Dear Mailinglist followers,
I've doing some Pre-Beta tests of Core Update 76 on my testing system.
It has been a basic IPFire 2.13 Core 75 system with the New Firewall installed for testing purposes. After manually installing core 76 all existing firewall rules where gone because the will get overwritten in the update process.
This is a big problem on environments where the New Firewall is used productive or in case of an update from Beta 1 to another Beta or final Release.
I've successfully prepared and tested a patchset which will prevent the updater to overwrite the affected firewall config files.
The commit can be found here:
http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc1...
Please take a look on it and put the changes upstream so we can prevent other users from this issue.
Thanks in advance,
-Stefan
Hi Stefan,
On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
Dear Mailinglist followers,
I've doing some Pre-Beta tests of Core Update 76 on my testing system.
Great. We still need some help with this. It is currently a bit too quiet and I don't think that this is only a good sign :)
It has been a basic IPFire 2.13 Core 75 system with the New Firewall installed for testing purposes. After manually installing core 76 all existing firewall rules where gone because the will get overwritten in the update process.
This is a big problem on environments where the New Firewall is used productive or in case of an update from Beta 1 to another Beta or final Release.
I agree that this is a problem and that this must be fixed before release. Probably best before the first beta release.
I've successfully prepared and tested a patchset which will prevent the updater to overwrite the affected firewall config files.
The commit can be found here:
http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc1...
Please take a look on it and put the changes upstream so we can prevent other users from this issue.
Unfortunately, I cannot merge this. There is a huge problem with the chown calls at the end. Those will change the permissions of the scripts that will later be called with root permissions. If the user nobody can edit these scripts, nobody will basically be able to run commands as root.
How can this be fixed? It is probably best to create a temporary backup with all the firewall configuration files and restore that backup when the update is done. This is probably not the best solution, but I cannot come up with something better at the moment.
-Michael
On 2014-01-27 23:07, Michael Tremer wrote:
Hi Stefan,
On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
Dear Mailinglist followers,
I've doing some Pre-Beta tests of Core Update 76 on my testing system.
Great. We still need some help with this. It is currently a bit too quiet and I don't think that this is only a good sign :)
It has been a basic IPFire 2.13 Core 75 system with the New Firewall installed for testing purposes. After manually installing core 76 all existing firewall rules where gone because the will get overwritten in the update process.
This is a big problem on environments where the New Firewall is used productive or in case of an update from Beta 1 to another Beta or final Release.
I agree that this is a problem and that this must be fixed before release. Probably best before the first beta release.
I've successfully prepared and tested a patchset which will prevent the updater to overwrite the affected firewall config files.
The commit can be found here:
http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc1...
Please take a look on it and put the changes upstream so we can prevent other users from this issue.
Unfortunately, I cannot merge this. There is a huge problem with the chown calls at the end. Those will change the permissions of the scripts that will later be called with root permissions. If the user nobody can edit these scripts, nobody will basically be able to run commands as root.
How can this be fixed? It is probably best to create a temporary backup with all the firewall configuration files and restore that backup when the update is done. This is probably not the best solution, but I cannot come up with something better at the moment.
I think an aditional chown that set the bin folder inside back to root should also be ok. chown -R root:root /var/ipfire/firewall/bin
-Michael
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
I guess it would be probably best to move the scripts out of /var/ipfire to something like /usr/lib/firewall.
I will do this and then merge the patch that Stefan suggested, because running chown in the end won't be a problem any more.
Although Arne's suggestion fixes the problem I am a bit afraid that we will overlook this at some later time.
-Michael
On Tue, 2014-01-28 at 09:35 +0100, Arne Fitzenreiter wrote:
On 2014-01-27 23:07, Michael Tremer wrote:
Hi Stefan,
On Sat, 2014-01-25 at 23:05 +0100, Stefan Schantl wrote:
Dear Mailinglist followers,
I've doing some Pre-Beta tests of Core Update 76 on my testing system.
Great. We still need some help with this. It is currently a bit too quiet and I don't think that this is only a good sign :)
It has been a basic IPFire 2.13 Core 75 system with the New Firewall installed for testing purposes. After manually installing core 76 all existing firewall rules where gone because the will get overwritten in the update process.
This is a big problem on environments where the New Firewall is used productive or in case of an update from Beta 1 to another Beta or final Release.
I agree that this is a problem and that this must be fixed before release. Probably best before the first beta release.
I've successfully prepared and tested a patchset which will prevent the updater to overwrite the affected firewall config files.
The commit can be found here:
http://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=5bdefccbbc1...
Please take a look on it and put the changes upstream so we can prevent other users from this issue.
Unfortunately, I cannot merge this. There is a huge problem with the chown calls at the end. Those will change the permissions of the scripts that will later be called with root permissions. If the user nobody can edit these scripts, nobody will basically be able to run commands as root.
How can this be fixed? It is probably best to create a temporary backup with all the firewall configuration files and restore that backup when the update is done. This is probably not the best solution, but I cannot come up with something better at the moment.
I think an aditional chown that set the bin folder inside back to root should also be ok. chown -R root:root /var/ipfire/firewall/bin
-Michael
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
-
Arne Fitzenreiter -
Michael Tremer -
Stefan Schantl