-maint are failing.
```
Skipping phpmyadmin debian-sys-maint auth test - password not found.
Skipping phpmyadmin root auth test - password not found.
```
This should be fairly simple to fix to use the generated 'admin' username/password, and ensure the passwordless logins fail.Testing SuitePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/220Web stats are insecure and need updating2019-06-12T13:10:49ZPaul CammishWeb stats are insecure and need updatingIt's unclear if the stats stuff even gets used, as it's not mentioned much in the old Symbiosis docs.
However, some time ago it was supposed to be disabled by default, but that's not the case, so it's automatically generated for each si...It's unclear if the stats stuff even gets used, as it's not mentioned much in the old Symbiosis docs.
However, some time ago it was supposed to be disabled by default, but that's not the case, so it's automatically generated for each site at /stats, and doesn't require any auth at all.
This should either be secured properly, or replaced with something a bit more up to date, like goaccess which has a package and is realtime.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/230sympl-web: Logs directory is not automatically created2019-06-12T13:11:07ZPaul Cammishsympl-web: Logs directory is not automatically createdThis looks to happen when the directory is not owned by a non-system user, and is likely in `sympl-web-logger`
Adding this to sympl-web-configure in a relevant place should fix it:
```ruby
dirname = File.dirname("#{domain.directory}...This looks to happen when the directory is not owned by a non-system user, and is likely in `sympl-web-logger`
Adding this to sympl-web-configure in a relevant place should fix it:
```ruby
dirname = File.dirname("#{domain.directory}/public/logs/.")
unless File.directory?(dirname)
verbose "\tCReating log directory #{dirname}"
FileUtils.mkdir_p(dirname)
FileUtils.chown_R 'sympl', 'sympl', dirname, :verbose => true
end
```Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/231sympl-filesystem-security: /srv/example.com/public is not set 27752019-06-12T13:11:10ZPaul Cammishsympl-filesystem-security: /srv/example.com/public is not set 2775Looks like I missed this when I was putting the script together, should be a simple fix:
`find "${domain}/public" ! -type l ! \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d -perm 2775 -exec chmod 2775 {} \; \)`
sympl-filesyste...Looks like I missed this when I was putting the script together, should be a simple fix:
`find "${domain}/public" ! -type l ! \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d -perm 2775 -exec chmod 2775 {} \; \)`
sympl-filesystem-security should also check config/ssl/sets exists before trying to do anything with it
Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/232Sympl determines host name incorrectly during install2022-04-26T09:50:34ZPaul CammishSympl determines host name incorrectly during installDuring the install, sympl creates a 'default' directory based on the hostname of the machine. However, it incorrectly uses the domain 'localdomain' when creating this directory.
On a clean debian machine, the /etc/hostname file contains...During the install, sympl creates a 'default' directory based on the hostname of the machine. However, it incorrectly uses the domain 'localdomain' when creating this directory.
On a clean debian machine, the /etc/hostname file contains a bare hostname. Code in core/debian/postinst uses this file as the hostname, and if it sees a 'bare' hostname, appends 'localdomain' to the hostname read from the file.
The debian installation had a full hostname specified, and typing
hostname -f
retrieves this full host name correctly.
The postinst script will also fall back to using hostname -f if /etc/hostname exists.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/235mail: Dovecot config entries obsoleted.2019-06-24T14:12:23ZPaul Cammishmail: Dovecot config entries obsoleted.```
ssl_protocols -> ssl_min_protocol
ssl_dh_parameters_length -> x
```
Possibly some others, so worth checking against a plain config.```
ssl_protocols -> ssl_min_protocol
ssl_dh_parameters_length -> x
```
Possibly some others, so worth checking against a plain config.Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/236mail: Exim - Warning: purging the environment.2019-06-24T14:24:24ZPaul Cammishmail: Exim - Warning: purging the environment.On starting exim reports:
`Warning: purging the environment.`
`use keep_environment`
IIRC this is a thing from Jessie, so may have turned up again (or just not been fixed).On starting exim reports:
`Warning: purging the environment.`
`use keep_environment`
IIRC this is a thing from Jessie, so may have turned up again (or just not been fixed).Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/237core: ssl certs not getting linked on install2019-06-24T14:11:29ZPaul Cammishcore: ssl certs not getting linked on installLooks like something is borking along the way, probably preventing sympl-core from betting properly configured.
