From 9a588de754a7944e3e04dfa7124a5f46ba4d0d12 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sat, 31 Oct 2020 14:58:26 +0100 Subject: [PATCH 1/4] Upgrade Nextcloud to version 20.0.1 (#1848) --- CHANGELOG.md | 7 ++++++ setup/nextcloud.sh | 54 +++++++++++++++++++++++++++++++++++----------- 2 files changed, 48 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c10d78e..901e6420 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,13 @@ CHANGELOG ========= +DEVELOPMENT +----------- + +Software updates: + +* Upgraded Nextcloud from 17.0.6 to 20.0.1 (with Contacts from 3.3.0 to 3.4.1 and Calendar from 2.0.3 to 2.1.2) + v0.50 (September 25, 2020) -------------------------- diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 90485c8b..f4592941 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -14,12 +14,18 @@ apt-get purge -qq -y owncloud* # we used to use the package manager apt_install php php-fpm \ php-cli php-sqlite3 php-gd php-imap php-curl php-pear curl \ php-dev php-gd php-xml php-mbstring php-zip php-apcu php-json \ - php-intl php-imagick + php-intl php-imagick php-gmp php-bcmath InstallNextcloud() { version=$1 hash=$2 + version_contacts=$3 + hash_contacts=$4 + version_calendar=$5 + hash_calendar=$6 + version_user_external=$7 + hash_user_external=$8 echo echo "Upgrading to Nextcloud version $version" @@ -40,18 +46,18 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - wget_verify https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz e55d0357c6785d3b1f3b5f21780cb6d41d32443a /tmp/contacts.tgz + wget_verify https://github.com/nextcloud/contacts/releases/download/v$version_contacts/contacts.tar.gz $hash_contacts /tmp/contacts.tgz tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz - wget_verify https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz 9d9717b29337613b72c74e9914c69b74b346c466 /tmp/calendar.tgz + wget_verify https://github.com/nextcloud/calendar/releases/download/v$version_calendar/calendar.tar.gz $hash_calendar /tmp/calendar.tgz tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/calendar.tgz # Starting with Nextcloud 15, the app user_external is no longer included in Nextcloud core, # we will install from their github repository. - if [[ $version =~ ^1[567] ]]; then - wget_verify https://github.com/nextcloud/user_external/releases/download/v0.7.0/user_external-0.7.0.tar.gz 555a94811daaf5bdd336c5e48a78aa8567b86437 /tmp/user_external.tgz + if [ -n "$version_user_external" ]; then + wget_verify https://github.com/nextcloud/user_external/releases/download/v$version_user_external/user_external-$version_user_external.tar.gz $hash_user_external /tmp/user_external.tgz tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/user_external.tgz fi @@ -91,8 +97,14 @@ InstallNextcloud() { } # Nextcloud Version to install. Checks are done down below to step through intermediate versions. -nextcloud_ver=17.0.6 -nextcloud_hash=50b98d2c2f18510b9530e558ced9ab51eb4f11b0 +nextcloud_ver=20.0.1 +nextcloud_hash=f2b3faa570c541df73f209e873a1c2852e79eab8 +contacts_ver=3.4.1 +contacts_hash=aee680a75e95f26d9285efd3c1e25cf7f3bfd27e +calendar_ver=2.1.2 +calendar_hash=930c07863bb7a65652dec34793802c8d80502336 +user_external_ver=1.0.0 +user_external_hash=3bf2609061d7214e7f0f69dd8883e55c4ec8f50a # Current Nextcloud Version, #1623 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB @@ -141,23 +153,39 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc return 0 elif [[ ${CURRENT_NEXTCLOUD_VER} =~ ^13 ]]; then # If we are running Nextcloud 13, upgrade to Nextcloud 14 - InstallNextcloud 14.0.6 4e43a57340f04c2da306c8eea98e30040399ae5a + InstallNextcloud 14.0.6 4e43a57340f04c2da306c8eea98e30040399ae5a 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 CURRENT_NEXTCLOUD_VER="14.0.6" fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^14 ]]; then # During the upgrade from Nextcloud 14 to 15, user_external may cause the upgrade to fail. # We will disable it here before the upgrade and install it again after the upgrade. hide_output sudo -u www-data php /usr/local/lib/owncloud/console.php app:disable user_external - InstallNextcloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 + InstallNextcloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="15.0.8" fi if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^15 ]]; then - InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 + InstallNextcloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 CURRENT_NEXTCLOUD_VER="16.0.6" - fi + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^16 ]]; then + InstallNextcloud 17.0.6 50b98d2c2f18510b9530e558ced9ab51eb4f11b0 3.3.0 e55d0357c6785d3b1f3b5f21780cb6d41d32443a 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 0.7.0 555a94811daaf5bdd336c5e48a78aa8567b86437 + CURRENT_NEXTCLOUD_VER="17.0.6" + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^17 ]]; then + echo "ALTER TABLE oc_flow_operations ADD COLUMN entity VARCHAR;" | sqlite3 $STORAGE_ROOT/owncloud/owncloud.db + InstallNextcloud 18.0.10 39c0021a8b8477c3f1733fddefacfa5ebf921c68 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="18.0.10" + fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^18 ]]; then + InstallNextcloud 19.0.4 01e98791ba12f4860d3d4047b9803f97a1b55c60 3.4.1 aee680a75e95f26d9285efd3c1e25cf7f3bfd27e 2.0.3 9d9717b29337613b72c74e9914c69b74b346c466 1.0.0 3bf2609061d7214e7f0f69dd8883e55c4ec8f50a + CURRENT_NEXTCLOUD_VER="19.0.4" + fi fi - InstallNextcloud $nextcloud_ver $nextcloud_hash + InstallNextcloud $nextcloud_ver $nextcloud_hash $contacts_ver $contacts_hash $calendar_ver $calendar_hash $user_external_ver $user_external_hash + + # Nextcloud 20 needs to have some optional columns added + sudo -u www-data php /usr/local/lib/owncloud/occ db:add-missing-columns fi # ### Configuring Nextcloud @@ -239,7 +267,7 @@ fi # * We need to set the timezone to the system timezone to allow fail2ban to ban # users within the proper timeframe # * We need to set the logdateformat to something that will work correctly with fail2ban -# * mail_domain' needs to be set every time we run the setup. Making sure we are setting +# * mail_domain' needs to be set every time we run the setup. Making sure we are setting # the correct domain name if the domain is being change from the previous setup. # Use PHP to read the settings file, modify it, and write out the new settings array. TIMEZONE=$(cat /etc/timezone) From 48c233ebe5d3cda43cd0d6b6407e81a5cac4f214 Mon Sep 17 00:00:00 2001 From: David Duque Date: Sat, 31 Oct 2020 14:01:14 +0000 Subject: [PATCH 2/4] Update Roundcube to version 1.4.9 (#1830) --- setup/webmail.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/webmail.sh b/setup/webmail.sh index 1e7d0083..3e725027 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -28,8 +28,8 @@ apt_install \ # Install Roundcube from source if it is not already present or if it is out of date. # Combine the Roundcube version number with the commit hash of plugins to track # whether we have the latest version of everything. -VERSION=1.4.8 -HASH=3a6824fd68fef2e0d24f186cfbee5c6f9d6edbe9 +VERSION=1.4.9 +HASH=df650f4d3eae9eaae2d5a5f06d68665691daf57d PERSISTENT_LOGIN_VERSION=6b3fc450cae23ccb2f393d0ef67aa319e877e435 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5 CARDDAV_VERSION=3.0.3 From 545e7a52e465f5abc5ecabdc2d446d719febe7e6 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Thu, 29 Oct 2020 15:41:34 -0400 Subject: [PATCH 3/4] Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost --- api/mailinabox.yml | 10 ++++----- management/cli.py | 22 +++++++++++++++---- management/daemon.py | 40 +++++++++++++++++++++++++++-------- management/mfa.py | 1 + management/templates/mfa.html | 2 +- tools/mail.py | 3 +++ 6 files changed, 59 insertions(+), 19 deletions(-) create mode 100755 tools/mail.py diff --git a/api/mailinabox.yml b/api/mailinabox.yml index 15a048f9..a9a2c124 100644 --- a/api/mailinabox.yml +++ b/api/mailinabox.yml @@ -1666,16 +1666,16 @@ paths: schema: type: string /mfa/status: - get: + post: tags: - MFA - summary: Retrieve MFA status + summary: Retrieve MFA status for you or another user description: Retrieves which type of MFA is used and configuration operationId: mfaStatus x-codeSamples: - lang: curl source: | - curl -X GET "https://{host}/admin/mfa/status" \ + curl -X POST "https://{host}/admin/mfa/status" \ -u ":" responses: 200: @@ -1733,8 +1733,8 @@ paths: post: tags: - MFA - summary: Disable multi-factor authentication - description: Disables multi-factor authentication for the currently logged-in admin user. Either disables all multi-factor authentication methods or the method corresponding to the optional property `mfa_id` + summary: Disable multi-factor authentication for you or another user + description: Disables multi-factor authentication for the currently logged-in admin user or another user if a 'user' parameter is submitted. Either disables all multi-factor authentication methods or the method corresponding to the optional property `mfa_id`. operationId: mfaTotpDisable requestBody: required: false diff --git a/management/cli.py b/management/cli.py index f264fa70..1b91b003 100755 --- a/management/cli.py +++ b/management/cli.py @@ -6,7 +6,7 @@ # root API key. This file is readable only by root, so this # tool can only be used as root. -import sys, getpass, urllib.request, urllib.error, json, re +import sys, getpass, urllib.request, urllib.error, json, re, csv def mgmt(cmd, data=None, is_json=False): # The base URL for the management daemon. (Listens on IPv4 only.) @@ -60,14 +60,16 @@ def setup_key_auth(mgmt_uri): if len(sys.argv) < 2: print("""Usage: - {cli} user (lists users) + {cli} user (lists users) {cli} user add user@domain.com [password] {cli} user password user@domain.com [password] {cli} user remove user@domain.com {cli} user make-admin user@domain.com {cli} user remove-admin user@domain.com - {cli} user admins (lists admins) - {cli} alias (lists aliases) + {cli} user admins (lists admins) + {cli} user mfa show user@domain.com (shows MFA devices for user, if any) + {cli} user mfa disable user@domain.com [id] (disables MFA for user) + {cli} alias (lists aliases) {cli} alias add incoming.name@domain.com sent.to@other.domain.com {cli} alias add incoming.name@domain.com 'sent.to@other.domain.com, multiple.people@other.domain.com' {cli} alias remove incoming.name@domain.com @@ -121,6 +123,18 @@ elif sys.argv[1] == "user" and sys.argv[2] == "admins": if "admin" in user['privileges']: print(user['email']) +elif sys.argv[1] == "user" and len(sys.argv) == 5 and sys.argv[2:4] == ["mfa", "show"]: + # Show MFA status for a user. + status = mgmt("/mfa/status", { "user": sys.argv[4] }, is_json=True) + W = csv.writer(sys.stdout) + W.writerow(["id", "type", "label"]) + for mfa in status["enabled_mfa"]: + W.writerow([mfa["id"], mfa["type"], mfa["label"]]) + +elif sys.argv[1] == "user" and len(sys.argv) in (5, 6) and sys.argv[2:4] == ["mfa", "disable"]: + # Disable MFA (all or a particular device) for a user. + print(mgmt("/mfa/disable", { "user": sys.argv[4], "mfa-id": sys.argv[5] if len(sys.argv) == 6 else None })) + elif sys.argv[1] == "alias" and len(sys.argv) == 2: print(mgmt("/mail/aliases")) diff --git a/management/daemon.py b/management/daemon.py index 04b109f7..ffc6d5d5 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -5,7 +5,7 @@ from functools import wraps from flask import Flask, request, render_template, abort, Response, send_from_directory, make_response -import auth, utils, mfa +import auth, utils