From: Arne Fitzenreiter
To: development@lists.ipfire.org
Subject: Re: [PATCH] IPFire 2.15 - Do not overwite firewall settings
Date: Tue, 28 Jan 2014 09:35:17 +0100
Message-ID: <311a4ff86ff2befef14d6e00e4e8cb97@mail01.ipfire.org>
In-Reply-To: <1390860464.11229.148.camel@rice-oxley.tremer.info>

On 2014-01-27 23:07, Michael Tremer wrote:
> Hi Stefan,
>
> On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
>> Dear Mailinglist followers,
>>
>> I've been doing some Pre-Beta tests of Core Update 76 on my testing system.
>
> Great. We still need some help with this. It is currently a bit too
> quiet and I don't think that this is only a good sign :)
>
>> It has been a basic IPFire 2.13 Core 75 system with the New Firewall
>> installed for testing purposes. After manually installing core 76 all
>> existing firewall rules were gone because they will get overwritten in
>> the update process.
>>
>> This is a big problem on environments where the New Firewall is used
>> productively or in case of an update from Beta 1 to another Beta or
>> final Release.
>
> I agree that this is a problem and that this must be fixed before
> release. Probably best before the first beta release.
>
>> I've successfully prepared and tested a patchset which will prevent
>> the updater from overwriting the affected firewall config files.
>>
>> The commit can be found here:
>>
>> http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc18f604b39305a84d238d13988b9a78
>>
>> Please take a look at it and put the changes upstream so we can
>> prevent other users from this issue.
>
> Unfortunately, I cannot merge this. There is a huge problem with the
> chown calls at the end. Those will change the permissions of the
> scripts that will later be called with root permissions. If the user
> nobody can edit these scripts, nobody will basically be able to run
> commands as root.
>
> How can this be fixed? It is probably best to create a temporary backup
> with all the firewall configuration files and restore that backup when
> the update is done. This is probably not the best solution, but I
> cannot come up with something better at the moment.
>

I think an additional chown that sets the bin folder inside back to root
should also be OK.

    chown -R root:root /var/ipfire/firewall/bin

> -Michael
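
Added example, not part of the original message or of IPFire's update scripts: a post-update check that the scripts discussed in this thread are still owned by root and not writable by group or others. The function name audit_root_scripts and its optional owner-UID argument are assumptions made for this illustration; the path is the one named in the message.

```shell
#!/bin/sh
# Added example; audit_root_scripts is a hypothetical helper name.
# Usage: audit_root_scripts DIR [OWNER_UID]
# Lists every path under DIR (DIR included) that is not owned by OWNER_UID
# (default 0, i.e. root) or that group/others may write to.
# Returns 0 if the tree is clean, 1 if anything was listed, 2 if DIR is missing.
audit_root_scripts() {
    dir=$1
    owner=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "audit_root_scripts: no such directory: $dir" >&2
        return 2
    fi
    # Symlinks always show mode 777, so only their owner is checked.
    # The directory itself matters too: whoever can write to it can
    # replace a script even when the script file is root-owned.
    findings=$(find "$dir" \( ! -user "$owner" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Path taken from the message above; skipped on hosts without it.
if [ -d /var/ipfire/firewall/bin ]; then
    audit_root_scripts /var/ipfire/firewall/bin ||
        echo "WARNING: paths above can be modified by a non-root user" >&2
fi
```

Run at the end of an update, a non-zero return means a script that is later executed as root can still be edited by an unprivileged account.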