Should be fairly easy to fix.Looks like something is borking along the way, probably preventing sympl-core from betting properly configured.
Should be fairly easy to fix.Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/238mail: Sieve tests failing2019-07-02T16:38:04ZPaul Cammishmail: Sieve tests failingLooks like two tests are failing at present.
* test_deliver_with_sieve
* test_deliver_with_sieve_for_local_users
Likely a change to sieve configuration as with Stretch.Looks like two tests are failing at present.
* test_deliver_with_sieve
* test_deliver_with_sieve_for_local_users
Likely a change to sieve configuration as with Stretch.Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/240Job Failed #7680 - net_connect_unix(/var/run/dovecot/stats-writer)2019-06-26T16:11:45ZPaul CammishJob Failed #7680 - net_connect_unix(/var/run/dovecot/stats-writer)Job [#7680](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/7680) failed for f7d32cae365d7e879cd6d3987ec68d63d0f125c8:
```
run-parts: executing autotest/test.d/90-symbiosis-test
Running sympl-test...
Loaded suite /usr/bin/sympl-test...Job [#7680](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/7680) failed for f7d32cae365d7e879cd6d3987ec68d63d0f125c8:
```
run-parts: executing autotest/test.d/90-symbiosis-test
Running sympl-test...
Loaded suite /usr/bin/sympl-test
Started
...............................................................................
.......................................lda(test@h2t4nehquz.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(sympl-test@quick.sympl.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(test@tsn3b3s36c.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(test@cu9yts5qtz.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
F
===============================================================================
Failure: test_deliver_with_sieve(TestDovecot)
/etc/sympl/test.d/tc_dovecot.rb:371:in `do_test_deliver_with_sieve'
/etc/sympl/test.d/tc_dovecot.rb:382:in `test_deliver_with_sieve'
379:
380: def test_deliver_with_sieve
381: @mailbox.create
=> 382: do_test_deliver_with_sieve(@mailbox)
383: end
384:
385: def test_deliver_with_sieve_for_local_users
Found 1 messages in Maildir/new rather than 0
<0> expected but was
<1>
===============================================================================
.lda(sympl-test@quick.sympl.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
F
===============================================================================
Failure: test_deliver_with_sieve_for_local_users(TestDovecot)
/etc/sympl/test.d/tc_dovecot.rb:371:in `do_test_deliver_with_sieve'
/etc/sympl/test.d/tc_dovecot.rb:391:in `test_deliver_with_sieve_for_local_users'
388: mailbox = do_setup_local_mailbox(test_user)
389: sieve_file = File.join(mailbox.directory, ".sieve")
390:
=> 391: do_test_deliver_with_sieve(mailbox)
392: ensure
393: File.unlink(sieve_file) if sieve_file and File.exist?(sieve_file)
394: end
Found 1 messages in Maildir/new rather than 0
<0> expected but was
<1>
===============================================================================
...............................................................................
.......................
Finished in 102.66534708 seconds.
-------------------------------------------------------------------------------
226 tests, 1495 assertions, 2 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications
99.115% passed
-------------------------------------------------------------------------------
2.20 tests/s, 14.56 assertions/s
```
This may simply be the way the testing interfaces with dovecot, as the 'stats' functionality in Dovecot has changed.Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/242sympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crt2019-06-26T14:59:50ZPaul Cammishsympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crtAs is, it provides the cert, but not the bundle, meaning the chain is broken.
It's worth investigating of the exim sni configuration has the same issue also.As is, it provides the cert, but not the bundle, meaning the chain is broken.
