From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody"
Date: Mon, 22 Aug 2022 20:08:00 +0000
In-Reply-To: <59c78fd9-46a7-6290-ad8e-cae28cfc2bfc@ipfire.org>

Hello list,

today, Stefan reached out to me via phone and explained that /var/ipfire/ipblocklist/
should not be chown'ed to "nobody", since this would mean write access to the "sources"
file, a thing neither needed nor desirable.

Instead, he recommended touching a "modified" file in the same folder and granting
"nobody" write access to it. While testing, I noticed the same thing is necessary
for a "settings" file.

I will submit a second version of the patch in due course.

Best,
Peter Müller

> Fixes: #12917
> Signed-off-by: Peter Müller
> ---
> config/rootfiles/core/170/update.sh | 3 +++
> lfs/ipblocklist-sources | 4 ++--
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/17= 0/update.sh > index b6b66f3f1..c7dc09946 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -164,6 +164,9 @@ ldconfig > mkdir -pv /var/lib/ipblocklist > chown nobody:nobody /var/lib/ipblocklist > =20 > +# Ensure permissions for /var/ipfire/ipblocklist are set properly > +chown -Rv nobody:nobody /var/ipfire/ipblocklist > + > # Rebuild fcrontab from scratch > /usr/bin/fcrontab -z > =20 > diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources > index 30b9e94a4..87bd95cca 100644 > --- a/lfs/ipblocklist-sources > +++ b/lfs/ipblocklist-sources 
> @@ -47,7 +47,7 @@ b2 : > =20 > $(TARGET) : > @$(PREBUILD) > - mkdir -p /var/ipfire/ipblocklist > - install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipbl= ocklist > + install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist > + install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sour= ces /var/ipfire/ipblocklist > =20 > @$(POSTBUILD)
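Review bot: in the update.sh hunk, `chown -Rv nobody:nobody /var/ipfire/ipblocklist` hands ownership of the `sources` file to the unprivileged account, which is exactly what the reply above rejects: as owner, `nobody` can rewrite `sources` (and chmod it, so the 0644 mode is no protection against the owner), i.e. change the list of blocklist sources. Keep the directory and `sources` root-owned and give `nobody` only the per-file state it needs, e.g. `touch /var/ipfire/ipblocklist/modified` followed by `chown nobody:nobody /var/ipfire/ipblocklist/modified` (and the same for `settings`, as the reply notes); the recursive `-R` over the whole directory is then unnecessary.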
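Review bot: in the lfs/ipblocklist-sources hunk, `install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist` goes further than file ownership: owning the directory lets `nobody` unlink, rename or replace any entry in it, including a root-owned `sources`, so fixing only the file's ownership later would still be bypassable. Drop `-o nobody -g nobody` from both `install` calls so the directory and `sources` stay root-owned (0755 and 0644 are enough for the downloader to read them), and add a separate install of the writable state file(s) the reply describes, e.g. `install -o nobody -g nobody -m 0644 /dev/null /var/ipfire/ipblocklist/modified`, and likewise for `settings`.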
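The layout the reply settles on (root-owned directory and `sources`, separate `nobody`-writable `modified` and `settings` files) is easy to get wrong and hard to see from `ls` alone, because ownership matters more than the mode bits: an owner can always chmod a file back to writable, and a directory owner can rename or replace any entry in it regardless of that entry's mode. The audit below is an added example written for this page, not IPFire's own code. It reports whether a named user can write each entry, counting a file as writable when the user owns it or when the group or world write bit is set (conservative: group membership is not checked), and it checks the directory itself. The policy in `check_layout` and the file names `modified` and `settings` are taken from the reply; GNU `stat -c` (Linux) is assumed, and root is not required to run it.

```shell
#!/bin/sh
# Added example (not IPFire code): audit who can write the ipblocklist
# config directory. Assumes GNU stat (Linux). Runs as any user.

# writable_by USER PATH -> prints "yes" or "no".
# A path counts as writable by USER if USER owns it (the owner can chmod it
# back to writable at will, so a 0644 mode does not protect against the
# owner) or if the group or world write bit is set (conservative: group
# membership of USER is not checked). A missing path prints "no" and
# returns 1.
writable_by() {
    _user=$1
    _path=$2
    if [ ! -e "$_path" ]; then
        echo "no"
        return 1
    fi
    # shellcheck disable=SC2046  # word splitting of "owner mode" is intended
    set -- $(stat -c '%U %a' "$_path")
    _owner=$1
    _mode=$2                       # octal digits without leading zero, e.g. 644
    _group=$(( (_mode / 10) % 10 ))
    _other=$(( _mode % 10 ))
    if [ "$_owner" = "$_user" ] \
       || [ $(( _group & 2 )) -ne 0 ] \
       || [ $(( _other & 2 )) -ne 0 ]; then
        echo "yes"
    else
        echo "no"
    fi
}

# check_layout USER DIR -> returns 0 if DIR matches the policy from the thread:
#   - DIR itself and DIR/sources must NOT be writable by USER
#     (a directory owner could rename or replace "sources" whatever its mode)
#   - DIR/modified and DIR/settings must be writable by USER
# Every violation is printed; the return value is 1 if any was found.
check_layout() {
    _u=$1
    _d=$2
    _rc=0
    for _f in "$_d" "$_d/sources"; do
        if [ "$(writable_by "$_u" "$_f")" = "yes" ]; then
            echo "FAIL: $_f is writable by $_u"
            _rc=1
        fi
    done
    for _f in "$_d/modified" "$_d/settings"; do
        if [ "$(writable_by "$_u" "$_f")" != "yes" ]; then
            echo "FAIL: $_f is not writable by $_u (or missing)"
            _rc=1
        fi
    done
    return $_rc
}

# Stand-alone run: audit a live IPFire box when the directory exists there.
if [ -d /var/ipfire/ipblocklist ]; then
    check_layout nobody /var/ipfire/ipblocklist && echo "OK: layout matches"
fi
```

On a box that received the v1 patch as posted, `check_layout nobody /var/ipfire/ipblocklist` prints a FAIL line for the directory and for `sources`, since `nobody` owns both; after the layout from the reply is applied it prints nothing and returns 0.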