339 Commits (85be902c72bbddac24d2f70abb94e4a328c614e7)

Author	SHA1	Message	Date
Sipwise Jenkins Builder	c028eb2e14	Release new version 10.5.6.2+0~mr10.5.6.2	2 years ago
Sipwise Jenkins Builder	608955ce68	Release new version 10.5.6.1+0~mr10.5.6.1	2 years ago
Sipwise Jenkins Builder	17b756d68f	Release new version 10.5.6.0+0~mr10.5.6.0	2 years ago
Sipwise Jenkins Builder	792339d8b2	Release new version 10.5.5.0+0~mr10.5.5.0	2 years ago
Sipwise Jenkins Builder	1c252518c7	Release new version 10.5.4.0+0~mr10.5.4.0	2 years ago
Michael Prokop	aa7c010571	TT#76552 systemd: reduce hardening for sendmail(1) usage ... If a customer has email templates enabled, adding a subscriber fails due to: | Failed to create subscriber: error when closing pipe to sendmail: | Trace begun at /usr/share/perl5/Email/Sender/Transport/Sendmail.pm line 94 | Email::Sender::Transport::Sendmail::send_email('Email::Sender::Transport::Sendmail=HASH(0x56251dc80e58)', 'Email::Abstract=ARRAY(0x56252f40f0c0)', 'HASH(0x56252f3fd600)') called at /usr/share/perl5/Email/Sender/Role/CommonSending.pm line 45 | Email::Sender::Role::CommonSending::try {...} at /usr/share/perl5/Try/Tiny.pm line 102 | eval {...} at /usr/share/perl5/Try/Tiny.pm line 93 | [...] Similar, sending subscriber reset password mails etc are also failing. When strace-ing ngcp-panel's fcgi process, one can observe: | 25173 openat(AT_FDCWD, "/var/spool/exim4//input//1ogR98-0006Y1-IA-D", O_RDWR|O_CREAT|O_EXCL, 0640) = -1 EACCES (Permission denied) Now, when disabling all of the systemd hardening, it works fine. Comparing such a working with a failing process, the following changes within /proc/$PID/status can be observed: | diff -urN proc.failing/status proc.working/status | --- proc.failing/status 2022-10-06 18:06:08.519873211 +0200 | +++ proc.working/status 2022-10-06 18:08:17.071722642 +0200 | [...] | CapInh: 0000000000000000 | CapPrm: 0000000000000000 | CapEff: 0000000000000000 | -CapBnd: 000001fbffffffff | +CapBnd: 000001ffffffffff | CapAmb: 0000000000000000 | -NoNewPrivs: 1 | -Seccomp: 2 | -Seccomp_filters: 3 | +NoNewPrivs: 0 | +Seccomp: 0 So NoNewPrivs gets enabled, even though we don't explicitly set NoNewPrivileges but e.g. only ProtectClock=yes. This is expected behavior though, quoting from systemd.exec(5) | NoNewPrivileges= | | Takes a boolean argument. If true, ensures that the service | process and all its children can never gain new privileges through | execve() (e.g. via setuid or setgid bits, or filesystem capabilities). | This is the simplest and most effective way to ensure that a process and | its children can never elevate privileges again. Defaults to false, but | certain settings override this and ignore the value of this setting. | This is the case when SystemCallFilter=, SystemCallArchitectures=, | RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, | ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=, | ProtectClock=, MemoryDenyWriteExecute=, RestrictRealtime=, | RestrictSUIDSGID=, DynamicUser= or LockPersonality= are specified. Note | that even if this setting is overridden by them, systemctl show shows | the original value of this setting. Also see No New Privileges Flag[4]. Also see https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html STR (without having to go through ngcp-panel and a customer/subscriber setup): | root@spce:~# cat /etc/systemd/system/demo.service | [Unit] | Description=sendmail systemd hardening demo | | [Service] | Type=simple | User=www-data | Group=www-data | ExecStart=/usr/bin/perl /usr/bin/send_mail.pl | | # this one enough to trigger the problem | ProtectClock=true | | root@spce:~# cat /usr/bin/send_mail.pl | use strict; | use Template; | use Email::Sender::Simple qw(); | use Email::Simple; | use Email::Simple::Creator; | use Email::Sender::Transport::Sendmail qw(); | | send_email( | subject => 'exim test', | body => 'ohai', | from => 'root@localhost', | to => 'foobar@example.org', | ); | print "done\n"; | exit; | | sub send_email { | my %args = @_; | my $subject = $args{subject}; | my $body = $args{body}; | my $from = $args{from}; | my $to = $args{to}; | | my $transport = Email::Sender::Transport::Sendmail->new; | my $email = Email::Simple->create( | header => [ | To => $to, | From => $from, | Subject => $subject, | ], | body => $body, | ); | return Email::Sender::Simple->send($email, { transport => $transport } ); | } | | root@spce:~# systemctl daemon-reload && systemctl restart demo Until we switch the mail interface from sendmail(1) to SMTP or alike (reported as MT#55576), we need to reduce the systemd hardening, to not get the NoNewPrivileges=true (AKA prctl(PR_SET_NO_NEW_PRIVS,...)) behavior through any of the related hardening options. New systemd hardening state of ngcp-panel (as of systemd v247.3-7+deb11u1): | $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-panel | grep -v '✓' | NAME DESCRIPTION EXPOSURE | ✗ PrivateNetwork= Service has access to the host's network 0.5 | ✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capab… 0.3 | ✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3 | ✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3 | ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 | ✗ RestrictNamespaces=~CLONE_NEWUSER Service may create user namespaces 0.3 | ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3 | ✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SE… Service may change file ownership/access mo… 0.2 | ✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IP… Service may override UNIX file/IPC permissi… 0.2 | ✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2 | ✗ CapabilityBoundingSet=~CAP_SYS_MODULE Service may load kernel modules 0.2 | ✗ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has raw I/O access 0.2 | ✗ CapabilityBoundingSet=~CAP_SYS_TIME Service processes may change the system clo… 0.2 | ✗ IPAddressDeny= Service does not define an IP address allow… 0.2 | ✗ NoNewPrivileges= Service processes may acquire new privileges 0.2 | ✗ PrivateDevices= Service potentially has access to hardware … 0.2 | ✗ PrivateUsers= Service has access to other users 0.2 | ✗ ProtectClock= Service may write to the hardware clock or … 0.2 | ✗ ProtectKernelLogs= Service may read from or write to the kerne… 0.2 | ✗ ProtectKernelModules= Service may load or read kernel modules 0.2 | ✗ ProtectKernelTunables= Service may alter kernel tunables 0.2 | ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2 | ✗ RestrictSUIDSGID= Service may create SUID/SGID files 0.2 | ✗ SystemCallArchitectures= Service may execute system calls with all A… 0.2 | ✗ SystemCallFilter=~@clock Service does not filter system calls 0.2 | ✗ SystemCallFilter=~@debug Service does not filter system calls 0.2 | ✗ SystemCallFilter=~@module Service does not filter system calls 0.2 | ✗ SystemCallFilter=~@mount Service does not filter system calls 0.2 | ✗ SystemCallFilter=~@raw-io Service does not filter system calls 0.2 | ✗ SystemCallFilter=~@reboot Service does not filter system calls 0.2 | ✗ SystemCallFilter=~@swap Service does not filter system calls 0.2 | ✗ SystemCallFilter=~@privileged Service does not filter system calls 0.2 | ✗ SystemCallFilter=~@resources Service does not filter system calls 0.2 | ✗ CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1 | ✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary … 0.1 | ✗ CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1 | ✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVIC… Service has elevated networking privileges 0.1 | ✗ CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logging 0.1 | ✗ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOUR… Service has privileges to change resource u… 0.1 | ✗ RestrictNamespaces=~CLONE_NEWCGROUP Service may create cgroup namespaces 0.1 | ✗ RestrictNamespaces=~CLONE_NEWIPC Service may create IPC namespaces 0.1 | ✗ RestrictNamespaces=~CLONE_NEWNET Service may create network namespaces 0.1 | ✗ RestrictNamespaces=~CLONE_NEWNS Service may create file system namespaces 0.1 | ✗ RestrictNamespaces=~CLONE_NEWPID Service may create process namespaces 0.1 | ✗ RestrictRealtime= Service may acquire realtime scheduling 0.1 | ✗ SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1 | ✗ SystemCallFilter=~@obsolete Service does not filter system calls 0.1 | ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 | ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1 | ✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1 | ✗ CapabilityBoundingSet=~CAP_SYS_BOOT Service may issue reboot() 0.1 | ✗ LockPersonality= Service may change ABI personality 0.1 | ✗ MemoryDenyWriteExecute= Service may create writable executable memo… 0.1 | ✗ RestrictNamespaces=~CLONE_NEWUTS Service may create hostname namespaces 0.1 | ✗ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service may mark files immutable 0.1 | ✗ CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1 | ✗ CapabilityBoundingSet=~CAP_SYS_CHROOT Service may issue chroot() 0.1 | ✗ ProtectHostname= Service may change system host/domainname 0.1 | ✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service may establish wake locks 0.1 | ✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1 | ✗ CapabilityBoundingSet=~CAP_SYS_PACCT Service may use acct() 0.1 | ✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service may issue vhangup() 0.1 | ✗ CapabilityBoundingSet=~CAP_WAKE_ALARM Service may program timers that wake up the… 0.1 | ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 | | → Overall exposure level for ngcp-panel.service: 7.9 EXPOSED 🙁 Related: MT#31936 Related: MT#55569 Thanks: Thomas Georg on spce-user ml for the bug report, and Victor Seva, Richard Fuchs + Rene Krenn for assistance in tracking this down Change-Id: Ic3be62247bbcae00c99de3b779df838c0daaaf1a (cherry picked from commit 31429319e7)	3 years ago
Sipwise Jenkins Builder	e0625386c8	Release new version 10.5.3.0+0~mr10.5.3.0	3 years ago
Sipwise Jenkins Builder	2f0184c1cd	Release new version 10.5.2.0+0~mr10.5.2.0	3 years ago
Sipwise Jenkins Builder	96dacbd148	Release new version 10.5.1.0+0~mr10.5.1.0	3 years ago
Michael Prokop	35edfb92e6	TT#76552 Harden ngcp-panel service ... ngcp-panel service state BEFORE this change: | $ sudo systemd-analyze security ngcp-panel | tail -1 | → Overall exposure level for ngcp-panel.service: 9.2 UNSAFE 😨 ngcp-panel service state AFTER this change: | $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-panel | grep -v '✓' | NAME DESCRIPTION EXPOSURE | ✗ PrivateNetwork= Service has access to the host's network 0.5 | ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 | ✗ DeviceAllow= Service has a device ACL with some special … 0.1 | ✗ IPAddressDeny= Service does not define an IP address allow… 0.2 | ✗ PrivateUsers= Service has access to other users 0.2 | ✗ SystemCallFilter=~@privileged System call allow list defined for service,… 0.2 | ✗ SystemCallFilter=~@resources System call allow list defined for service,… 0.2 | ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1 | ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 | | → Overall exposure level for ngcp-panel.service: 1.5 OK 🙂 As of systemd v247.3-7. Change-Id: Id1218abdbe8e9ef27285b4aa4d25972b7646da11	3 years ago
Sipwise Jenkins Builder	b5b270c799	Release new version 10.5.0.0+0~mr10.5.0.0	3 years ago
Sipwise Jenkins Builder	4921c56f7a	Release new version 10.4.0.0+0~mr10.4.0.0	3 years ago
Sipwise Jenkins Builder	9d61b7b06f	Release new version 10.3.0.0+0~mr10.3.0.0	4 years ago
Guillem Jover	95e04a0db6	TT#124273 Update packaging for bullseye ... - Switch to debhelper compat level 13. - Switch to Standards-Version 4.5.1. - Update copyright years. - Wrap and sort -sat. - Rename obsolete .tmpfile fragment file to .tmpfiles. Change-Id: Ib96fd2cb63be420ebc1409f8c90eb91e0aa7c305	4 years ago
Sipwise Jenkins Builder	26eae5ee39	Release new version 10.2.0.0+0~mr10.2.0.0	4 years ago
Sipwise Jenkins Builder	ac8e69e766	Release new version 10.1.0.0+0~mr10.1.0.0	4 years ago
Alexander Lutay	4f2ba3c53f	TT#130659 Remove 'svg-edit-2.6' JS code (necessary for Opera Presto only) ... Presto Opera is no longer supported by Opera. They have been migrated to Opera Next long time ago (Chromium codebase). Change-Id: I433e77e2d5295f2d97901e4e2ce58b857fa9281d	4 years ago
Alexander Lutay	42e63e5711	TT#130659 Remove rrd-related ngcp-panel code ... Change-Id: I76880ba12037f1653c4c969e442738cc7f3eb185	4 years ago
Sipwise Jenkins Builder	5a32d8f793	Release new version 10.0.0.0+0~mr10.0.0.0	4 years ago
Sipwise Jenkins Builder	e4a11fa4d9	Release new version 9.5.0.0+0~mr9.5.0.0	4 years ago
Flaviu Mates	8bc9a3974c	TT#108162 Reseller branding primary and secondary colors ... * add color pickers and store the hex code of the colors inside the branding table in panel UI * implement /api/resellerbrandings endpoint, where all things related to reseller branding can be managed; the branding logo will still be retrieved using /api/resellerrandinglogos Change-Id: Ib7ed364811acf67ffd62252d9799a0af8b91e9bc	4 years ago
Sipwise Jenkins Builder	ef9bf99809	Release new version 9.4.0.0+0~mr9.4.0.0	4 years ago
Sipwise Jenkins Builder	e49f1584dd	Release new version 9.3.0.0+0~mr9.3.0.0	4 years ago
Sipwise Jenkins Builder	064100ff11	Release new version 9.2.0.0+0~mr9.2.0.0	5 years ago
Michael Prokop	3b9ef3d0b3	TT#99206 Depend on libcrypt-openssl-rsa-perl ... Since commit 65634d701 (`TT#84329 encrypt/decrypt password, weppassword, pin`) /usr/share/perl5/NGCP/Panel/Utils/Encryption.pm depends on the Perl module Crypt::OpenSSL::RSA (AKA libcrypt-openssl-rsa-perl). File /usr/share/perl5/NGCP/Panel/Utils/Encryption.pm is shipped with the main ngcp-panel package, which doesn't depend on libcrypt-openssl-rsa-perl. This went unnoticed, as we depend on libcrypt-openssl-rsa-perl in the ngcp-panel-tools package only (which is installed by default though), so add libcrypt-openssl-rsa-perl also as dependency of ngcp-panel package. Fixes the following issue (as reported on spce-user mailing list): | Oct 30 16:40:19 ngcp_panel_fastcgi.pl[15571]: Can't locate Crypt/OpenSSL/RSA.pm in @INC (you may need to install the Crypt::OpenSSL::RSA module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.28.1 /usr/local/share/perl/5.28.1 /usr/lib/x86_64-linux-gnu/perl5/5.28 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.28 /usr/share/perl/5.28 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/NGCP/Panel/Utils/Encryption.pm line 4. Change-Id: I33b5eb1d3b621dece48e680fb3cd93429d1030b0	5 years ago
Sipwise Jenkins Builder	aad1c60a05	Release new version 9.1.0.0+0~mr9.1.0.0	5 years ago
Sipwise Jenkins Builder	ba2a80fc81	Release new version 9.0.0.0+0~mr9.0.0.0	5 years ago
Sipwise Jenkins Builder	30f4303f1f	Release new version 8.6.0.0+0~mr8.6.0.0	5 years ago
