From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] IPFire 2.15 - Do not overwite firewall settings
Date: Tue, 28 Jan 2014 17:53:59 +0100
Message-ID: <1390928039.17672.23.camel@rice-oxley.tremer.info>
In-Reply-To: <311a4ff86ff2befef14d6e00e4e8cb97@mail01.ipfire.org>

I guess it would probably be best to move the scripts out of /var/ipfire
to something like /usr/lib/firewall.

I will do this and then merge the patch that Stefan suggested, because
running chown in the end won't be a problem any more.

Although Arne's suggestion fixes the problem, I am a bit afraid that we
will overlook this at some later time.

-Michael

On Tue, 2014-01-28 at 09:35 +0100, Arne Fitzenreiter wrote:
> On 2014-01-27 23:07, Michael Tremer wrote:
> > Hi Stefan,
> >
> > On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
> >> Dear mailing list followers,
> >>
> >> I've been doing some pre-beta tests of Core Update 76 on my testing
> >> system.
> >
> > Great. We still need some help with this. It is currently a bit too
> > quiet and I don't think that this is only a good sign :)
> >
> >> It has been a basic IPFire 2.13 Core 75 system with the New Firewall
> >> installed for testing purposes. After manually installing Core 76 all
> >> existing firewall rules were gone because they will get overwritten
> >> in the update process.
> >>
> >> This is a big problem in environments where the New Firewall is used
> >> productively or in case of an update from Beta 1 to another Beta or
> >> the final release.
> >
> > I agree that this is a problem and that this must be fixed before
> > release. Probably best before the first beta release.
> >
> >> I've successfully prepared and tested a patchset which will prevent
> >> the updater from overwriting the affected firewall config files.
> >>
> >> The commit can be found here:
> >>
> >> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc18f604b39305a84d238d13988b9a78
> >>
> >> Please take a look at it and put the changes upstream so we can
> >> protect other users from this issue.
> >
> > Unfortunately, I cannot merge this. There is a huge problem with the
> > chown calls at the end. Those will change the permissions of the
> > scripts that will later be called with root permissions. If the user
> > nobody can edit these scripts, nobody will basically be able to run
> > commands as root.
> >
> > How can this be fixed? It is probably best to create a temporary
> > backup with all the firewall configuration files and restore that
> > backup when the update is done. This is probably not the best
> > solution, but I cannot come up with something better at the moment.
> >
> I think an additional chown that sets the bin folder inside back to
> root should also be OK.
> chown -R root:root /var/ipfire/firewall/bin
>
> > -Michael
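
An added example, not part of the thread and not IPFire code: a POSIX shell check for the condition discussed above, scripts that are run as root but can be modified by another user. The function names and the OWNER and TOP parameters are hypothetical; the check also covers parent directories, which goes beyond what the thread discusses.

```sh
#!/bin/sh
# Added example, not IPFire code. All names below are hypothetical.
# audit_root_scripts DIR [OWNER] [TOP]
#   Lists entries that OWNER (default: root) does not own, or that group or
#   others can write, in DIR and in each parent directory below TOP (default: /).
#   Returns 0 when clean, 1 when something was listed, 2 on a bad argument.
#   ACLs are not examined.

# Shared find(1) test: wrong owner, or a non-symlink with g+w or o+w set.
# Usage: unsafe_entries OWNER PATH [-prune]   (-prune tests PATH itself only)
unsafe_entries() {
    find "$2" $3 \( ! -user "$1" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print
}

audit_root_scripts() {
    dir=${1%/}; owner=${2:-root}; top=${3:-/}
    top=${top%/}
    case $dir in
        /*) ;;
        *) echo "audit_root_scripts: DIR must be an absolute path" >&2; return 2 ;;
    esac
    found=$(
        # DIR and everything below it.
        unsafe_entries "$owner" "$dir"
        # Parent directories: a user who can write to one can rename DIR away
        # and create a replacement, even if DIR itself is owned by root.
        p=${dir%/*}
        while [ -n "$p" ] && [ "$p" != "$top" ]; do
            unsafe_entries "$owner" "$p" -prune
            p=${p%/*}
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

For the layout in this thread the call would be `audit_root_scripts /var/ipfire/firewall/bin`, run after the update script's chown calls have finished.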