This patchset fixes various errors in Core Update 157 (testing, see: https://blog.ipfire.org/post/ipfire-2-25-core-update-157-available-for-testi...) which surfaced on my testing machine.
While the forgotten application of the SSH configuration is tedious, the forgotten shipment of the backup CGI files is more serious, since this is necessary to fix #12619. This was my fault, and rebuilding the Core Update will be necessary to include this fix.
Peter Müller (6):
  Core Update 157: Apply changed SSH configurations
  Core Update 157: Ship backup package to apply changed permissions
  pppd: Explicitly ship pppd shared object files
  Core Update 157: Delete shared object files leftover from pppd 2.4.8
  nagios-plugins: Set SUID bit for plugins which need it to function properly
  Icinga: Do not ship event handlers for Nagios

 config/rootfiles/common/ppp                | 24 +++++++++++-----------
 config/rootfiles/core/157/filelists/backup |  1 +
 config/rootfiles/core/157/update.sh        |  7 +++++++
 config/rootfiles/packages/icinga           |  2 +-
 lfs/icinga                                 |  2 +-
 lfs/nagios-plugins                         |  9 +++++++-
 6 files changed, 30 insertions(+), 15 deletions(-)
 create mode 120000 config/rootfiles/core/157/filelists/backup
This is necessary to fix SSH not starting after upgrading to Core Update 157 unless its settings are manually written via the WebUI.

Reported-by: Erik Kapfer ummeegge@ipfire.org
Reported-by: Tom Rymes tom@rymes.net
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/rootfiles/core/157/update.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh index ce7b6f5bf..a53aa0759 100644 --- a/config/rootfiles/core/157/update.sh +++ b/config/rootfiles/core/157/update.sh @@ -97,6 +97,9 @@ extract_files # update linker config ldconfig
+# Apply local configuration to sshd_config +/usr/local/bin/sshctrl + # Update Language cache /usr/local/bin/update-lang-cache
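Review bot: The added `/usr/local/bin/sshctrl` call in the `@@ -97,6 +97,9 @@` hunk ignores its exit status, and the same update.sh later runs `/etc/init.d/sshd restart`, so a failing sshctrl would leave the "SSH not starting" symptom in place without any trace. Check the return value and write a message to the update log when it is non-zero, so a broken sshd_config is visible to whoever investigates the upgrade.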
This is required as "backup" itself does not get updated automatically, contrary to what its LFS file suggests by having a "PAK_VER" number.
In order to fix #12619, it is therefore necessary to ship the backup files with Core Update 157.
Partially fixes: #12619
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/rootfiles/core/157/filelists/backup | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/157/filelists/backup
diff --git a/config/rootfiles/core/157/filelists/backup b/config/rootfiles/core/157/filelists/backup new file mode 120000 index 000000000..38e28a8b4 --- /dev/null +++ b/config/rootfiles/core/157/filelists/backup @@ -0,0 +1 @@ +../../../common/backup \ No newline at end of file
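Review bot: The new symlink `config/rootfiles/core/157/filelists/backup` covers this Core Update only, and nothing in the patch addresses the cause named in the commit message, namely that the "PAK_VER" in the backup LFS file suggests an automatic update that does not happen. A follow-up that removes that number or adds a comment next to it saying backup has to be shipped through a core filelist would keep the next permission change from being missed in the same way. Since the trailer says "Partially fixes", please also state in the message what is still open for #12619.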
These are needed by pppd, but were not previously shipped as such. Instead, since their parent directory at /usr/lib/pppd/${version}/ was not commented out, we implicitly shipped the entire directory.
This patch does not change our behaviour in the end, but makes things more transparent to developers.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/rootfiles/common/ppp | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp index 8d0af69c4..d61fdf811 100644 --- a/config/rootfiles/common/ppp +++ b/config/rootfiles/common/ppp @@ -38,18 +38,18 @@ etc/ppp/standardloginscript #usr/include/pppd/upap.h usr/lib/pppd usr/lib/pppd/2.4.9 -#usr/lib/pppd/2.4.9/minconn.so -#usr/lib/pppd/2.4.9/openl2tp.so -#usr/lib/pppd/2.4.9/passprompt.so -#usr/lib/pppd/2.4.9/passwordfd.so -#usr/lib/pppd/2.4.9/pppoatm.so -#usr/lib/pppd/2.4.9/pppoe.so -#usr/lib/pppd/2.4.9/pppol2tp.so -#usr/lib/pppd/2.4.9/radattr.so -#usr/lib/pppd/2.4.9/radius.so -#usr/lib/pppd/2.4.9/radrealms.so -#usr/lib/pppd/2.4.9/rp-pppoe.so -#usr/lib/pppd/2.4.9/winbind.so +usr/lib/pppd/2.4.9/minconn.so +usr/lib/pppd/2.4.9/openl2tp.so +usr/lib/pppd/2.4.9/passprompt.so +usr/lib/pppd/2.4.9/passwordfd.so +usr/lib/pppd/2.4.9/pppoatm.so +usr/lib/pppd/2.4.9/pppoe.so +usr/lib/pppd/2.4.9/pppol2tp.so +usr/lib/pppd/2.4.9/radattr.so +usr/lib/pppd/2.4.9/radius.so +usr/lib/pppd/2.4.9/radrealms.so +usr/lib/pppd/2.4.9/rp-pppoe.so +usr/lib/pppd/2.4.9/winbind.so usr/sbin/chat usr/sbin/pppd usr/sbin/pppdump
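Review bot: The parent entries `usr/lib/pppd` and `usr/lib/pppd/2.4.9` remain uncommented directly above the newly listed .so files, so by the commit message's own reasoning the whole directory is still shipped implicitly and a plugin missing from this list would go unnoticed. Say in the commit message that the twelve explicit entries are documentation only and must be renamed together with the directory on the next pppd version bump.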
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/rootfiles/core/157/update.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh index a53aa0759..94b10723f 100644 --- a/config/rootfiles/core/157/update.sh +++ b/config/rootfiles/core/157/update.sh @@ -124,6 +124,10 @@ rm -f \ /usr/lib/dma-mbox-create \ /usr/lib/openssh/ssh-keysign
+# Delete orphaned pppd 2.4.8 shared object files +rm -rf \ + /usr/lib/pppd/2.4.8/ + # Start services /etc/init.d/sshd restart /etc/init.d/apache restart
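Review bot: The comment on the added `rm -rf` speaks of deleting shared object files, but the command removes the entire `/usr/lib/pppd/2.4.8/` directory, including anything in it that did not come from the ppp package. Reword the comment to say the directory is removed. This patch also has no commit message body; one sentence on why the 2.4.8 files are left over after the update would help later readers.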
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 lfs/nagios-plugins | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lfs/nagios-plugins b/lfs/nagios-plugins index d35a94bbe..cdf1910b0 100644 --- a/lfs/nagios-plugins +++ b/lfs/nagios-plugins @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nagios-plugins -PAK_VER = 5 +PAK_VER = 6
DEPS =
@@ -92,4 +92,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Prevent Nagios plugins from being owned (and hence writeable) by "nobody" chown root:root -R /usr/lib/nagios/plugins
+ # Unfortunately, some of these plugins need the SUID bit to do their work properly + chmod +s \ + /usr/lib/nagios/plugins/check_dhcp \ + /usr/lib/nagios/plugins/check_icmp \ + /usr/lib/nagios/plugins/check_ide_smart \ + /usr/lib/nagios/plugins/check_ping + @$(POSTBUILD)
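Review bot: `chmod +s` in the `@@ -92,4 +92,11 @@` hunk sets both the set-user-ID and the set-group-ID bit, while the comment and the subject line only ask for SUID. Use `chmod u+s` so the four plugins do not gain SGID as well. Because the preceding `chown root:root -R` makes them root-owned, these become SUID-root binaries, so the comment should say why each of check_dhcp, check_icmp, check_ide_smart and check_ping needs root; that lets the list be re-checked whenever the plugin set changes.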
These are owned (hence being writable) by "nobody", posing a potential security risk. Since the files themselves were already excluded from being shipped, their parent directory should be as well.
This patch should reduce the amount of executable files being owned by nobody to zero after upgrading to Core Update 157. Due to complexity reasons, not all applications available in Pakfire could be tested, though, so your mileage may vary.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 config/rootfiles/packages/icinga | 2 +-
 lfs/icinga                       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/packages/icinga b/config/rootfiles/packages/icinga index f81ba9db2..000be6346 100644 --- a/config/rootfiles/packages/icinga +++ b/config/rootfiles/packages/icinga @@ -25,7 +25,7 @@ usr/bin/icinga usr/bin/icingastats #usr/lib/icinga usr/lib/icinga/p1.pl -usr/lib/nagios/plugins/eventhandlers +#usr/lib/nagios/plugins/eventhandlers #usr/lib/nagios/plugins/eventhandlers/disable_active_service_checks #usr/lib/nagios/plugins/eventhandlers/disable_notifications #usr/lib/nagios/plugins/eventhandlers/distributed-monitoring diff --git a/lfs/icinga b/lfs/icinga index 6534722ac..456f66388 100644 --- a/lfs/icinga +++ b/lfs/icinga @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = icinga -PAK_VER = 4 +PAK_VER = 5
DEPS = nagios-plugins
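Review bot: Commenting out `usr/lib/nagios/plugins/eventhandlers` in the rootfile only stops the directory from being packaged; nothing in these two hunks removes or re-owns a copy already installed by icinga PAK_VER 4. The commit message's goal of zero executables owned by "nobody" after upgrading therefore depends on the package update path, which is not shown here. Please confirm that the upgrade removes the old directory, or add an explicit cleanup to the package's update script.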