* [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" @ 2022-08-22 6:30 Peter Müller 2022-08-22 8:00 ` Bernhard Bitsch 2022-08-22 20:08 ` Peter Müller 0 siblings, 2 replies; 7+ messages in thread From: Peter Müller @ 2022-08-22 6:30 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1265 bytes --] Fixes: #12917 Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/core/170/update.sh | 3 +++ lfs/ipblocklist-sources | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..c7dc09946 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,9 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist +# Ensure permissions for /var/ipfire/ipblocklist are set properly +chown -Rv nobody:nobody /var/ipfire/ipblocklist + # Rebuild fcrontab from scratch /usr/bin/fcrontab -z diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..87bd95cca 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -47,7 +47,7 @@ b2 : $(TARGET) : @$(PREBUILD) - mkdir -p /var/ipfire/ipblocklist - install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist + install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist + install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist @$(POSTBUILD) -- 2.35.3 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" 2022-08-22 6:30 [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" Peter Müller @ 2022-08-22 8:00 ` Bernhard Bitsch 2022-08-22 20:08 ` Peter Müller 1 sibling, 0 replies; 7+ messages in thread From: Bernhard Bitsch @ 2022-08-22 8:00 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1438 bytes --] Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org> Am 22.08.2022 um 08:30 schrieb Peter Müller: > Fixes: #12917 > Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> > --- > config/rootfiles/core/170/update.sh | 3 +++ > lfs/ipblocklist-sources | 4 ++-- > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh > index b6b66f3f1..c7dc09946 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -164,6 +164,9 @@ ldconfig > mkdir -pv /var/lib/ipblocklist > chown nobody:nobody /var/lib/ipblocklist > > +# Ensure permissions for /var/ipfire/ipblocklist are set properly > +chown -Rv nobody:nobody /var/ipfire/ipblocklist > + > # Rebuild fcrontab from scratch > /usr/bin/fcrontab -z > > diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources > index 30b9e94a4..87bd95cca 100644 > --- a/lfs/ipblocklist-sources > +++ b/lfs/ipblocklist-sources > @@ -47,7 +47,7 @@ b2 : > > $(TARGET) : > @$(PREBUILD) > - mkdir -p /var/ipfire/ipblocklist > - install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist > + install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist > + install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist > > @$(POSTBUILD) ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" 2022-08-22 6:30 [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" Peter Müller 2022-08-22 8:00 ` Bernhard Bitsch @ 2022-08-22 20:08 ` Peter Müller 2022-08-22 20:11 ` [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody" Peter Müller 2022-08-22 21:03 ` [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" Rob Brewer 1 sibling, 2 replies; 7+ messages in thread From: Peter Müller @ 2022-08-22 20:08 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1841 bytes --] Hello list, today, Stefan reached out to me via phone and explained that /var/ipfire/ipblocklist/ should not be chown'ed to "nobody", since this would mean write access to the "sources" file, a thing neither needed nor desirable. Instead, he recommended touching a "modified" file in the same folder and granting "nobody" write access to it. While testing, I noticed the same thing is necessary for a "settings" file. I will submit a second version of the patch in due course. Best, Peter Müller > Fixes: #12917 > Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> > --- > config/rootfiles/core/170/update.sh | 3 +++ > lfs/ipblocklist-sources | 4 ++-- > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh > index b6b66f3f1..c7dc09946 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -164,6 +164,9 @@ ldconfig > mkdir -pv /var/lib/ipblocklist > chown nobody:nobody /var/lib/ipblocklist > > +# Ensure permissions for /var/ipfire/ipblocklist are set properly > +chown -Rv nobody:nobody /var/ipfire/ipblocklist > + > # Rebuild fcrontab from scratch > /usr/bin/fcrontab -z > > diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources > index 30b9e94a4..87bd95cca 100644 > --- a/lfs/ipblocklist-sources > +++ b/lfs/ipblocklist-sources > @@ -47,7 +47,7 @@ b2 : > > $(TARGET) : > @$(PREBUILD) > - mkdir -p /var/ipfire/ipblocklist > - install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist > + install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist > + install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist > > @$(POSTBUILD) ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody" 2022-08-22 20:08 ` Peter Müller @ 2022-08-22 20:11 ` Peter Müller 2022-08-25 15:49 ` Michael Tremer 2022-08-22 21:03 ` [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" Rob Brewer 1 sibling, 1 reply; 7+ messages in thread From: Peter Müller @ 2022-08-22 20:11 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1656 bytes --] The second version of this patch avoids being generous with file permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources must not be writable to "nobody". Therefore, the needed files ("settings" and "modify") are prepared during the Core Upgrade and LFS file, and equipped with appropriate permissions. Fixes: #12917 Cc: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/core/170/update.sh | 4 ++++ lfs/ipblocklist-sources | 2 ++ 2 files changed, 6 insertions(+) diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..9d16f4a32 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,10 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist +# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) +touch /var/ipfire/ipblocklist/{settings,modified} +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} + # Rebuild fcrontab from scratch /usr/bin/fcrontab -z diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..d0ce30350 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -49,5 +49,7 @@ $(TARGET) : @$(PREBUILD) mkdir -p /var/ipfire/ipblocklist install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist + touch /var/ipfire/ipblocklist/{settings,modified} + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} @$(POSTBUILD) -- 2.35.3 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody" 2022-08-22 20:11 ` [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody" Peter Müller @ 2022-08-25 15:49 ` Michael Tremer 2022-09-01 20:34 ` Peter Müller 0 siblings, 1 reply; 7+ messages in thread From: Michael Tremer @ 2022-08-25 15:49 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1998 bytes --] Hello, I was told that this patch isn’t solving the problem it is supposed to solve. However, I do not see why. Could someone explain to my little brain why? -Michael > On 22 Aug 2022, at 21:11, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > The second version of this patch avoids being generous with file > permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources > must not be writable to "nobody". > > Therefore, the needed files ("settings" and "modify") are prepared > during the Core Upgrade and LFS file, and equipped with appropriate > permissions. > > Fixes: #12917 > Cc: Stefan Schantl <stefan.schantl(a)ipfire.org> > Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> > --- > config/rootfiles/core/170/update.sh | 4 ++++ > lfs/ipblocklist-sources | 2 ++ > 2 files changed, 6 insertions(+) > > diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh > index b6b66f3f1..9d16f4a32 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -164,6 +164,10 @@ ldconfig > mkdir -pv /var/lib/ipblocklist > chown nobody:nobody /var/lib/ipblocklist > > +# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) > +touch /var/ipfire/ipblocklist/{settings,modified} > +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} > + > # Rebuild fcrontab from scratch > /usr/bin/fcrontab -z > > diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources > index 30b9e94a4..d0ce30350 100644 > --- a/lfs/ipblocklist-sources > +++ b/lfs/ipblocklist-sources > @@ -49,5 +49,7 @@ $(TARGET) : > @$(PREBUILD) > mkdir -p /var/ipfire/ipblocklist > install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist > + touch /var/ipfire/ipblocklist/{settings,modified} > + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} > > @$(POSTBUILD) > -- > 2.35.3 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody" 2022-08-25 15:49 ` Michael Tremer @ 2022-09-01 20:34 ` Peter Müller 0 siblings, 0 replies; 7+ messages in thread From: Peter Müller @ 2022-09-01 20:34 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2755 bytes --] Hello Michael, thanks for your reply and apologies for my