From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody"
Date: Thu, 25 Aug 2022 16:49:28 +0100
Message-ID:
In-Reply-To: <06825b38-ec53-38c5-c8ce-12d70c1acb5b@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2448837042105603974=="
List-Id:

--===============2448837042105603974==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

I was told that this patch isn’t solving the problem it is supposed to solve.

However, I do not see why. Could someone explain to my little brain why?

-Michael

> On 22 Aug 2022, at 21:11, Peter Müller wrote:
>
> The second version of this patch avoids being generous with file
> permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources
> must not be writable to "nobody".
>
> Therefore, the needed files ("settings" and "modify") are prepared
> during the Core Upgrade and LFS file, and equipped with appropriate
> permissions.
>
> Fixes: #12917
> Cc: Stefan Schantl
> Signed-off-by: Peter Müller
> --- > config/rootfiles/core/170/update.sh | 4 ++++ > lfs/ipblocklist-sources | 2 ++ > 2 files changed, 6 insertions(+) >=20 > diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/17= 0/update.sh > index b6b66f3f1..9d16f4a32 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -164,6 +164,10 @@ ldconfig > mkdir -pv /var/lib/ipblocklist > chown nobody:nobody /var/lib/ipblocklist >=20 > +# Create necessary files for IPBlocklist and set their ownership according= ly (#12917) > +touch /var/ipfire/ipblocklist/{settings,modified} > +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} > + > # Rebuild fcrontab from scratch > /usr/bin/fcrontab -z >=20
> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources > index 30b9e94a4..d0ce30350 100644 > --- a/lfs/ipblocklist-sources > +++ b/lfs/ipblocklist-sources > @@ -49,5 +49,7 @@ $(TARGET) : > @$(PREBUILD) > mkdir -p /var/ipfire/ipblocklist > install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblo= cklist > + touch /var/ipfire/ipblocklist/{settings,modified} > + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} >=20 > @$(POSTBUILD) > --=20 > 2.35.3 --===============2448837042105603974==--
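Review bot: The file name in the added lines of the config/rootfiles/core/170/update.sh hunk does not match the commit message: the touch and chown lines operate on "settings" and "modified", while the subject and the message body call the second file "modify". Please confirm which name the ipblocklist code actually writes as "nobody" and make the message and the paths agree, otherwise the upgrade creates a file nobody uses and the real one stays unwritable. Two smaller points on the same lines: touch on a file that already exists refreshes its timestamps during the upgrade, which matters if anything reads the mtime of "modified", and neither file gets an explicit mode, so the resulting permissions depend on the umask the update script runs with.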
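Review bot: The two added recipe lines in the lfs/ipblocklist-sources hunk rely on brace expansion in /var/ipfire/ipblocklist/{settings,modified}, which is a bash feature and not part of POSIX sh. If make runs this recipe with a shell that does not expand braces, touch and chown act on a single file literally named "{settings,modified}" and the two intended files are never created with "nobody" ownership. Spelling out both paths on the touch and chown lines removes that dependency. The new files also get no explicit mode, unlike the "install -v -m 0644" line directly above, so an explicit chmod (or creating them with install and the desired owner and mode) would make the result independent of the build umask.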