No subject


Thu Oct 13 11:38:50 EDT 2022


"""



-------------
_This_Just_In_
Subject: [rt-users] [rt-announce] RT 2.0.8_01 - CRITICAL SECURITY FIX

Earlier today, I was alerted to a security vulnerability in RT's command
line administration tool, rtadmin, by Jay Kramer at Mojomole.com.


This email contained a patch:
develrt:/usr/local/build # ll
-rw-------    1 root     root         4208 Oct 31 04:55 rt-2-0-8_01-security.diff
develrt:/usr/local/build # cd rt-2-0-8
develrt:/usr/local/build/rt-2-0-8 # patch -p0 < ../rt-2-0-8_01-security.diff 
patching file Makefile
patching file bin/rt
patching file bin/rt-mailgate
patching file bin/rtadmin
patching file lib/RT/Interface/CLI.pm
patching file lib/RT/Interface/Email.pm

So I rebuilt:
develrt:/usr/local/build/rt-2-0-8 # make dropdb
develrt:/usr/local/build/rt-2-0-8 # make install




-----------------------
6)   Edit etc/config.pm 

develrt:/usr/local/rt2/etc # chmod  u+w config.pm

develrt:/usr/local/rt2/etc # diff config.pm config.pm.dist 
14c14
< $rtname="Asl Support";  
---
> $rtname="example.com";  
20c20
< $Organization = "aslab.com";
---
> $Organization = "example.com";
28c28
< $Timezone =  'US/Pacific'; 
---
> $Timezone =  'US/Eastern'; 
70c70
< $OwnerEmail = 'ashley at aslab.com';
---
> $OwnerEmail = 'root';
103c103
< $DropLongAttachments = 1;
---
> $DropLongAttachments = undef;
216c216
< $CorrespondAddress='rt-admin';
---
> $CorrespondAddress='RT::CorrespondAddress.not.set';
218c218
< $CommentAddress='rt-admin';
---
> $CommentAddress='RT::CommentAddress.not.set';



-----------------------------------------
7)   Configure the email and web gateways

--------
Postfix:

For the mail server I'm using postfix from the SuSE 7.2 rpms.  Their default
configuration works for me out of the box.  I'm only adding a $myorigin
param, because some sites are doing reverse lookups on email connections
and drop me because rt.aslab.com is not a real host to the outside
world:

support:/etc/postfix # diff main.cf main.cf.dist 
65c65
< myhostname = rt.aslab.com
---
> myhostname = develrt.aslab.com
74,84d73
< # SENDING MAIL
< #
< # The myorigin parameter specifies the domain that locally-posted
< # mail appears to come from. The default is to append $myhostname,
< # which is fine for small sites.  If you run a domain with multiple
< # machines, you should (1) change this to $mydomain and (2) set up
< # a domain-wide alias database that aliases each user to
< # user at that.users.mailhost.
< #
< myorigin = $mydomain
< 



I made changes in /etc/aliases:

support:/etc # diff aliases aliases.dist 
12,22d11
< root:           ashley at dagda.aslab.com
< 
< 
< # RT Ticket Tracking system:
< # All queues have the same correspondance addresses
< rt:     "|/usr/local/rt2/bin/rt-mailgate --queue general --action
correspond"
< rt-comment: "|/usr/local/rt2/bin/rt-mailgate --queue general --action
comment"
< techsupport:       rt
< techsupport-comment: rt-comment
< 
< 
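Review bot: the `|/usr/local/rt2/bin/rt-mailgate ...` entries for `rt` and `rt-comment` are pipe deliveries from the root-owned system aliases file, which Postfix runs as its `default_privs` account (`default_privs = nobody` in the `postconf -n` listing further down), so `nobody` is the account that must be able to read /usr/local/rt2/etc/config.pm; giving that account read access through the file's group is narrower than the `chmod 555 config.pm` done later in the post. Also confirm that each pipe command sits on a single line in the real file: the `--action correspond` and `--action comment` arguments appear wrapped here, and a continuation line in aliases(5) must begin with whitespace.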

support:/usr/local/rt2/etc # newaliases



SuSEConfig will trash my main.cf if I don't change this:

develrt:/usr/local/rt2/etc # head /etc/rc.config.d/postfix.rc.config
#
# If you don't want to let SuSEconfig generate your
# configuration file, set this to no
#
#POSTFIX_CREATECF="yes"
POSTFIX_CREATECF="no"


This is my final rundown for main.cf:

support:/etc # postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
default_privs = nobody
local_destination_concurrency_limit = 2
mail_name = Postfix on SuSE Linux 7.2 (i386)
mail_owner = postfix
mail_spool_directory = /var/mail
mydestination = $myhostname, localhost.$mydomain
myhostname = rt.aslab.com
myorigin = $mydomain
program_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
relocated_maps = hash:/etc/postfix/relocated
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_sender_restrictions = hash:/etc/postfix/access
transport_maps = hash:/etc/postfix/transport
virtual_maps = hash:/etc/postfix/virtual



I had to change the permissions on /usr/local/rt2/etc/config.pm so as to
make it world readable.  Otherwise the mail-gate (running as ?) can't
read it and mail is bounced:

support:/usr/local/rt2/etc # chmod 555 config.pm






-------
apache:

Since I'm also serving up techsupport helpfiles, I'm setting up the RT
stuff on a virtual host.

develrt:/usr/local/apache/conf # diff httpd.conf httpd.conf.default 
139,140c139,140
< MinSpareServers 1
< MaxSpareServers 1
---
> MinSpareServers 5
> MaxSpareServers 10
146c146
< StartServers 1
---
> StartServers 5
250,251c250,251
< User wwwrun
< Group nogroup
---
> User nobody
> Group "#-1"
258c258
< ServerAdmin ashley at aslab.com
---
> ServerAdmin root at develrt.aslab.com
276c276
< ServerName support.aslab.com
---
> #ServerName develrt.aslab.com
283c283
< DocumentRoot "/usr/local/support"
---
> DocumentRoot "/usr/local/apache/htdocs"
308c308
< <Directory "/usr/local/support">
---
> <Directory "/usr/local/apache/htdocs">
991,1015d990
< 
< 
< #
< # RT stuff as virtual host
< #
< <VirtualHost 192.168.2.40>
<     DocumentRoot /usr/local/rt2/WebRT/html
<     ServerName rt.aslab.com
<     PerlModule Apache::DBI
<     PerlFreshRestart On
<     PerlRequire /usr/local/rt2/bin/webmux.pl
<     <Location />
<          SetHandler perl-script
<          PerlHandler RT::Mason
<     </Location>
<     <Directory "/usr/local/rt2/WebRT/html">
<         Options none
<         AllowOverride None
<         Order allow,deny
<         Allow from all
<     #    Allow from 192.168.2.0/24 199.182.25.0/24
<     #    Deny from all
<     </Directory>
< </VirtualHost>
< 
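Review bot: in the `<Directory "/usr/local/rt2/WebRT/html">` block the pair `Allow from 192.168.2.0/24 199.182.25.0/24` / `Deny from all` is commented out, so what is loaded is `Order allow,deny` with `Allow from all`, and the RT interface on rt.aslab.com is reachable from every client that can route to 192.168.2.40. If the two listed networks are the intended audience, note that simply uncommenting those two lines is not enough: under `Order allow,deny` the `Deny from all` is evaluated last and would block everyone, so the restricted form needs `Order deny,allow` together with `Deny from all` and the `Allow from 192.168.2.0/24 199.182.25.0/24` line, with `Allow from all` removed.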



-------------------------------
Repopulate database from old RT

on old rt:
root at rt:/usr/local/apache/conf > su - postgres
postgres at rt:~ > pg_dumpall  >/tmp/db.dump
postgres at rt:~ > logout
root at rt:/usr/local/apache/conf > ls -l /tmp/db.dump
-rw-r--r--    1 postgres daemon    6323958 Oct 31 13:19 /tmp/db.dump

on new rt:
develrt:/usr/local/pgsql # scp root at rt:/tmp/db.dump .
db.dump              100% |*****************************|  6175 KB    00:03
develrt:/usr/local/pgsql # pg_ctl -D /usr/local/pgsql/data stop
waiting for postmaster to shut down......done
postmaster successfully shut down
develrt:/usr/local/pgsql # mv data data.old
mv: cannot remove directory `data': Device or resource busy
mv: cannot remove `data': Device or resource busy

Note: /usr/local/pgsql/data is a mountpoint; that's why it can't be removed.
develrt:/usr/local/pgsql # su - postgres
postgres at develrt:~ > initdb -D /usr/local/pgsql/data
postgres at develrt:~ > pg_ctl -o "-i -p 5432" -D /usr/local/pgsql/data -l logfile start
postmaster successfully started
postgres at develrt:~ > psql -d template1 -f db.dump 
postgres at develrt:~ > logout
develrt:/usr/local/pgsql # apachectl start
/usr/local/apache/bin/apachectl start: httpd started


I also added some indexes which were recommended as performance
enhancements:
develrt:/usr/local/build/rt-2-0-8/etc # cat rt_indexes
CREATE INDEX TicketIndex ON Transactions (Ticket); 
CREATE INDEX EffectiveTicketIndex ON Transactions (EffectiveTicket);
CREATE INDEX CreatorIndexTransactions ON Transactions (Creator);
CREATE INDEX CreatorIndexAttachments ON Attachments (Creator);
CREATE INDEX ParentIndex ON Attachments (Parent);
CREATE INDEX TransactionId ON Attachments (TransactionId);
CREATE INDEX EffectiveIdIndex ON Tickets (EffectiveId);
CREATE INDEX OwnerIndex ON Tickets (Owner);
CREATE INDEX CreatorIndexTickets ON Tickets (Creator);
 
develrt:/usr/local/build/rt-2-0-8 # psql -U postgres -d rt2
Welcome to psql, the PostgreSQL interactive terminal.

rt2=# \i /usr/local/build/rt-2-0-8/etc/rt_indexes 
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE

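As an added example (not part of the original post), a small POSIX shell check for the config.pm permission question above: it reports whether a given account can read the file through its owner, group or world bits, and offers the group-based alternative to `chmod 555`. It assumes the mail-gate runs as `nobody` (Postfix's `default_privs` value in the `postconf -n` output) and that a group for that account exists; the function and account names are mine, not RT's.

```shell
#!/bin/sh
# Added example (not from the original post): report how a given service
# account can read an RT config file, so read access for the mail-gate
# user can be granted through the file's group instead of `chmod 555`.
# Assumptions: the service account is "nobody" (Postfix's default_privs
# value shown in the post's postconf -n output) and POSIX `ls -ld`/`id`.

# config_read_access FILE USER
# Prints "world", "owner", "group" or "none" (exit 1 for none, 2 if FILE
# cannot be listed), judged from the mode bits and ownership only.
config_read_access() {
    file=$1; user=$2
    listing=$(ls -ld "$file" 2>/dev/null) || return 2
    set -- $listing
    mode=$1; owner=$3; group=$4
    # mode looks like -rw-r----- ; columns 2, 5 and 8 are the read bits
    ur=$(printf '%s' "$mode" | cut -c2)
    gr=$(printf '%s' "$mode" | cut -c5)
    or=$(printf '%s' "$mode" | cut -c8)
    if [ "$or" = r ]; then echo world; return 0; fi
    if [ "$owner" = "$user" ] && [ "$ur" = r ]; then echo owner; return 0; fi
    if [ "$gr" = r ]; then
        # group-readable: USER qualifies if the file's group is one of its groups
        for g in $(id -Gn "$user" 2>/dev/null); do
            if [ "$g" = "$group" ]; then echo group; return 0; fi
        done
    fi
    echo none; return 1
}

# restrict_to_group FILE GROUP
# Narrows FILE to owner rw + group r, no world bits, and hands it to GROUP.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Usage with the post's paths, run as root on the RT host (group name for
# the nobody account varies by distribution; "nogroup" is assumed here):
#   config_read_access /usr/local/rt2/etc/config.pm nobody
#   restrict_to_group /usr/local/rt2/etc/config.pm nogroup
```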
