This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via d3a520fa68d2d0198ddca827a96a4e2cbb595d8a (commit) via 7970d3937287171035336bd63ee28d0cd1c82d62 (commit) via 41d3d33dde1312d6e1556d3279d9c09d925b7452 (commit) from a84b9ed2feb926681ad94273d8c2efc5d7b71b4f (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit d3a520fa68d2d0198ddca827a96a4e2cbb595d8a Author: Peter Müller peter.mueller@ipfire.org Date: Tue Apr 4 20:04:11 2023 +0000
Revert "e2fsprogs: Update to version 1.47.0"
This reverts commit 1f3f26702144ef600eb7937c4ab78e4833e6636f.
Symlink will remain in place to ensure the reverted version is always shipped to our users, including those that have installed Core Update 174 (testing).
Fixes: #13073 Reported-by: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 7970d3937287171035336bd63ee28d0cd1c82d62 Author: Peter Müller peter.mueller@ipfire.org Date: Tue Apr 4 20:02:58 2023 +0000
Core Update 174: Ship ipblocklist-related changes
https://wiki.ipfire.org/devel/telco/2023-04-03
Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 41d3d33dde1312d6e1556d3279d9c09d925b7452 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Mar 28 18:05:42 2023 +0200
update-ipblocklists: Fix loading new blocklists after update
* The script needs to run with root permissions in order to do the ipset operations. So remove code to drop the permissions on startup.
* Adjust execute calls to use the proper functions from general functions.
* Add some code to set the correct ownership (nobody:nobody) for changed files during script runtime.
Fixes #13072.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/cfgroot/ipblocklist-functions.pl | 27 +++++++++++++++++++++++++++ config/rootfiles/core/174/filelists/files | 2 ++ config/rootfiles/core/174/update.sh | 3 +++ lfs/e2fsprogs | 4 ++-- src/scripts/update-ipblocklists | 28 ++++++++++++---------------- 5 files changed, 46 insertions(+), 18 deletions(-)
Difference in files:
diff --git a/config/cfgroot/ipblocklist-functions.pl b/config/cfgroot/ipblocklist-functions.pl
index ecabf42e8..bd026a01d 100644
--- a/config/cfgroot/ipblocklist-functions.pl
+++ b/config/cfgroot/ipblocklist-functions.pl
@@ -383,4 +383,31 @@ sub get_holdoff_rate($) {
return $value;
}
+#
+## sub set_ownership(file)
+##
+## Function to set the correct ownership (nobody:nobody) to a given file.
+##
+#
+sub set_ownership($) {
+ my ($file) = @_;
+
+ # User and group of the WUI.
+ my $uname = "nobody";
+ my $grname = "nobody";
+
+ # The chown function implemented in perl requies the user and group as nummeric id's.
+ my $uid = getpwnam($uname);
+ my $gid = getgrnam($grname);
+
+ # Check if the given file exists.
+ unless ($file) {
+ # Stop the script and print error message.
+ die "The given $file does not exist. Cannot change the ownership!\n";
+ }
+
+ # Change ownership of the file.
+ chown($uid, $gid, "$file");
+}
+
1;
diff --git a/config/rootfiles/core/174/filelists/files b/config/rootfiles/core/174/filelists/files
index 8b7058f81..1854e1aa2 100644
--- a/config/rootfiles/core/174/filelists/files
+++ b/config/rootfiles/core/174/filelists/files
@@ -92,7 +92,9 @@ srv/web/ipfire/cgi-bin/proxy.cgi
srv/web/ipfire/cgi-bin/traffic.cgi
srv/web/ipfire/cgi-bin/updatexlrator.cgi
usr/lib/firewall/rules.pl
+usr/local/bin/update-ipblocklists
var/ipfire/graphs.pl
var/ipfire/header.pl
var/ipfire/ids-functions.pl
+var/ipfire/ipblocklist-functions.pl
var/ipfire/network-functions.pl
diff --git a/config/rootfiles/core/174/update.sh b/config/rootfiles/core/174/update.sh
index 7acaad64e..25474a7b2 100644
--- a/config/rootfiles/core/174/update.sh
+++ b/config/rootfiles/core/174/update.sh
@@ -184,6 +184,9 @@ if [ -e "/opt/pakfire/db/installed/meta-perl-TimeDate" ] && [ -e "/opt/pakfire/d
/opt/pakfire/db/rootfiles/perl-TimeDate
fi
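Review bot: The guard `unless ($file)` in set_ownership only tests that the argument is a non-empty, true string; it does not test that the file exists, which is what its comment and the die message claim, so `unless (-e $file)` is the check that matches. The result of `chown` is only returned implicitly and the ids from `getpwnam`/`getgrnam` are never checked with `defined`, so an undefined id would numify to 0; returning the result explicitly, `return chown($uid, $gid, $file) == 1;`, lets callers log a failure. Because the caller in this commit now runs as root and Perl's chown follows symbolic links, it would also be prudent to refuse links with `-l $file` if the blocklist directory is writable by nobody, which this diff does not show.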
+# Update IP blocklists to resolve fallout of #13072 as quickly as possible
+/usr/local/bin/update-location-database
+
# This update needs a reboot...
touch /var/run/need_reboot
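Review bot: The added comment says the IP blocklists are updated, but the command under it is `/usr/local/bin/update-location-database`, while the script this Core Update ships in its file list is `usr/local/bin/update-ipblocklists`. If refreshing the blocklists is the intent, the line should read `/usr/local/bin/update-ipblocklists`; as written, the fallout of #13072 would presumably stay until the next scheduled run. The exit status of the call is also not examined, so a failed refresh during the update would pass silently.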
diff --git a/lfs/e2fsprogs b/lfs/e2fsprogs
index 8db1c215c..4758b5401 100644
--- a/lfs/e2fsprogs
+++ b/lfs/e2fsprogs
@@ -24,7 +24,7 @@
include Config
-VER = 1.47.0
+VER = 1.46.5
THISAPP = e2fsprogs-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 84f58b05a9f0e14e1a66c6e5171ff23b022f51c4e9a02d4d6d1d26c91909f3c7ec9c9f0462663a4457b4479043774502b8891f691e58a61f4ef6bf9ba33f33aa
+$(DL_FILE)_BLAKE2 = 8d8c02e891c464782a7cff518c41d793fc73366b57e17d80ffc5afd96e6144e354290e667e9710509a9dde4e5dab7e7185c5bf084c5bfd26219f05e5e92e0830
install : $(TARGET)
diff --git a/src/scripts/update-ipblocklists b/src/scripts/update-ipblocklists
index 9918cac41..a17b47999 100644
--- a/src/scripts/update-ipblocklists
+++ b/src/scripts/update-ipblocklists
@@ -32,19 +32,6 @@ require "${General::swroot}/lang.pl";
# Hash to store the settings.
my %settings = ();
-# The user and group name as which this script should be run.
-my $run_as = 'nobody';
-
-# Get user and group id of the user.
-my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
-
-# Check if the script currently runs as root.
-if ( $> == 0 ) {
- # Drop privileges and switch to the specified user and group.
- POSIX::setgid( $gid );
- POSIX::setuid( $uid );
-}
-
# Establish the connection to the syslog service.
openlog('ipblocklist', 'cons', 'user');
@@ -122,6 +109,12 @@ foreach my $blocklist (@blocklists) {
&_log_to_syslog("<ERROR> Could not update $blocklist blocklist - Unexpected error!");
}
} else {
+ # Get the filename of the blocklist.
+ my $ipset_db_file = &IPblocklist::get_ipset_db_file($blocklist);
+
+ # Set the correct ownership.
+ &IPblocklist::set_ownership($ipset_db_file);
+
# Log successfull update.
&_log_to_syslog("<INFO> Successfully updated $blocklist blocklist.");
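Review bot: The new `&IPblocklist::set_ownership($ipset_db_file);` call in the success branch has no failure path, while every other outcome in this loop is written to syslog. With the privilege drop removed earlier in this commit, the download and the file write now run as root, so this chown is the only step that hands the file back to nobody, and a silent failure leaves it owned by root. Logging the result would make that visible, e.g. `&IPblocklist::set_ownership($ipset_db_file) or &_log_to_syslog("<ERROR> Could not set ownership of $ipset_db_file!");`, which relies on set_ownership returning the value of chown. Running the whole updater as root also widens what a malformed or hostile blocklist response can reach, so keeping root to the ipset calls alone would be the narrower design. The foreach body begins and ends outside this hunk.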
@@ -132,22 +125,25 @@ foreach my $blocklist (@blocklists) {
# Check if a blocklist has been updated and therefore needs to be reloaded.
if (@updated_blocklists) {
+ # Set correct ownership to the modified file.
+ &IPblocklist::set_ownership($IPblocklist::modified_file);
+
# Loop through the array.
foreach my $updated_blocklist (@updated_blocklists) {
# Get the blocklist file.
my $ipset_db_file = &IPblocklist::get_ipset_db_file($updated_blocklist);
# Call safe system function to reload/update the blocklist.
- &General::system("ipset", "restore", "-f", "$ipset_db_file");
+ &General::safe_system("ipset", "restore", "-f", "$ipset_db_file");
# The set name contains a "v4" as suffix.
my $set_name = "$updated_blocklist" . "v4";
# Swap the sets to use the new one.
- &General::system("ipset", "swap", "$set_name", "$updated_blocklist");
+ &General::safe_system("ipset", "swap", "$set_name", "$updated_blocklist");
# Destroy the old blocklist.
- &General::system("ipset", "destroy", "$set_name");
+ &General::safe_system("ipset", "destroy", "$set_name");
}
}
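Review bot: The three `&General::safe_system("ipset", ...)` calls run back to back with their results discarded, so a failed `restore` is still followed by `swap` and `destroy`, and nothing is logged for a blocklist that was downloaded but never loaded. If safe_system returns the command's exit status (its definition is not part of this diff), the restore could be guarded with `if (&General::safe_system("ipset", "restore", "-f", "$ipset_db_file")) { &_log_to_syslog("<ERROR> Could not load $updated_blocklist blocklist!"); next; }`. The hunk starts inside the `foreach my $blocklist` loop, whose beginning is not shown.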
hooks/post-receive -- IPFire 2.x development tree