* Sun Jan 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-24.sme

- ippp and wan requires daemontools bins [SME: 12566]

.gitignore

@@ -3,3 +3,4 @@
 *spec-20*
 *.tar.xz
 *.bak
+*gz

root/etc/e-smith/db/accounts/defaults/Primary/SSLRequireSSL

@@ -0,0 +1 @@
+enabled

root/etc/e-smith/db/accounts/defaults/primary/type

@@ -1 +0,0 @@
-system

root/etc/e-smith/db/accounts/migrate/10primary

@@ -0,0 +1,10 @@
+{
+    # Delete any pre-existing primary=system record (all lower case)
+    my $p = $DB->get('primary');
+    return unless defined $p;
+
+    my $type = $p->prop('type');
+    return unless defined $type;
+
+    $p->delete if $type eq 'system';
+}

root/etc/e-smith/events/actions/group-create-unix

@@ -137,7 +137,9 @@ foreach my $member (@groupMembers)
     # new group to the list. Finally sort, join and run the usermod
     # function to update the group list for this member.
 
-    my $cmd = "/usr/bin/id -G -n '$member'";
+    #my $cmd = "/usr/bin/id -G -n '$member'";
+    # this will not fail in case of apache aliase before www in passwd
+    my $cmd = "/usr/bin/groups '$member' 2>/dev/null | cut -d' ' -f3- ";
     my $groups = `$cmd 2>/dev/null`; 
     if ($? != 0)
     {

root/etc/e-smith/events/actions/group-modify-unix

@@ -131,22 +131,22 @@ foreach my $group (@groups)
 	# Get the supplementary group list for the member we are adding or
 	# deleting.
 	#my $cmd = "/usr/bin/id -G -n '$member'";
-  # this will not fail in case of apache before www in passwd
-  my $cmd = "/usr/bin/groups '$member'"; 
+	# this will not fail in case of apache before www in passwd
+	my $cmd = "/usr/bin/groups '$member' 2>/dev/null | cut -d' ' -f3- "; 
 	my $groups = `$cmd 2>/dev/null`; 
 	if ($? != 0)
 	{
 	    die "Failed to get supplementary group list for $member.\n";
 	}
-  $groups =~ s/^.*:\s+//;
+	$groups =~ s/^.*:\s+//;
 	chomp ($groups);
 
 	my @groupList = split (/\s+/, $groups);
 	@groupList = grep (!/^$member$/, @groupList);
 	# Apache is an alias for www
 	@groupList = map { $_ =~ s/^apache$/www/g; $_ } @groupList;
-  # www needs to be in shared
-  push(@groupList,'shared') if ( ($member eq 'www') and (! grep{$_ eq 'shared'} @groupList));
+	# www needs to be in shared
+	push(@groupList,'shared') if ( ($member eq 'www') and (! grep{$_ eq 'shared'} @groupList));
 
 	if ($oldMembers{$member})
 	{

root/etc/e-smith/events/actions/systemd-default

@@ -54,7 +54,9 @@ if (!symlink($old_qfn, $new_qfn)) {
 
 # we let the dedicated systemd command tryin to do what we will do later in this script
 # as up to systemd 236 it is bugged see:
-#  https://github.com/systemd/systemd/pull/7158 and https://github.com/systemd/systemd/pull/7289
+#  https://github.com/systemd/systemd/pull/7158 : systemctl: respect [Install] section in drop-ins: should be fixed in SME 12 (239)
+#  https://github.com/systemd/systemd/issues/9477 : aliases; open
+#  https://github.com/systemd/systemd/pull/9901 allow instantiated units to be enabled via presets v240
 system("/usr/bin/systemctl  preset-all");
 # in case preset-all messed up  with our default target
 system("/usr/bin/systemctl  set-default sme-server.target");
@@ -101,10 +103,11 @@ foreach my $filen (reverse sort keys %files) {
 	    my $service=$2;
 	    my $stats=$1;
 #	    print $_ ."\n"; 
-	    #ignore service that does not exists !
+	    # ignore service that does not exists !
+	    # here we are searching for service@instance.service type
 	    my $multiple = $service;
 	    ($multiple = $service ) =~ s/([a-zA-Z0-9\-_.]+@)(.*)/$1.service/ if ( $service =~ /@/ );
-	    #print "$stats $service $multiple\n";
+	    #print "$stats $service $multiple\n" if $service ne $multiple;
 	    next unless ( -e "/usr/lib/systemd/system/$service" or -e "/etc/systemd/system/$service" or -e "/usr/lib/systemd/system/$multiple");
 	    # eliminate duplicates, this way we keep only the last entry of the lowest file as we do it in reverse order of file,
 	    # but from top to bottom of file.
@@ -117,7 +120,7 @@ foreach my $filen (reverse sort keys %files) {
 		#print "want $service \n";
             }
             else {
-                my $wanted = `grep -P '^WantedBy=.*sme-server.target' /usr/lib/systemd/system/$service*  /etc/systemd/system/$service* -rsh` ;
+                my $wanted = `grep -P '^WantedBy=.*sme-server.target' /usr/lib/systemd/system/$service*  /etc/systemd/system/$service* /usr/lib/systemd/system/$multiple* /etc/systemd/system/$multiple* -rsh` ;
                 chomp $wanted;
 		$wantedBy{$service}=1 unless ( $wanted eq "");
 		#print "want $service \n" unless ( $wanted eq "") ;

root/usr/share/perl5/vendor_perl/esmith/ssl.pm

@@ -6,18 +6,26 @@ use esmith::ConfigDB;
 
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert);
+our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert SSLproto SSLprotoApache SSLprotoComa SSLprotoHyphen SSLprotoMin SSLprotoLDAP SSLprotoQpsmtpd $smeCiphers $smeSSLprotocol %existingSSLprotos);
 
 my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
 our $SystemName = $configdb->get('SystemName')->value;
 our $DomainName = $configdb->get('DomainName')->value;
 our $FQDN = "$SystemName.$DomainName";
 
-# test key size
-# test key exists
+#default cipher list 
+our $smeCiphers = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:!ADH:!SSLv2:!ADH:!aNULL:!MD5:!RC4";
+#default protocol list 
+# 2024 phase out : TLS 1.1 and 1.0 ; insuficient: SSL 3.0, 2.0 and 1.0
+our $smeSSLprotocol = "TLSv1.2 TLSv1.3";
+
+# SSLv2 and SSLv3 are not available in el8 openssl-1.1.1, while -ssl3 still in man page
+# it will throw  Option unknown option -ssl3
+our %existingSSLprotos=%{ {'SSLv3'=>1, 'TLSv1'=>1, 'TLSv1.1'=>1, 'TLSv1.2'=>1, 'TLSv1.3'=>1}};
+
 =head1 NAME
 
-esmith::php - A few tools to help with php-fpm installed versions
+esmith::ssl - A few tools to help with ssl handling
 
 =head1 SYNOPSIS
 
@@ -42,6 +50,7 @@ returns 0 if key is missing or wrong size
 returns 1 if key exists and key size is correct
 
 =cut
+
 sub key_exists_good_size {
     my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
     my %modSSL = $configdb->as_hash('modSSL');
@@ -74,8 +83,8 @@ sub key_exists_good_size {
 # check cert size Public-Key
 # openssl rsa -noout -modulus -in domain.key | openssl md5
 # openssl x509 -noout -modulus -in domain.crt | openssl md5
-
 =cut
+
 sub cert_exists_good_size {
     my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
     my %modSSL = $configdb->as_hash('modSSL');
@@ -99,6 +108,10 @@ sub cert_exists_good_size {
     return 0;
 }
 
+=head2 cert_is_cert
+check if file is really a certificate
+=cut
+
 sub cert_is_cert {
     my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
     if ( -f $crt ) 
@@ -115,6 +128,10 @@ sub cert_is_cert {
     return 0;
 }
 
