I guess it would be probably best to move the scripts out of /var/ipfire to something like /usr/lib/firewall. I will do this and then merge the patch that Stefan suggested, because running chown in the end won't be a problem any more.

Although Arne's suggestion fixes the problem I am a bit afraid that we will overlook this at some later time.

-Michael

On Tue, 2014-01-28 at 09:35 +0100, Arne Fitzenreiter wrote:
> On 2014-01-27 23:07, Michael Tremer wrote:
> > Hi Stefan,
> >
> > On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
> >> Dear Mailinglist followers,
> >>
> >> I've been doing some Pre-Beta tests of Core Update 76 on my testing system.
> >
> > Great. We still need some help with this. It is currently a bit too
> > quiet and I don't think that this is only a good sign :)
> >
> >> It has been a basic IPFire 2.13 Core 75 system with the New Firewall
> >> installed for testing purposes. After manually installing core 76 all
> >> existing firewall rules were gone because they will get overwritten in
> >> the update process.
> >>
> >> This is a big problem on environments where the New Firewall is used
> >> productive or in case of an update from Beta 1 to another Beta or
> >> final Release.
> >
> > I agree that this is a problem and that this must be fixed before
> > release. Probably best before the first beta release.
> >
> >> I've successfully prepared and tested a patchset which will prevent
> >> the updater to overwrite the affected firewall config files.
> >>
> >> The commit can be found here:
> >>
> >> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc18f604b39305a84d238d13988b9a78
> >>
> >> Please take a look on it and put the changes upstream so we can
> >> prevent other users from this issue.
> >
> > Unfortunately, I cannot merge this. There is a huge problem with the
> > chown calls at the end. Those will change the permissions of the
> > scripts that will later be called with root permissions. If the user
> > nobody can edit these scripts, nobody will basically be able to run
> > commands as root.
> >
> > How can this be fixed? It is probably best to create a temporary backup
> > with all the firewall configuration files and restore that backup when
> > the update is done. This is probably not the best solution, but I
> > cannot come up with something better at the moment.
> >
> I think an additional chown that sets the bin folder inside back to root
> should also be ok.
> chown -R root:root /var/ipfire/firewall/bin
>
> > -Michael
> >
> > _______________________________________________
> > Development mailing list
> > Development(a)lists.ipfire.org
> > http://lists.ipfire.org/mailman/listinfo/development
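The concern raised in this thread, scripts under /var/ipfire/firewall/bin ending up owned by nobody and later executed as root, can be checked after an update with a small audit. This is an added example, not code from the thread or from IPFire; the function name `audit_root_scripts` and the script name `audit.sh` are hypothetical.

```shell
#!/bin/sh
# Added example, not IPFire code. Audits a directory whose scripts are run
# by root: prints every file or directory that is not owned by the expected
# uid or that group/others may write to.
# Usage: audit_root_scripts DIR [EXPECTED_UID]   (EXPECTED_UID defaults to 0)
# Returns 0 if clean, 1 if anything was flagged, 2 on a bad argument.
audit_root_scripts() {
    audit_dir=$1
    audit_uid=${2:-0}
    if [ ! -d "$audit_dir" ]; then
        echo "audit_root_scripts: not a directory: $audit_dir" >&2
        return 2
    fi
    # Symlinks are skipped: their mode bits are always 0777 on Linux and
    # say nothing about who may change the target.
    audit_bad=$(find "$audit_dir" ! -type l \
        \( ! -user "$audit_uid" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$audit_bad" ]; then
        printf '%s\n' "$audit_bad"
        return 1
    fi
    return 0
}

# Run the audit when the script is called with arguments, e.g.
#   sh audit.sh /var/ipfire/firewall/bin
if [ "$#" -gt 0 ]; then
    audit_root_scripts "$@"
fi
```

The directory itself is included in the check, because a directory writable by another user lets that user replace the scripts inside it even when the files are owned by root.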