Merge pull request #137 from mondada/master

NetSUS 5.0.1 Update

CHANGELOG.md

@@ -1,5 +1,19 @@
 # NetSUS Changelog
 
+## 5.0.1
+* Fixed a bug with SUS URL validation, when using SSL
+* Fixed an issue with LDAP proxy install in some RHEL-based installations
+* Fixed a bug with NetBoot shares not being browsable on macOS 10.14
+* Updated to the latest version of Reposado
+* Updated appliance build scripts for latest Operating Systems
+* Fixed a security issue, relating to a LFI vulnerability from the Logs page
+* Added macOS 10.15 SUS catalog options
+* Added the ability to select the NetBoot engine (pybsdp/DHCP)
+* Added (experimental) support for RHEL 8
+* Defaults to Active Directory login, if it is configured
+* Appliance Operating System is now Ubuntu 16.04.6
+* Will preserve a Kinobi installation if detected during the Installation
+
 ## 5.0
 
 * Updated user interface to align with Jamf Pro UI

CreateNetSUSInstaller.sh

@@ -29,11 +29,11 @@ cp -R NetBoot/netbootInstall.sh temp/installer/install-netboot.sh
 cp -R NetBoot/etc/init.d/pybsdp temp/installer/resources/pybsdp.ubuntu
 cp -R NetBoot/etc/rc.d/init.d/pybsdp temp/installer/resources/pybsdp.rhel
 cp -R NetBoot/usr/local/lib temp/installer/resources/lib
-# cp -R NetBoot/usr/local/sbin temp/installer/resources/dhcp
-# rm -f NetBoot/usr/local/sbin temp/installer/resources/dhcp/pybsdp
+cp -R NetBoot/usr/local/sbin temp/installer/resources/dhcp
+rm -f temp/installer/resources/dhcp/pybsdp
 cp -R NetBoot/usr/local/sbin/pybsdp temp/installer/resources/pybsdp
-# cp -R NetBoot/var/appliance/conf/dhcpd.conf temp/installer/resources/dhcpd.conf
-# cp -R NetBoot/var/appliance/configurefornetboot temp/installer/resources/configurefornetboot
+cp -R NetBoot/var/appliance/conf/dhcpd.conf temp/installer/resources/dhcpd.conf
+cp -R NetBoot/var/appliance/configurefornetboot temp/installer/resources/configurefornetboot
 cp -R NetBoot/var/appliance/libdb4-4.8.30-21.fc26.x86_64.rpm temp/installer/resources/libdb4-4.8.30-21.fc26.x86_64.rpm
 cp -R NetBoot/var/appliance/nbi_settings.py temp/installer/resources/nbi_settings.py
 cp -R NetBoot/var/appliance/netatalk-2.2.0-2.el6.x86_64.rpm temp/installer/resources/netatalk-2.2.0-2.el6.x86_64.rpm

NetBoot/netbootInstall.sh

@@ -33,6 +33,7 @@ if [[ $(which apt-get 2>&-) != "" ]]; then
 	apt_install netatalk
 	apt_install nfs-kernel-server
 	apt_install python-configparser
+	apt_install libxml-xpath-perl
 elif [[ $(which yum 2>&-) != "" ]]; then
 	yum_install avahi
 	yum_install samba
@@ -58,6 +59,7 @@ elif [[ $(which yum 2>&-) != "" ]]; then
 	fi
 	yum_install nfs-utils
 	yum_install vim-common
+	yum_install perl-XML-XPath
 	chkconfig messagebus on >> $logFile 2>&1
 	chkconfig avahi-daemon on >> $logFile 2>&1
 	chkconfig rpcbind on >> $logFile 2>&1
@@ -252,18 +254,18 @@ fi
 cp ./resources/nbi_settings.py /var/appliance/ >> $logFile
 