+=head2 key_is_key
+check if file is really a key
+=cut
+
 sub key_is_key {
     my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
     if ( -f $key )
@@ -144,7 +161,8 @@ sub related_key_cert {
     }
     return 0;
 }
-##TODO migrate those actions from 
+
+##TODO write sub and migrate those actions from template fragments
 # check cert is related to key
 # => /etc/e-smith/templates/home/e-smith/ssl.crt 
 # check cert domain and alt
@@ -152,3 +170,126 @@ sub related_key_cert {
 # check is valid / expiry date
 # => /etc/e-smith/templates/home/e-smith/ssl.crt 
 ###################################
+
+=head2 SSLprotoApache
+output a list of allowed protocols with apache format
+e.g. -all +TLSv1.2 +TLSv1.3
+=cut
+
+sub SSLprotoApache{
+ my $protocols = " -all +".join(" +",split(" ",$smeSSLprotocol)) ." ";
+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+ my $httpd = $configdb->get('httpd-e-smith');
+ # SSLv2 and SSLv3 are not available in el8 openssl-1.1.1, while -ssl3 still referenced
+ # it will throw  Option unknown option -ssl3
+ #$protocols .= " +SSLv3" if ($httpd->{'SSLv3'} || 'disabled') eq 'enabled';
+ #  TODO: a loop using existingSSLprotos
+ $protocols .= " +TLSv1" if ($httpd->{'TLSv1'} || 'disabled') eq 'enabled';
+ $protocols .= " +TLSv1.1" if ($httpd->{'TLSv1.1'} || 'disabled') eq 'enabled';
+ # look closely this is to remove what has been added on first line,
+ # hence the minus sign and reverse logic.
+ $protocols .= " -TLSv1.2" unless ($httpd->{'TLSv1.2'} || 'enabled') eq 'enabled';
+ $protocols .= " -TLSv1.3" unless ($httpd->{'TLSv1.3'} || 'enabled') eq 'enabled';
+ return $protocols;
+}
+
+=head2 SSLprotoQpsmtpd
+output an expected IO::Socket::SSL string to enable 
+only the wanted TLS versions
+SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
+=cut
+
+sub SSLprotoQpsmtpd{
+ my $service= shift || 'qpsmtpd';
+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+ my %qpsmtpd = %{$configdb->get($service)};
+ # SSLv2 and SSLv3 are not available in el8 openssl-1.1.1, while -ssl3 still referenced
+ # it will throw  Option unknown option -ssl3
+ my $protocols = "SSLv23:!SSLv2:!SSLv3";
+ # TODO: a loop using existingSSLprotos and SSLprotoHyphen()
+ $protocols .= ':!TLSv1' unless ($qpsmtpd{'TLSv1'} || 'disabled') eq 'enabled';
+ $protocols .= ':!TLSv1_1' unless ($qpsmtpd{'TLSv1.1'} || 'disabled') eq 'enabled';
+ $protocols .= ':!TLSv1_2' unless ($qpsmtpd{'TLSv1.2'} || 'enabled') eq 'enabled';
+ $protocols .= ':!TLSv1_3' unless ($qpsmtpd{'TLSv1.3'} || 'enabled') eq 'enabled';
+ return $protocols;
+}
+
+=head2 SSLproto
+default display of list of protocol. This is how it will be displayed in 
+httpd.conf and proftpd.conf
+e.g. TLSv1.2 TLSv1.3
+=cut
+
+sub SSLproto{
+return $smeSSLprotocol;
+}
+
+=head2 SSLprotoComa
+way to display protocols in Mariadb as a string list separated by coma
+e.g. TLSv1.2,TLSv1.3
+=cut
+
+sub SSLprotoComa{
+my $string = shift || $smeSSLprotocol;
+$string =~ s/[ :]/,/g;
+return $string;
+}
+
+=head2 SSLprotoHyphen
+convert TLSv1.2 to TLSv1_2
+This is the format required by perl IO::Socket::SSL; and as the result by 
+qpsmtpd, uqpsmtpd, sqpsmtpd SME Server services
+=cut
+
+sub SSLprotoHyphen {
+my $string = shift || $smeSSLprotocol;
+$string =~ s/[ ,]/:/g;
+$string =~ s/\./_/g;
+return $string;
+}
+
+=head2 SSLprotoMin
+display only the lower protocol, as expected for dovecot
+ssl_min_protocol = TLSv1.2
+# limit : will not handle all or sslv23 as input
+=cut
+
+sub SSLprotoMin{
+  my @SSLarray =  split(" ",shift || $smeSSLprotocol);
+  my %hash ;
+  foreach my $value (@SSLarray) {
+    my $toto = $value =~ s/(.*)(\d{1})+$/$2/r;
+    # hack for TLS > SSL
+    $toto = ($value =~ /^TLS/) ? "2$toto" : "1$toto";
+    $hash{$toto}=$value ;
+  }
+  my @keys_sorted_by_value = sort { $a <=> $b } keys %hash;
+  my $lowest_value = $keys_sorted_by_value[0] ;
+  return $hash{$lowest_value};
+}
+
+=head2 SSLprotoLDAP
+convert min protocol suported to LDAP format
+TLSProtocolMin          3.3
+To require TLS 1.x or higher, set this option to 3.(x+1), e.g., TLSProtocolMin 3.2          would require TLS 1.1.
+from $smeSSLprotocol = "TLSv1.2 TLSv1.3";
+=cut
+
+sub SSLprotoLDAP{
+  # convert to array 
+  my @SSLarray =  split(" ",shift || $smeSSLprotocol);
+  return "3.0" if  (grep /^SSLv3$/, @SSLarray);
+  # TLSv1
+  return "3.1" if (grep /^TLSv1$/ , @SSLarray);
+  # keep only digit after .
+  @SSLarray = grep{ $_ =~ s/(.*)(\d{1})+$/$2/ } @SSLarray;
+  # order
+  @SSLarray = sort @SSLarray;
+  # get lower
+  my $num = $SSLarray[0];
+  # sum 3.1 + 0.$x
+  $num = "0.".$num;
+  # return
+  $num = $num +3.1;
+  return $num;
+}