from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, remove_mail_user from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias @@ -399,15 +399,27 @@ def ssl_provision_certs(): # multi-factor auth -@app.route('/mfa/status', methods=['GET']) +@app.route('/mfa/status', methods=['POST']) @authorized_personnel_only def mfa_get_status(): - return json_response({ - "enabled_mfa": get_public_mfa_state(request.user_email, env), - "new_mfa": { - "totp": provision_totp(request.user_email, env) + # Anyone accessing this route is an admin, and we permit them to + # see the MFA status for any user if they submit a 'user' form + # field. But we don't include provisioning info since a user can + # only provision for themselves. + email = request.form.get('user', request.user_email) # user field if given, otherwise the user making the request + try: + resp = { + "enabled_mfa": get_public_mfa_state(email, env) } - }) + if email == request.user_email: + resp.update({ + "new_mfa": { + "totp": provision_totp(email, env) + } + }) + except ValueError as e: + return (str(e), 400) + return json_response(resp) @app.route('/mfa/totp/enable', methods=['POST']) @authorized_personnel_only @@ -427,8 +439,18 @@ def totp_post_enable(): @app.route('/mfa/disable', methods=['POST']) @authorized_personnel_only def totp_post_disable(): - disable_mfa(request.user_email, request.form.get('mfa-id'), env) - return "OK" + # Anyone accessing this route is an admin, and we permit them to + # disable the MFA status for any user if they submit a 'user' form + # field. + email = request.form.get('user', request.user_email) # user field if given, otherwise the user making the request + try: + result = disable_mfa(email, request.form.get('mfa-id') or None, env) # convert empty string to None + except ValueError as e: + return (str(e), 400) + if result: # success + return "OK" + else: # error + return ("Invalid user or MFA id.", 400) # WEB diff --git a/management/mfa.py b/management/mfa.py index 6af2288e..32eb5183 100644 --- a/management/mfa.py +++ b/management/mfa.py @@ -63,6 +63,7 @@ def disable_mfa(email, mfa_id, env): # Disable a particular MFA mode for a user. c.execute('DELETE FROM mfa WHERE user_id=? AND id=?', (get_user_id(email, c), mfa_id)) conn.commit() + return c.rowcount > 0 def validate_totp_secret(secret): if type(secret) != str or secret.strip() == "": diff --git a/management/templates/mfa.html b/management/templates/mfa.html index 8e2737c1..f45b263f 100644 --- a/management/templates/mfa.html +++ b/management/templates/mfa.html @@ -186,7 +186,7 @@ and ensure every administrator account for this control panel does the same. Date: Sat, 31 Oct 2020 10:36:40 -0400 Subject: [PATCH 4/4] CHANGELOG updates --- CHANGELOG.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 901e6420..4591737d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,12 +1,22 @@ CHANGELOG ========= -DEVELOPMENT ------------ +IN DEVELOPMENT +-------------- Software updates: * Upgraded Nextcloud from 17.0.6 to 20.0.1 (with Contacts from 3.3.0 to 3.4.1 and Calendar from 2.0.3 to 2.1.2) +* Upgraded Roundcube to version 1.4.9. + +Mail: + +* The MTA-STA max_age value was increased to the normal one week. + +Control Panel: + +* Two-factor authentication can now be enabled for logins to the control panel. However, keep in mind that many online services (including domain name registrars, cloud server providers, and TLS certificate providers) may allow an attacker to take over your account or issue a fraudulent TLS certificate with only access to your email address, and this new two-factor authentication does not protect access to your inbox. It therefore remains very important that user accounts with administrative email addresses have strong passwords. +* TLS certificate expiry dates are now shown in ISO8601 format for clarity. v0.50 (September 25, 2020) --------------------------