Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
Feed updated: 2024-03-22T16:34:14Z

Issue #350: sympl-filesystem-security: Play nicer with composer-based setups
https://gitlab.com/sympl.io/sympl/-/issues/350
Updated: 2024-03-22T16:34:14Z
Author: Paul Cammish

Composer tends to put things in public/vendor, which it expects to be executable (composer itself, drush, etc.), and currently `sympl-filesystem-security` resets these permissions.

A simple fix is to just exclude the contents of public/vendor when we also exclude public/cgi-bin.

Assignee: Paul Cammish

Issue #349: sympl12 - sympl-php-configure - open_basedir inherits other variables when not set
https://gitlab.com/sympl.io/sympl/-/issues/349
Updated: 2024-03-15T14:32:24Z
Author: Paul Cammish

When `open_basedir` isn't set in an FPM (i.e. `disable-php-security` is enabled), it inherits the last setting it had for another site which does have it set, which will likely break the site.

A workaround for this is to either use a separate pool, or edit the Apache config and manually set `open_basedir` to `/`.

Assignee: Paul Cammish

Issue #348: Automatic install script fails when /etc/apt/sources-list.d is empty
https://gitlab.com/sympl.io/sympl/-/issues/348
Updated: 2024-02-23T09:57:59Z
Author: pcollinson

# Summary
When using the install.sh script on a completely vanilla Debian Bookworm system, where /etc/apt/sources.list.d is empty, the script fails saying:
```
sed: can't read /etc/apt/sources.list.d/*: No such file or directory
```
# Steps to reproduce
Run install.sh on a system with an empty /etc/apt/sources.list.d
# What is the current bug behavior?
The relevant code starts at line 146 in install.sh; the code is:
```
if [ "$(find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' | wc -l )" != "0" ] \
    || [ "$( grep -c '^deb http://packages.mythic-beasts.com/mythic/' /etc/apt/sources.list.d/* )" != "0" ]; then
    echo -n "Removing previous Sympl repo..."
    find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' -delete
    sed -i 's|^deb http://packages.mythic-beasts.com/mythic/.*|#&|' /etc/apt/sources.list.d/*
    echo " OK"
fi
```
placing this code in a file and running it with bash -x says:
```
~# bash -x ax
++ find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list'
++ wc -l
+ '[' 0 '!=' 0 ']'
++ grep -c '^deb http://packages.mythic-beasts.com/mythic/' '/etc/apt/sources.list.d/*'
grep: /etc/apt/sources.list.d/*: No such file or directory
+ '[' '' '!=' 0 ']'
+ echo -n 'Removing previous Sympl repo...'
Removing previous Sympl repo...+ find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' -delete
+ sed -i 's|^deb http://packages.mythic-beasts.com/mythic/.*|#&|' '/etc/apt/sources.list.d/*'
sed: can't read /etc/apt/sources.list.d/*: No such file or directory
+ echo ' OK'
OK
```
# What is the expected correct behavior?
I think this code should be skipped if the directory is empty.
# Possible fixes
I worked around it by touching a README file in /etc/apt/sources.list.d.
However, the code may need to be:
```
# Only look for the old repo line once a sympl_*.list file is known to exist,
# so the directory is non-empty and the glob below always expands for grep/sed.
if [ "$(find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' | wc -l )" != "0" ]; then
    if [ "$( grep -c '^deb http://packages.mythic-beasts.com/mythic/' /etc/apt/sources.list.d/* )" != "0" ]; then
        echo -n "Removing previous Sympl repo..."
        find /etc/apt/sources.list.d/ -mindepth 1 -maxdepth 1 -type f -name 'sympl_*.list' -delete
        sed -i 's|^deb http://packages.mythic-beasts.com/mythic/.*|#&|' /etc/apt/sources.list.d/*
        echo " OK"
    fi
fi
```
Caveat: edited but not tested.
/cc @kelduum

Assignee: Paul Cammish

Issue #347: Job Failed #5314445584
https://gitlab.com/sympl.io/sympl/-/issues/347
Updated: 2024-03-15T14:31:33Z
Author: Paul Cammish

Job [#5314445584](https://gitlab.com/sympl.io/sympl/-/jobs/5314445584) failed for 50b44f390188f58a2fee8eccd3d6aac41e5c62a0:
```
Enable PHP8.0-FPM... E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 111533 (unattended-upgr)
```
Need to ensure unattended-upgrades is fully disabled/stopped before running tests.