It's worth investigating of the exim sni configuration has the same issue also.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/244Incorrect permissions on dkim selector file2019-06-28T16:43:46ZPaul CammishIncorrect permissions on dkim selector fileMy dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlys...My dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlysympl.gentlyhosting.uk/config/dkim: Permission denied (euid=105 egid=109)
What should the permissions / ownership be set to? The uid / gid referred to in the error are both Debian-exim. Can sympl automatically adjust these permissions if a specific set are required?Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/246Roundcube unable to send mail in Buster.2019-07-02T16:38:13ZPaul CammishRoundcube unable to send mail in Buster.Needs confirming if this is affecting Stretch also.Needs confirming if this is affecting Stretch also.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/249sympl-ssl - IPv6 Only DNS Resolution2021-02-12T18:08:30ZPaul Cammishsympl-ssl - IPv6 Only DNS ResolutionDNS resolution times out in IPv6 Only environment when contacting Let's Encrypt.
This is due to the resolver assuming theres an IPv4 address, and binding to that for replies.
A workaround is to add the relevant host to /etc/hosts befor...DNS resolution times out in IPv6 Only environment when contacting Let's Encrypt.
This is due to the resolver assuming theres an IPv4 address, and binding to that for replies.
A workaround is to add the relevant host to /etc/hosts before running.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/254sympl-firewall: iptables email warning (buster)2019-08-16T17:51:06ZPaul Cammishsympl-firewall: iptables email warning (buster)It appears with the change to iptables-nft, wanring are being generated about iptables-legacy having rules (although they appear to be empty).It appears with the change to iptables-nft, wanring are being generated about iptables-legacy having rules (although they appear to be empty).Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/255sympl-web-rotate-logs doesnt work2019-07-09T19:27:36ZPaul Cammishsympl-web-rotate-logs doesnt workThis is due to it dropping permissions which is incompatible with the new security permissions system.
As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the...This is due to it dropping permissions which is incompatible with the new security permissions system.
As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the logger processes to reload, not Apache.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/259Running backups manually seems to cause issues2019-08-19T07:25:08ZPaul CammishRunning backups manually seems to cause issuesIt appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probabl...It appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probably check for a generic user with full mysql access rather than just root (or the root or Sympl user), and/or automatically use the `--force` flag when triggering backups.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/261sympl-ssl fails in NAT64 environments with IPv4 addresses2019-09-17T13:45:19ZPaul Cammishsympl-ssl fails in NAT64 environments with IPv4 addressesThis is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.This is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/265sympl-backup triggers `tar` warnings2019-09-17T13:45:19ZPaul Cammishsympl-backup triggers `tar` warningshttps://forum.sympl.host/t/backups-tar-warning-about-non-optional-arguments/44
## Problem Description
When doing backups, the following message is shown, with the backup succeeding:
```
Creating archive using 'DRIVER_TAR_GZ'...
tar:...https://forum.sympl.host/t/backups-tar-warning-about-non-optional-arguments/44
## Problem Description
When doing backups, the following message is shown, with the backup succeeding:
```
Creating archive using 'DRIVER_TAR_GZ'...
tar: The following options were used after any non-optional arguments in archive create or update mode. These options are positional and affect only arguments that follow them. Please, rearrange them properly.
tar: --no-recursion has no effect
tar: Exiting with failure status due to previous errors
Checking TOC of archive file (< real file, > archive entry)...
```
This is due to changes to `tar` in Buster.
Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/266sympl-firewall uses incron, which is incompatible with some systems2019-09-17T13:58:20ZPaul Cammishsympl-firewall uses incron, which is incompatible with some systemsIn short, incron should be removed if possible - this doesn't work on all filesystems, and many systems use NFS for the filesystem (the Mythic Beasts RPi platform) which causes problems.In short, incron should be removed if possible - this doesn't work on all filesystems, and many systems use NFS for the filesystem (the Mythic Beasts RPi platform) which causes problems.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/272Update sympl-ssl IPv6 only to support Let's Encrypt ACMEv22019-12-27T18:11:03ZPaul CammishUpdate sympl-ssl IPv6 only to support Let's Encrypt ACMEv2I've been wondering why a Mythic Beasts hosted RPi site wasn't updating the SSL certificate. (Luckily I've got an alert through Status Cake for it.)
