From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [RFC PATCH] backup: Set owner of /var/ipfire/backup/{in, ex}clude to "root"
Date: Sat, 17 Sep 2022 10:17:07 +0000
Message-ID: <5563a19f-545d-c6c3-2634-c49e426276c1@ipfire.org>
In-Reply-To: <3E4A3080-E33E-4EB9-B431-746D8D3C78FA@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8169192811638748429=="
List-Id:

--===============8169192811638748429==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Michael,

thanks for your reply. Indeed, glad you caught that.

Before I submit a second version: Shouldn't the {in,ex}clude.user files also be owned by root? I was unable to find any instance in the source code where these are modified by an unprivileged user.

On that note, is it intended/desired that many subfolders of /var/ipfire/ are owned by "nobody"? While I of course see the need for "nobody" to write _files_, I do not quite get why the parent folders (such as /var/ipfire/auth/, /var/ipfire/ca/, etc. pp.) have to be owned by that user as well.

Thanks, and best regards,
Peter Müller

> Hello Peter,
>
> I agree that the files should be owned by root. However, your patch doesn’t fix that.
>
>> On 15 Sep 2022, at 21:15, Peter Müller wrote:
>>
>> Since these files are static, there is no legitimate reason why they
>> should be owned (hence writable) by "nobody".
>>
>> Signed-off-by: Peter Müller
>> --- >> lfs/backup | 6 +++--- >> 1 file changed, 3 insertions(+), 3 deletions(-) >> >> diff --git a/lfs/backup b/lfs/backup >> index 6f686bf22..adbf16e65 100644 >> --- a/lfs/backup >> +++ b/lfs/backup
>> @@ -1,7 +1,7 @@ >> ##########################################################################= ##### >> # = # >> # IPFire.org - A linux based firewall = # >> -# Copyright (C) 2007-2021 IPFire Team = # >> +# Copyright (C) 2007-2022 IPFire Team = # >> # = # >> # This program is free software: you can redistribute it and/or modify = # >> # it under the terms of the GNU General Public License as published by = # >> @@ -61,8 +61,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> -mkdir -p /var/ipfire/backup/bin >> install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/= backup/bin >> - install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ >> - install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ >> + install -v -m 644 -o root $(DIR_SRC)/config/backup/include /var/ipfire/b= ackup/ >> + install -v -m 644 -o root $(DIR_SRC)/config/backup/exclude /var/ipfire/b= ackup/ >=20 > They have been created as root before. That is the default. >=20 >> chown nobody:nobody -R /var/ipfire/backup/ >=20 > And here is where they will be changed. Still. >=20 >> chown root:root -R /var/ipfire/backup/bin/ >> -mkdir -p /var/ipfire/backup/addons >> --=20 >> 2.35.3 >=20 > -Michael --===============8169192811638748429==--
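Review bot: In the second hunk (@@ -61,8 +61,8 @@), the `-o root` added to the two `install` lines for include and exclude has no lasting effect, because the unchanged context line `chown nobody:nobody -R /var/ipfire/backup/` that follows re-owns everything below that directory, and the later `chown root:root -R /var/ipfire/backup/bin/` only restores bin/. For the two files to end up owned by root as the commit message intends, either add an explicit `chown root:root` for /var/ipfire/backup/include and /var/ipfire/backup/exclude after the recursive chown, or narrow the recursive chown to the paths that actually need to be writable by "nobody". Note also that the files stay in a directory that the recursive chown hands to "nobody", so the directory's ownership should be decided together with the files' ownership in the next version of the patch.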