root/var/service/ippp/log/run

@@ -1,6 +1,6 @@
 #! /bin/sh
 
 exec                                    \
-    /usr/local/bin/setuidgid smelog     \
-    /usr/local/bin/multilog t s5000000  \
+    /usr/bin/setuidgid smelog     \
+    /usr/bin/multilog t s5000000  \
     /var/log/ippp

root/var/service/wan/log/run

@@ -1,7 +1,7 @@
 #! /bin/sh
 
 exec                                    \
-    /usr/local/bin/setuidgid smelog     \
-    /usr/local/bin/multilog t s5000000  \
+    /usr/bin/setuidgid smelog     \
+    /usr/bin/multilog t s5000000  \
     /var/log/wan
 

smeserver-base.spec

@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 18
+%define release 24
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -49,6 +49,10 @@ Requires: bash-completion
 Requires: smeserver-runit >= 2.6.0-7
 Requires: smeserver-php >= 3.0.0-22
 Requires: smeserver-yum >= 2.6.0-43 
+# daemontools bins in use 
+Requires: /usr/bin/softlimit 
+Requires: /usr/bin/setuidgid
+Requires: /usr/bin/multilog
 Obsoletes: nss_ldap < 254
 Obsoletes: cpu
 Obsoletes: rlinetd, e-smith-mod_ssl
@@ -184,6 +188,24 @@ fi
 
 
 %changelog
+* Sun Jan 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-24.sme
+- ippp and wan requires daemontools bins [SME: 12566]
+
+* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-23.sme
+- handle all ssl ciphers and protocol in one place esmith::ssl [SME: 12827]
+  this will allow to sync all service default protocol and ciphers
+  in one place.
+
+* Fri Jan 03 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-21.sme
+- improve support of  systemd service with instance service@instance.service [SME: 12859]
+
+* Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-20.sme
+- Primary default to SSL required and redirect [SME: 12858]
+- cleanup remove primary=system [SME: 8268]
+
+* Tue Dec 31 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-19.sme
+- fix www removed from shared on group creation [SME: 12848]
+
 * Mon Dec 23 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-18.sme
 - add vlan support on External Interface [SME: 12677]
 - fix typo [SME: 12763]