From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody"
Date: Thu, 01 Sep 2022 20:34:47 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8010107640887822790=="
List-Id:

--===============8010107640887822790==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Michael,

thanks for your reply and apologies for my belated response.

Stefan pointed out to me that if we would create these files in ipblocklist itself,
they would have become part of the component's rootfile (which was also not updated
in the patch). This would have caused user settings for ipblocklist to be overwritten,
if ipblocklist is updated in a future Core Update.

configroot is the better place, since we must never ship this, and this is where
all the other settings files are created already. Also, file permissions are already
taken care of there.

Version 3 should _finally_ solve the issue. Please let me know if it doesn't.

All the best,
Peter Müller

> Hello,
>
> I was told that this patch isn’t solving the problem it is supposed to solve.
>
> However, I do not see why. Could someone explain to my little brain why?
>
> -Michael
>
>> On 22 Aug 2022, at 21:11, Peter Müller wrote:
>>
>> The second version of this patch avoids being generous with file
>> permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources
>> must not be writable to "nobody".
>>
>> Therefore, the needed files ("settings" and "modify") are prepared
>> during the Core Upgrade and LFS file, and equipped with appropriate
>> permissions.
>>
>> Fixes: #12917
>> Cc: Stefan Schantl
>> Signed-off-by: Peter Müller
>> ---
>> config/rootfiles/core/170/update.sh | 4 ++++
>> lfs/ipblocklist-sources | 2 ++
>> 2 files changed, 6 insertions(+)
>> >> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/1= 70/update.sh >> index b6b66f3f1..9d16f4a32 100644 >> --- a/config/rootfiles/core/170/update.sh >> +++ b/config/rootfiles/core/170/update.sh >> @@ -164,6 +164,10 @@ ldconfig >> mkdir -pv /var/lib/ipblocklist >> chown nobody:nobody /var/lib/ipblocklist >> >> +# Create necessary files for IPBlocklist and set their ownership accordin= gly (#12917) >> +touch /var/ipfire/ipblocklist/{settings,modified} >> +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} >> + >> # Rebuild fcrontab from scratch >> /usr/bin/fcrontab -z >> >> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources >> index 30b9e94a4..d0ce30350 100644 >> --- a/lfs/ipblocklist-sources >> +++ b/lfs/ipblocklist-sources >> @@ -49,5 +49,7 @@ $(TARGET) : >> @$(PREBUILD) >> mkdir -p /var/ipfire/ipblocklist >> install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipbl= ocklist >> + touch /var/ipfire/ipblocklist/{settings,modified} >> + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} >> >> @$(POSTBUILD) >> --=20 >> 2.35.3 >=20 --===============8010107640887822790==--
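Review bot: In the config/rootfiles/core/170/update.sh hunk, the added `touch` and `chown` lines operate on `{settings,modified}`, while the subject line and the commit message name the files "settings" and "modify"; one of the two is wrong, and the file name should be checked against what ipblocklist actually writes before this is merged. The brace expansion also depends on update.sh being run by bash (the interpreter line is not part of the visible context), and `chown nobody:nobody` with no explicit mode leaves the permissions to whatever umask is in effect during the update. Writing both paths out in full and setting the mode explicitly would remove both dependencies.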
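Review bot: The `touch` and `chown` lines added to the $(TARGET) recipe in lfs/ipblocklist-sources create the two settings files at build time, yet the diffstat shows no rootfile change to go with them. As the reply at the top of this message notes, files created in this step become part of the component's rootfile and would overwrite a user's ipblocklist settings on a later Core Update, so they belong wherever the other settings files are created (configroot, per the reply) rather than here. Separately, a make recipe line is executed by make's SHELL, which is /bin/sh unless overridden; if that shell is not bash, `{settings,modified}` is not expanded and a single file with that literal name is created and chowned instead, so the two paths should be spelled out.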