Assignee: Paul Cammish

Issue #346: Job Failed #5310899270
https://gitlab.com/sympl.io/sympl/-/issues/346
Updated: 2023-11-08T14:48:59Z
Author: Paul Cammish

Job [#5310899270](https://gitlab.com/sympl.io/sympl/-/jobs/5310899270) failed for 8a6de491361f8bc509ebb5bf224db975f70aad84:
```
+ symbiosis-firewall-whitelist --verbose
<internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- symbiosis_utmp (LoadError)
```
Need to make sure symbiosis_utmp.so is compiled and placed in the right location.

Assignee: Paul Cammish

Issue #345: sympl-ssl fails to override ssl-only config for a site during ACME HTTP-01 challenge verification
https://gitlab.com/sympl.io/sympl/-/issues/345
Updated: 2023-06-14T19:10:52Z
Author: Lauren Kelly

# Summary
sympl-ssl will fail to obtain/renew certificates for a site which has had the ssl-only config option enabled.
I understand it is meant to override this during HTTP-01 challenge verification; this doesn't seem to work.
# Steps to reproduce
1. Automatically install Sympl on Debian 10.
2. `sympl web create example.com`
3. `touch /srv/example.com/config/ssl-only`
4. `sudo sympl-web-reconfigure example.com`
5. `sudo sympl-ssl --verbose example.com`
# What is the current bug behavior?
Let's Encrypt is unable to verify the HTTP-01 challenge, as the forced HTTPS redirection is not disabled during the certificate renewal process (or at least overridden for .well-known/acme-challenge/*).
# What is the expected correct behavior?
ACME challenge verification succeeds, as http://example.com/.well-known/acme-challenge/* does not engage the HTTPS redirect configured by ssl-only during the verification process.
/cc @kelduum

Issue #343: Can't deliver to local mailboxes - "Tainted arg 6 for dovecot_lda transport"
https://gitlab.com/sympl.io/sympl/-/issues/343
Updated: 2023-05-12T15:34:14Z
Author: Paul Cammish

Exim is logging:
```
<address> R=vhost_forward_sieve T=dovecot_lda: Tainted arg 6 for dovecot_lda transport command: '<address>'
```
...for local mail.
Likely some more de-tainting will be required.

Milestone: Sympl 12 (bookworm)
Assignee: Paul Cammish

Issue #342: sympl-web-generate-stats doesn't always generate statistics
https://gitlab.com/sympl.io/sympl/-/issues/342
Updated: 2023-05-09T08:43:21Z
Author: Paul Cammish

It looks to be checking the files to see if there have been any changes, where this is not really relevant - awffull is fine being passed the same information multiple times, or empty log files.

Milestone: Sympl 12 (bookworm)
Assignee: Paul Cammish

Issue #341: Error: test_ssl_fetch_new_certificate(SSLTest): OpenSSL::X509::RequestError: illegal zero content
https://gitlab.com/sympl.io/sympl/-/issues/341
Updated: 2023-06-10T20:45:15Z
Author: Paul Cammish

```
Error: test_ssl_fetch_new_certificate(SSLTest): OpenSSL::X509::RequestError: illegal zero content
/usr/lib/ruby/3.1.0/openssl/x509.rb:387:in `to_der'
/usr/lib/ruby/3.1.0/openssl/x509.rb:387:in `=='
/etc/sympl/test.d/tc_ssl.rb:745:in `test_ssl_fetch_new_certificate'
742: assert_equal(set.bundle, [ca_cert])
743: assert_equal(set.key, key)
744: assert_equal(set.certificate, cert)
=> 745: assert_equal(set.request, request)
746:
747: assert_equal("0", @domain.ssl_next_set_name)
748: set.name = "0"
```

Milestone: Sympl 12 (bookworm)

Issue #340: CI: "TMPDIR is not writable: /tmp/user/0" (Bookworm)
https://gitlab.com/sympl.io/sympl/-/issues/340
Updated: 2023-05-04T13:41:04Z
Author: Paul Cammish

There are quite a few warnings/errors being thrown in the CI with
```
TMPDIR is not writable: /tmp/user/0
TMP is not writable: /tmp/user/0
TEMP is not writable: /tmp/user/0
```

Milestone: Sympl 12 (bookworm)
Assignee: Paul Cammish

Issue #339: domain/mailbox.rb - "warning: constant Struct::Passwd is deprecated" (Bookworm)
https://gitlab.com/sympl.io/sympl/-/issues/339
Updated: 2023-05-04T13:41:21Z
Author: Paul Cammish

A number of Ruby warnings for `Struct::Passwd` used in mail's domain/mailbox.rb.

