* [PATCH] IPFire 2.15 - Do not overwrite firewall settings
From: Stefan Schantl @ 2014-01-25 22:05 UTC (permalink / raw)
To: development
Dear Mailinglist followers,
I've been doing some Pre-Beta tests of Core Update 76 on my testing system.
It has been a basic IPFire 2.13 Core 75 system with the New Firewall
installed for testing purposes. After manually installing core 76 all
existing firewall rules were gone because they will get overwritten in
the update process.
This is a big problem on environments where the New Firewall is used
productively or in case of an update from Beta 1 to another Beta or final
Release.
I've successfully prepared and tested a patchset which will prevent the
updater from overwriting the affected firewall config files.
The commit can be found here:
http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc18f604b39305a84d238d13988b9a78
Please take a look at it and put the changes upstream so we can prevent
other users from this issue.
Thanks in advance,
-Stefan
* Re: [PATCH] IPFire 2.15 - Do not overwrite firewall settings
From: Michael Tremer @ 2014-01-27 22:07 UTC (permalink / raw)
To: development
Hi Stefan,
On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
> Dear Mailinglist followers,
>
> I've been doing some Pre-Beta tests of Core Update 76 on my testing system.
Great. We still need some help with this. It is currently a bit too
quiet and I don't think that this is only a good sign :)
> It has been a basic IPFire 2.13 Core 75 system with the New Firewall
> installed for testing purposes. After manually installing core 76 all
> existing firewall rules were gone because they will get overwritten in
> the update process.
>
> This is a big problem on environments where the New Firewall is used
> productively or in case of an update from Beta 1 to another Beta or final
> Release.
I agree that this is a problem and that this must be fixed before
release. Probably best before the first beta release.
> I've successfully prepared and tested a patchset which will prevent the
> updater from overwriting the affected firewall config files.
>
> The commit can be found here:
>
> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc18f604b39305a84d238d13988b9a78
>
> Please take a look at it and put the changes upstream so we can prevent
> other users from this issue.
Unfortunately, I cannot merge this. There is a huge problem with the
chown calls at the end. Those will change the permissions of the scripts
that will later be called with root permissions. If the user nobody can
edit these scripts, nobody will basically be able to run commands as
root.
How can this be fixed? It is probably best to create a temporary backup
with all the firewall configuration files and restore that backup when
the update is done. This is probably not the best solution, but I cannot
come up with something better at the moment.
-Michael
* Re: [PATCH] IPFire 2.15 - Do not overwrite firewall settings
From: Arne Fitzenreiter @ 2014-01-28 8:35 UTC (permalink / raw)
To: development
On 2014-01-27 23:07, Michael Tremer wrote:
> Unfortunately, I cannot merge this. There is a huge problem with the
> chown calls at the end. Those will change the permissions of the
> scripts
> that will later be called with root permissions. If the user nobody can
> edit these scripts, nobody will basically be able to run commands as
> root.
>
> How can this be fixed? It is probably best to create a temporary backup
> with all the firewall configuration files and restore that backup when
> the update is done. This is probably not the best solution, but I
> cannot
> come up with something better at the moment.
>
I think an additional chown that sets the bin folder inside back to root
should also be ok.
chown -R root:root /var/ipfire/firewall/bin
* Re: [PATCH] IPFire 2.15 - Do not overwrite firewall settings
From: Michael Tremer @ 2014-01-28 16:53 UTC (permalink / raw)
To: development
I guess it would be probably best to move the scripts out of /var/ipfire
to something like /usr/lib/firewall.
I will do this and then merge the patch that Stefan suggested, because
running chown in the end won't be a problem any more.
Although Arne's suggestion fixes the problem I am a bit afraid that we
will overlook this at some later time.
-Michael
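
The ownership concern discussed in this thread can be checked after an update with an audit like the following. This is an added example, not part of the original messages and not IPFire's own code; the function name audit_root_scripts and its optional trusted-UID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory holding scripts that root will execute.
# Reports every entry that is not owned by the trusted UID or that is
# writable by group or others. Directories are checked as well, because
# write access to a directory is enough to replace a script inside it.
# Symlinks are skipped: their own mode bits are always rwxrwxrwx.

audit_root_scripts() {
    dir=$1
    # 0 means root. The UID is a parameter (an assumption of this example)
    # so the check can also be exercised without root privileges.
    trusted_uid=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "audit: $dir is not a directory" >&2
        return 2
    fi

    # -user accepts a numeric UID; -perm -0020 / -0002 match entries with
    # the group-write or other-write bit set.
    findings=$(find "$dir" ! -type l \
        \( ! -user "$trusted_uid" -o -perm -0020 -o -perm -0002 \) \
        -print | sort)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1    # at least one entry could be modified by a non-root user
    fi
    return 0        # everything is owned by the trusted UID and not writable by others
}

# Usage (paths taken from the thread):
#   audit_root_scripts /var/ipfire/firewall/bin
#   audit_root_scripts /usr/lib/firewall
```

A non-zero exit status after the update's recursive chown means a script that root runs later is still editable by an unprivileged account.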