5106R/5107R/5108R YUM updates
Updates for BlueOnyx were released tonight which deal with PHP email security and SSL certificates.
The following updates were released tonight:
base-apache (5107R + 5108R):
There appears to be some weird problem with SSL certificates on BlueOnyx 5107R and 5108R. The GUI management pages for these certainly have a few issues which need to be addressed. At this time the import and setup of SSL certificates appears to have a "hit and miss" success rate. This is still being worked on.
In the meantime this update fixes another problem related with SSL certificates: If SSL is enabled for a Vsite, then it may happen that web access to that site may redirect endlessly. To fix that one a certain RewriteRule has been removed from the Apache Vhost container. This update will make sure that the offending RewriteRule is commented out in existing Vsites and that new Vsites will directly have it commented out.
The offending RewriteRule is highlighted in red in the example Vhost container:
<VirtualHost 192.168.8.129:80> ServerName 5108r1.smd.net ServerAdmin admin DocumentRoot /home/.sites/28/site1/web ErrorDocument 401 /error/401-authorization.html ErrorDocument 403 /error/403-forbidden.html ErrorDocument 404 /error/404-file-not-found.html ErrorDocument 500 /error/500-internal-server-error.html RewriteEngine on #RewriteRule ^/(.*) http://5108r1.smd.net/$1 [L,R=301]
base-vsite (5106R, 5107R + 5108R):
This update to base-vsite improves the PHP security model of BlueOnyx one step further.
Right now we support two different PHP implementations:
- The traditional mod_php implementation of PHP.
- The more secure suPHP approach using CGI/FastCG.
Both have their benefits and drawbacks, but suPHP generally offers the best protection.
As recently discussed on the BlueOnyx mailing list it can sometimes be difficult to find out which PHP scripts have sent emails. If there is an old and vulnerable PHP script that has been tricked into sending SPAM, then the usual tools and methods we have at hand for finding the culprit leave a lot to be desired.
If suPHP is enabled on all Vsites, the headers of the sent emails will at least tell us the username of the offending user. But if mod_php is used instead, then all you have left is going through your logfiles at a painstakenly pace.
This updated base-vsite module will change this:
If a PHP script now uses the PHP mail() function, it will not talk directly to sendmail for the delivery, but will use a small round about through the new executeable /usr/sausalito/sbin/phpsendmail instead.
This binary will log all PHP related email traffic to /var/log/maillog in an easy to understand fashion, which will make it very easy to see which script sent which email.
Additionally emails generated and sent by PHP scripts will have a "X-PHP-Originating-Script" header, which tells us the numeric user ID of the owner of the sending script and the name of the sending script:
This information can then be used to look up the offending script in /var/log/maillog.
The '502' in the above examle tells us that the numeric user ID of the owner of the script was '502'. After the colon we see the name (just the name - not the path!) of the offending script. In this case here 'mail.php'.
Now if we have such an email in front of us and would need to find out which site and user the email really came from on our server, we would need to take a look at /var/log/maillog like this:
cat /var/log/maillog|grep uid=502|grep mail.php
So we grep for the numeric user ID (502 in this case) and the name of the script (mail.php) that was listed in the "X-PHP-Originating-Script:" header of said email.
Or if we wanted to see just the log entries of all PHP related email activity, we could use this command:
cat /var/log/maillog|grep sendmail-wrapper-php
That will show us all PHP related email activity.
Apr 19 01:10:18 5108r root: sendmail-wrapper-php: site=5108r1.smd.net, client=10.1.128.1, script=/home/.sites/28/site1/web/mailtest/mailtest/mail.php, uid=502, user=xxx_admin Apr 19 01:35:01 5108r root: sendmail-wrapper-php: site=5108r1.smd.net, client=10.1.128.1, script=/home/.sites/28/site1/web/mailtest/mailtest/mail.php, uid=502, user=xxx_admin
For more technical information about this update, please see this message on the BlueOnyx mailing list.
The updated "base-vsite" was made available at 03:50 a.m. Central European Time and it contained several problems which have had a negative impact on PHP enabled websites.
At 10:30 a.m. Central European Time a fixed version of "base-vsite" (version number: 3.0-132BX99) was made available.
If your server is having problems with displaying PHP scripts, then please do the following to fix the issue:
1.) Login as "admin" by SSH and use "su -" to gain root access,
2.) Run the following commands:
yum clean all yum update -y
That will fetch and install the fixed "base-vsite" RPMs. A reboot or restart of any service is not required.
More detailed information about why the problem happened and what was done to fix it will be posted shortly.
We aplogize for any problems that this update has caused.