Varying-Vagrant-Vagrants / VVV

An open source Vagrant configuration for developing with WordPress
https://varyingvagrantvagrants.org
MIT License

Please use secured PPA provisioning #2631

Closed tlartaud closed 2 years ago

tlartaud commented 2 years ago

Hi there,

VVV is fetching from http://ppa.launchpad.net, which is insecure, and should fetch from this domain instead: https://ppa.launchpadcontent.net/

I've contacted Launchpad to ask them for SSL support for the domain, and this is what they answered:

> We can't add HTTPS support to ppa.launchpad.net due to session cookie security issues on launchpad.net, but a while back we added ppa.launchpadcontent.net which serves the same content and has HTTPS support. Please use that instead, and/or advise authors of scripts that use ppa.launchpad.net to switch to the new domain. https://blog.launchpad.net/ppa/new-domain-names-for-ppas

Would really appreciate a simple update there :)

Regards.

welcome[bot] commented 2 years ago

Thanks for opening your first issue here! Be sure to follow the issue template and include your OS/Vagrant/VVV versions! Don't forget you can get support in the VVV slack at https://varyingvagrantvagrants.org/docs/en-US/slack/

Mte90 commented 2 years ago

What version are you using? Because we already did it https://github.com/Varying-Vagrant-Vagrants/VVV/issues/2586

tomjn commented 2 years ago

This was resolved in https://github.com/Varying-Vagrant-Vagrants/VVV/pull/2607 are you on the develop branch?

tomjn commented 2 years ago

Closing as 3.10.1 is released and the request has already been fulfilled.

tlartaud commented 2 years ago

@tomjn @Mte90

This shouldn't get closed. You can make sure it is working by adding firewall restrictions on HTTP port 80.

There are still insecure requests made to http://ppa.launchpad.net/git-core/ppa/ubuntu, and also to http://in.archive.ubuntu.com/ubuntu:

    default:  ▷ Running the 'main' provisioner...
    default:  ▷ Running init hook
    default:  * Bash profile setup and directories.
    default:  * Reloading SSH Daemon
    default:  * checking Ubuntu version
    default:  * Copying /srv/provision/core/vvv/apt-conf-d/99hashmismatch to /etc/apt/apt.conf.d/99hashmismatch
    default:  ✔ Finished init hook in 1s
    default:  * Testing network connection to https://ppa.launchpadcontent.net with wget -q --spider --timeout=5 --tries=3 https://ppa.launchpadcontent.net
    default:  * Successful Network connection to https://ppa.launchpadcontent.net detected
    default:  * Testing network connection to https://wordpress.org with wget -q --spider --timeout=5 --tries=3 https://wordpress.org
    default:  * Successful Network connection to https://wordpress.org detected
    default:  * Testing network connection to https://github.com with wget -q --spider --timeout=5 --tries=3 https://github.com
    default:  * Successful Network connection to https://github.com detected
    default:  * Testing network connection to https://raw.githubusercontent.com with wget -q --spider --timeout=5 --tries=3 https://raw.githubusercontent.com
    default:  * Successful Network connection to https://raw.githubusercontent.com detected
    default:  * Testing network connection to https://getcomposer.org with wget -q --spider --timeout=5 --tries=3 https://getcomposer.org
    default:  * Successful Network connection to https://getcomposer.org detected
    default:  * Testing network connection to https://deb.nodesource.com with wget -q --spider --timeout=5 --tries=3 https://deb.nodesource.com
    default:  * Successful Network connection to https://deb.nodesource.com detected
    default:  * Testing network connection to https://mirror.rackspace.com with wget -q --spider --timeout=5 --tries=3 https://mirror.rackspace.com
    default:  * Successful Network connection to https://mirror.rackspace.com detected
    default:  * Network checks succeeded
    default:  * Apt package install pre-checks
    default:  ▷ Running before_packages hook
    default:  * Setting up MySQL configuration file links...
    default:  * creating mysql group
    default:  * adding the mysql user
    default:  * Copying /srv/provision/core/mariadb/config/vvv-core.cnf to /etc/mysql/conf.d/vvv-core.cnf
    default:  * Checking supplementary PHP configs
    default:  ✔ Finished before_packages hook in 1s
    default:  * Registering apt keys
    default:  ▷ Running register_apt_keys hook
    default:  * Applying the PackageCloud Git-LFS signing key...
    default: OK
    default:  * Applying the MariaDB signing key...
    default: OK
    default:  * Applying Nginx signing key...
    default: OK
    default:  ✔ Finished register_apt_keys hook in 1s
    default:  * Registering apt sources
    default:  ▷ Running register_apt_sources hook
    default:  * Applying the VVV mirror signing key...
    default: OK
    default:  * Adding ppa:git-core/ppa repository
    default: Err:1 http://ppa.launchpad.net/git-core/ppa/ubuntu focal InRelease
    default:   Could not connect to ppa.launchpad.net:80 (185.125.190.52), connection timed out
    default: Err:2 http://in.archive.ubuntu.com/ubuntu focal InRelease
    default:   Could not connect to in.archive.ubuntu.com:80 (91.189.91.38), connection timed out
    default: Err:3 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease
    default:   Unable to connect to in.archive.ubuntu.com:http:
    default: Err:4 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease
    default:   Unable to connect to in.archive.ubuntu.com:http:
    default: Err:5 http://in.archive.ubuntu.com/ubuntu focal-security InRelease
    default:   Unable to connect to in.archive.ubuntu.com:http:
    default: Reading package lists...
    default: W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/focal/InRelease  Could not connect to in.archive.ubuntu.com:80 (91.189.91.38), connection timed out
    default: W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Unable to connect to in.archive.ubuntu.com:http:
    default: W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Unable to connect to in.archive.ubuntu.com:http:
    default: W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/focal-security/InRelease  Unable to connect to in.archive.ubuntu.com:http:
    default: W: Failed to fetch http://ppa.launchpad.net/git-core/ppa/ubuntu/dists/focal/InRelease  Could not connect to ppa.launchpad.net:80 (185.125.190.52), connection timed out    
    default: W: Some index files failed to download. They have been ignored, or old ones used instead.
    default:  * git-core/ppa added
    default:  * installing MariaDB apt sources
    default:  * Applying the Ondřej PHP signing key...
    default: OK
    default:  ✔ Finished register_apt_sources hook in 35s
    default:  * Upgrading apt packages
    default:  * Updating apt keys
    default: gpg: key 3B4FE6ACC0B21F32: 3 signatures not checked due to missing keys
    default: gpg: key 3B4FE6ACC0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" not changed
    default: gpg: key D94AA3F0EFE21092: 3 signatures not checked due to missing keys
    default: gpg: key D94AA3F0EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" not changed
    default: gpg: key 871920D1991BC93C: 1 signature not checked due to a missing key
    default: gpg: key 871920D1991BC93C: "Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>" not changed
    default: gpg: Total number processed: 3
    default: gpg:              unchanged: 3
    default:  * Running apt-get update...
    default: Get:1 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal InRelease [23.9 kB]
    default: Get:2 https://nginx.org/packages/mainline/ubuntu focal InRelease [3,599 B]
    default: Get:3 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal InRelease [7,767 B]
    default: Get:4 https://nginx.org/packages/mainline/ubuntu focal/nginx Sources [35.6 kB]
    default: Get:5 https://nginx.org/packages/mainline/ubuntu focal/nginx amd64 Packages [43.7 kB]
    default: Get:6 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main Sources [33.3 kB]
    default: Get:8 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main Sources [1,856 B]
    default: Get:9 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main amd64 Packages [106 kB]
    default: Get:10 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main Translation-en [34.6 kB]
    default: Get:11 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main s390x Packages [15.1 kB]
    default: Get:7 https://packagecloud.io/github/git-lfs/ubuntu focal InRelease [24.4 kB]
    default: Get:12 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main arm64 Packages [16.7 kB]
    default: Get:13 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main amd64 Packages [17.4 kB]
    default: Get:15 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main ppc64el Packages [16.7 kB]
    default: Get:14 https://packagecloud.io/github/git-lfs/ubuntu focal/main amd64 Packages [2,921 B]
    default: Err:16 http://ppa.launchpad.net/git-core/ppa/ubuntu focal InRelease
    default:   Could not connect to ppa.launchpad.net:80 (185.125.190.52), connection timed out
    default: Err:17 http://in.archive.ubuntu.com/ubuntu focal InRelease
    default:   Could not connect to in.archive.ubuntu.com:80 (91.189.91.38), connection timed out
    default: Err:18 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease
    default:   Unable to connect to in.archive.ubuntu.com:http:
    default: Err:19 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease
    default:   Unable to connect to in.archive.ubuntu.com:http:
    default: Err:20 http://in.archive.ubuntu.com/ubuntu focal-security InRelease
    default:   Unable to connect to in.archive.ubuntu.com:http:
    default: Fetched 383 kB in 30s (12.6 kB/s)
    default: Reading package lists...
    default: W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/focal/InRelease  Could not connect to in.archive.ubuntu.com:80 (91.189.91.38), connection timed out
    default: W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Unable to connect to in.archive.ubuntu.com:http:
    default: W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Unable to connect to in.archive.ubuntu.com:http:
    default: W: Failed to fetch http://in.archive.ubuntu.com/ubuntu/dists/focal-security/InRelease  Unable to connect to in.archive.ubuntu.com:http:
    default: W: Failed to fetch http://ppa.launchpad.net/git-core/ppa/ubuntu/dists/focal/InRelease  Could not connect to ppa.launchpad.net:80 (185.125.190.52), connection timed out    
    default: W: Some index files failed to download. They have been ignored, or old ones used instead.
    default: Reading package lists...
    default: Building dependency tree...
    default: Reading state information...
    default: Calculating upgrade...
    default: The following packages will be upgraded:
    default:   libargon2-1 libidn2-0 libpcre2-8-0 libpcre3 libxml2 libzstd1
    default: 6 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    default: Need to get 1,568 kB of archives.
    default: After this operation, 256 kB of additional disk space will be used.
    default: Get:1 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main amd64 libpcre3 amd64 2:8.44-2+ubuntu20.04.1+deb.sury.org+1 [240 kB]
    default: Get:2 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main amd64 libidn2-0 amd64 2.3.0-1+ubuntu20.04.1+deb.sury.org+2 [68.7 kB]
    default: Get:3 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main amd64 libpcre2-8-0 amd64 10.40-1+ubuntu20.04.1+deb.sury.org+1 [208 kB]
    default: Get:4 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main amd64 libzstd1 amd64 1.4.8+dfsg-2+ubuntu20.04.1+deb.sury.org+4 [318 kB]
    default: Get:5 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main amd64 libargon2-1 amd64 0~20190702-0.1+ubuntu20.04.1+deb.sury.org+1 [19.5 kB]
    default: Get:6 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main amd64 libxml2 amd64 2.9.14+dfsg-0+ubuntu20.04.1+deb.sury.org+1 [714 kB]
    default: Fetched 1,568 kB in 3s (511 kB/s)
    (Reading database ... 41035 files and directories currently installed.)
    default: Preparing to unpack .../libpcre3_2%3a8.44-2+ubuntu20.04.1+deb.sury.org+1_amd64.deb ...
    default: Unpacking libpcre3:amd64 (2:8.44-2+ubuntu20.04.1+deb.sury.org+1) over (2:8.39-12ubuntu0.1) ...
    default: Setting up libpcre3:amd64 (2:8.44-2+ubuntu20.04.1+deb.sury.org+1) ...
    (Reading database ... 41035 files and directories currently installed.)
    default: Preparing to unpack .../libidn2-0_2.3.0-1+ubuntu20.04.1+deb.sury.org+2_amd64.deb ...
    default: Unpacking libidn2-0:amd64 (2.3.0-1+ubuntu20.04.1+deb.sury.org+2) over (2.2.0-2) ...
    default: Setting up libidn2-0:amd64 (2.3.0-1+ubuntu20.04.1+deb.sury.org+2) ...
    (Reading database ... 41058 files and directories currently installed.)
    default: Preparing to unpack .../libpcre2-8-0_10.40-1+ubuntu20.04.1+deb.sury.org+1_amd64.deb ...
    default: Unpacking libpcre2-8-0:amd64 (10.40-1+ubuntu20.04.1+deb.sury.org+1) over (10.34-7) ...
    default: Setting up libpcre2-8-0:amd64 (10.40-1+ubuntu20.04.1+deb.sury.org+1) ...
    (Reading database ... 41058 files and directories currently installed.)
    default: Preparing to unpack .../libzstd1_1.4.8+dfsg-2+ubuntu20.04.1+deb.sury.org+4_amd64.deb ...
    default: Unpacking libzstd1:amd64 (1.4.8+dfsg-2+ubuntu20.04.1+deb.sury.org+4) over (1.4.4+dfsg-3ubuntu0.1) ...
    default: Setting up libzstd1:amd64 (1.4.8+dfsg-2+ubuntu20.04.1+deb.sury.org+4) ...
    (Reading database ... 41058 files and directories currently installed.)
    default: Preparing to unpack .../libargon2-1_0~20190702-0.1+ubuntu20.04.1+deb.sury.org+1_amd64.deb ...
    default: Unpacking libargon2-1:amd64 (0~20190702-0.1+ubuntu20.04.1+deb.sury.org+1) over (0~20171227-0.2) ...
    default: Preparing to unpack .../libxml2_2.9.14+dfsg-0+ubuntu20.04.1+deb.sury.org+1_amd64.deb ...
    default: Unpacking libxml2:amd64 (2.9.14+dfsg-0+ubuntu20.04.1+deb.sury.org+1) over (2.9.10+dfsg-5ubuntu0.20.04.3) ...
    default: Setting up libargon2-1:amd64 (0~20190702-0.1+ubuntu20.04.1+deb.sury.org+1) ...
    default: Setting up libxml2:amd64 (2.9.14+dfsg-0+ubuntu20.04.1+deb.sury.org+1) ...
    default: Processing triggers for man-db (2.9.1-1) ...
    default: Processing triggers for libc-bin (2.31-0ubuntu9.9) ...
    default:  * Registering apt packages to install
    default:  ▷ Running register_apt_packages hook
    default:  ✔ Finished register_apt_packages hook in 0s
    default:  * Main packages check and install.
    default:  * Checking for apt packages to remove.
    default:  * No apt packages to remove
    default:  * Checking for apt packages to install.
    default:  * Cleaning up dpkg lock file
    default:  * Updating apt keys
    default: gpg: key 3B4FE6ACC0B21F32: 3 signatures not checked due to missing keys
    default: gpg: key 3B4FE6ACC0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" not changed
    default: gpg: key D94AA3F0EFE21092: 3 signatures not checked due to missing keys
    default: gpg: key D94AA3F0EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" not changed
    default: gpg: key 871920D1991BC93C: 1 signature not checked due to a missing key
    default: gpg: key 871920D1991BC93C: "Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>" not changed
    default: gpg: Total number processed: 3
    default: gpg:              unchanged: 3
    default:  * Running apt-get update...
    default: Get:1 https://nginx.org/packages/mainline/ubuntu focal InRelease [3,599 B]
    default: Get:2 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal InRelease [23.9 kB]
    default: Get:3 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal InRelease [7,767 B]
    default: Get:4 https://nginx.org/packages/mainline/ubuntu focal/nginx Sources [35.6 kB]
    default: Get:5 https://nginx.org/packages/mainline/ubuntu focal/nginx amd64 Packages [43.7 kB]
    default: Get:6 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main Sources [33.3 kB]
    default: Get:8 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main Sources [1,856 B]
    default: Get:9 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main amd64 Packages [106 kB]
    default: Get:10 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main arm64 Packages [16.7 kB]
    default: Get:7 https://packagecloud.io/github/git-lfs/ubuntu focal InRelease [24.4 kB]
    default: Get:11 https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal/main Translation-en [34.6 kB]
    default: Get:12 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main amd64 Packages [17.4 kB]
    default: Get:13 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main s390x Packages [15.1 kB]
    default: Get:15 https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu focal/main ppc64el Packages [16.7 kB]
    default: Get:14 https://packagecloud.io/github/git-lfs/ubuntu focal/main amd64 Packages [2,921 B]

Best regards.

tomjn commented 2 years ago

Hmm, we can change more places if you can point them out in code; the git PPA is certainly useful to know. Adding firewall restrictions could cause issues for users who add their own extensions, as well as in other places.

VVV isn't a production-ready environment or a staging environment; it's a local-only environment. We already disable public networking so it can't be accessed via the network.

tomjn commented 2 years ago

@tlartaud

I took a look at the git source you mentioned:

  if [ "${OSID}" == "Ubuntu" ]; then
    if ! vvv_src_list_has "git-core/ppa"; then
      # Add ppa repo.
      vvv_info " * Adding ppa:git-core/ppa repository"
      add-apt-repository -y ppa:git-core/ppa
      vvv_success " * git-core/ppa added"
    else
      vvv_info " * git-core/ppa already present, skipping"
    fi
  fi

There are no references to http://ppa.launchpad.net in the VVV codebase, and it's also worth noting that some of the errors you're getting are for other sources. HTTPS is not the only security measure that prevents MITM attacks here, either.

tomjn commented 2 years ago

The only place we have HTTP sources at the moment is in the Nodesource provisioner, which was disabled and is due for removal. Many of the firewall-induced errors you're seeing are from Ubuntu itself.

tlartaud commented 2 years ago

> HTTPS is not the only security measure that prevents MITM attacks here, either.

100% agree xD. I've been suffering from this for months, I completely confirm ^^ HTTP requests are all blocked on my computer, but I'm still getting MITM attacked 📦

> Many of the firewall-induced errors you're seeing are from Ubuntu itself.

That's what I thought :( I checked the code too and didn't find any HTTP request from VVV. I probably need to point that somewhere else.

Thank you for the fast replies.

tomjn commented 2 years ago

It strikes me as odd that adding a PPA would use HTTP. Do you know if there's a way to add it and force the new Launchpad HTTPS URLs without resorting to manual additions?

Also, a long-term compatibility goal is proper Debian support so that we have more flexibility with providers and platform support, so we need to keep that in mind.

> 100% agree xD. I've been suffering from this for months, I completely confirm ^^ HTTP requests are all blocked on my computer, but I'm still getting MITM attacked 📦

I'm not 100% sure on its maintenance, but the vagrant-cachier plugin may be useful to you to grab packages on a known safe connection and cache them for later. Are you working over a university/government line? I know some ISPs proxy to cache packages, and that's caused issues for some users in India (connectivity validation and corruption issues).
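The question above (how to end up with the HTTPS Launchpad URL after `add-apt-repository`) and the earlier point that the plain-http entries come from what apt itself writes, not from VVV's code, can be checked with a small audit-and-rewrite script. This is an added example, not VVV's provisioner and not an official Launchpad or Ubuntu tool; it assumes an `/etc/apt`-style layout (`sources.list` plus `sources.list.d/*.list`), GNU `sed -i`, and it builds a constructed sample directory so it never touches real system files unless you point it at them.

```shell
#!/usr/bin/env bash
# Audit apt source lists for plain-http mirrors and rewrite the Launchpad PPA
# host to the HTTPS domain Launchpad recommends (ppa.launchpadcontent.net).
# Added example; assumes GNU sed and an /etc/apt-like directory layout.
set -eu

# Print every active "deb"/"deb-src" line under $1 that still uses http://.
# Commented-out lines are ignored; "[arch=...]" option blocks are tolerated.
find_http_sources() {
  local root="$1"
  grep -Hn -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?http://' \
    "$root/sources.list" "$root"/sources.list.d/*.list 2>/dev/null || true
}

# Rewrite only the Launchpad host: http://ppa.launchpad.net/ -> https://ppa.launchpadcontent.net/
# Other http:// mirrors (e.g. a regional Ubuntu archive) are reported, not rewritten,
# because not every mirror serves HTTPS and apt's InRelease signatures still protect them.
rewrite_launchpad_sources() {
  local root="$1" f
  for f in "$root/sources.list" "$root"/sources.list.d/*.list; do
    [ -f "$f" ] || continue
    sed -i -E 's#http://ppa\.launchpad\.net/#https://ppa.launchpadcontent.net/#g' "$f"
  done
}

# Number of remaining http:// source lines (0 means every listed mirror is TLS).
count_http_sources() {
  find_http_sources "$1" | wc -l | tr -d ' '
}

# Constructed sample apt root resembling a focal box after add-apt-repository ran;
# the file name and contents are made up for this demo, not copied from a real host.
make_sample_apt_root() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/sources.list.d"
  cat > "$root/sources.list" <<'EOF'
deb http://in.archive.ubuntu.com/ubuntu focal main restricted
deb https://ppa.launchpadcontent.net/ondrej/php/ubuntu focal main
EOF
  cat > "$root/sources.list.d/git-core-ubuntu-ppa-focal.list" <<'EOF'
deb http://ppa.launchpad.net/git-core/ppa/ubuntu focal main
# deb-src http://ppa.launchpad.net/git-core/ppa/ubuntu focal main
EOF
  printf '%s\n' "$root"
}

# Demo on the constructed sample only; pass a real root (e.g. /etc/apt) yourself.
demo_root="$(make_sample_apt_root)"
echo "http sources before:"; find_http_sources "$demo_root"
rewrite_launchpad_sources "$demo_root"
echo "http sources after:";  find_http_sources "$demo_root"
rm -rf "$demo_root"
```

Running `find_http_sources /etc/apt` on the box that produced the log above would list exactly the `in.archive.ubuntu.com` and `ppa.launchpad.net` lines apt was timing out on, which is the quickest way to tell VVV's own sources apart from what the base image and `add-apt-repository` wrote.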

tomjn commented 2 years ago

Also, what steps are you taking to adjust VVV's firewall rules? I'd be curious to see.