 # Install and configure dhcp
-# killall dhcpd >> $logFile 2>&1
-# if [ ! -d "/var/appliance/conf" ]; then
-#	mkdir -p /var/appliance/conf
-# fi
-# cp ./resources/dhcpd.conf /var/appliance/conf/ >> $logFile
-# cp ./resources/configurefornetboot /var/appliance/ >> $logFile
+killall dhcpd >> $logFile 2>&1
+if [ ! -d "/var/appliance/conf" ]; then
+mkdir -p /var/appliance/conf
+fi
+cp ./resources/dhcpd.conf /var/appliance/conf/ >> $logFile
+cp ./resources/configurefornetboot /var/appliance/ >> $logFile
 
-# if [ ! -d "/var/db"  ]; then
-#    mkdir /var/db
-# fi
-# touch /var/db/dhcpd.leases
-# cp ./resources/dhcp/* /usr/local/sbin/ >> $logFile
+if [ ! -d "/var/db"  ]; then
+   mkdir /var/db
+fi
+touch /var/db/dhcpd.leases
+cp ./resources/dhcp/* /usr/local/sbin/ >> $logFile
 
 # Update netatalk configuration
 if [ -f "/etc/default/netatalk" ]; then

NetBoot/usr/local/sbin/DHCP_LICENSE

@@ -0,0 +1,20 @@
+# Copyright (c) 2004-2012 by Internet Systems Consortium, Inc. ("ISC")
+# Copyright (c) 1995-2003 by Internet Software Consortium
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+#   Internet Systems Consortium, Inc.
+#   950 Charter Street
+#   Redwood City, CA 94063
+#   <info@isc.org>
+#   https://www.isc.org/

NetBoot/usr/local/sbin/dhcp-4.2.4-P1_dhcp.c.patch

@@ -0,0 +1,72 @@
+--- /Users/eric.krause/Desktop/dhcp/dhcp-4.2.4-P1/server/dhcp.c	2012-07-13 01:18:05.000000000 -0500
++++ /Users/eric.krause/Desktop/dhcp/dhcp-4.2.4-P1 patched/server/dhcp.c	2012-08-01 13:41:56.000000000 -0500
+@@ -624,10 +624,9 @@
+ 	   RENEWING client, so we can punt on this issue. */
+
+ 	if (!packet -> shared_network ||
+-	    (packet -> raw -> ciaddr.s_addr &&
++        (packet -> raw -> ciaddr.s_addr &&
+ 	     packet -> raw -> giaddr.s_addr) ||
+ 	    (have_requested_addr && !packet -> raw -> ciaddr.s_addr)) {
+-		
+ 		/* If we don't know where it came from but we do know
+ 		   where it claims to have come from, it didn't come
+ 		   from there. */
+@@ -1024,7 +1023,7 @@
+ 			return;
+ 		}
+ 	}
+-
++#if 0
+ 	/* We don't respond to DHCPINFORM packets if we're not authoritative.
+ 	   It would be nice if a per-host value could override this, but
+ 	   there's overhead involved in checking this, so let's see how people
+@@ -1049,7 +1048,7 @@
+ 		subnet_dereference (&subnet, MDL);
+ 		return;
+ 	}
+-
++#endif
+ 	option_state_allocate (&options, MDL);
+ 	memset (&outgoing, 0, sizeof outgoing);
+ 	memset (&raw, 0, sizeof raw);
+@@ -1301,7 +1300,16 @@
+ 	} else {
+ 		gip.len = 0;
+ 		memcpy(&to.sin_addr, cip.iabuf, 4);
+-		to.sin_port = remote_port;
++        log_info ("JAMF-DHCP change");
++	if (ntohs(packet->client_port) != 68 && ntohs(packet->client_port) != 67) {
++	log_info ("System Prefs Port");
++	log_info ("%d", ntohs(packet->client_port));
++	to.sin_port = packet->client_port;
++	} else {
++	log_info ("N Key or encapsulated");
++	log_info ("%d", ntohs(remote_port));
++	to.sin_port = remote_port;
++	}
+ 	}
+
+ 	/* Report what we're sending. */
+@@ -1466,7 +1474,6 @@
+ 			to.sin_port = local_port;
+ 		else
+ 			to.sin_port = remote_port; /* for testing. */
+-
+ 		if (fallback_interface) {
+ 			result = send_packet(fallback_interface, packet, &raw,
+ 					     outgoing.packet_length, from, &to,
+@@ -1482,7 +1489,7 @@
+ 		}
+ 	} else {
+ 		to.sin_addr = limited_broadcast;
+-		to.sin_port = remote_port;
++                to.sin_port = remote_port;
+ 	}
+
+ 	errno = 0;
+@@ -4506,3 +4513,4 @@
+ 			options->universe_count = agent_universe.index + 1;
+ 	}
+ }
++

