This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 81fba4196118d18441c6f495694e5527dc89c11e (commit) via 51128aa36df6c84f296b7fa8785341e31d700e95 (commit) via cd1f7722dccb681884e8595e23b4c3cfaba5d0fd (commit) via f2ccb35fa4b233da3e25b43c7464b2a202a9a1fc (commit) via 50ba8b2e80459444c1973d0f904c3349741f765e (commit) via d035499c08ca8404127d49c710176f83a2da032b (commit) via 4dfde0c08817e740eff09e8ffb59a2a419794204 (commit) via 07bf7d14d66dac4192f9e5c8f3021e326bf6f82e (commit) via 9cb1dc19e8d3c108687fe06592f826d4b658949d (commit) via 60259fe135072d48c4ea34ad70f0640fd31bdc96 (commit) via 859100c5c0708ff9aed1da2802afb18540482a65 (commit) via ef929318f6c45e2e3d0964c564ebcaf8f9df5a4e (commit) via e47f7a600edbfbcf318f4a06ce54341f4fa6febc (commit) via 6769d909306d7bdc43d64598872126fcf1b217f6 (commit) via c8874ee0128f4b6ddf0328aff0956f2b5b372e46 (commit) via e621c85c71d274b47302f468eb3bb31e0b13d590 (commit) via becfea1d380951c261529f6a2cb66dc17856a34d (commit) via b59bb1201aefc2803cb9e655937f2c88e8d73667 (commit) via 09a2001d49c185e8b803c9aa2d6887da31e7eb6d (commit) via e4c3bcc7eed6e25feec39e94f96b83f61b2834ae (commit) via 92c6c8d11db5cb228d4e47e79b1f8753b623cc34 (commit) via fdfea3d39b075dd8f6ebfa9b3dd50cccd50b527c (commit) via 83e5f672564a2fc91bb9e9492d227eaff70d8ba9 (commit) via 7bb9bbb7327497c9599abf50d7732ca4602fa429 (commit) from bb0e8def7768e75132d13672bc520b3eea7ca67c (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 81fba4196118d18441c6f495694e5527dc89c11e Author: Adolf Belka adolf.belka@ipfire.org Date: Mon May 17 14:29:44 2021 +0200
elfutils: Update to 0.184
- Update from 0.183 to 0.184
- Update rootfiles
- Changelog
    2021-05-10 Mark Wielaard mark@klomp.org
      * configure.ac (AC_INIT): Set version to 0.184.
      * NEWS: Add libdw, translation and debuginfod-client entries.
    2021-03-30 Frank Ch. Eigler fche@redhat.com
      * configure.ac: Look for pthread_setname_np.
    2021-02-17 Timm Bäder tbaeder@redhat.com
      * configure.ac: Add -Wno-packed-not-aligned check.
    2021-02-17 Timm Bäder tbaeder@redhat.com
      * configure.ac: Add -Wtrampolines check.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 51128aa36df6c84f296b7fa8785341e31d700e95 Author: Adolf Belka adolf.belka@ipfire.org Date: Mon May 17 14:30:32 2021 +0200
gdb: Update to 10.2
- Update from 10.1 to 10.2
- Update rootfiles
- Changelog
    GDB 10.2 brings the following fixes and enhancements over GDB 10.1:
    * PR remote/26614 (AddressSanitizer: heap-use-after-free of extended_remote_target in remote_async_inferior_event_handler)
    * PR gdb/26828 (SIGSEGV in follow_die_offset dwarf2/read.c:22950)
    * PR gdb/26861 (internal-error: void target_mourn_inferior(ptid_t): Assertion `ptid == inferior_ptid' failed. OS: Mac OSX Catalina; Compiler: GCC; Language: C)
    * PR gdb/26876 (gdb error: internal-error: Unknown CFA rule when debugging the linux kernel with qemu)
    * PR breakpoints/26881 (infrun.c:6384: internal-error: void process_event_stop_test(execution_control_state*): Assertion `ecs->event_thread->control.exception_resume_breakpoint != NULL' failed)
    * PR gdb/26901 (Array subscript fails with flexible array member without size)
    * PR tui/26973 (gdb crashes when not including the status window in a new layout)
    * PR python/26974 (Wrong Value.format_string docu for static members argument)
    * PR breakpoints/27009 ([s390] GDB branches randomly for BC instruction while displaced stepping)
    * PR tdep/27015 (ARC: "eret" value is collected from the wrong data in register cache)
    * PR backtrace/27147 ([GNU/Linux, sparc64] GDB is unable to print full stack trace (got "previous frame inner to this frame" errors))
    * PR rust/27194 (put rust demangler on 10.x branch)
    * PR threads/27239 (gdb/cp-support.c:1619:(.text+0x5502): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `TLS init function for thread_local_segv_handler')
    * PR breakpoints/27330 (nextoverthrow.exp FAILs on arm-none-eabi)
    * PR symtab/27333 ([dwarf-5] abort on unhandled DW_TAG_type_unit in process_psymtab_comp_unit)
    * PR fortran/27341 ([dwarf-5] FAIL: gdb.fortran/function-calls.exp: p derived_types_and_module_calls::pass_cart_nd(c_nd))
    * PR tdep/27369 (ARC: Stepping over atomic instruction sequences loops infinitely)
    * PR build/27385 (Cannot compile arc.c with gcc-4.8 (error: no matching function for call to 'std::pair...'))
    * PR gdb/27435 (Attach on solaris segfaults GDB)
    * PR build/27535 (amd64-linux-siginfo.c fails to compile after updating to glibc-2.33 headers)
    * PR build/27536 (aarch64-linux-hw-point.c fails to compile after updating to glibc-2.33)
    * PR symtab/27541 (gdb crashes on "file -readnow")
    * PR gdb/27750 (local variables have wrong address and values on sparc64)
    * PR varobj/27757 (-var-list-children coredump)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cd1f7722dccb681884e8595e23b4c3cfaba5d0fd Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:07:52 2021 +0200
Core Update 157: Apply changed permissions to /srv/web/ipfire/cgi-bin/cachemgr.cgi
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f2ccb35fa4b233da3e25b43c7464b2a202a9a1fc Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:07:32 2021 +0200
Squid: cachemgr.cgi does not have to be owned (hence writeable) by nobody
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 50ba8b2e80459444c1973d0f904c3349741f765e Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:07:11 2021 +0200
nagios-plugins: Prevent Nagios plugins from being owned by nobody
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d035499c08ca8404127d49c710176f83a2da032b Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:06:50 2021 +0200
NRPE: Prevent NRPE binary from being owned by "nobody"
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4dfde0c08817e740eff09e8ffb59a2a419794204 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:06:32 2021 +0200
Core Update 157: Remove executable bit less ugly
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 07bf7d14d66dac4192f9e5c8f3021e326bf6f82e Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:06:12 2021 +0200
Core Update 157: Apply changed permissions to /var/ipfire/ovpn/ovpn-leases.db
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9cb1dc19e8d3c108687fe06592f826d4b658949d Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:05:49 2021 +0200
OpenVPN: ovpn-leases.db for sure does not have to be executable
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 60259fe135072d48c4ea34ad70f0640fd31bdc96 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:05:26 2021 +0200
Core Update 157: Apply changed permissions to /var/ipfire/updatexlrator/bin/
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 859100c5c0708ff9aed1da2802afb18540482a65 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:05:07 2021 +0200
Squid: Prevent binaries within /var/ipfire/updatexlrator/bin/ from being owned by nobody
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ef929318f6c45e2e3d0964c564ebcaf8f9df5a4e Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:04:41 2021 +0200
Core Update 157: Apply changed permissions to /var/ipfire/urlfilter/bin/
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e47f7a600edbfbcf318f4a06ce54341f4fa6febc Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:04:23 2021 +0200
SquidGuard: Prevent binaries within /var/ipfire/urlfilter/bin/ from being owned by nobody
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6769d909306d7bdc43d64598872126fcf1b217f6 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:04:00 2021 +0200
backup: prevent /var/ipfire/backup/bin/backup.pl from being owned by nobody
This is dangerous as nobody could write arbitrary contents to this file and execute it afterwards.
Partially fixes: #12619
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c8874ee0128f4b6ddf0328aff0956f2b5b372e46 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:03:36 2021 +0200
Core Update 157: Ship changed iputils due to /usr/bin/ping changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e621c85c71d274b47302f468eb3bb31e0b13d590 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:03:13 2021 +0200
Core Update 157: /var/ipfire/fwhosts/icmp-types does not have to be executable
See commit 183ccaa5a5c95f4cb2b639360f3c1465567577e9.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit becfea1d380951c261529f6a2cb66dc17856a34d Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:02:56 2021 +0200
Core Update 157: Delete orphaned DMA mail box creation binary as well
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b59bb1201aefc2803cb9e655937f2c88e8d73667 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:02:36 2021 +0200
DMA: do not ship a binary for creating mail boxes
This is only needed in case of bounces generated by locally emitted messages. We neither store these, nor do we create mail boxes on a firewall. Safe to drop.
Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 09a2001d49c185e8b803c9aa2d6887da31e7eb6d Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:02:20 2021 +0200
Core Update 157: Delete ssh-keysign binary
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e4c3bcc7eed6e25feec39e94f96b83f61b2834ae Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:01:54 2021 +0200
/usr/bin/ping does not need a SUID bit if appropriate capabilities are set
Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 92c6c8d11db5cb228d4e47e79b1f8753b623cc34 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:01:34 2021 +0200
Core Update 157: remove SUID bit from /usr/bin/gpg
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fdfea3d39b075dd8f6ebfa9b3dd50cccd50b527c Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 17 21:00:33 2021 +0200
GnuPG does not need to have a SUID bit set
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 83e5f672564a2fc91bb9e9492d227eaff70d8ba9 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon May 17 15:33:13 2021 +0000
unbound-dhcp-leases-bridge: Fix exception when running without debug
Fixes: https://bugzilla.ipfire.org/show_bug.cgi?id=12622 Fixes: #12622 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7bb9bbb7327497c9599abf50d7732ca4602fa429 Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 16 22:48:58 2021 +0200
OpenSSH: do not ship ssh-keysign anymore
To my surprise, this binary comes with suid flag set, and since we do not have SSH key signing enabled, there is no need to ship it with IPFire.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/dma                        |  2 +-
 config/rootfiles/common/gdb                        |  1 +
 config/rootfiles/common/openssh                    |  2 +-
 .../{oldcore/104 => core/157}/filelists/iputils    |  0
 config/rootfiles/core/157/update.sh                | 18 ++++++++++++++++++
 config/rootfiles/packages/elfutils                 |  6 +++---
 config/unbound/unbound-dhcp-leases-bridge          | 13 +++++++------
 lfs/backup                                         |  7 ++++---
 lfs/elfutils                                       |  6 +++---
 lfs/gdb                                            |  4 ++--
 lfs/gnupg                                          |  4 ++--
 lfs/iputils                                        |  7 +++++--
 lfs/nagios-plugins                                 |  8 ++++++--
 lfs/nagios_nrpe                                    |  7 +++++--
 lfs/openvpn                                        |  4 ++--
 lfs/squid                                          |  5 +++--
 lfs/squidguard                                     |  3 ++-
 17 files changed, 65 insertions(+), 32 deletions(-)
 copy config/rootfiles/{oldcore/104 => core/157}/filelists/iputils (100%)
Difference in files: diff --git a/config/rootfiles/common/dma b/config/rootfiles/common/dma index e98e67415..79cad8ece 100644 --- a/config/rootfiles/common/dma +++ b/config/rootfiles/common/dma @@ -1,5 +1,5 @@ etc/alternatives/sendmail -usr/lib/dma-mbox-create +#usr/lib/dma-mbox-create usr/sbin/dma usr/sbin/dma-cleanup-spool usr/sbin/mailq diff --git a/config/rootfiles/common/gdb b/config/rootfiles/common/gdb index 0bb907f5e..d2be68c3e 100644 --- a/config/rootfiles/common/gdb +++ b/config/rootfiles/common/gdb @@ -5,6 +5,7 @@ #usr/include/gdb #usr/include/gdb/jit-reader.h #usr/lib/libinproctrace.so +#usr/share/gdb #usr/share/gdb/python #usr/share/gdb/python/gdb #usr/share/gdb/python/gdb/FrameDecorator.py diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh index f2f8ea6c5..c3666d914 100644 --- a/config/rootfiles/common/openssh +++ b/config/rootfiles/common/openssh @@ -19,7 +19,7 @@ usr/bin/ssh-keygen usr/bin/ssh-keyscan #usr/lib/openssh usr/lib/openssh/sftp-server -usr/lib/openssh/ssh-keysign +#usr/lib/openssh/ssh-keysign usr/lib/openssh/ssh-pkcs11-helper usr/lib/openssh/ssh-sk-helper usr/sbin/sshd diff --git a/config/rootfiles/core/157/filelists/iputils b/config/rootfiles/core/157/filelists/iputils new file mode 120000 index 000000000..361c28f71 --- /dev/null +++ b/config/rootfiles/core/157/filelists/iputils @@ -0,0 +1 @@ +../../../common/iputils \ No newline at end of file diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh index 09b8d8968..ce7b6f5bf 100644 --- a/config/rootfiles/core/157/update.sh +++ b/config/rootfiles/core/157/update.sh @@ -103,6 +103,24 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup
+# Fix file permissions changed +chmod -s /usr/bin/gpg +chmod -x \ + /var/ipfire/fwhosts/icmp-types \ + /var/ipfire/ovpn/ovpn-leases.db + +chown -R root:root \ + /var/ipfire/updatexlrator/bin \ + /var/ipfire/urlfilter/bin + +chown root:root \ + /srv/web/ipfire/cgi-bin/cachemgr.cgi + +# Delete scrubbed files +rm -f \ + /usr/lib/dma-mbox-create \ + /usr/lib/openssh/ssh-keysign + # Start services /etc/init.d/sshd restart /etc/init.d/apache restart diff --git a/config/rootfiles/packages/elfutils b/config/rootfiles/packages/elfutils index adf4808ab..c96267c26 100644 --- a/config/rootfiles/packages/elfutils +++ b/config/rootfiles/packages/elfutils @@ -27,15 +27,15 @@ usr/bin/eu-unstrip #usr/include/gelf.h #usr/include/libelf.h #usr/include/nlist.h -usr/lib/libasm-0.183.so +usr/lib/libasm-0.184.so #usr/lib/libasm.a #usr/lib/libasm.so usr/lib/libasm.so.1 -usr/lib/libdw-0.183.so +usr/lib/libdw-0.184.so #usr/lib/libdw.a #usr/lib/libdw.so usr/lib/libdw.so.1 -usr/lib/libelf-0.183.so +usr/lib/libelf-0.184.so #usr/lib/libelf.a #usr/lib/libelf.so usr/lib/libelf.so.1 diff --git a/config/unbound/unbound-dhcp-leases-bridge b/config/unbound/unbound-dhcp-leases-bridge index 6f2b7ff35..a2df5f101 100644 --- a/config/unbound/unbound-dhcp-leases-bridge +++ b/config/unbound/unbound-dhcp-leases-bridge @@ -571,12 +571,13 @@ if __name__ == "__main__": args = parser.parse_args()
# Setup logging - if args.verbose == 1: - loglevel = logging.INFO - elif args.verbose >= 2: - loglevel = logging.DEBUG - else: - loglevel = logging.WARN + loglevel = logging.WARN + + if args.verbose: + if args.verbose == 1: + loglevel = logging.INFO + elif args.verbose >= 2: + loglevel = logging.DEBUG
setup_logging(loglevel)
diff --git a/lfs/backup b/lfs/backup index 791d87adb..9d3e05735 100644 --- a/lfs/backup +++ b/lfs/backup @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -30,7 +30,7 @@ THISAPP = backup-$(VER) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = backup -PAK_VER = 1 +PAK_VER = 2
DEPS =
@@ -56,10 +56,11 @@ dist: $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) -mkdir -p /var/ipfire/backup/bin - install -v -m 755 $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin + install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ chown nobody:nobody -R /var/ipfire/backup/ + chown root:root -R /var/ipfire/backup/bin/ -mkdir -p /var/ipfire/backup/addons -mkdir -p /var/ipfire/backup/addons/includes -mkdir -p /var/ipfire/backup/addons/backup diff --git a/lfs/elfutils b/lfs/elfutils index c2d9a3331..8c86c3b76 100644 --- a/lfs/elfutils +++ b/lfs/elfutils @@ -24,7 +24,7 @@
include Config
-VER = 0.183 +VER = 0.184
THISAPP = elfutils-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = elfutils -PAK_VER = 4 +PAK_VER = 5
DEPS =
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 6f58aa1b9af1a5681b1cbf63e0da2d67 +$(DL_FILE)_MD5 = 9e5af45255ff7dc413de073da2ceff04
install : $(TARGET)
diff --git a/lfs/gdb b/lfs/gdb index 88ce5d34e..cdbebadbd 100644 --- a/lfs/gdb +++ b/lfs/gdb @@ -24,7 +24,7 @@
include Config
-VER = 10.1 +VER = 10.2
THISAPP = gdb-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 1822a7dd45e7813f4408407eec1a6af1 +$(DL_FILE)_MD5 = c044b7146903ec51c9d2337a29aee93b
install : $(TARGET)
diff --git a/lfs/gnupg b/lfs/gnupg index f94948fe9..624855686 100644 --- a/lfs/gnupg +++ b/lfs/gnupg @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -77,6 +77,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && ./configure --prefix=/usr --libexecdir=/usr/lib --disable-nls cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - chmod -v 4755 /usr/bin/gpg + chmod -v 755 /usr/bin/gpg @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/iputils b/lfs/iputils index b1e2e2216..ae692df7a 100644 --- a/lfs/iputils +++ b/lfs/iputils @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -71,9 +71,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && make ping tracepath - cd $(DIR_APP) && install -m 4755 ping /usr/bin + cd $(DIR_APP) && install -m 0755 ping /usr/bin cd $(DIR_APP) && install -m 0755 tracepath /usr/bin
+ # Allow execution of /usr/bin/ping by other users than "root" + setcap cap_net_raw+ep /usr/bin/ping + # Some scripts expect ping in /bin/ping. ln -svf ../usr/bin/ping /bin/ping
diff --git a/lfs/nagios-plugins b/lfs/nagios-plugins index ad081d5f6..d35a94bbe 100644 --- a/lfs/nagios-plugins +++ b/lfs/nagios-plugins @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nagios-plugins -PAK_VER = 4 +PAK_VER = 5
DEPS =
@@ -88,4 +88,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP) + + # Prevent Nagios plugins from being owned (and hence writeable) by "nobody" + chown root:root -R /usr/lib/nagios/plugins + @$(POSTBUILD) diff --git a/lfs/nagios_nrpe b/lfs/nagios_nrpe index a8b4b3676..260bcc810 100644 --- a/lfs/nagios_nrpe +++ b/lfs/nagios_nrpe @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nagios_nrpe -PAK_VER = 8 +PAK_VER = 9
DEPS = nagios-plugins
@@ -99,5 +99,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) install -v -m 644 ${DIR_SRC}/config/backup/includes/nagios_nrpe \ /var/ipfire/backup/addons/includes/nagios_nrpe
+ # Prevent NRPE binary from being owned by "nobody" + chown root:root /usr/lib/nagios/check_nrpe + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/openvpn b/lfs/openvpn index b026d515b..81ccc52bf 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -89,7 +89,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -mkdir -vp /var/ipfire/ovpn/n2nconf -mkdir -vp /var/ipfire/ovpn/scripts touch /var/ipfire/ovpn/ovpn-leases.db - chmod 700 /var/ipfire/ovpn/ovpn-leases.db + chmod 600 /var/ipfire/ovpn/ovpn-leases.db chown -R root:root /var/ipfire/ovpn/scripts chown -R nobody:nobody /var/ipfire/ovpn chmod 700 /var/ipfire/ovpn/certs diff --git a/lfs/squid b/lfs/squid index 33cb95ba1..38675f3f3 100644 --- a/lfs/squid +++ b/lfs/squid @@ -149,7 +149,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown -R squid:squid /var/log/squid /var/log/cache /var/log/updatexlrator
cp /usr/lib/squid/cachemgr.cgi /srv/web/ipfire/cgi-bin/cachemgr.cgi - chown nobody.nobody /srv/web/ipfire/cgi-bin/cachemgr.cgi + chown root:root /srv/web/ipfire/cgi-bin/cachemgr.cgi
cp -f $(DIR_SRC)/config/updxlrator/updxlrator /usr/sbin/updxlrator cp -f $(DIR_SRC)/config/updxlrator/checkup /var/ipfire/updatexlrator/bin/checkup @@ -171,6 +171,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -fs /bin/false /var/ipfire/updatexlrator/autocheck/cron.weekly
chown -R nobody:nobody /var/ipfire/updatexlrator + chown -R root:root /var/ipfire/updatexlrator/bin chown nobody.squid /var/updatecache chown nobody.squid /var/updatecache/download chown nobody.squid /var/updatecache/metadata @@ -186,7 +187,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown nobody.nobody /srv/web/ipfire/html/proxy.pac ln -sf /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/html/wpad.dat
- #Copy stylesheets for the errorpages + # Copy stylesheets for the errorpages cp -f $(DIR_SRC)/config/proxy/errorpage-ipfire.css /var/ipfire/proxy/ cp -f /etc/squid/errorpage.css /var/ipfire/proxy/errorpage-squid.css
diff --git a/lfs/squidguard b/lfs/squidguard index eb13c41dd..d5eb30377 100644 --- a/lfs/squidguard +++ b/lfs/squidguard @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -113,6 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /usr/bin/perl $(DIR_CONF)/urlfilter/makeconf.pl touch /var/ipfire/urlfilter/settings chown -R nobody:nobody /var/ipfire/urlfilter + chown -R root:root /var/ipfire/urlfilter/bin chmod 755 /srv/web/ipfire/html/images/urlfilter chmod 644 /srv/web/ipfire/html/images/urlfilter/* chown -R nobody:nobody /var/urlrepo
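Review bot: in the config/rootfiles/core/157/update.sh hunk, the "Fix file permissions changed" block resets ownership on /var/ipfire/updatexlrator/bin, /var/ipfire/urlfilter/bin and cachemgr.cgi, but not on /var/ipfire/backup/bin, which lfs/backup in this same push now installs as root:root. Unless backup.pl reaches existing systems by another route, upgraded installations keep a backup.pl owned by nobody, which is exactly the state commit 6769d909 describes as dangerous. Suggest adding /var/ipfire/backup/bin to the `chown -R root:root` list.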
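Review bot: in the config/unbound/unbound-dhcp-leases-bridge hunk, the new `if args.verbose:` guard carries no comment saying which value it protects against. A one-line comment (presumably args.verbose being None when the flag is not given, which is an assumption since the argparse definition is outside the hunk) would keep the guard from being simplified away later. Inside the guard the value is already truthy, so `elif args.verbose >= 2:` could be a plain `else:`.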
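Review bot: in the lfs/backup install hunk, `chown root:root -R /var/ipfire/backup/bin/` runs after `chown nobody:nobody -R /var/ipfire/backup/`, so the parent directory stays owned by nobody. The owner of a directory can rename or replace the entries in it, so root ownership of the files inside bin/ does not fully protect backup.pl. Consider keeping /var/ipfire/backup itself root-owned and handing nobody only the subdirectories it has to write to, or installing the script outside the nobody-owned tree. The same ordering appears in the lfs/squid hunk for /var/ipfire/updatexlrator/bin and in the lfs/squidguard hunk for /var/ipfire/urlfilter/bin. The added `-o root` on the install line is redundant next to the later chown.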
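Review bot: in the lfs/gdb hunk (and likewise lfs/elfutils), the only integrity pin visible for the new tarball is `$(DL_FILE)_MD5`. MD5 is not collision resistant, so it detects a corrupted download but is a weak guarantee that the archive is the one upstream released. Suggest checking the upstream signature or a SHA-2 digest when bumping the version and saying so in the commit message, since neither update commit records how the new archive was verified.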
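Review bot: in the lfs/iputils hunk, `setcap cap_net_raw+ep /usr/bin/ping` sets the capability only at build time, and nothing visible in this push re-applies it on the target: the update.sh hunk clears the SUID bit on gpg but has no setcap line for ping. File capabilities live in the security.capability extended attribute, so if the update archive does not preserve extended attributes, ping arrives as plain 0755 and stops working for non-root users. Suggest confirming that extended attributes survive packaging, or adding the setcap call to update.sh after the files are extracted.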
hooks/post-receive -- IPFire 2.x development tree