Milestone: Sympl 12 (bookworm)

Issue #338: sympl-mail-dict-proxy - passed username incorrect? (bookworm)
https://gitlab.com/sympl.io/sympl/-/issues/338
Updated: 2023-06-10T20:43:17Z
Author: Paul Cammish

Something changed with bookworm, and it now seems the dict proxy is being sent `Lshared/passdb/<username><tab><username>` rather than the expected `Lshared/passdb/<username>`.
Trimming the tab and everything after it 'fixes' it, but it needs investigation as to why this happens.

Issue #337: Build: docker build image not based on bookworm
https://gitlab.com/sympl.io/sympl/-/issues/337
Updated: 2023-05-02T12:02:32Z
Author: Paul Cammish

The docker build image is currently a clone of the buster image, so is building things slightly wrong, which may account for errors in `sympl-firewall`.
This should be fixed up ASAP.

Milestone: Sympl 12 (bookworm)

Issue #336: Blocking: Selectable PHP versions
https://gitlab.com/sympl.io/sympl/-/issues/336
Updated: 2023-06-10T20:41:31Z
Author: Paul Cammish

Bookworm will ship with PHP 8.2, which is nice, but a lot of stuff (notably WordPress plugins and themes, for example) is unhappy with it, so selectable PHP versions will be pretty much mandatory.
Using Sury's repo from deb.sury.org seems the way to go, firing up FPM instances as needed, and managing PHP dependencies/extensions/etc based on the ones installed by default, or having a configurable list in `/etc/sympl`, along with a configurable default PHP version for the server, defaulting to the debian shipped version.
This *could* be a separate package, but it would make sense to roll it into `sympl-web` and the existing templates, and have a selectable PHP version in `config/php`, defaulting to the normal base version, with the PHP user/group taken from the existing configs for the site (defaulting to www-data for now), and maybe separate pools per domain.
Configuration for the number of children will be needed; some basic `config/php-threads` setting with the max number, with a basic minimum and sane values derived from that with divisors, would make sense.
It may be that moving PHP to FPM wholesale would be the way to go, leaving things like phpmyadmin and roundcube on regular PHP.

Milestone: Sympl 12 (bookworm)
Assignee: Paul Cammish

Issue #335: Failures: Dovecot
https://gitlab.com/sympl.io/sympl/-/issues/335
Updated: 2023-05-02T12:02:04Z
Author: Paul Cammish

Looks like some breaking changes to the dovecot config in Bookworm, notably mentions of:
```
configuration error - unknown item 'NONEXISTENT' (notify administrator)
configuration error - unknown item 'PREVENT_NO_AUTH' (notify administrator)
```
...in the logs when installing.

Milestone: Sympl 12 (bookworm)

Issue #334: Failure: test_acl_check_antivirus(Exim4ConfigTest)
https://gitlab.com/sympl.io/sympl/-/issues/334
Updated: 2023-05-04T13:42:09Z
Author: Paul Cammish

```
Failure: test_acl_check_antivirus(Exim4ConfigTest)
/etc/sympl/test.d/tc_exim4.rb:280:in `block in do_acl_script'
/etc/sympl/test.d/tc_exim4.rb:263:in `open'
/etc/sympl/test.d/tc_exim4.rb:263:in `do_acl_script'
/etc/sympl/test.d/tc_exim4.rb:414:in `test_acl_check_antivirus'
411: system('sync ; date=$(date "+%Y-%m-%d %H:%M:%S") ; systemctl reload clamav-daemon.service ; timeout 120 journalctl -u clamav-daemon.service --since="$date" --follow | while read line ; do if [ $( echo $line | grep -c "[0-9]* signatures" ) -eq 1 ]; then killall "journalctl" 2>&1 >/dev/null ; fi ; done ; sleep 1')
412:
413: # OK the file is there now, so reject (as per default)
=> 414: do_acl_script('exim4_acl_tests/antivirus_reject')
415:
416: # OK, now the file contains "tag" so accept, and tag
417: File.open(File.join(config_dir, "antivirus"),"w+"){|fh| fh.puts("tag my mail")}
ACL test failed after line 21 of exim4_acl_tests/antivirus_reject (OK id=1ptavD-0002QU-1n)
<550> expected but was
<250>
diff:
? 550
? 2
? ?
```

