On 2014-01-27 23:07, Michael Tremer wrote:
> Hi Stefan,
>
> On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
>> Dear Mailinglist followers,
>>
>> I've been doing some Pre-Beta tests of Core Update 76 on my testing system.
>
> Great. We still need some help with this. It is currently a bit too
> quiet and I don't think that this is only a good sign :)
>
>> It has been a basic IPFire 2.13 Core 75 system with the New Firewall
>> installed for testing purposes. After manually installing core 76 all
>> existing firewall rules were gone because they will get overwritten in
>> the update process.
>>
>> This is a big problem on environments where the New Firewall is used
>> productively or in case of an update from Beta 1 to another Beta or
>> final Release.
>
> I agree that this is a problem and that this must be fixed before
> release. Probably best before the first beta release.
>
>> I've successfully prepared and tested a patchset which will prevent
>> the updater from overwriting the affected firewall config files.
>>
>> The commit can be found here:
>>
>> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc18f604b39305a84d238d13988b9a78
>>
>> Please take a look at it and put the changes upstream so we can
>> prevent other users from this issue.
>
> Unfortunately, I cannot merge this. There is a huge problem with the
> chown calls at the end. Those will change the permissions of the
> scripts that will later be called with root permissions. If the user
> nobody can edit these scripts, nobody will basically be able to run
> commands as root.
>
> How can this be fixed? It is probably best to create a temporary backup
> with all the firewall configuration files and restore that backup when
> the update is done. This is probably not the best solution, but I
> cannot come up with something better at the moment.
>
I think an additional chown that sets the bin folder inside back to root
should also be ok.
chown -R root:root /var/ipfire/firewall/bin

> -Michael
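
The ownership concern discussed in this thread, written as a check that can run after an update (an added example, not part of the original messages and not IPFire code): it lists anything under a directory of root-executed scripts, and in its parent directories, that a non-root user could modify. The function names, the optional uid and top arguments, and the usage line are assumptions.

```shell
#!/bin/sh
# Added example (constructed): audit helper, not IPFire code.
# Usage: audit_root_exec_tree /var/ipfire/firewall/bin
#   $1 directory whose scripts are run by root
#   $2 expected owner uid (assumed default: 0)
#   $3 topmost parent directory to check (assumed default: /)
# Returns 0 if clean, 1 with a list of findings, 2 on bad input.

# List entries at or below $1 that are not owned by uid $2 or are
# group/world-writable. Symlink modes are ignored (always 777).
# $3 is empty, or -prune to test only $1 itself.
list_unsafe() {
    find "$1" $3 \( ! -user "$2" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print
}

audit_root_exec_tree() {
    dir=$1; uid=${2:-0}; top=${3:-/}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    bad=$(list_unsafe "$dir" "$uid" "")
    # Write access to a parent directory allows entries in it to be
    # renamed or replaced, so each parent up to $top is checked too.
    # Sticky directories such as /tmp are not special-cased.
    p=$dir
    while [ "$p" != "$top" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
        bad="$bad
$(list_unsafe "$p" "$uid" -prune)"
    done
    bad=$(printf '%s\n' "$bad" | sed '/^$/d')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

A non-zero return after the update's chown calls means some path that root will execute, or a directory above it, is still owned or writable by another account.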