This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  b69659af02d65f982a2d8fd443f02950593d28fe (commit)
       via  c7e0d73e7cfd7be95db9d0a5f3392b8241813d5b (commit)
       via  3f8e70f6b34ee085cb0a5ad22792e521cd867c1c (commit)
       via  ca1fdb69549b282c9c67b4cf385eda725ed1c366 (commit)
       via  fc717041c4b1af09c4345650ad4b346bb33ae216 (commit)
       via  18f0991c353b9b96062d71a3237e5447231a467b (commit)
       via  dcacf03e80d714bd120a877d16a862ffce47dd26 (commit)
       via  85b1d83b2a6fe2beb8169f3e810e915c4ad54036 (commit)
       via  da3611b2767298e3f300b12b6ae03958a193c871 (commit)
       via  9106bfca42a86f9720c4e2f5d0d166832cac6454 (commit)
      from  6e2c8f48182c169edb177526d7f639b0631d57cc (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit b69659af02d65f982a2d8fd443f02950593d28fe
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Mar 7 18:53:09 2022 +0000
core164: Ship backup exclude file
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c7e0d73e7cfd7be95db9d0a5f3392b8241813d5b
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Mar 4 10:41:30 2022 +0000
backup: Make include/exclude files relative
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3f8e70f6b34ee085cb0a5ad22792e521cd867c1c
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Mar 4 10:29:23 2022 +0000
backup: Don't restore excluded files
Sometimes, we restore a backup that has been created earlier, before exclude files have been changed. To avoid overwriting those files, we will consider the exclude list upon restore.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ca1fdb69549b282c9c67b4cf385eda725ed1c366
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Mar 4 10:27:01 2022 +0000
backup: Exclude oinkmaster.conf
This file is a system configuration file and does not contain any configuration from the user.
Since it can be overwritten in a backup and restored to an older state, this can cause problems such as #12788.
Fixes: #12788
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fc717041c4b1af09c4345650ad4b346bb33ae216
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Mar 4 10:18:25 2022 +0000
backup: Abort when the backup could not be extracted
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 18f0991c353b9b96062d71a3237e5447231a467b
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Mar 7 17:52:36 2022 +0100
ids.cgi: Only read in ignored hosts if the ignore file exists.
Otherwise the CGI will crash.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dcacf03e80d714bd120a877d16a862ffce47dd26
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Sat Mar 5 18:53:10 2022 +0100
ids-functions.pl: Do not create an empty ignored settings file.
The file will be created by the WUI, when adding the first host.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 85b1d83b2a6fe2beb8169f3e810e915c4ad54036
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Thu Mar 3 05:49:43 2022 +0100
update-ids-ruleset: Always drop the lock file if it has been created during runtime.
In some situations, or if an error happened, the lock file could be kept on the system. In such a case the IDS page would be locked forever until user interaction or a reboot of the system.
Now the script checks if it has created such a lock and releases it when the script exits.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
Acked-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit da3611b2767298e3f300b12b6ae03958a193c871
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Thu Mar 3 19:55:59 2022 +0100
ids-functions.pl: Do not try to chown files while extracting them.
We are almost running as an unprivileged user and therefore do not have the permissions to do this.
This will save us a lot of confusing error messages.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9106bfca42a86f9720c4e2f5d0d166832cac6454
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Sat Mar 5 16:27:17 2022 +0100
ids-functions.pl: Merge same named rulefiles during extract.
In case a rules tarball contains several same-named rulefiles, they have been overwritten each time and so only contained the content from the last extracted one.
Now the content of those files will be merged by appending the content to the first extracted one each time.
Fixes #12792.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/backup/backup.pl                   |  18 ++++-
 config/backup/exclude                     |  17 ++--
 config/backup/include                     | 126 +++++++++++++++---------------
 config/cfgroot/ids-functions.pl           |  38 ++++++++-
 config/rootfiles/core/164/filelists/files |   1 +
 html/cgi-bin/ids.cgi                      |   8 +-
 src/installer/hw.c                        |   4 +-
 src/scripts/update-ids-ruleset            |  19 ++++-
 8 files changed, 145 insertions(+), 86 deletions(-)
Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 63004491c..a2337cf23 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -39,7 +39,7 @@ process_includes() { local file while read -r file; do for file in ${file}; do - if [ -e "${file}" ]; then + if [ -e "/${file}" ]; then echo "${file}" fi done @@ -58,7 +58,7 @@ make_backup() { done
# Backup using global exclude/include definitions - tar cvfz "$(unknown)" \ + tar cvfz "$(unknown)" -C / \ --exclude-from="/var/ipfire/backup/exclude" \ --exclude-from="/var/ipfire/backup/exclude.user" \ $(process_includes "/var/ipfire/backup/include") \ @@ -71,7 +71,13 @@ make_backup() { restore_backup() { local filename="${1}"
- tar xvzpf "$(unknown)" -C / + # Extract backup + if ! tar xvzpf "$(unknown)" -C / \ + --exclude-from="/var/ipfire/backup/exclude" \ + --exclude-from="/var/ipfire/backup/exclude.user"; then + echo "Could not extract backup" >&2 + return 1 + fi
# Restart syslogd, httpd and suricata in case we've just loaded old logs apachectl -k graceful @@ -202,7 +208,11 @@ restore_addon_backup() { mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf" fi
- tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C / + # Extract backup + if ! tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /; then + echo "Could not extract backup" >&2 + return 1 + fi }
main() { diff --git a/config/backup/exclude b/config/backup/exclude index 68c37de48..0131a87fd 100644 --- a/config/backup/exclude +++ b/config/backup/exclude @@ -1,9 +1,10 @@ -/etc/sysconfig/lm_sensors -/etc/unbound/unbound.conf +etc/sysconfig/lm_sensors +etc/unbound/unbound.conf *.tmp -/var/ipfire/ethernet/settings -/var/ipfire/firewall/bin/* -/var/ipfire/ovpn/openssl/* -/var/ipfire/proxy/calamaris/bin/* -/var/ipfire/qos/bin/qos.pl -/var/ipfire/urlfilter/blacklists/*/*.db +var/ipfire/ethernet/settings +var/ipfire/firewall/bin/* +var/ipfire/ovpn/openssl/* +var/ipfire/proxy/calamaris/bin/* +var/ipfire/qos/bin/qos.pl +var/ipfire/suricata/oinkmaster.conf +var/ipfire/urlfilter/blacklists/*/*.db diff --git a/config/backup/include b/config/backup/include index 3b96b1d62..809a49601 100644 --- a/config/backup/include +++ b/config/backup/include 
@@ -1,63 +1,63 @@ -/etc/conntrackd/conntrackd.conf -/etc/group -/etc/hosts* -/etc/httpd/server.crt -/etc/httpd/server.csr -/etc/httpd/server-ecdsa.crt -/etc/httpd/server-ecdsa.csr -/etc/httpd/server-ecdsa.key -/etc/httpd/server.key -/etc/ipsec.user.* -/etc/ipsec.user-post.conf -/etc/logrotate.d -/etc/passwd -/etc/shadow -/etc/ssh/sshd_config -/etc/ssh/ssh_host* -/etc/squid/squid.conf.local -/etc/squid/squid.conf.pre.local -/etc/sysconfig/* -/etc/sysconfig/firewall.local -/etc/sysconfig/rc.local -/etc/unbound -/root/.bash_history -/root/.gitconfig -/root/.ssh -/var/ipfire/auth/users -/var/ipfire/backup/addons/backup -/var/ipfire/backup/exclude.user -/var/ipfire/backup/include.user -/var/ipfire/captive/* -/var/ipfire/*/*.conf -/var/ipfire/*/config -/var/ipfire/dhcp/* -/var/ipfire/dns -/var/ipfire/dnsforward/* -/var/ipfire/*/enable -/var/ipfire/*/*enable* -/var/ipfire/ethernet/aliases -/var/ipfire/ethernet/wireless -/var/ipfire/firewall -/var/ipfire/fwhosts -/var/ipfire/main/* -/var/ipfire/ovpn -/var/ipfire/ovpn/collectd.vpn -/var/ipfire/*/*.pem -/var/ipfire/ppp -/var/ipfire/proxy -/var/ipfire/qos/* -/var/ipfire/qos/bin/qos.sh -/var/ipfire/suricata/*.conf -/var/ipfire/suricata/*.yaml -/var/ipfire/suricata/providers-settings -/var/ipfire/*/settings -/var/ipfire/time/ -/var/ipfire/urlfilter -/var/ipfire/vpn -/var/lib/suricata -/var/log/ip-acct/* -/var/log/rrd/* -/var/log/rrd/collectd -/var/log/vnstat -/var/tmp/idsrules-*.tar.gz -/var/tmp/idsrules-*.rules +etc/conntrackd/conntrackd.conf +etc/group +etc/hosts* +etc/httpd/server.crt +etc/httpd/server.csr +etc/httpd/server-ecdsa.crt +etc/httpd/server-ecdsa.csr +etc/httpd/server-ecdsa.key +etc/httpd/server.key +etc/ipsec.user.* +etc/ipsec.user-post.conf +etc/logrotate.d +etc/passwd +etc/shadow +etc/ssh/sshd_config +etc/ssh/ssh_host* +etc/squid/squid.conf.local +etc/squid/squid.conf.pre.local +etc/sysconfig/* +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/unbound +root/.bash_history +root/.gitconfig +root/.ssh 
+var/ipfire/auth/users +var/ipfire/backup/addons/backup +var/ipfire/backup/exclude.user +var/ipfire/backup/include.user +var/ipfire/captive/* +var/ipfire/*/*.conf +var/ipfire/*/config +var/ipfire/dhcp/* +var/ipfire/dns +var/ipfire/dnsforward/* +var/ipfire/*/enable +var/ipfire/*/*enable* +var/ipfire/ethernet/aliases +var/ipfire/ethernet/wireless +var/ipfire/firewall +var/ipfire/fwhosts +var/ipfire/main/* +var/ipfire/ovpn +var/ipfire/ovpn/collectd.vpn +var/ipfire/*/*.pem +var/ipfire/ppp +var/ipfire/proxy +var/ipfire/qos/* +var/ipfire/qos/bin/qos.sh +var/ipfire/suricata/*.conf +var/ipfire/suricata/*.yaml +var/ipfire/suricata/providers-settings +var/ipfire/*/settings +var/ipfire/time/ +var/ipfire/urlfilter +var/ipfire/vpn +var/lib/suricata +var/log/ip-acct/* +var/log/rrd/* +var/log/rrd/collectd +var/log/vnstat +var/tmp/idsrules-*.tar.gz +var/tmp/idsrules-*.rules diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 74d55def6..37dd42b03 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -153,7 +153,6 @@ sub check_and_create_filelayout() { unless (-f "$suricata_default_rulefiles_file") { &create_empty_file($suricata_default_rulefiles_file); } unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); } unless (-f "$providers_settings_file") { &create_empty_file($providers_settings_file); } - unless (-f "$ignored_file") { &create_empty_file($ignored_file); } unless (-f "$whitelist_file" ) { &create_empty_file($whitelist_file); } }
@@ -475,6 +474,9 @@ sub extractruleset ($) { # Load perl module to deal with archives. use Archive::Tar;
+ # Disable chown functionality when uncompressing files. + $Archive::Tar::CHOWN = "0"; + # Load perl module to deal with files and path. use File::Basename;
@@ -572,8 +574,38 @@ sub extractruleset ($) { next; }
- # Extract the file to the temporary directory. - $tar->extract_file("$packed_file", "$destination"); + # Check if the destination file exists. + unless(-e "$destination") { + # Extract the file to the temporary directory. + $tar->extract_file("$packed_file", "$destination"); + } else { + # Load perl module to deal with temporary files. + use File::Temp; + + # Generate temporary file name, located in the temporary rules directory and a suffix of ".tmp". + my $tmp = File::Temp->new( SUFFIX => ".tmp", DIR => "$tmp_rules_directory", UNLINK => 0 ); + my $tmpfile = $tmp->filename(); + + # Extract the file to the new temporary file name. + $tar->extract_file("$packed_file", "$tmpfile"); + + # Open the the existing file. + open(DESTFILE, ">>", "$destination") or die "Could not open $destination. $!\n"; + open(TMPFILE, "<", "$tmpfile") or die "Could not open $tmpfile. $!\n"; + + # Loop through the content of the temporary file. + while (<TMPFILE>) { + # Append the content line by line to the destination file. + print DESTFILE "$_"; + } + + # Close the file handles. + close(TMPFILE); + close(DESTFILE); + + # Remove the temporary file. + unlink("$tmpfile"); + } } } } diff --git a/config/rootfiles/core/164/filelists/files b/config/rootfiles/core/164/filelists/files index 89118ae62..86921fca4 100644 --- a/config/rootfiles/core/164/filelists/files +++ b/config/rootfiles/core/164/filelists/files @@ -15,6 +15,7 @@ srv/web/ipfire/html/include/pakfire.js usr/sbin/convert-ids-multiple-providers usr/sbin/convert-snort var/ipfire/backup/bin/backup.pl +var/ipfire/backup/exclude var/ipfire/backup/include var/ipfire/graphs.pl var/ipfire/ids-functions.pl diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 27e61e9bb..722715667 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -103,7 +103,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
# Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, %ignored); + &General::readhasharray($IDS::ignored_file, %ignored) if (-e $IDS::ignored_file);
# Check if we should edit an existing entry and got an ID. if (($cgiparams{'WHITELIST'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})) { @@ -165,7 +165,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq undef($cgiparams{'ID'});
# Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, %ignored); + &General::readhasharray($IDS::ignored_file, %ignored) if (-e $IDS::ignored_file);
# Grab the configured status of the corresponding entry. my $status = $ignored{$id}[2]; @@ -199,7 +199,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq my %ignored = ();
# Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, %ignored); + &General::readhasharray($IDS::ignored_file, %ignored) if (-e $IDS::ignored_file);
# Drop entry from the hash. delete($ignored{$cgiparams{'ID'}}); @@ -1071,7 +1071,7 @@ sub show_mainpage() { }
# Read-in ignored hosts. - &General::readhasharray("$IDS::settingsdir/ignored", %ignored); + &General::readhasharray("$IDS::ignored_file", %ignored) if (-e $IDS::ignored_file);
$checked{'ENABLE_IDS'}{'off'} = ''; $checked{'ENABLE_IDS'}{'on'} = ''; diff --git a/src/installer/hw.c b/src/installer/hw.c index 17e0bbb01..5cba2a261 100644 --- a/src/installer/hw.c +++ b/src/installer/hw.c @@ -1204,7 +1204,9 @@ char* hw_find_backup_file(const char* output, const char* search_path) { int hw_restore_backup(const char* output, const char* backup_path, const char* destination) { char command[STRING_SIZE];
- snprintf(command, sizeof(command), "/bin/tar xzpf %s -C %s", backup_path, destination); + snprintf(command, sizeof(command), "/bin/tar xzpf %s -C %s " + "--exclude-from=%s/var/ipfire/backup/exclude --exclude-from=%s/var/ipfire/backup/exclude.user", + backup_path, destination, destination, destination); int rc = mysystem(output, command);
if (rc) diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 10a270907..c2970d20b 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -26,6 +26,9 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/ids-functions.pl"; require "${General::swroot}/lang.pl";
+# Variable to store if the process has written a lockfile. +my $locked; + # Hash to store the configured providers. my %providers = ();
@@ -77,6 +80,9 @@ if(&IDS::checkdiskspace()) { # Lock the IDS page. &IDS::lock_ids_page();
+# The script has requested a lock, so set locket to "1". +$locked = "1"; + # Grab the configured providers. &General::readhasharray("$IDS::providers_settings_file", %providers);
@@ -114,13 +120,20 @@ foreach my $id (keys %providers) { # Set correct ownership for the rulesdir and files. &IDS::set_ownership("$IDS::rulespath");
-# Unlock the IDS page. -&IDS::unlock_ids_page(); - # Check if the IDS is running. if(&IDS::ids_is_running()) { # Call suricatactrl to perform a reload. &IDS::call_suricatactrl("reload"); }
+# Custom END declaration to release a IDS page lock +# when the script has created one. +END { + # Check if a lock has been requested. + if ($locked) { + # Unlock the IDS page. + &IDS::unlock_ids_page(); + } +} + 1;
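Review bot: in the process_includes hunk of config/backup/backup.pl, `for file in ${file}` expands the now-relative include patterns (for example `var/ipfire/*/*.conf`) as shell globs against the current working directory, not against `/`, and the new `-e "/${file}"` test then silently drops every pattern that did not match. Unless the script does `cd /` before calling process_includes, wildcard entries will be missing from the archive; either run the loop in a subshell after `cd /`, or glob with the leading slash and strip it with `${file#/}` before the `echo`.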
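Review bot: in the restore_backup hunk of config/backup/backup.pl, GNU tar treats a missing `--exclude-from` file as a fatal error, so the restore now fails outright if `/var/ipfire/backup/exclude.user` is absent, and the new `if ! tar ...` branch reports that as "Could not extract backup", which will mislead whoever reads the log. Add each exclude file only when `-f` says it exists (or make sure exclude.user is always shipped). Note also that a non-zero exit from tar can occur after part of the archive has already been written to `/`, so `return 1` does not mean the system is untouched.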
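Review bot: the restore_addon_backup hunk extracts with `-C /` but without the two `--exclude-from` options that restore_backup now passes, so an add-on archive can still overwrite a file the global exclude list is meant to protect. If that is intentional because add-on backups only contain their own files, say so in the commit message; otherwise apply the same excludes here.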
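Review bot: in the config/backup/exclude hunk, GNU tar's exclusion defaults are `--no-anchored --wildcards --wildcards-match-slash`, so a relative entry such as `etc/unbound/unbound.conf` now matches that path at any depth in the archive, not only at the root. Pass `--anchored` ahead of the `--exclude-from` options in backup.pl and hw.c if the entries are meant as exact paths; `*.tmp` is the only line that is intentionally unanchored.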
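Review bot: the check_and_create_filelayout hunk in ids-functions.pl stops creating `$ignored_file` while still creating every other settings file empty, so every reader of `$ignored_file` outside ids.cgi (for instance the code that turns the ignore list into Suricata configuration) needs the same `-e` guard that ids.cgi gets in this series, or readhasharray will hit a missing file. A one-line comment here saying the WUI creates the file on first use would help the next reader.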
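Review bot: in the extractruleset hunk that sets `$Archive::Tar::CHOWN = "0";`, use the numeric `0` rather than the string "0" (both are false, but the variable is a boolean flag and the string form invites a later string comparison). As a package global it affects every later Archive::Tar extraction in the same process, which is fine here but worth a comment.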
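Review bot: the merge branch added to extractruleset appends the temporary file with `print DESTFILE "$_"` without checking that the existing destination ends with a newline; if the first rule file lacks a trailing newline, the first rule of the second file is glued onto the last line of the first and that rule is corrupted, so write a `\n` first when the existing file does not end with one. The round trip through File::Temp is also unnecessary, since `$tar->get_content($packed_file)` returns the member's content directly, and the return value of `extract_file` goes unchecked in both branches. Minor: `use File::Temp` inside the loop is compile-time anyway and belongs next to the other `use` lines, and lexical filehandles are preferable to the bareword DESTFILE/TMPFILE.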
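Review bot: the four ids.cgi hunks repeat the same `if (-e $IDS::ignored_file)` guard at every readhasharray call; a small helper in ids-functions.pl that reads the hash only when the file exists and otherwise returns an empty hash keeps the call sites consistent and spares the next caller from forgetting the check.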
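Review bot: the show_mainpage hunk in ids.cgi also changes the path from `"$IDS::settingsdir/ignored"` to `$IDS::ignored_file`; if both resolve to the same file this is a welcome cleanup, but it is a change beyond what the commit message describes and should be mentioned there.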
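Review bot: in the hw_restore_backup hunk of src/installer/hw.c, the snprintf return value is not checked; the command now carries three copies of `destination` plus two long option strings, and a silent truncation at STRING_SIZE would hand mysystem a mangled tar invocation. Check `rc < 0 || rc >= sizeof(command)` on the snprintf result and fail before running it. As in backup.pl, tar treats a missing `--exclude-from` file as fatal, so `exclude.user` must exist under `destination` before this runs; and the unquoted `%s` substitutions, while pre-existing, matter more now that `backup_path` comes from a filesystem search.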
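Review bot: in the update-ids-ruleset hunk that sets `$locked = "1";`, the comment reads "locket" (typo), and a plain numeric `1` is enough for a flag that is only ever tested for truth.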
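Review bot: the hunk that drops the explicit `&IDS::unlock_ids_page();` means the lock is now held through the suricatactrl reload and until END runs; that is probably what you want (nobody edits the page mid-reload) but it is a behaviour change worth a sentence in the commit message.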
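Review bot: the END block releases the lock on normal exit and on `die`, which is the point of the change, but not when the script is killed by a signal such as SIGTERM, which is one of the "some situations" the commit message describes; a handler that turns the signal into `exit` (so END still runs), or having lock_ids_page record the PID so a stale lock can be detected, would close that gap.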
hooks/post-receive -- IPFire 2.x development tree