Milestone: Sympl 12 (bookworm)

Issue #333: symbiosis_utmp.so fails to load
https://gitlab.com/sympl.io/sympl/-/issues/333
Updated: 2023-05-02T15:52:19Z
Author: Paul Cammish

symbiosis_utmp.so is failing to load, possibly because it's currently built with the wrong toolset (bullseye not bookworm).

Milestone: Sympl 12 (bookworm)

Issue #332: Error: test_smtp_capabilities(TestEximLive)
https://gitlab.com/sympl.io/sympl/-/issues/332
Updated: 2023-06-10T20:43:59Z
Author: Paul Cammish

```
Error: test_smtp_capabilities(TestEximLive): OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=10.0.2.15:25 state=error: sslv3 alert illegal parameter
/usr/lib/ruby/3.1.0/net/protocol.rb:46:in `connect_nonblock'
/usr/lib/ruby/3.1.0/net/protocol.rb:46:in `ssl_socket_connect'
/usr/lib/ruby/gems/3.1.0/gems/net-smtp-0.3.1/lib/net/smtp.rb:673:in `tlsconnect'
/usr/lib/ruby/gems/3.1.0/gems/net-smtp-0.3.1/lib/net/smtp.rb:649:in `do_start'
/usr/lib/ruby/gems/3.1.0/gems/net-smtp-0.3.1/lib/net/smtp.rb:604:in `start'
/etc/sympl/test.d/tc_exim4_live.rb:67:in `test_smtp_capabilities'
64: smtp = Net::SMTP.new('public_ip', 25)
65: smtp.debug_output = $stdout if $DEBUG
66:
=> 67: smtp.start do
68: assert(smtp.capable_starttls?,"STARTTLS is not advertised on port 25")
69: assert(!smtp.capable_plain_auth?, "AUTH PLAIN advertised without TLS on public IP")
70: assert(!smtp.capable_login_auth?, "AUTH LOGIN advertised without TLS on public IP")
```

Milestone: Sympl 12 (bookworm)

Issue #331: Failure: test_cgi(TestHTTP)
https://gitlab.com/sympl.io/sympl/-/issues/331
Updated: 2023-05-26T10:54:12Z
Author: Paul Cammish

```
Failure: test_cgi(TestHTTP)
/etc/sympl/test.d/tc_http.rb:140:in `block in test_cgi'
137:
138: system ('sympl-web-configure')
139:
=> 140: assert_equal( "500", getCode( "/cgi-bin/test.cgi", @domain.name ),
141: "Fetching /cgi-bin/test.cgi did not return 500" )
142:
143: assert_equal( "500", getCode( "/cgi-bin/test.cgi", "www.#{@domain.name}" ),
/etc/sympl/test.d/tc_http.rb:131:in `test_cgi'
Fetching /cgi-bin/test.cgi did not return 500
<"500">(UTF-8) expected but was
<"404">(ASCII-8BIT)
diff:
? 500
? 4 4
? ? ?
? Encoding: UTF -8
? ASCII BIT
? ??? +++
```

Milestone: Sympl 12 (bookworm)

Issue #330: sympl-webmail: Webmail should discourage over-use of the To: field
https://gitlab.com/sympl.io/sympl/-/issues/330
Updated: 2023-03-16T12:40:32Z
Author: Paul Cammish

As mentioned in https://forum.sympl.io/t/roundcube-max-disclosed-recipients/320, it's possible to have Roundcube ask if you really want to send to lots of disclosed recipients.
This would be nice to add to the default configuration, although with a reasonably high number.