public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] IPFire 2.15 - Do not overwite firewall settings
Date: Mon, 27 Jan 2014 23:07:44 +0100
Message-ID: <1390860464.11229.148.camel@rice-oxley.tremer.info>
In-Reply-To: <52E43517.8000607@ipfire.org>

Hi Stefan,

On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
> Dear Mailinglist followers,
> 
> I've been doing some pre-beta tests of Core Update 76 on my testing system.

Great. We still need some help with this. It is currently a bit too
quiet and I don't think that this is only a good sign :)

> It has been a basic IPFire 2.13 Core 75 system with the New Firewall
> installed for testing purposes. After manually installing core 76 all
> existing firewall rules were gone because they will get overwritten in
> the update process.
>
> This is a big problem on environments where the New Firewall is used
> productively or in case of an update from Beta 1 to another Beta or final
> Release.

I agree that this is a problem and that this must be fixed before
release. Probably best before the first beta release.

> I've successfully prepared and tested a patchset which will prevent the
> updater from overwriting the affected firewall config files.
> 
> The commit can be found here:
> 
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc18f604b39305a84d238d13988b9a78
> 
> Please take a look at it and put the changes upstream so we can prevent
> other users from this issue.

Unfortunately, I cannot merge this. There is a huge problem with the
chown calls at the end. Those will change the permissions of the scripts
that will later be called with root permissions. If the user nobody can
edit these scripts, nobody will basically be able to run commands as
root.

How can this be fixed? It is probably best to create a temporary backup
with all the firewall configuration files and restore that backup when
the update is done. This is probably not the best solution, but I cannot
come up with something better at the moment.

-Michael
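
An added example, not part of this thread or of the IPFire code: a shell check for the condition described in the reply above, listing files and directories that a non-root account could modify before root executes them. The directory argument and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not IPFire code). Flags anything under a script directory
# that an unprivileged account could change before root runs it.
# Arguments: $1 = directory to audit (hypothetical, supplied by the caller)
#            $2 = trusted owner uid, default 0 (root)

# Print every regular file or directory under $1 that is not owned by the
# trusted uid, or that is writable by group or by others. Directories are
# included because a writable directory lets its files be replaced.
find_unsafe_scripts() {
    dir=$1
    trusted_uid=${2:-0}
    find "$dir" \( -type f -o -type d \) \
        \( ! -user "$trusted_uid" -o -perm -020 -o -perm -002 \) \
        -print | sort
}

# Return 0 when nothing unsafe is found and 1 otherwise, so an update
# script can refuse to continue after a chown or chmod went too far.
audit_scripts() {
    unsafe=$(find_unsafe_scripts "$1" "${2:-0}")
    if [ -n "$unsafe" ]; then
        printf 'modifiable by a non-trusted account:\n%s\n' "$unsafe" >&2
        return 1
    fi
    return 0
}
```

Run as the last step of an update, a non-zero return from `audit_scripts` means a recursive ownership change also reached files that root executes.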


Thread overview: 4+ messages
2014-01-25 22:05 Stefan Schantl
2014-01-27 22:07 ` Michael Tremer [this message]
2014-01-28  8:35   ` Arne Fitzenreiter
2014-01-28 16:53     ` Michael Tremer