Looking in the `/etc/hosts` file, I noticed many lines of the form (output from `cat`):...I've been wondering why a Mythic Beasts hosted RPi site wasn't updating the SSL certificate. (Luckily I've got an alert through Status Cake for it.)
Looking in the `/etc/hosts` file, I noticed many lines of the form (output from `cat`):
```
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
```
Knowing that the v02 API is now needed, I adjusted it to remove the new line, and switched to the v2 url, and then running `sudo sympl-ssl --verbose subdomain.example.com` worked as expected instead of giving the error:
```
Current SSL set 14: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2019-12-08 06:19:41 UTC
The current certificate expires in 4 days.
Fetching a new certificate from LetsEncrypt.
!! Failed: execution expired
```
Could the workaround please be updated for the new API (changing the 1 to a 2 in the url)?Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/276sympl-webmail: Roundcube fails to import contacts2020-01-28T13:26:56ZPaul Cammishsympl-webmail: Roundcube fails to import contactsSee https://forum.sympl.host/t/roundcube-fails-importing-contact-list/92?u=kelduum for details.
In short, uploads work fine for attachments but fail for contacts uploads, and likely other cases.See https://forum.sympl.host/t/roundcube-fails-importing-contact-list/92?u=kelduum for details.
In short, uploads work fine for attachments but fail for contacts uploads, and likely other cases.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/279sympl-monit: Security warning emails on hostname resolution failure2020-04-20T10:41:34ZPaul Cammishsympl-monit: Security warning emails on hostname resolution failureIf for some reason DNS fails for the system hostname, the systemd service at `/usr/lib/systemd/system/sympl-monit.service` will throw security warnings at the root user via email as sudo is not happy.If for some reason DNS fails for the system hostname, the systemd service at `/usr/lib/systemd/system/sympl-monit.service` will throw security warnings at the root user via email as sudo is not happy.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/280sympl-core: sympl-filesystem-security breaks access to config/stats-htaccess2020-04-20T10:41:34ZPaul Cammishsympl-core: sympl-filesystem-security breaks access to config/stats-htaccessReported by a user, the `config/stats-htaccess` file has it's permissions reset by `sympl-filesystem-security` to a configuration which prevents access by www-data, and therefore Apache denied all access to example.com/statsReported by a user, the `config/stats-htaccess` file has it's permissions reset by `sympl-filesystem-security` to a configuration which prevents access by www-data, and therefore Apache denied all access to example.com/statsPaul CammishPaul Cammish2020-04-20https://gitlab.com/sympl.io/sympl/-/issues/281sympl-mail: filesystem loop in /srv causes errors with sympl-mail-dovecot-sni2020-04-20T10:41:32ZPaul Cammishsympl-mail: filesystem loop in /srv causes errors with sympl-mail-dovecot-sniObviously it should do this, and it looks like the search for certificates is looking far too wide, searching all of /srv rather than just /srv/*/config/ssl/current/Obviously it should do this, and it looks like the search for certificates is looking far too wide, searching all of /srv rather than just /srv/*/config/ssl/current/Paul CammishPaul Cammish2020-04-20https://gitlab.com/sympl.io/sympl/-/issues/290sympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewal...2020-04-27T17:06:12ZPaul Cammishsympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewall/local.d/*The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/292sympl-web: Seperate packages needed for i386, amd64 and armhf2020-04-22T11:56:50ZPaul Cammishsympl-web: Seperate packages needed for i386, amd64 and armhfAt the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't st...At the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't start it.
