From: Arne Fitzenreiter <Arne.Fitzenreiter@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] IPFire 2.15 - Do not overwite firewall settings
Date: Tue, 28 Jan 2014 09:35:17 +0100 [thread overview]
Message-ID: <311a4ff86ff2befef14d6e00e4e8cb97@mail01.ipfire.org> (raw)
In-Reply-To: <1390860464.11229.148.camel@rice-oxley.tremer.info>
[-- Attachment #1: Type: text/plain, Size: 2262 bytes --]
On 2014-01-27 23:07, Michael Tremer wrote:
> Hi Stefan,
>
> On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
>> Dear Mailinglist followers,
>>
>> I've doing some Pre-Beta tests of Core Update 76 on my testing system.
>
> Great. We still need some help with this. It is currently a bit too
> quiet and I don't think that this is only a good sign :)
>
>> It has been a basic IPFire 2.13 Core 75 system with the New Firewall
>> installed for testing purposes. After manually installing core 76 all
>> existing firewall rules where gone because the will get overwritten in
>> the update process.
>>
>> This is a big problem on environments where the New Firewall is used
>> productive or in case of an update from Beta 1 to another Beta or
>> final
>> Release.
>
> I agree that this is a problem and that this must be fixed before
> release. Probably best before the first beta release.
>
>> I've successfully prepared and tested a patchset which will prevent
>> the
>> updater to overwrite the affected firewall config files.
>>
>> The commit can be found here:
>>
>> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc18f604b39305a84d238d13988b9a78
>>
>> Please take a look on it and put the changes upstream so we can
>> prevent
>> other users from this issue.
>
> Unfortunately, I cannot merge this. There is a huge problem with the
> chown calls at the end. Those will change the permissions of the
> scripts
> that will later be called with root permissions. If the user nobody can
> edit these scripts, nobody will basically be able to run commands as
> root.
>
> How can this be fixed? It is probably best to create a temporary backup
> with all the firewall configuration files and restore that backup when
> the update is done. This is probably not the best solution, but I
> cannot
> come up with something better at the moment.
>
I think an aditional chown that set the bin folder inside back to root
should also be ok.
chown -R root:root /var/ipfire/firewall/bin
> -Michael
>
> _______________________________________________
> Development mailing list
> Development(a)lists.ipfire.org
> http://lists.ipfire.org/mailman/listinfo/development
next prev parent reply other threads:[~2014-01-28 8:35 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-25 22:05 Stefan Schantl
2014-01-27 22:07 ` Michael Tremer
2014-01-28 8:35 ` Arne Fitzenreiter [this message]
2014-01-28 16:53 ` Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=311a4ff86ff2befef14d6e00e4e8cb97@mail01.ipfire.org \
--to=arne.fitzenreiter@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox