From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody"
Date: Thu, 01 Sep 2022 20:34:47 +0000
Message-ID: <da5257e2-9775-23d8-c777-6e8462b8390b@ipfire.org>
In-Reply-To: <A0A4D056-599F-4739-986B-53C0C5F40BAE@ipfire.org>

Hello Michael,

thanks for your reply and apologies for my belated response.

Stefan pointed out to me that if we would create these files in ipblocklist itself,
they would have become part of the component's rootfile (which was also not updated
in the patch). This would have caused user settings for ipblocklist to be overwritten,
if ipblocklist is updated in a future Core Update.

configroot is the better place, since we must never ship this, and this is where
all the other settings files are created already. Also, file permissions are already
taken care of there.

Version 3 should _finally_ solve the issue. Please let me know if it doesn't.

All the best,
Peter Müller

> Hello,
>
> I was told that this patch isn’t solving the problem it is supposed to solve.
>
> However, I do not see why. Could someone explain to my little brain why?
>
> -Michael
>
>> On 22 Aug 2022, at 21:11, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> The second version of this patch avoids being generous with file
>> permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources
>> must not be writable to "nobody".
>>
>> Therefore, the needed files ("settings" and "modify") are prepared
>> during the Core Upgrade and LFS file, and equipped with appropriate
>> permissions.
>>
>> Fixes: #12917
>> Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/rootfiles/core/170/update.sh | 4 ++++
>> lfs/ipblocklist-sources | 2 ++
>> 2 files changed, 6 insertions(+)
>>
>> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
>> index b6b66f3f1..9d16f4a32 100644
>> --- a/config/rootfiles/core/170/update.sh
>> +++ b/config/rootfiles/core/170/update.sh
>> @@ -164,6 +164,10 @@ ldconfig
>> mkdir -pv /var/lib/ipblocklist
>> chown nobody:nobody /var/lib/ipblocklist
>>
>> +# Create necessary files for IPBlocklist and set their ownership accordingly (#12917)
>> +touch /var/ipfire/ipblocklist/{settings,modified}
>> +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified}
>> +
>> # Rebuild fcrontab from scratch
>> /usr/bin/fcrontab -z
>>
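
Review bot: The two added lines create and chown a file called "modified", but the subject line and the commit message both name it "modify"; the commit message should be corrected to match the file name the code uses. touch also leaves the file mode to the umask of whatever runs update.sh, so consider setting it explicitly (for example chmod 0644) next to the chown, the way the install -m 0644 call in lfs/ipblocklist-sources does for "sources". The {settings,modified} brace expansion is a bash feature, so these lines rely on update.sh being run by bash; writing out both paths would remove that dependency.
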
>> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources
>> index 30b9e94a4..d0ce30350 100644
>> --- a/lfs/ipblocklist-sources
>> +++ b/lfs/ipblocklist-sources
>> @@ -49,5 +49,7 @@ $(TARGET) :
>> @$(PREBUILD)
>> mkdir -p /var/ipfire/ipblocklist
>> install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
>> + touch /var/ipfire/ipblocklist/{settings,modified}
>> + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified}
>>
>> @$(POSTBUILD)
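
Review bot: The added touch and chown lines in the $(TARGET) recipe use {settings,modified} brace expansion, which is not POSIX sh. Unless this makefile sets SHELL to bash, make runs the recipe with /bin/sh, and a shell without brace expansion would create one file literally named "{settings,modified}"; spelling out both paths avoids that. Creating the files at build time also places them in the built tree next to "sources", so check whether they end up in the ipblocklist rootfile, which the diffstat shows this patch does not touch.
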
>> --
>> 2.35.3
>