No subject
Thu Oct 13 11:38:50 EDT 2022
"""
-------------
_This_Just_In_
Subject: [rt-users] [rt-announce] RT 2.0.8_01 - CRITICAL SECURITY FIX
Earlier today, I was alerted to a security vulnerability in RT's command
line administration tool, rtadmin by Jay Kramer at Mojomole.com.
This email contained a patch:
develrt:/usr/local/build # ll
-rw------- 1 root root 4208 Oct 31 04:55 rt-2-0-8_01-security.diff
develrt:/usr/local/build # cd rt-2-0-8
develrt:/usr/local/build/rt-2-0-8 # patch -p0 < ../rt-2-0-8_01-security.diff
patching file Makefile
patching file bin/rt
patching file bin/rt-mailgate
patching file bin/rtadmin
patching file lib/RT/Interface/CLI.pm
patching file lib/RT/Interface/Email.pm
So I rebuilt:
develrt:/usr/local/build/rt-2-0-8 # make dropdb
develrt:/usr/local/build/rt-2-0-8 # make install
-----------------------
6) Edit etc/config.pm
develrt:/usr/local/rt2/etc # chmod u+w config.pm
develrt:/usr/local/rt2/etc # diff config.pm config.pm.dist
14c14
< $rtname="Asl Support";
---
> $rtname="example.com";
20c20
< $Organization = "aslab.com";
---
> $Organization = "example.com";
28c28
< $Timezone = 'US/Pacific';
---
> $Timezone = 'US/Eastern';
70c70
< $OwnerEmail = 'ashley at aslab.com';
---
> $OwnerEmail = 'root';
103c103
< $DropLongAttachments = 1;
---
> $DropLongAttachments = undef;
216c216
< $CorrespondAddress='rt-admin';
---
> $CorrespondAddress='RT::CorrespondAddress.not.set';
218c218
< $CommentAddress='rt-admin';
---
> $CommentAddress='RT::CommentAddress.not.set';
-----------------------------------------
7) Configure the email and web gateways
--------
Postfix:
For the mail server I'm using postfix from the SuSE 7.2 rpms. Their default
configuration works for me out of the box. I'm only adding a $myorigin
param, because some sites are doing reverse lookups on email connections
and drop me because rt.aslab.com is not a real host to the outside
world:
support:/etc/postfix # diff main.cf main.cf.dist
65c65
< myhostname = rt.aslab.com
---
> myhostname = develrt.aslab.com
74,84d73
< # SENDING MAIL
< #
< # The myorigin parameter specifies the domain that locally-posted
< # mail appears to come from. The default is to append $myhostname,
< # which is fine for small sites. If you run a domain with multiple
< # machines, you should (1) change this to $mydomain and (2) set up
< # a domain-wide alias database that aliases each user to
< # user at that.users.mailhost.
< #
< myorigin = $mydomain
<
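Review bot: `myorigin = $mydomain` depends on mydomain, which this main.cf never sets, so Postfix derives it from myhostname by dropping the first label (rt.aslab.com gives aslab.com); check it with `postconf mydomain` and set it explicitly so the origin does not silently change if myhostname is edited again. Note also that mydestination in the postconf -n listing below is `$myhostname, localhost.$mydomain`, so the rt/rt-comment aliases are only delivered for addresses at rt.aslab.com; mail to user@aslab.com would need aslab.com in mydestination or a relay from the real aslab.com mail host.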
I made changes in /etc/aliases:
support:/etc # diff aliases aliases.dist
12,22d11
< root: ashley at dagda.aslab.com
<
<
< # RT Ticket Tracking system:
< # All queues have the same correspondance addresses
< rt: "|/usr/local/rt2/bin/rt-mailgate --queue general --action
correspond"
< rt-comment: "|/usr/local/rt2/bin/rt-mailgate --queue general --action
comment"
< techsupport: rt
< techsupport-comment: rt-comment
<
<
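Review bot: the `rt:` and `rt-comment:` pipe aliases run rt-mailgate as Postfix's default_privs user (nobody, per the postconf -n listing below), so that is the account that has to read /usr/local/rt2/etc/config.pm; rather than `chmod 555 config.pm` (world-readable, and an execute bit the file does not need), make it group-readable by that user's group with chgrp and `chmod 640` so the RT configuration is not exposed to every local account. Each pipe alias also has to sit on a single line, e.g. `rt: "|/usr/local/rt2/bin/rt-mailgate --queue general --action correspond"`; if the break shown before `correspond"` is in the file rather than mail-client wrapping, newaliases will not parse it as intended unless the continuation line is indented.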
support:/usr/local/rt2/etc # newaliases
SuSEConfig will trash my main.cf if I don't change this:
develrt:/usr/local/rt2/etc # head /etc/rc.config.d/postfix.rc.config
#
# If you don't want to let SuSEconfig generate your
# configuration file, set this to no
#
#POSTFIX_CREATECF="yes"
POSTFIX_CREATECF="no"
This is my final rundown for main.cf:
support:/etc # postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
default_privs = nobody
local_destination_concurrency_limit = 2
mail_name = Postfix on SuSE Linux 7.2 (i386)
mail_owner = postfix
mail_spool_directory = /var/mail
mydestination = $myhostname, localhost.$mydomain
myhostname = rt.aslab.com
myorigin = $mydomain
program_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
relocated_maps = hash:/etc/postfix/relocated
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_sender_restrictions = hash:/etc/postfix/access
transport_maps = hash:/etc/postfix/transport
virtual_maps = hash:/etc/postfix/virtual
I had to change the permissions on /usr/local/rt2/etc/config.pm so as to
make it world-readable. Otherwise the mail-gate (running as ?) can't
read it and mail is bounced:
support:/usr/local/rt2/etc # chmod 555 config.pm
-------
apache:
Since I'm also serving up techsupport helpfiles, I'm setting up the RT
stuff on a virtual host.
develrt:/usr/local/apache/conf # diff httpd.conf httpd.conf.default
139,140c139,140
< MinSpareServers 1
< MaxSpareServers 1
---
> MinSpareServers 5
> MaxSpareServers 10
146c146
< StartServers 1
---
> StartServers 5
250,251c250,251
< User wwwrun
< Group nogroup
---
> User nobody
> Group "#-1"
258c258
< ServerAdmin ashley at aslab.com
---
> ServerAdmin root at develrt.aslab.com
276c276
< ServerName support.aslab.com
---
> #ServerName develrt.aslab.com
283c283
< DocumentRoot "/usr/local/support"
---
> DocumentRoot "/usr/local/apache/htdocs"
308c308
< <Directory "/usr/local/support">
---
> <Directory "/usr/local/apache/htdocs">
991,1015d990
<
<
< #
< # RT stuff as virtual host
< #
< <VirtualHost 192.168.2.40>
< DocumentRoot /usr/local/rt2/WebRT/html
< ServerName rt.aslab.com
< PerlModule Apache::DBI
< PerlFreshRestart On
< PerlRequire /usr/local/rt2/bin/webmux.pl
< <Location />
< SetHandler perl-script
< PerlHandler RT::Mason
< </Location>
< <Directory "/usr/local/rt2/WebRT/html">
< Options none
< AllowOverride None
< Order allow,deny
< Allow from all
< # Allow from 192.168.2.0/24 199.182.25.0/24
< # Deny from all
< </Directory>
< </VirtualHost>
<
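Review bot: in the RT `<Directory "/usr/local/rt2/WebRT/html">` block, `Allow from all` is the active rule while both `# Allow from 192.168.2.0/24 199.182.25.0/24` and `# Deny from all` are commented out, so with `Order allow,deny` the ticket UI is reachable from any address the host answers on, which is equivalent to no access control at all. If the two subnets are the intended audience, use `Order deny,allow`, `Deny from all`, `Allow from 192.168.2.0/24 199.182.25.0/24` and keep the `Allow from all` line out of the block.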
-------------------------------
Repopulate database from old RT
on old rt:
root@rt:/usr/local/apache/conf > su - postgres
postgres@rt:~ > pg_dumpall >/tmp/db.dump
postgres@rt:~ > logout
root@rt:/usr/local/apache/conf > ls -l /tmp/db.dump
-rw-r--r-- 1 postgres daemon 6323958 Oct 31 13:19 /tmp/db.dump
on new rt:
develrt:/usr/local/pgsql # scp root@rt:/tmp/db.dump .
db.dump 100% |*****************************| 6175 KB 00:03
develrt:/usr/local/pgsql # pg_ctl -D /usr/local/pgsql/data stop
waiting for postmaster to shut down......done
postmaster successfully shut down
develrt:/usr/local/pgsql # mv data data.old
mv: cannot remove directory `data': Device or resource busy
mv: cannot remove `data': Device or resource busy
Note: /usr/local/pgsql/data is a mountpoint, that's why it can't be removed.
develrt:/usr/local/pgsql # su - postgres
postgres@develrt:~ > initdb -D /usr/local/pgsql/data
postgres@develrt:~ > pg_ctl -o "-i -p 5432" -D /usr/local/pgsql/data -l logfile start
postmaster successfully started
postgres@develrt:~ > psql -d template1 -f db.dump
postgres@develrt:~ > logout
develrt:/usr/local/pgsql # apachectl start
/usr/local/apache/bin/apachectl start: httpd started
I also added some indexes which were recommended as performance
enhancements:
develrt:/usr/local/build/rt-2-0-8/etc # cat rt_indexes
CREATE INDEX TicketIndex ON Transactions (Ticket);
CREATE INDEX EffectiveTicketIndex ON Transactions (EffectiveTicket);
CREATE INDEX CreatorIndexTransactions ON Transactions (Creator);
CREATE INDEX CreatorIndexAttachments ON Attachments (Creator);
CREATE INDEX ParentIndex ON Attachments (Parent);
CREATE INDEX TransactionId ON Attachments (TransactionId);
CREATE INDEX EffectiveIdIndex ON Tickets (EffectiveId);
CREATE INDEX OwnerIndex ON Tickets (Owner);
CREATE INDEX CreatorIndexTickets ON Tickets (Creator);
develrt:/usr/local/build/rt-2-0-8 # psql -U postgres -d rt2
Welcome to psql, the PostgreSQL interactive terminal.
rt2=# \i /usr/local/build/rt-2-0-8/etc/rt_indexes
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
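An added audit script for the two least-privilege points in the write-up above (example code written for this page, not from the original post or from the RT project): config.pm was made world-readable with chmod 555 so that rt-mailgate, which Postfix runs under default_privs (nobody in the postconf -n listing), can read it, although RT 2's config.pm also holds the database password in $DatabasePassword; and the RT <Directory> block keeps "Allow from all" active while the subnet restriction and "Deny from all" are commented out. The same permission check applies to the pg_dumpall output, which the listing shows as mode 644 under /tmp. The sample files, the group suggestion in the comments and the path arguments are assumptions made for the example; the demo at the bottom works on constructed stand-ins under mktemp and never touches the real RT tree.

```shell
#!/bin/sh
# Added example (not from the original post or from RT): audit helpers for
#   1. a world-readable config.pm (chmod 555 in the post), and
#   2. an RT <Directory> block whose "Allow from all" is still active.
# Everything below runs unprivileged on constructed sample files.

# is_world_readable FILE: succeed when the "other" read bit is set.
# ls(1) output is used instead of stat(1) because stat's flags differ
# between GNU and BSD userlands; the first 10 columns are the mode string.
is_world_readable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# drop_world_read FILE: the fix; clears every "other" bit, leaves owner and
# group bits alone.  For the setup in the post you would then chgrp the file
# to the group of the default_privs user (assumption: nogroup for "nobody")
# and let the group read bit, not the world read bit, serve rt-mailgate.
drop_world_read() {
    chmod o-rwx "$1"
}

# rt_dir_allows_all HTTPD_CONF DIRPATH: succeed when the <Directory DIRPATH>
# block contains an uncommented "Allow from all".  Lines starting with '#'
# are skipped, which is exactly why the posted block is wide open.
rt_dir_allows_all() {
    awk -v dir="$2" '
        index($0, "<Directory") && index($0, dir) { inblk = 1; next }
        inblk && /^[ \t]*<\/Directory>/ { inblk = 0 }
        inblk && !/^[ \t]*#/ && tolower($0) ~ /allow[ \t]+from[ \t]+all/ { open = 1 }
        END { exit (open ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the <Directory> block as it appears in the posted hunk.
write_open_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost 192.168.2.40>
    DocumentRoot /usr/local/rt2/WebRT/html
    ServerName rt.aslab.com
    <Directory "/usr/local/rt2/WebRT/html">
        Options none
        AllowOverride None
        Order allow,deny
        Allow from all
        # Allow from 192.168.2.0/24 199.182.25.0/24
        # Deny from all
    </Directory>
</VirtualHost>
EOF
}

# Constructed sample: the same block limited to the two subnets.
write_restricted_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost 192.168.2.40>
    DocumentRoot /usr/local/rt2/WebRT/html
    ServerName rt.aslab.com
    <Directory "/usr/local/rt2/WebRT/html">
        Options none
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 192.168.2.0/24 199.182.25.0/24
    </Directory>
</VirtualHost>
EOF
}

# audit_rt CONFIG_PM HTTPD_CONF: one finding per line on stdout; the exit
# status is the number of findings, so 0 means clean.
audit_rt() {
    n=0
    if is_world_readable "$1"; then
        echo "FINDING: $1 is world-readable (it holds the RT database password)"
        n=$((n + 1))
    fi
    if rt_dir_allows_all "$2" /usr/local/rt2/WebRT/html; then
        echo "FINDING: RT <Directory> block in $2 has an active 'Allow from all'"
        n=$((n + 1))
    fi
    return $n
}

# Demo on constructed stand-ins: first the setup as posted, then the fixed one.
demo() {
    tmp=$(mktemp -d)
    printf '$DatabasePassword = "rt_pass";\n' > "$tmp/config.pm"   # constructed stand-in
    chmod 555 "$tmp/config.pm"                                      # what the post did
    write_open_vhost "$tmp/httpd.conf"
    audit_rt "$tmp/config.pm" "$tmp/httpd.conf" || echo "findings: $?"
    drop_world_read "$tmp/config.pm"
    chmod u+w "$tmp/config.pm"                                      # owner rw, group r, other none
    write_restricted_vhost "$tmp/httpd.conf"
    audit_rt "$tmp/config.pm" "$tmp/httpd.conf" && echo "clean"
    rm -rf "$tmp"
}
demo
```

Run it with `sh audit.sh`; to audit a real install, call `audit_rt /usr/local/rt2/etc/config.pm /usr/local/apache/conf/httpd.conf` from the same file instead of `demo`. The Apache check deliberately reports only an uncommented "Allow from all"; a block that allows specific networks with `Deny from all` passes, which is the shape the commented-out lines in the post were aiming for.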