Rene Krenn	175d8b2df6	TT#84328 write .pem files directly ... write generated RSA keys directly to -/etc/ngcp-config/shared-files/ngcp-panel/rsa_public_key.pem -/etc/ngcp-config/shared-files/ngcp-panel/rsa_private_key.pem -chmod 600 -chown root:root if the .pem files already exist, a counter in the filenames is incremented, ie. rsa_public_key_1.pem rsa_private_key_1.pem Change-Id: I439c189e7405f0eb3ab1b0178cda437ac2ab6ced	5 years ago
Rene Krenn	041ed1c151	TT#84328 generate RSA keypair ... Change-Id: Ifbf015c97152860f283ddeefe9d1f69c8b3521a7	5 years ago
Sipwise Jenkins Builder	c1e12a2961	Release new version 8.5.0.0+0~mr8.5.0.0	5 years ago
Sipwise Jenkins Builder	b991f2d71d	Release new version 8.4.0.0+0~mr8.4.0.0	5 years ago
Victor Tsvetov	77b3834bae	TT#74160 Make package ngcp-api-testframework ... Make new 'ngcp-api-testframework' package with module: NGCP::API::TestFramework Move the module source from t/api/rest2/lib/ to lib/ Change paths accordingly in module files. Change-Id: I7a4b08ecac1059533628771ea4faf2eb10dba41f	5 years ago
Rene Krenn	f66435c837	TT#75114 javascript support for prov templates ... Change-Id: I6f173ba6dd814f9be84bc3f077e8595e56d993c5	5 years ago
Guillem Jover	467084705d	TT#71950 Fix typos ... Warned-by: codespell Change-Id: If7e52bf2fbf013586e802e5ebb77a272599d9c38	5 years ago
Rene Krenn	bfd2b4b5b1	TT#73364 batch provisioning ... implementation of config.yml-based "provisioning templates" for creating a subscriber setup with one click or batch-wise (.csv upload), currently comprising of: - contact - contract - contract prefs - subscriber - subscriber prefs - trusted sources - registrations Change-Id: I0c3c1ef93bbe0ca926bbe906a35346bef5094fac	5 years ago
Sipwise Jenkins Builder	eb4ca54eb4	Release new version 8.3.0.0+0~mr8.3.0.0	5 years ago
Sipwise Jenkins Builder	7007cffc63	Release new version 8.2.0.0+0~mr8.2.0.0	6 years ago
Guillem Jover	993f9ce7bb	TT#69900 Unbundle Catalyst::Plugin::Session::Store::Redis modules ... This is a separate upstream distribution which we should not be bundling. Change-Id: I8fab1de494e885063214957ef1ff35a82702f586	6 years ago
Guillem Jover	922d035a8e	TT#51701 Switch from deprecated /var/run to /run ... Change-Id: Ib7302bf3a4e2ec9005293d2bbd79849c2173b04a	6 years ago
Guillem Jover	9bc77dcb95	TT#69150 Switch to use IO::Prompt::Tiny ... We use this module which is more lightweight and has less issues. Change-Id: I93f0f2d15ee4cc208254eb6ad6cd6c8454d922fa	6 years ago
Sipwise Jenkins Builder	5f528b1a90	Release new version 8.1.0.0+0~mr8.1.0.0	6 years ago
Guillem Jover	3672cba1bf	TT#68012 Only install the appropriate modules for the relevant package ... This package is only supposed to contain the Catalyst::Plugin::Session::Store::Redis perl module, nothing more. Change-Id: Ibf000801a2a971391a5aba4283991154fc108bb8	6 years ago
Sipwise Jenkins Builder	5565418b93	Release new version 8.0.0.0+0~mr8.0.0.0	6 years ago
Guillem Jover	9a10b9d31a	TT#63301 Fix package sections ... Change-Id: I7dd7332b69335acf182f79f7493882de51920f67	6 years ago
Guillem Jover	06e40dd4bd	TT#61954 Set debhelper compat level in Build-Depends instead of debian/compat ... Change-Id: Idbabcf532144f69f4fec052c250ab4d9a0df5371	6 years ago
Guillem Jover	bbef3972ab	TT#60750 Do not install deprecated command aliases ... Change-Id: I376f73cf16cb70460bad5b42785a0a833a409811	6 years ago
Guillem Jover	f77e463f94	TT#61954 Update copyright years ... Change-Id: Ic45f3268f48f1be80962da9afb1b4017e7b9525d	6 years ago
Guillem Jover	929bfbf446	TT#61101 Remove obsolete alternative dependencies ... These have long been gone, time to cleanup. Change-Id: I42f7e392507b06365c8c4e60bc045defd4f92df4	6 years ago
Sipwise Jenkins Builder	cdb22d5661	Release new version 7.5.0.0+0~mr7.5.0.0	6 years ago