NetBoot/var/appliance/configurefornetboot

@@ -7,7 +7,7 @@
 # 
 # This program is distributed "as is" by JAMF Software, LLC.  For more information or support for the appliance, please utilize the following resources:
 # 
-# 	https://jamfnation.jamfsoftware.com/
+#	https://jamfnation.jamfsoftware.com/
 # 
 # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 # 
@@ -20,7 +20,16 @@
 # THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 
-ip=`ip addr show to 0.0.0.0/0 scope global | awk '/[[:space:]]inet / { print gensub("/.*","","g",$2) }'`
+if [ "$(xpath 2>&1 | grep options)" != '' ]; then
+	iface=`xpath -e "//netbootiface/text()" /var/appliance/conf/appliance.conf.xml 2>/dev/null`
+else
+	iface=`xpath /var/appliance/conf/appliance.conf.xml "//netbootiface/text()" 2>/dev/null`
+fi
+if [ "${iface}" != '' ]; then
+	ip=`ip addr show ${iface} | grep -w inet | awk '{print $2}' | cut -d / -f 1`
+else
+	ip=`ip addr show to 0.0.0.0/0 scope global | awk '/[[:space:]]inet / { print gensub("/.*","","g",$2) }'`
+fi
 ipdec=`awk -v dec=${ip} 'BEGIN{n=split(dec,d,".");for(i=1;i<=n;i++) printf ":%02X",d[i];print ""}'`
 imageid=`grep 'FF:FF:07:04' /etc/dhcpd.conf | sed 's/.*FF:FF:07:04://g' | cut -c1-11`
 curafp=`grep "01:01:02:08:04:.*.:80" /etc/dhcpd.conf | sed 's/option vendor-encapsulated-options 01:01:02:08:04:.*.:80:.*:61:66:70:75:73:65:72:3A://g' | awk -F40 '{print $1}' | tr -d ' ' | sed 's/\(.*\)./\1/'`

README.md

@@ -2,10 +2,10 @@
 # NetSUS Downloads
 
 Installer:
-[https://github.com/jamf/NetSUS/releases/download/5.0/NetSUSLPInstaller_5.0.run](https://github.com/jamf/NetSUS/releases/download/5.0/NetSUSLPInstaller_5.0.run)
+[https://github.com/jamf/NetSUS/releases/download/5.0.1/NetSUSLPInstaller_5.0.1.run](https://github.com/jamf/NetSUS/releases/download/5.0.1/NetSUSLPInstaller_5.0.1.run)
 
 OVA:
-[https://github.com/jamf/NetSUS/releases/download/5.0/NetSUSLP_5.0.ova](https://github.com/jamf/NetSUS/releases/download/5.0/NetSUSLP_5.0.ova)
+[https://github.com/jamf/NetSUS/releases/download/5.0.1/NetSUSLP_5.0.1.ova](https://github.com/jamf/NetSUS/releases/download/5.0.1/NetSUSLP_5.0.1.ova)
 