belated response. Stefan pointed out to me that if we would create these files in ipblocklist itself, they would have became part of the component's rootfile (which was also not updated in the patch). This would have caused user settings for ipblocklist to be overwritten, if ipblocklist is updated in a future Core Update. configroot is the better place, since we must never ship this, and this is where all the other settings files are created already. Also, file permissions are already taken care of there. Version 3 should _finally_ solve the issue. Please let me know if it doesn't. All the best, Peter Müller > Hello, > > I was told that this patch isn’t solving the problem it is supposed to solve. > > However, I do not see why. Could someone explain to my little brain why? > > -Michael > >> On 22 Aug 2022, at 21:11, Peter Müller <peter.mueller(a)ipfire.org> wrote: >> >> The second version of this patch avoids being generous with file >> permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources >> must not be writable to "nobody". >> >> Therefore, the needed files ("settings" and "modify") are prepared >> during the Core Upgrade and LFS file, and equipped with appropriate >> permissions. >> >> Fixes: #12917 >> Cc: Stefan Schantl <stefan.schantl(a)ipfire.org> >> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >> --- >> config/rootfiles/core/170/update.sh | 4 ++++ >> lfs/ipblocklist-sources | 2 ++ >> 2 files changed, 6 insertions(+) >> >> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >> index b6b66f3f1..9d16f4a32 100644 >> --- a/config/rootfiles/core/170/update.sh >> +++ b/config/rootfiles/core/170/update.sh >> @@ -164,6 +164,10 @@ ldconfig >> mkdir -pv /var/lib/ipblocklist >> chown nobody:nobody /var/lib/ipblocklist >> >> +# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) >> +touch /var/ipfire/ipblocklist/{settings,modified} >> +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} >> + >> # Rebuild fcrontab from scratch >> /usr/bin/fcrontab -z >> >> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources >> index 30b9e94a4..d0ce30350 100644 >> --- a/lfs/ipblocklist-sources >> +++ b/lfs/ipblocklist-sources >> @@ -49,5 +49,7 @@ $(TARGET) : >> @$(PREBUILD) >> mkdir -p /var/ipfire/ipblocklist >> install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist >> + touch /var/ipfire/ipblocklist/{settings,modified} >> + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} >> >> @$(POSTBUILD) >> -- >> 2.35.3 > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" 2022-08-22 20:08 ` Peter Müller 2022-08-22 20:11 ` [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody" Peter Müller @ 2022-08-22 21:03 ` Rob Brewer 1 sibling, 0 replies; 7+ messages in thread From: Rob Brewer @ 2022-08-22 21:03 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1120 bytes --] On Mon, 22 Aug 2022 20:08:00 +0000, Peter Müller wrote: > Hello list, > > today, Stefan reached out to me via phone and explained that > /var/ipfire/ipblocklist/ should not be chown'ed to "nobody", since this > would mean write access to the "sources" > file, a thing neither needed nor desirable. > > Instead, he recommended touching a "modified" file in the same folder > and granting "nobody" write access to it. While testing, I noticed the > same thing is necessary for a "settings" file. > > I will submit a second version of the patch in due course. > > Best, > Peter Müller > > If it helps I think Tim's original Ipblacklist had these permissions: drwxr-xr-x 2 nobody nobody 4096 Feb 6 2022 ipblacklist ls -l /var/ipfire/ipblacklist/ -rw-r--r-- 1 root root 441 Aug 22 21:24 checked -rw-r--r-- 1 root root 190 Aug 22 21:24 modified -rw-r--r-- 1 nobody nobody 305 Aug 3 10:29 settings -rw-r--r-- 1 root root 11443 Aug 3 09:28 sources -rw-r--r-- 1 root root 0 Feb 2 2022 status So nobody.nobody would seem to be correct for the directory and is working OK here. Rob ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-09-01 20:34 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-08-22 6:30 [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" Peter Müller 2022-08-22 8:00 ` Bernhard Bitsch 2022-08-22 20:08 ` Peter Müller 2022-08-22 20:11 ` [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody" Peter Müller 2022-08-25 15:49 ` Michael Tremer 2022-09-01 20:34 ` Peter Müller 2022-08-22 21:03 ` [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" Rob Brewer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox