[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[dtcdev] New DTC version 0.34.1 released

Dear all,

I am pleased to announced the new version of DTC: version 0.34.1. This
is a major update, with a bunch of new features. If you don't really
care about the big list of feature, read at least about sbox (and the
end of that section). Here's the details of all new features:

General changes:
- Now, all debconf templates are held in the dtc-common package. This
mean that all other packages (dtc-cyrus, dtc-core, dtc-postfix-courier,
dtc-postfix-dovecot and dtc-toaster) are really only meta-packages that
only hold dependencies. If you want to reconfigure DTC, you should now
do: dpkg-reconfigure dtc-common (and not any other package).
- It is now possible to use password hashing for all root admins and
clients. DTC uses SHA1 hashing, which is the best hashing available in
the version of MySQL currently in Debian.
- Because passwords are now hashed, the password recovery procedure has
been totally reviewed. It now sends a token that allows the password to
be reseted.

Shared hosting:
- Customers can now use cron jobs, which will use wget of a page on
their site.
- It is now possible to set round robin (IPv4 only for the moment) for
any of your subdomains.
- There is now a password blacklist, to prevent email to be setup with
passwords that are too easy (like 123456).
- A customer can now delete a domain by himself, without asking the
- Shared hosting users can now use SSL intermediate certificate (this
will use the SSLCertificateChainFile directive of Apache)

Chroot of all vhosts using the new sbox:
SBOX has been totally thought again. Now, there is 3 modes for your
shared hosting customers: mod_php (which does the same as before),
sbox_copy and sbox_aufs. If you use one of the sbox modes, then the
customer's VirtualHost will now be jailed in a chroot. This includes
also PHP scripts! Also, customers can run Python, Perl, and Ruby scripts
in a safe way. If you use the sbox_aufs mode, then the template
/var/lib/dtc/sbox_copy will be the source of an union filesystem, and
the destination will be your customer's website folder. This means that
all of your customers will be able to have a full operating system image
for their chroot, but it wont take any disk space, thanks to aufs. That
saves about 500 MB of storage per website compared to the sbox_copy mode.

The other advantage of running SBOX, is that each customer can now
customize his chroot completely, or partially (for example the php.ini,
keeping the rest as "standard"). You also may have customers running
with totally different versions of the PHP interpreter for example,
since the sbox modes are using the PHP inside the chroot (as a CGI).

We advise everyone using DTC to grant shared hosting accounts to
untrusted customers to switch to one of the sbox modes. To do this,
simply switch your customer to sbox_{copy,aufs} in the "Admin Editor",
and also set the mode in the package manager.

Once you have upgraded to the 0.34.x version of DTC, you should run the
following commands to bootstrap a chroot disk:

cd /usr/share/dtc/admin

VPS & dedicated servers:
- Customers that have more than one VPS can renew multiple services at
once (in fact, you can renew multiple dedicated server and VPS at once).
- VPS have now the full network information displayed (gateway, netmask,
- VPS have now the location of the server displayed (like "Paris,
France", for example).

Management and accounting:
- There is now a new custom products feature, which you can use to
charge for other things than hosting (for example some web design, etc.).
- There is now a search engine to search for IP or names, so you can
find a customer quickly.
- All the invoices of your customers can be scp every month or every day.
- In the renewal manager, each transaction can now be exported to QIF
format, which later can be imported in GNUCash (which we use), Microsoft
Money, Quicken, and many other accounting software. This incorporate the
full calculation of the VAT returns in a fully automated way.
- In the renewal manager, it is now possible to export (in CVS format) a
monthly report about VAT which hasn't been charged to your cusomters.
This is extremely useful if your hosting company is within the European
Union, and you need to send an ECSL report every month.

Display and cosmetic improvements:
- The maxmind fraud report is now printed a much more nicer way, showing
the ISP name and country of origin. Each fields are also printed in the
transaction view.
- Each pending list for validation (new account, new domains, renewals,
and the support tickets) are now using the CSS system.
- The renewal manager now uses the CSS system.
- Unfortunately, the grayboard skin has been removed, since there are
javascripts which have no source (they have been minimized, so they are
extremely hard to understand, which we can interpret as having no source
code at all). Also, the use of a specific version of jquery was an
issue. We hope to have this skin to come back soon.

Security fixes:
Unfortunately, there was lots of security issues that have been found
recently, and some of them (the 5 first issues below) are really
serious. For each of them you need to have a (customer) account for it
to be a problem. So people running DTC without granting accounts to
untrusted customers are still safe with the old version. However, we
advise everyone to upgrade asap, especially because of the chrootuid
issue (see below) which affects security of everyone.

- The addrlink is now checked properly (possible MySQL insertion in
- Check of the validity of a package name in the package installer
(possible MySQL insertion)
- Fixes logPushlet input checking (possible MySQL insertion)
- Mailing lists tunables options are now correcly escaped before the
files are written (possible shell insertion)
- Output is now escaped in the DNS & MX screen (possible Javascript/HTML
insertion by a malicious user)
- DTC user had permissive sudo rights to chrootuid, this is fixed using
the new dtc-chroot-wrapper.
- apache2.conf unix rights isn't world readable since it holds the
mod_log_sql password
- /var/log/dtc.log has now the correct unix rights at install time
(chmod 640)
- statistics protection isn't using htpasswd -b, which eventually could
be read from /proc

Note that there will be no update for the version 0.32.x, so you should
upgrade to 0.34.x even if you don't need the new features.

Thomas Goirand
To unsubscribe, send a mail to dtcdev-unsubscribe@xxxxxxxxxx