 
 # What is NetSUS?
@@ -53,7 +53,7 @@ For a getting started guide and step-by-step walkthroughs check out the **[docum
 
 #### If you are running a Kinobi Patch Server:
 
-* Kinobi 1.0 is incompatible with NetSUS 5.0. You will need to install Kinobi 1.1 after upgrading to NetSUS 5.0, available from:
-<https://github.com/mondada/kinobi/releases/download/1.1/KinobiInstaller_1.1.run>
+* Kinobi 1.0 is incompatible with NetSUS 5.0.1. You will need to install Kinobi 1.1 or later (1.2 is recommended) after upgrading to NetSUS 5.0.1, available from:
+<https://github.com/mondada/kinobi/releases/download/1.2/KinobiInstaller_1.2.run>
 
 **Only Intel-based Macs can use a NetBoot server hosted by the NetSUSLP.**

SUS/var/lib/reposado/repo_sync

@@ -296,6 +296,7 @@ def curl(url, destinationpath, onlyifnewer=False, etag=None, resume=False):
         print >> fileobj, 'dump-header -'  # dump headers to stdout
         print >> fileobj, 'speed-time = 30' # give up if too slow d/l
         print >> fileobj, 'tlsv1'          # use only TLS 1.x
+        print >> fileobj, 'http1.1'        # disable http2
         print >> fileobj, 'url = "%s"' % url
 
         # add additional options from our prefs
@@ -345,11 +346,17 @@ def curl(url, destinationpath, onlyifnewer=False, etag=None, resume=False):
                 line = line_stripped
 
                 if line.startswith('HTTP/'):
-                    header['http_result_code'] = line.split(None, 2)[1]
-                    header['http_result_description'] = line.split(None, 2)[2]
+                    header['http_result_code'] = ''
+                    header['http_result_description'] = ''
+                    try:
+                        part = line.split(None, 2)
+                        header['http_result_code'] = part[1]
+                        header['http_result_description'] = part[2]
+                    except IndexError:
+                        pass
                 elif ': ' in line:
-                    part = line.split(None, 1)
-                    fieldname = part[0].rstrip(':').lower()
+                    part = line.split(': ', 1)
+                    fieldname = part[0].lower()
                     header[fieldname] = part[1]
             else:
                 # "empty" line, but not end of output. likely end of headers
@@ -712,6 +719,16 @@ def sync(fast_scan=False, download_packages=True):
                                         'Could not replicate %s: %s',
                                         package['MetadataURL'], err)
                                     continue
+                            if 'IntegrityDataURL' in package:
+                                try:
+                                    unused_path = replicateURLtoFilesystem(
+                                        package['IntegrityDataURL'],
+                                        copy_only_if_missing=fast_scan)
+                                except ReplicationError, err:
+                                    reposadocommon.print_stderr(
+                                        'Could not replicate %s: %s',
+                                        package['IntegrityDataURL'], err)
+                                    continue
 
                     # calculate total size
                     size = 0

SUS/var/lib/reposado/reposadolib/reposadocommon.py

@@ -39,6 +39,8 @@
 Created by Greg Neagle on 2011-03-03.
 """
 
+from __future__ import absolute_import
+from __future__ import print_function
 import sys
 import os
 import imp
@@ -98,6 +100,9 @@ def pref(prefname):
             ('https://swscan.apple.com/content/catalogs/others/'
              'index-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-'
              'snowleopard-leopard.merged-1.sucatalog'),
+            ('https://swscan.apple.com/content/catalogs/others/'
+             'index-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-'
+             'snowleopard-leopard.merged-1.sucatalog'),
         ],
         'PreferredLocalizations': ['English', 'en'],
         'CurlPath': '/usr/bin/curl'
@@ -208,7 +213,7 @@ def log(msg):
     try:
         fileobj = open(LOGFILE, mode='a', buffering=1)
         try:
-            print >> fileobj, time.strftime(formatstr), msg.encode('UTF-8')
+            print(time.strftime(formatstr), msg.encode('UTF-8'), file=fileobj)
         except (OSError, IOError):
             pass
         fileobj.close()
@@ -224,7 +229,7 @@ def print_stdout(msg, *args):
     if LOGFILE:
         log(output)
     else:
-        print output
+        print(output)
         sys.stdout.flush()
 
