jamf / NetSUS

NetBoot and Software Update Server
https://jamfnation.jamfsoftware.com/viewProduct.html?id=180

Old PHP and Apache versions #125

Open MaksymGurkov opened 5 years ago

MaksymGurkov commented 5 years ago

Hello guys,

We are going to switch to NetSUS from Apple server. We have set up a dev environment and everything works pretty well. However, a security scan shows a lot of vulnerabilities which are related to the old PHP (5.4.16) and Apache (2.4.6) versions. The question is: Are you going to update these components? If so, what is the estimate or deadline for this?

macmule commented 5 years ago

@MaksymGurkov hi there.

Whilst this product is under the "jamf" banner, it is an Open Source one.

So timelines are hard to offer.

Obviously things can be expedited if you were to update the components & offer a PR.

duncan-mccracken commented 5 years ago

The versions of Apache and PHP are dependent on the versions available for the baseline OS, as that is where the installation source is drawn from. The combinations mentioned here seem to be from CentOS / RHEL 7, on a roll-your-own install. The supplied OVA is running PHP 7, on Ubuntu.

Inclusion of a later version of PHP for RHEL / CentOS 7, using an officially supported repo and method, is somewhat trickier, as the packages for this live in the 'Collections' repo. The Collections repo is not available by default in RHEL, but can be added to a subscription upon request (to Red Hat) as outlined in: https://access.redhat.com/solutions/472793

There is no official implementation of later versions of PHP on CentOS / RHEL 6.

This makes it very difficult to create an installer, as the base repos to perform an installation, in the default scenario, will not be available.

However, if you have the collections repo available in your RHEL subscription, you can enable the repo using this command:

```
subscription-manager repos --enable rhel-server-rhscl-7-rpms
```

If you are using CentOS, the collections repo is available using this command:

```
yum -y install centos-release-scl
```

The following instructions assume NetSUS 5 is already installed in its default state.

Install PHP 7 packages

```
yum -y install rh-php70 rh-php70-php rh-php70-php-fpm rh-php70-php-ldap rh-php70-php-xml
```

Enable the PHP-FPM Service

```
systemctl enable rh-php70-php-fpm.service
systemctl start rh-php70-php-fpm.service
```

Create the PHP-FPM Config for Apache (this is all one command)

```
cat <<'EOF' > /etc/httpd/conf.d/fpm.conf
# PHP scripts setup
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/html

Alias / /var/www/html/
EOF
```

Remove any LoadModule directives from the php.conf

```
sed -i 's/ LoadModule/# LoadModule/' /etc/httpd/conf.modules.d/10-php.conf
```

Remove any php_value directives from the php.conf

```
sed -i 's/php_value/# php_value/g' /etc/httpd/conf.d/php.conf
```

Restart Apache

```
systemctl restart httpd.service
```

This seems to achieve what you are looking for, and on a rudimentary level, appears to work. If you wish to test this thoroughly, some feedback would be appreciated.
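A read-only check of the end state the steps above should produce, as an added example that is not part of the original comment or of NetSUS. The function name and its optional root-prefix argument are assumptions made here; the file paths and the 127.0.0.1:9000 backend are the ones used in the steps above.

```bash
#!/bin/sh
# Added example (not NetSUS code): audit the Apache config after the
# mod_php -> PHP-FPM switch. Nothing is modified.
# Usage: check_php_fpm_switch [ROOT]   (ROOT prefix is an assumption, for testing)
check_php_fpm_switch() (
    root="${1:-}"; rc=0
    fpm="$root/etc/httpd/conf.d/fpm.conf"
    mods="$root/etc/httpd/conf.modules.d/10-php.conf"
    php="$root/etc/httpd/conf.d/php.conf"

    # 1. fpm.conf must route .php requests to a FastCGI backend.
    target=$(awk '$1 == "ProxyPassMatch" { gsub(/"/, "", $3); print $3; exit }' \
        "$fpm" 2>/dev/null) || true
    case "$target" in
        "")
            echo "FAIL: no ProxyPassMatch found in $fpm"; rc=1 ;;
        # 2. PHP-FPM's FastCGI listener does not authenticate clients, so the
        #    backend should be reachable over loopback only.
        fcgi://127.0.0.1:*|fcgi://localhost:*|'fcgi://[::1]:'*)
            echo "OK: PHP-FPM backend is loopback ($target)" ;;
        *)
            echo "FAIL: PHP-FPM backend is not loopback TCP ($target)"; rc=1 ;;
    esac

    # 3. The old mod_php must not be loaded, or the vulnerable interpreter
    #    stays in the Apache process next to PHP-FPM.
    if grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+php' "$mods"; then
        echo "FAIL: active LoadModule php* in $mods"; rc=1
    else
        echo "OK: no active mod_php LoadModule"
    fi

    # 4. php_value/php_flag directives belong to mod_php; left active without
    #    it, Apache rejects them as unknown directives at startup.
    if grep -Eqs '^[[:space:]]*php_(admin_)?(value|flag)[[:space:]]' "$php"; then
        echo "FAIL: active php_value/php_flag directive in $php"; rc=1
    else
        echo "OK: no active php_value/php_flag directives"
    fi

    [ "$rc" -eq 0 ]
)
```

Run it as `check_php_fpm_switch` on the server after the Apache restart; a non-zero exit status means at least one check failed.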