Hello list,
today, Stefan reached out to me via phone and explained that /var/ipfire/ipblocklist/ should not be chown'ed to "nobody", since this would mean write access to the "sources" file, a thing neither needed nor desirable.
Instead, he recommended touching a "modified" file in the same folder and granting "nobody" write access to it. While testing, I noticed the same thing is necessary for a "settings" file.
I will submit a second version of the patch in due course.
Best, Peter Müller
Fixes: #12917
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/rootfiles/core/170/update.sh | 3 +++ lfs/ipblocklist-sources | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..c7dc09946 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,9 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist
+# Ensure permissions for /var/ipfire/ipblocklist are set properly +chown -Rv nobody:nobody /var/ipfire/ipblocklist
# Rebuild fcrontab from scratch /usr/bin/fcrontab -z
diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..87bd95cca 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -47,7 +47,7 @@ b2 :
$(TARGET) : @$(PREBUILD)
- mkdir -p /var/ipfire/ipblocklist
- install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
@$(POSTBUILD)
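Review bot: In the config/rootfiles/core/170/update.sh hunk, `chown -Rv nobody:nobody /var/ipfire/ipblocklist` is broader than it needs to be. The recursive chown gives "nobody" ownership of every file under the directory, including "sources", which is the write access the message above calls neither needed nor desirable. Suggest leaving the directory and "sources" with their existing owner, creating the "modified" and "settings" files with touch, and running a non-recursive chown to nobody:nobody on those two files only. The comment above the command should then say which files are meant to be writable and why.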
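Review bot: In the lfs/ipblocklist-sources hunk, both install lines pass `-o nobody -g nobody`, so a fresh build ships "sources" owned by "nobody", and mode 0644 then gives that user write access to it. The directory line matters on its own: with `install -d -o nobody -g nobody -m 0755`, "nobody" owns /var/ipfire/ipblocklist and can unlink or replace "sources" even if the file itself belonged to another user. Suggest dropping the owner and group options from both lines and adding separate install steps that create "modified" and "settings" owned by nobody, so the build target matches what update.sh does on upgraded systems.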