 
@@ -236,7 +241,7 @@ def print_stderr(msg, *args):
     if LOGFILE:
         log(output)
     else:
-        print >> sys.stderr, concat_message(msg, *args)
+        print(concat_message(msg, *args), file=sys.stderr)
 
 
 def humanReadable(size_in_bytes):
@@ -259,14 +264,14 @@ def writeDataToPlist(data, filename):
     if not os.path.exists(metadata_dir):
         try:
             os.makedirs(metadata_dir)
-        except OSError, errmsg:
+        except OSError as errmsg:
             print_stderr(
                 'Could not create missing %s because %s',
                 metadata_dir, errmsg)
     try:
         plistlib.writePlist(data,
             os.path.join(metadata_dir, filename))
-    except (IOError, OSError, TypeError), errmsg:
+    except (IOError, OSError, TypeError) as errmsg:
         print_stderr(
             'Could not write %s because %s', filename, errmsg)
 
@@ -351,6 +356,9 @@ def rewriteURLsForProduct(product):
         if 'MetadataURL' in package:
             package['MetadataURL'] = rewriteOneURL(
                 package['MetadataURL'])
+        if 'IntegrityDataURL' in package:
+            package['IntegrityDataURL'] = rewriteOneURL(
+                package['IntegrityDataURL'])
         # workaround for 10.8.2 issue where client ignores local pkg
         # and prefers Apple's URL. Need to revisit as we better understand this
         # issue
@@ -416,9 +424,9 @@ def writeBranchCatalogs(localcatalogpath):
                 catalog['Products'][product_key] = \
                     downloaded_products[product_key]
             elif pref('LocalCatalogURLBase') and product_key in product_info:
-                # Product has probably been deprecated by Apple,
-                # so we're using cached product info
-                # First check to see if this product was ever in this
+                # Product might have been deprecated by Apple,
+                # so we check cached product info
+                # Check to see if this product was ever in this
                 # catalog
                 original_catalogs = product_info[product_key].get(
                     'OriginalAppleCatalogs', [])
@@ -440,17 +448,11 @@ def writeBranchCatalogs(localcatalogpath):
                             catalog['Products'][product_key] = catalog_entry
                             continue
             else:
-                if pref('LocalCatalogURLBase'):
-                    print_stderr(
-                        'WARNING: Product %s not added to branch %s of %s. '
-                        'It is not in the corresponding Apple catalogs '
-                        'and is not in the ProductInfo cache.',
-                        product_key, branch, localcatalogname)
-                else:
-                    print_stderr(
-                        'WARNING: Product %s not added to branch %s of %s. '
-                        'It is not in the corresponding Apple catalog.',
-                        product_key, branch, localcatalogname)
+                # item is not listed in the main catalog and we don't have a
+                # local cache of product info. It either was never in this
+                # catalog or has been removed by Apple. In either case, we just
+                # skip the item -- we can't add it to the catalog.
+                pass
 
         plistlib.writePlist(catalog, branchcatalogpath)
 
@@ -508,7 +510,7 @@ def readXMLfile(filename):
         print_stderr(
             'Invalid XML in %s', filename)
         return None
-    except IOError, err:
+    except IOError as err:
         print_stderr(
             'Error reading %s: %s', filename, err)
         return None
@@ -520,7 +522,7 @@ def writeXMLtoFile(node, path):
     xml_string = node.toxml('utf-8')
     try:
         fileobject = open(path, mode='w')
-        print >> fileobject, xml_string
+        print(xml_string, file=fileobject)
         fileobject.close()
     except (OSError, IOError):
         print_stderr('Couldn\'t write XML to %s' % path)