------------------------------------------------------------
E-SMITH SERVER AND GATEWAY 4.1.2
Release notes - March 30, 2001
------------------------------------------------------------

e-smith, inc. is pleased to announce the availability of the e-smith server and gateway version 4.1.2.

e-smith version 4.1.2 is a security update to the 4.1.1 package and also contains several new features and corrections. These security updates have been released as a result of an ongoing review of the e-smith configuration. This release is based on Red Hat 7.0 and includes all applicable security updates. The documentation, bug and FAQ listings have been updated.

e-smith, inc. advises all users of e-smith 4.1.1 and earlier versions to upgrade to e-smith 4.1.2.

SECURITY ENHANCEMENTS

1. Packet filtering (ipchains) rules have been updated to provide further optional controls, including the ability to block unprivileged TCP/UDP ports using configuration database parameters. External connections to mysql and squid are now also blocked by the packet filters. (Note: these programs were already configured in previous versions to reject requests from external addresses; the filter rules add a second, independent layer of protection.)

2. The standard e-smith public services (HTTP, SMTP and AUTH) can now be restricted to allow access only from the local network. These advanced configuration settings are not currently available through the manager.

3. The logging of network packets denied by filtering rules is now disabled by default but can be enabled with a configuration database setting. In versions 4.1 and 4.1.1, logging was enabled by default; in some cases this generated significant logging activity and could degrade system performance.

4. The i-bay configuration screens have a new option, "Enable dynamic content", which enables the use of CGI, PHP and SSI content. This replaces the "Execution of CGI scripts" option of previous versions. The option is disabled by default for each i-bay. Please consult our Security Whitepaper (http://www.e-smith.org/docs/papers/) to understand the security implications of allowing dynamic content before enabling this setting.

5. The configuration of the PPTP (VPN) server has been modified to restrict authentication to valid current user accounts only. Additional password checks have also been incorporated into the login processing.

6. The latest security updates from Red Hat for ntp, openssh, vim and mutt have been included.

7. The IMAP daemon has been rebuilt to remove drivers for some unused mailbox formats. These drivers had buffer overflow problems which valid, authenticated users could exploit to circumvent some access restrictions.

8. The configuration for ProFTPD has been restricted to defeat attempts to exploit a known denial of service attack.

9. The default setting of hard drive performance optimization has been changed from "enabled" to "disabled", in response to a number of reports from users of file system corruption and failure to boot.

E-MAIL SETTINGS

1. Some system administrators preferred not to receive email from the fetchmail daemon reporting the successful fetching of email messages (in multi-drop mode only). These messages cryptically contained just a series of periods (i.e. '.....'). They have been eliminated by setting fetchmail's default verbosity level to '--silent'. Fetchmail errors will still be delivered to the admin user.

2. The console email program pine has been configured to access personal mailboxes using the IMAP protocol. This allows command line access to mailboxes without custom configuration. Note: this feature is not normally accessible to users.

3. The packet filters are now correctly modified when external POP/IMAP is enabled. Note: e-smith, inc. strongly advises against the use of public POP and IMAP, which carry passwords and mail content across the Internet unencrypted. SSL-based webmail or a VPN connection provides secure remote access to email.

4. Machines on other internal networks, as listed in the "Local Networks" panel, are permitted to send mail via the SMTP server.

IP MASQUERADING

1. The PPTP masquerade module is now loaded by default. This allows PPTP clients using an e-smith server as a gateway to reach remote PPTP VPN servers (for example, another e-smith server) with PPTP client software. This feature was not offered in previous versions because the PPTP masquerade module included with the Red Hat 7 kernel was faulty. This version includes a replacement module which functions correctly.

2. The IPSec masquerade module is now loaded by default. This feature was not offered in previous versions because the IPSec masquerade module included with the Red Hat 7 kernel was faulty. This version includes a replacement module which functions correctly. This module has not undergone extensive testing by e-smith at this stage, but it does not conflict with the existing modules and so is loaded as a service to those who may need it.

3. Masquerading modules can now be selectively loaded via settings in the configuration database. These advanced configuration settings are not currently available through the manager.

SMB/WINDOWS FILE SHARING

1. The default character set and code page for Samba have been changed to ISO-Latin-1, which caters for Western European languages. These settings can also be customized through the configuration database.

2. The NetBIOS OS level used by Samba has been increased to ensure that the e-smith server will win a browser election if it has been configured to become the Domain Master.

3. SMB networking "opportunistic locks" have been disabled. These locks allow client machines to aggressively cache data and can cause data inconsistencies if the files are modified by other applications.

BACKUP AND RESTORE

1. The group and shared alias files are regenerated after a restore.

2. The tape header format has been changed to support a wider range of IDE tape drives.

3. The tape is automatically rewound after a restore.

4. The timezone is now reconfigured after a restore.

5. The --linear option to lilo was added to the kickstart file included on the floppy disk created by the reinstallation floppy function.

MISCELLANEOUS ENHANCEMENTS

1. A concurrency problem in the processing of configuration databases, which could have resulted in the loss of database entries, has been fixed.

2. Any comments (lines prefixed by "#") found in a configuration database are now ignored.

3. The expand-template program, which is provided to allow ad-hoc expansion of templated configuration files, has been enhanced to retain the ownership and permissions of output files.

4. A configuration error affecting access to an externally hosted website has been corrected. For example, with the domain name set to frog.pond and the "www" name modified in the "Hostnames and Addresses" panel to point to an external web server, the site http://www.frog.pond could be accessed, but the site http://frog.pond would still resolve to the local server.

5. Documentation of all e-smith perl modules is included. This can be viewed from the command line by typing:

       perldoc -U esmith::{module name}

   For example, to read the documentation for the cgi.pm perl module, you would type:

       perldoc -U esmith::cgi

6. The kernel module configuration file /etc/modules.conf is now adjusted for e-smith requirements using the template mechanism, with multiple template fragments, rather than by a perl program. This allows additions and modifications to be performed using standard, documented templates, rather than by modifying a program.

7. A kernel module search path is set up so that e-smith specific kernel modules are loaded from a separate directory tree in preference to the standard kernel modules (if they exist in that tree). This mechanism allows additional or replacement kernel modules to be installed without overwriting the standard set of kernel modules.

8. The e-smith manager now allows no more than 28 groups to be added. This limit arises because the current Linux kernel restricts the number of groups per user to 32 (NGROUPS_MAX), and the current e-smith design requires the user "admin" to be a member of each user-defined group as well as of a number of hidden system groups. Future versions of the product may remove or increase this limit on the number of groups.

9. The "Back" button on the "Select ethernet card assignment" screen of the console now goes to the correct screen.

10. The file /var/log/diald/accounting.log is now created automatically to log dialup attempts and connect times.

11. The appletalk, ppp, ip_masq_h323 and ip_masq_icq modules have been rebuilt to provide reliable support for SMP kernels.

12. Some manager pages were updated to correctly display default values.
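The packet filter controls in SECURITY ENHANCEMENTS items 1 to 3 and the configuration database behaviour in MISCELLANEOUS ENHANCEMENTS items 1 and 2 are all driven by entries in the e-smith configuration database. The shell script below is an added example written for these notes, not code shipped with e-smith 4.1.2. It assumes the database line format key=type|property|value|property|value..., invents the key and property names ExternalInterface/Name, masq/Logging, masq/BlockExternal and httpd-e-smith/access for illustration (the real 4.1.2 parameter names are not given in these notes), and prints the ipchains commands instead of executing them. It shows a reader that skips "#" comment lines, a writer that replaces the file atomically, and how the logging setting and a "private" access setting change the generated rules.

```shell
#!/bin/sh
# Added example, not part of e-smith 4.1.2. The database line format
# (key=type|prop|value|...) and every key/property name used here are
# assumptions made for illustration.

DB=${DB:-${TMPDIR:-/tmp}/esmith-demo-config.$$}

# Constructed sample database. Its first line is a comment and must be
# ignored, as the 4.1.2 database code now does.
write_sample_db() {
    cat >"$DB" <<'EOF'
# external interface, masquerade settings and one public service
ExternalInterface=interface|Name|eth1
LocalNetwork=network|Address|192.168.1.0|Mask|255.255.255.0
masq=service|status|enabled|Logging|disabled|BlockExternal|tcp:3306,tcp:3128,udp:3128
httpd-e-smith=service|status|enabled|access|public
EOF
}

# db_getprop KEY PROP: print PROP of KEY, or nothing if either is absent.
db_getprop() {
    awk -F'|' -v key="$1" -v prop="$2" '
        /^[ \t]*#/ { next }                        # comment line: ignore
        {
            split($1, kv, "="); if (kv[1] != key) next
            for (i = 2; i < NF; i += 2)
                if ($i == prop) { print $(i + 1); exit }
        }' "$DB"
}

# db_setprop KEY PROP VALUE: change (or append) PROP, writing a temporary
# file and renaming it over the database, so a concurrent reader sees either
# the old or the new file, never a half-written one. Concurrent writers would
# additionally need a lock around the whole read-modify-write; omitted here.
db_setprop() {
    tmp="$DB.tmp.$$"
    awk -F'|' -v OFS='|' -v key="$1" -v prop="$2" -v val="$3" '
        /^[ \t]*#/ { print; next }                 # comments pass through
        {
            split($1, kv, "="); if (kv[1] != key) { print; next }
            found = 0
            for (i = 2; i < NF; i += 2)
                if ($i == prop) { $(i + 1) = val; found = 1 }
            if (!found) $0 = $0 OFS prop OFS val
            print
        }' "$DB" >"$tmp" && mv "$tmp" "$DB"
}

# emit_rules: print the ipchains commands implied by the database. They are
# printed rather than run so they can be reviewed first; when applied they
# must precede any general ACCEPT rule, because ipchains matches in order.
emit_rules() {
    ext=$(db_getprop ExternalInterface Name)
    logflag=""
    if [ "$(db_getprop masq Logging)" = "enabled" ]; then
        logflag=" -l"      # ipchains -l logs every matching packet to syslog
    fi
    # Services that must never be reachable through the external interface
    # (mysql and squid in 4.1.2), one "proto:port" entry per rule.
    db_getprop masq BlockExternal | tr ',' '\n' | while read -r entry; do
        proto=${entry%%:*}; port=${entry#*:}
        echo "ipchains -A input -i $ext -p $proto -s 0/0 -d 0/0 $port -j DENY$logflag"
    done
    # A normally public service that has been restricted to the local network.
    if [ "$(db_getprop httpd-e-smith access)" = "private" ]; then
        echo "ipchains -A input -i $ext -p tcp -s 0/0 -d 0/0 80 -j DENY$logflag"
    fi
}

write_sample_db
emit_rules
```

With the sample database the script emits three DENY rules and no logging flag; setting masq/Logging to "enabled" appends -l to each rule (the 4.1 and 4.1.1 default, which these notes warn can flood the logs), and setting httpd-e-smith/access to "private" adds a fourth rule closing port 80 on the external interface while leaving the internal interface untouched. Because the commands are only printed, a change to the database can be reviewed with diff before the ruleset is loaded.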