Fixes: #12917 Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/170/update.sh | 3 +++ lfs/ipblocklist-sources | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..c7dc09946 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,9 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist
+# Ensure permissions for /var/ipfire/ipblocklist are set properly +chown -Rv nobody:nobody /var/ipfire/ipblocklist + # Rebuild fcrontab from scratch /usr/bin/fcrontab -z
diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..87bd95cca 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -47,7 +47,7 @@ b2 :
$(TARGET) : @$(PREBUILD) - mkdir -p /var/ipfire/ipblocklist - install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist + install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist + install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
@$(POSTBUILD)
Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
Am 22.08.2022 um 08:30 schrieb Peter Müller:
Fixes: #12917 Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/rootfiles/core/170/update.sh | 3 +++ lfs/ipblocklist-sources | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..c7dc09946 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,9 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist
+# Ensure permissions for /var/ipfire/ipblocklist are set properly +chown -Rv nobody:nobody /var/ipfire/ipblocklist
- # Rebuild fcrontab from scratch /usr/bin/fcrontab -z
diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..87bd95cca 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -47,7 +47,7 @@ b2 :
$(TARGET) : @$(PREBUILD)
- mkdir -p /var/ipfire/ipblocklist
- install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
@$(POSTBUILD)
Hello list,
today, Stefan reached out to me via phone and explained that /var/ipfire/ipblocklist/ should not be chown'ed to "nobody", since this would mean write access to the "sources" file, a thing neither needed nor desirable.
Instead, he recommended touching a "modified" file in the same folder and granting "nobody" write access to it. While testing, I noticed the same thing is necessary for a "settings" file.
I will submit a second version of the patch in due course.
Best, Peter Müller
Fixes: #12917 Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/rootfiles/core/170/update.sh | 3 +++ lfs/ipblocklist-sources | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..c7dc09946 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,9 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist
+# Ensure permissions for /var/ipfire/ipblocklist are set properly +chown -Rv nobody:nobody /var/ipfire/ipblocklist
# Rebuild fcrontab from scratch /usr/bin/fcrontab -z
diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..87bd95cca 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -47,7 +47,7 @@ b2 :
$(TARGET) : @$(PREBUILD)
- mkdir -p /var/ipfire/ipblocklist
- install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
@$(POSTBUILD)
The second version of this patch avoids being generous with file permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources must not be writable to "nobody".
Therefore, the needed files ("settings" and "modify") are prepared during the Core Upgrade and LFS file, and equipped with appropriate permissions.
Fixes: #12917 Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/rootfiles/core/170/update.sh | 4 ++++ lfs/ipblocklist-sources | 2 ++ 2 files changed, 6 insertions(+)
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..9d16f4a32 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,10 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist
+# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) +touch /var/ipfire/ipblocklist/{settings,modified} +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} + # Rebuild fcrontab from scratch /usr/bin/fcrontab -z
diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..d0ce30350 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -49,5 +49,7 @@ $(TARGET) : @$(PREBUILD) mkdir -p /var/ipfire/ipblocklist install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist + touch /var/ipfire/ipblocklist/{settings,modified} + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified}
@$(POSTBUILD)
Hello,
I was told that this patch isn’t solving the problem it is supposed to solve.
However, I do not see why. Could someone explain to my little brain why?
-Michael
On 22 Aug 2022, at 21:11, Peter Müller peter.mueller@ipfire.org wrote:
The second version of this patch avoids being generous with file permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources must not be writable to "nobody".
Therefore, the needed files ("settings" and "modify") are prepared during the Core Upgrade and LFS file, and equipped with appropriate permissions.
Fixes: #12917 Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/rootfiles/core/170/update.sh | 4 ++++ lfs/ipblocklist-sources | 2 ++ 2 files changed, 6 insertions(+)
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..9d16f4a32 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,10 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist
+# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) +touch /var/ipfire/ipblocklist/{settings,modified} +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified}
# Rebuild fcrontab from scratch /usr/bin/fcrontab -z
diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..d0ce30350 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -49,5 +49,7 @@ $(TARGET) : @$(PREBUILD) mkdir -p /var/ipfire/ipblocklist install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
touch /var/ipfire/ipblocklist/{settings,modified}
chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified}
@$(POSTBUILD)
-- 2.35.3
Hello Michael,
thanks for your reply and apologies for my belated response.
Stefan pointed out to me that if we would create these files in ipblocklist itself, they would have became part of the component's rootfile (which was also not updated in the patch). This would have caused user settings for ipblocklist to be overwritten, if ipblocklist is updated in a future Core Update.
configroot is the better place, since we must never ship this, and this is where all the other settings files are created already. Also, file permissions are already taken care of there.
Version 3 should _finally_ solve the issue. Please let me know if it doesn't.
All the best, Peter Müller
Hello,
I was told that this patch isn’t solving the problem it is supposed to solve.
However, I do not see why. Could someone explain to my little brain why?
-Michael
On 22 Aug 2022, at 21:11, Peter Müller peter.mueller@ipfire.org wrote:
The second version of this patch avoids being generous with file permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources must not be writable to "nobody".
Therefore, the needed files ("settings" and "modify") are prepared during the Core Upgrade and LFS file, and equipped with appropriate permissions.
Fixes: #12917 Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/rootfiles/core/170/update.sh | 4 ++++ lfs/ipblocklist-sources | 2 ++ 2 files changed, 6 insertions(+)
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..9d16f4a32 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,10 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist
+# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) +touch /var/ipfire/ipblocklist/{settings,modified} +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified}
# Rebuild fcrontab from scratch /usr/bin/fcrontab -z
diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..d0ce30350 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -49,5 +49,7 @@ $(TARGET) : @$(PREBUILD) mkdir -p /var/ipfire/ipblocklist install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
touch /var/ipfire/ipblocklist/{settings,modified}
chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified}
@$(POSTBUILD)
-- 2.35.3
On Mon, 22 Aug 2022 20:08:00 +0000, Peter Müller wrote:
Hello list,
today, Stefan reached out to me via phone and explained that /var/ipfire/ipblocklist/ should not be chown'ed to "nobody", since this would mean write access to the "sources" file, a thing neither needed nor desirable.
Instead, he recommended touching a "modified" file in the same folder and granting "nobody" write access to it. While testing, I noticed the same thing is necessary for a "settings" file.
I will submit a second version of the patch in due course.
Best, Peter Müller
If it helps I think Tim's original Ipblacklist had these permissions:
drwxr-xr-x 2 nobody nobody 4096 Feb 6 2022 ipblacklist
ls -l /var/ipfire/ipblacklist/
-rw-r--r-- 1 root root 441 Aug 22 21:24 checked -rw-r--r-- 1 root root 190 Aug 22 21:24 modified -rw-r--r-- 1 nobody nobody 305 Aug 3 10:29 settings -rw-r--r-- 1 root root 11443 Aug 3 09:28 sources -rw-r--r-- 1 root root 0 Feb 2 2022 status
So nobody.nobody would seem to be correct for the directory and is working OK here.
Rob
-
Bernhard Bitsch -
Michael Tremer -
Peter Müller -
Rob Brewer