This should be a reasonably simple fix to cross-compile it and package it appropriately.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/293sympl-web: SSL Stapling is enabled for self-signed certs2020-04-22T11:58:37ZPaul Cammishsympl-web: SSL Stapling is enabled for self-signed certsFrom https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.l...From https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.localdomain / issuer: CN=raspberrypi.localdomain / serial: 5E9F307C / notbefore: Apr 21 17:42:20 2020 GMT / notafter: Apr 21 17:42:20 2021 GMT]
[Tue Apr 21 19:07:29.793961 2020] [ssl:error] [pid 585] AH02604: Unable to configure certificate raspberrypi.localdomain:443:0 for stapling
```
It looks like `sympl-web/lib/symbiosis/config_files/apache.rb` has the relevant code, and probably needs a tweak to move the decision to use SSL stapling there if it's a self-signed cert, and out of the templates.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/295sympl-cli: running some commands as root doesn't ensure result has the right ...2020-09-09T17:23:53ZPaul Cammishsympl-cli: running some commands as root doesn't ensure result has the right ownerExample: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8Example: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/296sympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl...2020-09-09T17:23:25ZPaul Cammishsympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl_error.log# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/publi...# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/public/logs/ssl_access.log and ssl_error.log
# Example Project
n/a
# What is the current bug behavior?
Configurations are generated for non-ssl sites where the logfiles are ssl_access.log and ssl_error.log
The non-ssl virtualhost for an ssl enabled site correctly sets access.log and error.log.
Template (/etc/sympl/apache.d/non-ssl.template.erb has typos in the relevant config lines.
# What is the expected correct behavior?
Would expect the logs to be access.log and error.log as per non-ssl virtual server on an ssl enabled site.
# Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output,
logs, and code as it's very hard to read otherwise.)
# Possible fixes
```
--- non_ssl.template.erb 2020-07-01 22:25:28.000000000 +0100
+++ non_ssl.template.erb.fixed 2020-07-01 22:26:08.000000000 +0100
@@ -87,8 +87,8 @@
</Directory>
# Write logs directly.
- ErrorLog "<%= domain.log_dir %>/ssl_error.log"
- CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
+ ErrorLog "<%= domain.log_dir %>/error.log"
+ CustomLog "<%= domain.log_dir %>/access.log" combined
</VirtualHost>
```
[non_ssl.template.erb.patch](/uploads/3d78c3b9e56263e31a66c8d5c513cbbf/non_ssl.template.erb.patch)
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/297sympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and...2020-07-06T12:45:46ZPaul Cammishsympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and no filesFrom: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The ...From: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The files are backed up okay, but the automatic restore functionality is broken.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/298sympl-filesystem-security: public-group doesn't work2020-09-09T17:23:53ZPaul Cammishsympl-filesystem-security: public-group doesn't work# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name o...# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name of a group that isn't `www-data` in `<domain>/config/public-group` and run `sympl-filesystem-security`.
# Possible fixes
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/core/sbin/sympl-filesystem-security#L50 (and 51) use `id -g $gid`, which seems like it should find the GID of a group, but actually finds the GID of the primary group of user $gid. If no user of the same name as the requested group exists, this fails. The script seems like it will need to use `getent group` and `cut` or `awk` to get the right fields.
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/299sympl-core: sympl-filesystem-security reset permissions on public/cgi-bin2020-09-09T17:23:53ZPaul Cammishsympl-core: sympl-filesystem-security reset permissions on public/cgi-binThis causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.This causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/306Sympl 11: Installing sympl-mysql doesnt write the password to /home/sympl2021-02-15T11:33:44ZPaul CammishSympl 11: Installing sympl-mysql doesnt write the password to /home/symplThis is currently causing the testing to fail, and will need looking into.This is currently causing the testing to fail, and will need looking into.Sympl 11 for Debian BullseyePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/310sympl-mail: config/antispam doesn't work as expected2024-03-19T17:05:32ZPaul Cammishsympl-mail: config/antispam doesn't work as expectedWhat is expected to happen:
* With the `antispam` file at `/srv/example.com/config/antispam` and empty, spam mail identified as spam should be rejected.
