From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 81fba4196118d18441c6f495694e5527dc89c11e
Date: Mon, 17 May 2021 21:03:42 +0000
Message-ID: <4FkWnq258Wz2xhl@people01.haj.ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3439823072964214875=="

--===============3439823072964214875==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 81fba4196118d18441c6f495694e5527dc89c11e
Author: Adolf Belka
Date:   Mon May 17 14:29:44 2021 +0200

    elfutils: Update to 0.184

    - Update from 0.183 to 0.184
    - Update rootfiles
    - Changelog
       2021-05-10 Mark Wielaard
          * configure.ac (AC_INIT): Set version to 0.184.
          * NEWS: Add libdw, translation and debuginfod-client entries.
       2021-03-30 Frank Ch. Eigler
          * configure.ac: Look for pthread_setname_np.
       2021-02-17 Timm Bäder
          * configure.ac: Add -Wno-packed-not-aligned check.
       2021-02-17 Timm Bäder
          * configure.ac: Add -Wtrampolines check.

    Signed-off-by: Adolf Belka
    Reviewed-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 51128aa36df6c84f296b7fa8785341e31d700e95
Author: Adolf Belka
Date:   Mon May 17 14:30:32 2021 +0200

    gdb: Update to 10.2

    - Update from 10.1 to 10.2
    - Update rootfiles
    - Changelog
       GDB 10.2 brings the following fixes and enhancements over GDB 10.1:
        * PR remote/26614 (AddressSanitizer: heap-use-after-free of extended_remote_target in remote_async_inferior_event_handler)
        * PR gdb/26828 (SIGSEGV in follow_die_offset dwarf2/read.c:22950)
        * PR gdb/26861 (internal-error: void target_mourn_inferior(ptid_t): Assertion `ptid == inferior_ptid' failed. OS: Mac OSX Catalina; Compiler: GCC; Language: C)
        * PR gdb/26876 (gdb error: internal-error: Unknown CFA rule when debugging the linux kernel with qemu)
        * PR breakpoints/26881 (infrun.c:6384: internal-error: void process_event_stop_test(execution_control_state*): Assertion `ecs->event_thread->control.exception_resume_breakpoint != NULL' failed)
        * PR gdb/26901 (Array subscript fails with flexible array member without size)
        * PR tui/26973 (gdb crashes when not including the status window in a new layout)
        * PR python/26974 (Wrong Value.format_string docu for static members argument)
        * PR breakpoints/27009 ([s390] GDB branches randomly for BC instruction while displaced stepping)
        * PR tdep/27015 (ARC: "eret" value is collected from the wrong data in register cache)
        * PR backtrace/27147 ([GNU/Linux, sparc64] GDB is unable to print full stack trace (got "previous frame inner to this frame" errors))
        * PR rust/27194 (put rust demangler on 10.x branch)
        * PR threads/27239 (gdb/cp-support.c:1619:(.text+0x5502): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `TLS init function for thread_local_segv_handler')
        * PR breakpoints/27330 (nextoverthrow.exp FAILs on arm-none-eabi)
        * PR symtab/27333 ([dwarf-5] abort on unhandled DW_TAG_type_unit in process_psymtab_comp_unit)
        * PR fortran/27341 ([dwarf-5] FAIL: gdb.fortran/function-calls.exp: p derived_types_and_module_calls::pass_cart_nd(c_nd))
        * PR tdep/27369 (ARC: Stepping over atomic instruction sequences loops infinitely)
        * PR build/27385 (Cannot compile arc.c with gcc-4.8 (error: no matching function for call to 'std::pair...'))
        * PR gdb/27435 (Attach on solaris segfaults GDB)
        * PR build/27535 (amd64-linux-siginfo.c fails to compile after updating to glibc-2.33 headers)
        * PR build/27536 (aarch64-linux-hw-point.c fails to compile after updating to glibc-2.33)
        * PR symtab/27541 (gdb crashes on "file -readnow")
        * PR gdb/27750 (local variables have wrong address and values on sparc64)
        * PR varobj/27757 (-var-list-children coredump)

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit cd1f7722dccb681884e8595e23b4c3cfaba5d0fd
Author: Peter Müller
Date:   Mon May 17 21:07:52 2021 +0200

    Core Update 157: Apply changed permissions to /srv/web/ipfire/cgi-bin/cachemgr.cgi

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit f2ccb35fa4b233da3e25b43c7464b2a202a9a1fc
Author: Peter Müller
Date:   Mon May 17 21:07:32 2021 +0200

    Squid: cachemgr.cgi does not have to be owned (hence writeable) by nobody

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 50ba8b2e80459444c1973d0f904c3349741f765e
Author: Peter Müller
Date:   Mon May 17 21:07:11 2021 +0200

    nagios-plugins: Prevent Nagios plugins from being owned by nobody

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit d035499c08ca8404127d49c710176f83a2da032b
Author: Peter Müller
Date:   Mon May 17 21:06:50 2021 +0200

    NRPE: Prevent NRPE binary from being owned by "nobody"

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 4dfde0c08817e740eff09e8ffb59a2a419794204
Author: Peter Müller
Date:   Mon May 17 21:06:32 2021 +0200

    Core Update 157: Remove executable bit less ugly

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 07bf7d14d66dac4192f9e5c8f3021e326bf6f82e
Author: Peter Müller
Date:   Mon May 17 21:06:12 2021 +0200

    Core Update 157: Apply changed permissions to /var/ipfire/ovpn/ovpn-leases.db

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 9cb1dc19e8d3c108687fe06592f826d4b658949d
Author: Peter Müller
Date:   Mon May 17 21:05:49 2021 +0200

    OpenVPN: ovpn-leases.db for sure does not have to be executable

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 60259fe135072d48c4ea34ad70f0640fd31bdc96
Author: Peter Müller
Date:   Mon May 17 21:05:26 2021 +0200

    Core Update 157: Apply changed permissions to /var/ipfire/updatexlrator/bin/

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 859100c5c0708ff9aed1da2802afb18540482a65
Author: Peter Müller
Date:   Mon May 17 21:05:07 2021 +0200

    Squid: Prevent binaries within /var/ipfire/updatexlrator/bin/ from being owned by nobody

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit ef929318f6c45e2e3d0964c564ebcaf8f9df5a4e
Author: Peter Müller
Date:   Mon May 17 21:04:41 2021 +0200

    Core Update 157: Apply changed permissions to /var/ipfire/urlfilter/bin/

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit e47f7a600edbfbcf318f4a06ce54341f4fa6febc
Author: Peter Müller
Date:   Mon May 17 21:04:23 2021 +0200

    SquidGuard: Prevent binaries within /var/ipfire/urlfilter/bin/ from being owned by nobody

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 6769d909306d7bdc43d64598872126fcf1b217f6
Author: Peter Müller
Date:   Mon May 17 21:04:00 2021 +0200

    backup: prevent /var/ipfire/backup/bin/backup.pl from being owned by nobody

    This is dangerous as nobody could write arbitrary contents to this file
    and execute it afterwards.

    Partially fixes: #12619

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit c8874ee0128f4b6ddf0328aff0956f2b5b372e46
Author: Peter Müller
Date:   Mon May 17 21:03:36 2021 +0200

    Core Update 157: Ship changed iputils due to /usr/bin/ping changes

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit e621c85c71d274b47302f468eb3bb31e0b13d590
Author: Peter Müller
Date:   Mon May 17 21:03:13 2021 +0200

    Core Update 157: /var/ipfire/fwhosts/icmp-types does not have to be executable

    See commit 183ccaa5a5c95f4cb2b639360f3c1465567577e9.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit becfea1d380951c261529f6a2cb66dc17856a34d
Author: Peter Müller
Date:   Mon May 17 21:02:56 2021 +0200

    Core Update 157: Delete orphaned DMA mail box creation binary as well

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit b59bb1201aefc2803cb9e655937f2c88e8d73667
Author: Peter Müller
Date:   Mon May 17 21:02:36 2021 +0200

    DMA: do not ship a binary for creating mail boxes

    This is only needed in case of bounces generated by locally emitted
    messages. We neither store these, nor do we create mail boxes on a
    firewall. Safe to drop.

    Cc: Michael Tremer
    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 09a2001d49c185e8b803c9aa2d6887da31e7eb6d
Author: Peter Müller
Date:   Mon May 17 21:02:20 2021 +0200

    Core Update 157: Delete ssh-keysign binary

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit e4c3bcc7eed6e25feec39e94f96b83f61b2834ae
Author: Peter Müller
Date:   Mon May 17 21:01:54 2021 +0200

    /usr/bin/ping does not need a SUID bit if appropriate capabilities are set

    Cc: Michael Tremer
    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 92c6c8d11db5cb228d4e47e79b1f8753b623cc34
Author: Peter Müller
Date:   Mon May 17 21:01:34 2021 +0200

    Core Update 157: remove SUID bit from /usr/bin/gpg

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit fdfea3d39b075dd8f6ebfa9b3dd50cccd50b527c
Author: Peter Müller
Date:   Mon May 17 21:00:33 2021 +0200

    GnuPG does not need to have a SUID bit set

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 83e5f672564a2fc91bb9e9492d227eaff70d8ba9
Author: Michael Tremer
Date:   Mon May 17 15:33:13 2021 +0000

    unbound-dhcp-leases-bridge: Fix exception when running without debug

    Fixes: https://bugzilla.ipfire.org/show_bug.cgi?id=12622
    Fixes: #12622
    Signed-off-by: Michael Tremer

commit 7bb9bbb7327497c9599abf50d7732ca4602fa429
Author: Peter Müller
Date:   Sun May 16 22:48:58 2021 +0200

    OpenSSH: do not ship ssh-keysign anymore

    To my surprise, this binary comes with suid flag set, and since we do
    not have SSH key signing enabled, there is no need to ship it with
    IPFire.

    Signed-off-by: Peter Müller
    Reviewed-by: Adolf Belka
    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/common/dma                        |  2 +-
 config/rootfiles/common/gdb                        |  1 +
 config/rootfiles/common/openssh                    |  2 +-
 .../{oldcore/104 => core/157}/filelists/iputils    |  0
 config/rootfiles/core/157/update.sh                | 18 ++++++++++++++++++
 config/rootfiles/packages/elfutils                 |  6 +++---
 config/unbound/unbound-dhcp-leases-bridge          | 13 +++++++------
 lfs/backup                                         |  7 ++++---
 lfs/elfutils                                       |  6 +++---
 lfs/gdb                                            |  4 ++--
 lfs/gnupg                                          |  4 ++--
 lfs/iputils                                        |  7 +++++--
 lfs/nagios-plugins                                 |  8 ++++++--
 lfs/nagios_nrpe                                    |  7 +++++--
 lfs/openvpn                                        |  4 ++--
 lfs/squid                                          |  5 +++--
 lfs/squidguard                                     |  3 ++-
 17 files changed, 65 insertions(+), 32 deletions(-)
 copy config/rootfiles/{oldcore/104 => core/157}/filelists/iputils (100%)

Difference in files:
diff --git a/config/rootfiles/common/dma b/config/rootfiles/common/dma index e98e67415..79cad8ece 100644 --- a/config/rootfiles/common/dma +++ b/config/rootfiles/common/dma 
@@ -1,5 +1,5 @@ etc/alternatives/sendmail -usr/lib/dma-mbox-create +#usr/lib/dma-mbox-create usr/sbin/dma usr/sbin/dma-cleanup-spool usr/sbin/mailq diff --git a/config/rootfiles/common/gdb b/config/rootfiles/common/gdb index 0bb907f5e..d2be68c3e 100644 --- a/config/rootfiles/common/gdb +++ b/config/rootfiles/common/gdb @@ -5,6 +5,7 @@ #usr/include/gdb #usr/include/gdb/jit-reader.h #usr/lib/libinproctrace.so +#usr/share/gdb #usr/share/gdb/python #usr/share/gdb/python/gdb #usr/share/gdb/python/gdb/FrameDecorator.py diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh index f2f8ea6c5..c3666d914 100644 --- a/config/rootfiles/common/openssh +++ b/config/rootfiles/common/openssh @@ -19,7 +19,7 @@ usr/bin/ssh-keygen usr/bin/ssh-keyscan #usr/lib/openssh usr/lib/openssh/sftp-server -usr/lib/openssh/ssh-keysign +#usr/lib/openssh/ssh-keysign usr/lib/openssh/ssh-pkcs11-helper usr/lib/openssh/ssh-sk-helper usr/sbin/sshd diff --git a/config/rootfiles/core/157/filelists/iputils b/config/rootfiles/c= ore/157/filelists/iputils new file mode 120000 index 000000000..361c28f71 --- /dev/null +++ b/config/rootfiles/core/157/filelists/iputils @@ -0,0 +1 @@ +../../../common/iputils \ No newline at end of file diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/= update.sh index 09b8d8968..ce7b6f5bf 100644 --- a/config/rootfiles/core/157/update.sh +++ b/config/rootfiles/core/157/update.sh @@ -103,6 +103,24 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup =20 +# Fix file permissions changed +chmod -s /usr/bin/gpg +chmod -x \ + /var/ipfire/fwhosts/icmp-types \ + /var/ipfire/ovpn/ovpn-leases.db + +chown -R root:root \ + /var/ipfire/updatexlrator/bin \ + /var/ipfire/urlfilter/bin + +chown root:root \ + /srv/web/ipfire/cgi-bin/cachemgr.cgi + +# Delete scrubbed files +rm -f \ + /usr/lib/dma-mbox-create \ + /usr/lib/openssh/ssh-keysign + # Start services /etc/init.d/sshd restart /etc/init.d/apache restart 
diff --git a/config/rootfiles/packages/elfutils b/config/rootfiles/packages/e= lfutils index adf4808ab..c96267c26 100644 --- a/config/rootfiles/packages/elfutils +++ b/config/rootfiles/packages/elfutils @@ -27,15 +27,15 @@ usr/bin/eu-unstrip #usr/include/gelf.h #usr/include/libelf.h #usr/include/nlist.h -usr/lib/libasm-0.183.so +usr/lib/libasm-0.184.so #usr/lib/libasm.a #usr/lib/libasm.so usr/lib/libasm.so.1 -usr/lib/libdw-0.183.so +usr/lib/libdw-0.184.so #usr/lib/libdw.a #usr/lib/libdw.so usr/lib/libdw.so.1 -usr/lib/libelf-0.183.so +usr/lib/libelf-0.184.so #usr/lib/libelf.a #usr/lib/libelf.so usr/lib/libelf.so.1 diff --git a/config/unbound/unbound-dhcp-leases-bridge b/config/unbound/unbou= nd-dhcp-leases-bridge index 6f2b7ff35..a2df5f101 100644 --- a/config/unbound/unbound-dhcp-leases-bridge +++ b/config/unbound/unbound-dhcp-leases-bridge @@ -571,12 +571,13 @@ if __name__ =3D=3D "__main__": args =3D parser.parse_args() =20 # Setup logging - if args.verbose =3D=3D 1: - loglevel =3D logging.INFO - elif args.verbose >=3D 2: - loglevel =3D logging.DEBUG - else: - loglevel =3D logging.WARN + loglevel =3D logging.WARN + + if args.verbose: + if args.verbose =3D=3D 1: + loglevel =3D logging.INFO + elif args.verbose >=3D 2: + loglevel =3D logging.DEBUG =20 setup_logging(loglevel) =20 diff --git a/lfs/backup b/lfs/backup index 791d87adb..9d3e05735 100644 --- a/lfs/backup +++ b/lfs/backup @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2018 IPFire Team = # +# Copyright (C) 2007-2021 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -30,7 +30,7 @@ THISAPP =3D backup-$(VER) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D backup -PAK_VER =3D 1 +PAK_VER =3D 2 =20 DEPS =3D =20 
@@ -56,10 +56,11 @@ dist: $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) -mkdir -p /var/ipfire/backup/bin - install -v -m 755 $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin + install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/ba= ckup/bin install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ chown nobody:nobody -R /var/ipfire/backup/ + chown root:root -R /var/ipfire/backup/bin/ -mkdir -p /var/ipfire/backup/addons -mkdir -p /var/ipfire/backup/addons/includes -mkdir -p /var/ipfire/backup/addons/backup diff --git a/lfs/elfutils b/lfs/elfutils index c2d9a3331..8c86c3b76 100644 --- a/lfs/elfutils +++ b/lfs/elfutils @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 0.183 +VER =3D 0.184 =20 THISAPP =3D elfutils-$(VER) DL_FILE =3D $(THISAPP).tar.bz2 @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D elfutils -PAK_VER =3D 4 +PAK_VER =3D 5 =20 DEPS =3D =20 @@ -44,7 +44,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 6f58aa1b9af1a5681b1cbf63e0da2d67 +$(DL_FILE)_MD5 =3D 9e5af45255ff7dc413de073da2ceff04 =20 install : $(TARGET) =20 diff --git a/lfs/gdb b/lfs/gdb index 88ce5d34e..cdbebadbd 100644 --- a/lfs/gdb +++ b/lfs/gdb @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 10.1 +VER =3D 10.2 =20 THISAPP =3D gdb-$(VER) DL_FILE =3D $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 1822a7dd45e7813f4408407eec1a6af1 +$(DL_FILE)_MD5 =3D c044b7146903ec51c9d2337a29aee93b =20 install : $(TARGET) =20 diff --git a/lfs/gnupg b/lfs/gnupg index f94948fe9..624855686 100644 --- a/lfs/gnupg +++ b/lfs/gnupg 
@@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2018 IPFire Team = # +# Copyright (C) 2007-2021 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -77,6 +77,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && ./configure --prefix=3D/usr --libexecdir=3D/usr/lib --disa= ble-nls cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - chmod -v 4755 /usr/bin/gpg + chmod -v 755 /usr/bin/gpg @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/iputils b/lfs/iputils index b1e2e2216..ae692df7a 100644 --- a/lfs/iputils +++ b/lfs/iputils @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2018 IPFire Team = # +# Copyright (C) 2007-2021 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -71,9 +71,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && make ping tracepath - cd $(DIR_APP) && install -m 4755 ping /usr/bin + cd $(DIR_APP) && install -m 0755 ping /usr/bin cd $(DIR_APP) && install -m 0755 tracepath /usr/bin =20 + # Allow execution of /usr/bin/ping by other users than "root" + setcap cap_net_raw+ep /usr/bin/ping + # Some scripts expect ping in /bin/ping. ln -svf ../usr/bin/ping /bin/ping =20 diff --git a/lfs/nagios-plugins b/lfs/nagios-plugins index ad081d5f6..d35a94bbe 100644 --- a/lfs/nagios-plugins +++ b/lfs/nagios-plugins 
@@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2018 IPFire Team = # +# Copyright (C) 2007-2021 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D nagios-plugins -PAK_VER =3D 4 +PAK_VER =3D 5 =20 DEPS =3D =20 @@ -88,4 +88,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP) + + # Prevent Nagios plugins from being owned (and hence writeable) by "nobody" + chown root:root -R /usr/lib/nagios/plugins + @$(POSTBUILD) diff --git a/lfs/nagios_nrpe b/lfs/nagios_nrpe index a8b4b3676..260bcc810 100644 --- a/lfs/nagios_nrpe +++ b/lfs/nagios_nrpe @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2018 IPFire Team = # +# Copyright (C) 2007-2021 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D nagios_nrpe -PAK_VER =3D 8 +PAK_VER =3D 9 =20 DEPS =3D nagios-plugins =20 @@ -99,5 +99,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) install -v -m 644 ${DIR_SRC}/config/backup/includes/nagios_nrpe \ /var/ipfire/backup/addons/includes/nagios_nrpe =20 + # Prevent NRPE binary from being owned by "nobody" + chown root:root /usr/lib/nagios/check_nrpe + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/openvpn b/lfs/openvpn index b026d515b..81ccc52bf 100644 --- a/lfs/openvpn +++ b/lfs/openvpn 
@@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2020 IPFire Team = # +# Copyright (C) 2007-2021 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -89,7 +89,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -mkdir -vp /var/ipfire/ovpn/n2nconf -mkdir -vp /var/ipfire/ovpn/scripts touch /var/ipfire/ovpn/ovpn-leases.db - chmod 700 /var/ipfire/ovpn/ovpn-leases.db + chmod 600 /var/ipfire/ovpn/ovpn-leases.db chown -R root:root /var/ipfire/ovpn/scripts chown -R nobody:nobody /var/ipfire/ovpn chmod 700 /var/ipfire/ovpn/certs diff --git a/lfs/squid b/lfs/squid index 33cb95ba1..38675f3f3 100644 --- a/lfs/squid +++ b/lfs/squid @@ -149,7 +149,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown -R squid:squid /var/log/squid /var/log/cache /var/log/updatexlrator =20 cp /usr/lib/squid/cachemgr.cgi /srv/web/ipfire/cgi-bin/cachemgr.cgi - chown nobody.nobody /srv/web/ipfire/cgi-bin/cachemgr.cgi + chown root:root /srv/web/ipfire/cgi-bin/cachemgr.cgi =20 cp -f $(DIR_SRC)/config/updxlrator/updxlrator /usr/sbin/updxlrator cp -f $(DIR_SRC)/config/updxlrator/checkup /var/ipfire/updatexlrator/bin/ch= eckup @@ -171,6 +171,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -fs /bin/false /var/ipfire/updatexlrator/autocheck/cron.weekly =20 chown -R nobody:nobody /var/ipfire/updatexlrator + chown -R root:root /var/ipfire/updatexlrator/bin chown nobody.squid /var/updatecache chown nobody.squid /var/updatecache/download chown nobody.squid /var/updatecache/metadata 
@@ -186,7 +187,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown nobody.nobody /srv/web/ipfire/html/proxy.pac ln -sf /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/html/wpad.dat =20 - #Copy stylesheets for the errorpages + # Copy stylesheets for the errorpages cp -f $(DIR_SRC)/config/proxy/errorpage-ipfire.css /var/ipfire/proxy/ cp -f /etc/squid/errorpage.css /var/ipfire/proxy/errorpage-squid.css =20 diff --git a/lfs/squidguard b/lfs/squidguard index eb13c41dd..d5eb30377 100644 --- a/lfs/squidguard +++ b/lfs/squidguard @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2018 IPFire Team = # +# Copyright (C) 2007-2021 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -113,6 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /usr/bin/perl $(DIR_CONF)/urlfilter/makeconf.pl touch /var/ipfire/urlfilter/settings chown -R nobody:nobody /var/ipfire/urlfilter + chown -R root:root /var/ipfire/urlfilter/bin chmod 755 /srv/web/ipfire/html/images/urlfilter chmod 644 /srv/web/ipfire/html/images/urlfilter/* chown -R nobody:nobody /var/urlrepo hooks/post-receive -- IPFire 2.x development tree --===============3439823072964214875==--
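
Review bot: the chown block added in the config/rootfiles/core/157/update.sh hunk covers /var/ipfire/updatexlrator/bin, /var/ipfire/urlfilter/bin and cachemgr.cgi but not /var/ipfire/backup/bin, which lfs/backup in this same push starts handing to root. Unless that ownership reaches installed systems by another route, an upgraded system keeps backup.pl owned by nobody, which is the situation the backup commit message calls dangerous. Adding /var/ipfire/backup/bin to the "chown -R root:root" list would close the gap. The comment "# Fix file permissions changed" would also read better as "# Apply changed file permissions".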
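
Review bot: the nested "if args.verbose:" block added in the config/unbound/unbound-dhcp-leases-bridge hunk could be avoided by giving the verbose argument a default of 0 where the parser declares it, so that args.verbose is always a number and the original if/elif/else can stay as it was. The argument definition is outside this hunk, so this needs checking against it; if the default cannot be changed, a short comment saying that args.verbose may be unset when the flag is absent would explain why the guard exists.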
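
Review bot: in the lfs/backup hunk at -56,10 the parent directory /var/ipfire/backup/ is still given to nobody by the "chown nobody:nobody -R" line, so after the added "chown root:root -R /var/ipfire/backup/bin/" the user nobody, as owner of the parent, can still rename or replace the bin entry itself. For root ownership of backup.pl to hold, the parent should be owned by root as well, with only the data files and subdirectories that need it handed to nobody. The same applies to the updatexlrator/bin and urlfilter/bin lines added in lfs/squid and lfs/squidguard, which follow the same pattern. The "-o root" added to the install line is redundant, since the two chown calls after it decide the final owner.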
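
Review bot: the "setcap cap_net_raw+ep /usr/bin/ping" line added in the lfs/iputils hunk stores the capability as an extended attribute on the file, and nothing in this push shows that attribute reaching systems that upgrade. core/157/filelists/iputils ships the new binary, now installed with mode 0755 instead of 4755, but update.sh never calls setcap, so if the update archive does not carry extended attributes, ping stops working for users other than root after Core Update 157. Either confirm that the archive preserves them or repeat the setcap call in update.sh.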
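
Review bot: in the lfs/openvpn hunk the unchanged context runs "chown -R root:root /var/ipfire/ovpn/scripts" and then "chown -R nobody:nobody /var/ipfire/ovpn", so the second, recursive call hands the scripts directory back to nobody. That is the same nobody-owned executable pattern this series removes for backup, squid and squidguard. Unless a line outside the hunk restores it, the root:root chown for scripts should move below the recursive one. The change from 700 to 600 on ovpn-leases.db itself looks right.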