Mcrypt Viking Funeral

encryption

#1

Attempted NC14 Installation

System Info

  1. CentOS7
  2. Apache 2.4.34
  3. MariaDB 10.3
  4. PHP 7.2.10

User

Bit of a linux n00b and complete n00b with CentOS and NC. Forgive me for any dumb comments please. :smiley:

Situation

Attempted to install following a couple of tutorials neither of which worked for me.

I am researching a simple install of NC14 following the Server Admin Manual and online tuts. I would like to get an install that is:

  1. Complete
  2. Up-to-date
  3. Simple install
  4. Simple maintenance

Problems

  1. PHP support for 7.0 and 7.1 ending or ended.
  2. Mcrypt is deprecated in 7.2
  3. Multiple repos required

Background

I would like to have a complete install, even if some of the requirements aren’t used at the start, they may be in the future. Once things are set up I don’t want to have to muddy the waters by adding/removing pieces. I’m not that skilled to fix things if they break.

I have noted another thread regarding mcrypt. I don’t feel any the wiser for having read it. There appears to be a solution in there but this seems more of a hack than a fix and fails points 2 and 3 of my simple install rules.

My first attempt used multiple repos, CODEIT for Apache, MariaDB’s own repo, IUS for PHP and NUC for ffmpeg. I have, well let’s call them reservations, about some of these repos and some others that I haven’t mentioned but could use.

On further inspection of the IUS repo it seems possible to remove CODEIT and MariaDB and get IUS version of Apache and MariaDB. Their versions at the moment aren’t the very latest but are not far off. I’m prepared to be at the cutting edge rather than the bleeding edge by trading off for simplicity, stability and ease of maintenance.

Looking further into the mcrypt issue, I note that mcrypt is replaced by sodium. I have no idea what the implications of that are. Will NC be incorporating sodium in lieu of mcrypt? At some point I assume that will have to happen.

I can’t see a way around ffmpeg without using another repo for that one package.

Proposed Solution?

I have raised an issue with the IUS team on GitHub with proposals to solve my problems.

  1. Add NC14 and the missing packages or,
  2. Just add the missing packages.

Unless I’m missing something that makes life easier.

That just leaves the sodium/mcrypt situation. I’m not an expert but sooner or later sodium will need to be incorporated surely?

It occurred to me that a single voice may not have much weight with IUS. I posted this in the hope that the NC community might see the benefit of a one stop shop for installs and lend their weight.

IUS have responded. They still have an open request for NC12! They won’t do ffmpeg as it isn’t in the base or epel.

More importantly they suggest using PHP 7.1 for mcrypt and referred me to Remi’s blog about it. On top of the obvious concerns this has for security 7.1 only has a couple of months before support ends.

I can live with an additional repository for one package as I can’t see a way around it. But the outdated encryption issue is of far greater concern. Can anyone give a definitive response on the way forward please?


Php-mcrypt deprecated
#2

Feeling a wall of silence from NC? :wink:
There is a post buried out there from an NC engineer about mcrypt being redundant but still part of the current build. What that means for those trying to make an install now (my situation is similar to yours above) is not clear. Since NC fails to update their admin docs (that are already pretty flaky, i.e., lead to a sub-optimal install) I guess they expect each admin to spend days trawling community boards trying to figure out a solution. NC’s argument that “one size of docs” doesn’t fit all is giving up on providing a clear basic path to a sound install. This issue unhelpfully amplifies noise in the support community as the less qualified “bug” the qualified on simple issues.


#3

@glaringgibbon Maybe my post will help a bit? Not saying it is the best ever, or that it is perfect, but I have been using these steps now for more than 2 months (even put them in a single bash script, with the exception of SELinux which I disable) and have seen the same result with more than 50 installs. As I said, may not address all of your concerns, and may not be perfect, but it works for me.

NC14 on CentOS 7.5 with PHP 7.2


#4

@James_O_Stanworth

Feeling a wall of silence from NC?

You may very well think that. I couldn’t possibly comment. :thinking:

TBF, I wonder if this is really the place that we will get definitive answers. If you haven’t read it yet, I suggest you check my issue at IUS. Despite closing it off Carl has been very helpful.

He linked this thread amongst others and suggested I subscribe. You might want to as well. And anyone else lurking. The more the merrier, particularly if you have recently sharpened your pitchfork. :joy:

What that means for those trying to make an install now (my situation is similar to yours above) is not clear.

I too am now confused as to how NC is “secure” if encryption is an optional extra. My reading of the links provided is that NC looks for mcrypt and uses it if found. If not, they fall back to “their own implementation of mcrypt internally”. If you follow all of the links to some of the crypto specialists this is very bad practice.

And I still don’t have an answer for my original question.

That just leaves the sodium/mcrypt situation. I’m not an expert but sooner or later sodium will need to be incorporated surely?

@Starfish

Thanks for the link. I appreciate your help. However,

yum install -y httpd

Would give me the stock Apache 2.4.6 IIRC. Latest is 2.4.35.

yum install -y mariadb mariadb-server

Would give me stock Maria 5.5. Latest is 10.3.

I’m looking to get an up to date system.

According to the CentOS wiki the webtatic repo is one to look out for.

From my OP,

I have, well let’s call them reservations, about some of these repos and some others that I haven’t mentioned but could use.

Re your install from webtatic…

yum install -y php72w php72w-cli php72w-common php72w-curl php72w-gd php72w-mbstring php72w-mysqlnd php72w-process php72w-xml php72w-zip php72w-opcache.x86_64 php72w-pecl-apcu.x86_64 php72w-intl php72w-pecl-redis

I don’t see mcrypt or an alternative listed. It is deprecated in 7.2 so I’m going out on a limb and saying it just isn’t there. Particularly when this line near the end,

The only warning you will still see will be about accessing Nextcloud insecurely

sets off the alarm :bell: 's.

By the by, I spotted a typo you may want to amend.

Start by downloading Nextcloud 13 from their site.

Also, some of the links point to NC13 dox, that may be intentional as I’m not that familiar with all of the dox just yet.

As I said, may not address all of your concerns, and may not be perfect, but it works for me.

If I was running it on a private network for internal use only I could relax the security aspect somewhat but this is going on a VPS so it just isn’t viable IMHO. Thanks anyway.

Looking at your profile I’m wondering if you have some direct connection to NC? If so, could you point me in the direction of the person/people dealing with this aspect? Or point them to this thread? Thanks for your help.
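
As an added illustration of what “sodium in lieu of mcrypt” means in practice (this is example code written for this thread, not Nextcloud’s own encryption code, and the function names are my own): PHP 7.2 bundles ext/sodium and drops ext/mcrypt from core, so the check below reports which of the two a given PHP build actually has, and then does an authenticated symmetric encrypt/decrypt with libsodium’s secretbox. It assumes PHP 7.2 or later with ext/sodium loaded; the key and plaintext are constructed inline.

```php
<?php
// Added example (not Nextcloud code): report which crypto extensions this PHP
// build offers, and show the libsodium replacement for an mcrypt-style
// symmetric encryption call. Assumes PHP >= 7.2, where ext/sodium is bundled
// and ext/mcrypt has been removed from core (it was deprecated in 7.1).

declare(strict_types=1);

/** Which of the extensions relevant to the mcrypt-vs-sodium question are loaded. */
function cryptoExtensionReport(): array
{
    return [
        'mcrypt'  => extension_loaded('mcrypt'),   // deprecated 7.1, removed from core in 7.2
        'sodium'  => extension_loaded('sodium'),   // bundled since 7.2
        'openssl' => extension_loaded('openssl'),
    ];
}

/**
 * Authenticated symmetric encryption with libsodium (XSalsa20-Poly1305).
 * Unlike a raw mcrypt block-cipher call, the ciphertext carries a MAC, so
 * tampering is detected on decrypt instead of silently yielding garbage.
 */
function sealMessage(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException(
            'key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
    }
    // Fresh random nonce per message; it is not secret, so it is prepended to the ciphertext.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return $nonce . $cipher;
}

function openMessage(string $sealed, string $key): string
{
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($sealed) < $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('sealed blob too short');
    }
    $nonce  = substr($sealed, 0, $nonceLen);
    $cipher = substr($sealed, $nonceLen);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        // Wrong key or modified ciphertext: the Poly1305 tag did not verify.
        throw new RuntimeException('decryption failed: authentication tag mismatch');
    }
    return $plain;
}

// --- demonstration on constructed data ---
print_r(cryptoExtensionReport());

if (!extension_loaded('sodium')) {
    fwrite(STDERR, "ext/sodium not loaded; install the sodium extension for this PHP build\n");
    exit(1);
}

$key    = sodium_crypto_secretbox_keygen();   // 32 random bytes; keep it outside the web root
$sealed = sealMessage('constructed sample plaintext', $key);
echo 'round trip ok: ',
     var_export(openMessage($sealed, $key) === 'constructed sample plaintext', true), PHP_EOL;

// Flip one bit of the ciphertext: open now fails instead of returning corrupted data.
$tampered = $sealed;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    openMessage($tampered, $key);
} catch (RuntimeException $e) {
    echo 'tamper detected: ', $e->getMessage(), PHP_EOL;
}

sodium_memzero($key);
```

Run it with `php example.php`. The point of the tamper step is the difference the crypto-specialist links are getting at: a bare block cipher (the typical mcrypt usage) will happily “decrypt” modified or mis-keyed data into garbage, whereas secretbox refuses, so an application built on it cannot be tricked into acting on altered ciphertext.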


#5

@glaringgibbon I am going to address your remarks/questions in no specific order other than what pops into my head first :slight_smile:

  1. I am in no way, shape or form officially part of NC. I am just an avid user and community member.

  2. If you want such new releases of everything, it is my humble opinion that you are better off with another OS, other than CentOS. CentOS is known for its “old, but stable” packages. If you need newer ones, rather go with Ubuntu or anything that ships the versions mentioned. Because reading your comments, it seems you want new, but want it easily set up, which is understandable, but from experience then CentOS is not what you are after. A quick yum info command on a Fedora 26 machine yields the following:

yum info mariadb-server
Last metadata expiration check: 2:43:07 ago on Wed 10 Oct 2018 16:26:19 SAST.
Available Packages
Name         : mariadb-server
Epoch        : 3
Version      : 10.1.33
Release      : 1.fc26
Arch         : x86_64
Size         : 24 M
Source       : mariadb-10.1.33-1.fc26.src.rpm
Repo         : updates
Summary      : The MariaDB server and related files
URL          : http://mariadb.org
License      : GPLv2 with exceptions and LGPLv2 and BSD
Description  : MariaDB is a multi-user, multi-threaded SQL database server. It is a
             : client/server implementation consisting of a server daemon (mysqld)
             : and many different client programs and libraries. This package contains
             : the MariaDB server and some accompanying files and directories.
             : MariaDB is a community developed branch of MySQL.

yum info httpd
Last metadata expiration check: 2:43:27 ago on Wed 10 Oct 2018 16:26:19 SAST.
Installed Packages
Name         : httpd
Version      : 2.4.33
Release      : 4.fc26
Arch         : x86_64
Size         : 3.9 M
Source       : httpd-2.4.33-4.fc26.src.rpm
Repo         : @System
From repo    : updates
Summary      : Apache HTTP Server
URL          : https://httpd.apache.org/
License      : ASL 2.0
Description  : The Apache HTTP Server is a powerful, efficient, and extensible
             : web server.

yum info php
Last metadata expiration check: 2:44:03 ago on Wed 10 Oct 2018 16:26:19 SAST.
Available Packages
Name         : php
Version      : 7.1.17
Release      : 1.fc26
Arch         : x86_64
Size         : 2.8 M
Source       : php-7.1.17-1.fc26.src.rpm
Repo         : updates
Summary      : PHP scripting language for creating dynamic web sites
URL          : http://www.php.net/
License      : PHP and Zend and BSD and MIT and ASL 1.0
Description  : PHP is an HTML-embedded scripting language. PHP attempts to make it
             : easy for developers to write dynamically generated web pages. PHP also
             : offers built-in database integration for several commercial and
             : non-commercial database management systems, so writing a
             : database-enabled webpage with PHP is fairly simple. The most common
             : use of PHP coding is probably as a replacement for CGI scripts.
             : 
             : The php package contains the module (often referred to as mod_php)
             : which adds support for the PHP language to Apache HTTP Server.
  

These are all more along the lines of what you want, but note this is on Fedora and I have not installed NC on Fedora yet (this gives me an idea though :slight_smile: ).

Disregarding NC, if you want newest (or as you call them ‘up to date’) systems, it is my experience on CentOS that you will have to build it yourself from source. And seeing as you want an easier way, this will not work. You will need to choose: old, stable and easy vs up-to-date, built-from-source-hard.

  3. I will look into the typos, thanks. I could have sworn I updated that blog post just this morning, so maybe I somehow screwed up the links and it pointed to the previous post.

As you will see as well in the last paragraph, I clearly stated that this is not HTTPS, and that an HTTPS with certs etc. will follow when I have the time to test it and write it up. Many sysadmins know how to secure apache with letsencrypt etc, so I saw it as something not pertaining to NC which they would be able to do themselves. IMHO the alarm bells are a bit unnecessary, seeing as securing apache would secure the NC installation in a manner of speaking. It was just outside the scope of the tutorial, and does not refer to any insecurities in the product itself.

Please do not see this response as any form of attack on your viewpoints or concerns. I merely state my experience and reasoning. I am not trying to be arrogant or give the impression that “I know everything” because I don’t, I am an idiot. But I hope this has given you some food for thought at least.

All the best.


#6

Regarding mcrypt in Nextcloud, please discuss this with the developers in the dedicated issue on GitHub:


#7

Hi @tflidd,

I commented on the thread earlier, just waiting for a response.

Thanks.


#8

@Starfish

I am in no way, shape or form officially part of NC. I am just an avid user and community member.

My mistake, I was hoping you had the ear of a NC developer who could help. :grinning:

Given my options on the images available I already think the OS is fine. Besides,



When I run

yum info (maria|httpd|php)

I get this



Installed Packages
Name        : MariaDB-server
Arch        : x86_64
Version     : 10.3.10
Release     : 1.el7.centos
Size        : 515 M
Repo        : installed
From repo   : mariadb
Summary     : MariaDB: a very fast and robust SQL database server
URL         : http://mariadb.org
License     : GPLv2
Description : 
            : 
            : It is GPL v2 licensed, which means you can use the it free of
            : charge under the conditions of the GNU General Public License
            : Version 2 (http://www.gnu.org/licenses/).
            : 
            : MariaDB documentation can be found at https://mariadb.com/kb
            : MariaDB bug reports should be submitted through
            : https://jira.mariadb.org


Name        : httpd
Arch        : x86_64
Version     : 2.4.35
Release     : 1.codeit.el7
Size        : 4.2 M
Repo        : installed
From repo   : CodeIT
Summary     : Apache HTTP Server
URL         : https://httpd.apache.org/
License     : ASL 2.0
Description : The Apache HTTP Server is a powerful, efficient, and extensible
            : web server.


Available Packages
Name        : php
Arch        : x86_64
Version     : 5.4.16
Release     : 45.el7
Size        : 1.4 M
Repo        : base/7/x86_64
Summary     : PHP scripting language for creating dynamic web sites
URL         : http://www.php.net/
License     : PHP and Zend and BSD
Description : PHP is an HTML-embedded scripting language. PHP attempts to make
            : it easy for developers to write dynamically generated web pages.
            : PHP also offers built-in database integration for several
            : commercial and non-commercial database management systems, so
            : writing a database-enabled webpage with PHP is fairly simple. The
            : most common use of PHP coding is probably as a replacement for CGI
            : scripts.
            : 
            : The php package contains the module (often referred to as mod_php)
            : which adds support for the PHP language to Apache HTTP Server.



(edit: clarity, completeness)


All of the PHP modules listed here, and more besides, are available in version 7.2 at the IUS repo except php-mcrypt and ffmpeg. There’s just these two rough edges.

  1. ffmpeg and the php extension handle av but IUS only do servers.
     • Sourced from nux.
     • I can live with the exception of one package, it shouldn’t cause too much of a problem.

  2. php-mcrypt is an extension for encryption which php doesn’t do well by itself.


I think CentOS can be pimped up a fair bit without going overboard and I have yet to get around to building from source, I don’t have the fu yet. I don’t sys admin for a living.

The IUS repo gets 5 stars from me. They have recent versions of Apache, and maria/mysql/postgres and PHP 7+. There are other shiny things too, like python 3.6.5.

As you will see as well in the last paragraph, I clearly stated that this is not HTTPS

IMHO the alarm bells are a bit unnecessary,

Sorry big man, I’d just assumed as I’m looking at this from the mcrypt point of view, that’s what the error was.

Please do not see this response as any form of attack on your viewpoints or concerns.

I am not trying to be arrogant or give the impression that “I know everything”

Didn’t enter my mind. :grinning: I’m just glad someone else commented tbf, this post isn’t getting much love.

I am an idiot.

You’re still a great ape, I’m only a lesser ape. I think you have the advantage.

Cheers mate!


#9

I think you are on the right track here. Posting/commenting in Github will be the place where the devs look on a daily basis I think. If you set up your own CentOS like that, then all should be well, within the boundaries you have mentioned.

Cheers man!