* With the `antispam` file at `/srv/example.com/config/antispam` and containing `t...What is expected to happen:
* With the `antispam` file at `/srv/example.com/config/antispam` and empty, spam mail identified as spam should be rejected.
* With the `antispam` file at `/srv/example.com/config/antispam` and containing `tag`, spam mail should:
1. have the `X-Spam-Status: spam` header set, and the mail accepted.
2. be delivered to the `Spam` mail folder of the user.
What actually happens is that `1` works as expected, but `2` rejects the mail as spam regardless of the tag setting, *unless* the `config/antispam` file is world-readable, which it likely shouldn't be.
In no instance (apparently inherited from Symbiosis) does the mail actually get placed in the users Spam folder, although it would be *possible* to create a sieve filter to do this, or for Dovecot to handle it, the mail is placed in the normal mail folder.
A quick fix would be to change `/etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/80-enable-antispam-check` to:
```
${if match{${extract{smode}{${stat:VHOST_DIR/${domain}/VHOST_CONFIG_DIR/antispam}}}}{\Nr\N}{\
```
A fix for tagging spam properly would be to enable the subject rewrites by default, by adding the following to `/etc/exim4/system_filter`:
```
if $h_X-Spam-Status: contains "spam"
then
headers add "Original-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: *** SPAM *** $h_original-subject"
endif
```
Note this also affects config/antivirus, which has a similar (undocumented) tagging function for virus infected emails in `/etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/85-enable-antivirus-check`.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/318sympl-core: Cross signed Let's Encrypt bundle flags all LE certs as expired2021-10-04T10:11:53ZPaul Cammishsympl-core: Cross signed Let's Encrypt bundle flags all LE certs as expiredThis is caused by the current Ruby codebase which uses the OpenSSL library to build a certificate store, used to validate certificates.
The bundle now includes an extra cert with a copy of the normal intermediate signed by the now-expir...This is caused by the current Ruby codebase which uses the OpenSSL library to build a certificate store, used to validate certificates.
The bundle now includes an extra cert with a copy of the normal intermediate signed by the now-expired DST X3 Root certificate (used as a workaround for old devices which don't have the new X1 root cert), meaning the bundle is effectively signed twice.
This is fine in the vast majority of cases, but in this instance, the presence of an intermediate signed by an expired root raises an error, which then means sympl-ssl.rb considers the whole chain invalid, leading to it retrieving new certs on every run.
A workaround has been put together in sympl-ssl to remove the expired intermediate from the ssl.bundle and ssl.combined when preceded by the normal cert in !243 !244 !245.
Longer-term, the existing sympl-ssl will be replaced by the new version in development.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/349sympl12 - sympl-php-configure - open_basedir inherits other variables when no...2024-03-15T14:32:24ZPaul Cammishsympl12 - sympl-php-configure - open_basedir inherits other variables when not setWhen `open_basedir` isn't set in an FPM (ie: `disable-php-security` is enabled), it inherits the last setting it had for another site which doe have it set, which will likely break the site.
A workaround for this is to either use a sepa...When `open_basedir` isn't set in an FPM (ie: `disable-php-security` is enabled), it inherits the last setting it had for another site which doe have it set, which will likely break the site.
A workaround for this is to either use a separate pool, or edit the apache config and manually set `open_basedir` to `/`.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/350sympl-filesystem-security: Play nicer with composer-based setups2024-03-22T16:34:14ZPaul Cammishsympl-filesystem-security: Play nicer with composer-based setupsComposer tends to put things in public/vendor, which it expects to be executable (copmoser itself, drush, etc), and currently `sympl-filesystem-security` resets these permissions.
A simple fix is to just exclude the contents of public/v...Composer tends to put things in public/vendor, which it expects to be executable (copmoser itself, drush, etc), and currently `sympl-filesystem-security` resets these permissions.
A simple fix is to just exclude the contents of public/vendor when we also exclude public/cgi-binPaul CammishPaul Cammish