* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. d3a520fa68d2d0198ddca827a96a4e2cbb595d8a
@ 2023-04-04 20:05 Peter Müller
From: Peter Müller @ 2023-04-04 20:05 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  d3a520fa68d2d0198ddca827a96a4e2cbb595d8a (commit)
       via  7970d3937287171035336bd63ee28d0cd1c82d62 (commit)
       via  41d3d33dde1312d6e1556d3279d9c09d925b7452 (commit)
      from  a84b9ed2feb926681ad94273d8c2efc5d7b71b4f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d3a520fa68d2d0198ddca827a96a4e2cbb595d8a
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Apr 4 20:04:11 2023 +0000

    Revert "e2fsprogs: Update to version 1.47.0"

    This reverts commit 1f3f26702144ef600eb7937c4ab78e4833e6636f.

    Symlink will remain in place to ensure the reverted version is always
    shipped to our users, including those that have installed Core Update
    174 (testing).

    Fixes: #13073
    Reported-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 7970d3937287171035336bd63ee28d0cd1c82d62
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Apr 4 20:02:58 2023 +0000

    Core Update 174: Ship ipblocklist-related changes

    https://wiki.ipfire.org/devel/telco/2023-04-03

    Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 41d3d33dde1312d6e1556d3279d9c09d925b7452
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Tue Mar 28 18:05:42 2023 +0200

    update-ipblocklists: Fix loading new blocklists after update

    * The script needs to run with root permissions in order to
      do the ipset operations. So remove code to drop the permissions
      on startup.

    * Adjust execute calls to use the proper functions from
      general functions.

    * Add some code to set the correct ownership (nobody:nobody) for
      changed files during script runtime.

    Fixes #13072.

    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
config/cfgroot/ipblocklist-functions.pl | 27 +++++++++++++++++++++++++++
config/rootfiles/core/174/filelists/files | 2 ++
config/rootfiles/core/174/update.sh | 3 +++
lfs/e2fsprogs | 4 ++--
src/scripts/update-ipblocklists | 28 ++++++++++++----------------
5 files changed, 46 insertions(+), 18 deletions(-)
Difference in files:
diff --git a/config/cfgroot/ipblocklist-functions.pl b/config/cfgroot/ipblocklist-functions.pl
index ecabf42e8..bd026a01d 100644
--- a/config/cfgroot/ipblocklist-functions.pl
+++ b/config/cfgroot/ipblocklist-functions.pl
@@ -383,4 +383,31 @@ sub get_holdoff_rate($) {
return $value;
}
+#
+## sub set_ownership(file)
+##
+## Function to set the correct ownership (nobody:nobody) to a given file.
+##
+#
+sub set_ownership($) {
+ my ($file) = @_;
+
+ # User and group of the WUI.
+ my $uname = "nobody";
+ my $grname = "nobody";
+
+ # The chown function implemented in perl requies the user and group as nummeric id's.
+ my $uid = getpwnam($uname);
+ my $gid = getgrnam($grname);
+
+ # Check if the given file exists.
+ unless ($file) {
+ # Stop the script and print error message.
+ die "The given $file does not exist. Cannot change the ownership!\n";
+ }
+
+ # Change ownership of the file.
+ chown($uid, $gid, "$file");
+}
+
1;
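Review bot: In set_ownership(), the guard `unless ($file)` only tests that the argument is a non-empty, true string, while its comment ("Check if the given file exists") and the die message describe an existence test; use `unless (-e $file)` so a missing path is actually caught. The die message also interpolates `$file`, which is empty whenever the current guard fires, so the error text carries no path. The results of `getpwnam`, `getgrnam` and `chown($uid, $gid, "$file")` are not checked either, so a failed lookup or a failed chown passes silently; check them and report the failure. The comment above the lookups has two typos ("requies", "nummeric").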
diff --git a/config/rootfiles/core/174/filelists/files b/config/rootfiles/core/174/filelists/files
index 8b7058f81..1854e1aa2 100644
--- a/config/rootfiles/core/174/filelists/files
+++ b/config/rootfiles/core/174/filelists/files
@@ -92,7 +92,9 @@ srv/web/ipfire/cgi-bin/proxy.cgi
srv/web/ipfire/cgi-bin/traffic.cgi
srv/web/ipfire/cgi-bin/updatexlrator.cgi
usr/lib/firewall/rules.pl
+usr/local/bin/update-ipblocklists
var/ipfire/graphs.pl
var/ipfire/header.pl
var/ipfire/ids-functions.pl
+var/ipfire/ipblocklist-functions.pl
var/ipfire/network-functions.pl
diff --git a/config/rootfiles/core/174/update.sh b/config/rootfiles/core/174/update.sh
index 7acaad64e..25474a7b2 100644
--- a/config/rootfiles/core/174/update.sh
+++ b/config/rootfiles/core/174/update.sh
@@ -184,6 +184,9 @@ if [ -e "/opt/pakfire/db/installed/meta-perl-TimeDate" ] && [ -e "/opt/pakfire/d
/opt/pakfire/db/rootfiles/perl-TimeDate
fi
+# Update IP blocklists to resolve fallout of #13072 as quickly as possible
+/usr/local/bin/update-location-database
+
# This update needs a reboot...
touch /var/run/need_reboot
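Review bot: The added comment says this step updates the IP blocklists to resolve the fallout of #13072, but the command below it is `/usr/local/bin/update-location-database`, not the `usr/local/bin/update-ipblocklists` script that this same push adds to the Core Update 174 filelist. If refreshing the location database is what is intended, correct the comment; otherwise call `/usr/local/bin/update-ipblocklists` here. Either way the exit status of the call is ignored, which is worth a word in the comment if that is deliberate.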
diff --git a/lfs/e2fsprogs b/lfs/e2fsprogs
index 8db1c215c..4758b5401 100644
--- a/lfs/e2fsprogs
+++ b/lfs/e2fsprogs
@@ -24,7 +24,7 @@
include Config
-VER = 1.47.0
+VER = 1.46.5
THISAPP = e2fsprogs-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 84f58b05a9f0e14e1a66c6e5171ff23b022f51c4e9a02d4d6d1d26c91909f3c7ec9c9f0462663a4457b4479043774502b8891f691e58a61f4ef6bf9ba33f33aa
+$(DL_FILE)_BLAKE2 = 8d8c02e891c464782a7cff518c41d793fc73366b57e17d80ffc5afd96e6144e354290e667e9710509a9dde4e5dab7e7185c5bf084c5bfd26219f05e5e92e0830
install : $(TARGET)
diff --git a/src/scripts/update-ipblocklists b/src/scripts/update-ipblocklists
index 9918cac41..a17b47999 100644
--- a/src/scripts/update-ipblocklists
+++ b/src/scripts/update-ipblocklists
@@ -32,19 +32,6 @@ require "${General::swroot}/lang.pl";
# Hash to store the settings.
my %settings = ();
-# The user and group name as which this script should be run.
-my $run_as = 'nobody';
-
-# Get user and group id of the user.
-my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
-
-# Check if the script currently runs as root.
-if ( $> == 0 ) {
- # Drop privileges and switch to the specified user and group.
- POSIX::setgid( $gid );
- POSIX::setuid( $uid );
-}
-
# Establish the connection to the syslog service.
openlog('ipblocklist', 'cons', 'user');
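Review bot: Removing the `POSIX::setgid`/`POSIX::setuid` block at the top of the script means everything that follows runs as root, not only the ipset calls that the commit message names as the reason. Consider keeping root for the restore/swap/destroy step only and doing the remaining work unprivileged (for example in a forked child), and leave a comment at this spot stating why the script stays privileged. Since the script now depends on being started as root, an explicit check of `$>` that logs an error and exits when it is not 0 would make that requirement visible instead of failing later inside ipset.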
@@ -122,6 +109,12 @@ foreach my $blocklist (@blocklists) {
&_log_to_syslog("<ERROR> Could not update $blocklist blocklist - Unexpected error\!");
}
} else {
+ # Get the filename of the blocklist.
+ my $ipset_db_file = &IPblocklist::get_ipset_db_file($blocklist);
+
+ # Set the correct ownership.
+ &IPblocklist::set_ownership($ipset_db_file);
+
# Log successfull update.
&_log_to_syslog("<INFO> Successfully updated $blocklist blocklist.");
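Review bot: In the success branch, the value returned by `&IPblocklist::get_ipset_db_file($blocklist)` is passed straight to `set_ownership()`, which calls `die` on an empty argument; that would abort the whole `foreach my $blocklist (@blocklists)` loop before the success message is logged and before any remaining blocklists are processed. Validate `$ipset_db_file` here and, on failure, log an `<ERROR>` through `_log_to_syslog` and continue with the next blocklist.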
@@ -132,22 +125,25 @@ foreach my $blocklist (@blocklists) {
# Check if a blocklist has been updated and therefore needs to be reloaded.
if (@updated_blocklists) {
+ # Set correct ownership to the modified file.
+ &IPblocklist::set_ownership($IPblocklist::modified_file);
+
# Loop through the array.
foreach my $updated_blocklist (@updated_blocklists) {
# Get the blocklist file.
my $ipset_db_file = &IPblocklist::get_ipset_db_file($updated_blocklist);
# Call safe system function to reload/update the blocklist.
- &General::system("ipset", "restore", "-f", "$ipset_db_file");
+ &General::safe_system("ipset", "restore", "-f", "$ipset_db_file");
# The set name contains a "v4" as suffix.
my $set_name = "$updated_blocklist" . "v4";
# Swap the sets to use the new one.
- &General::system("ipset", "swap", "$set_name", "$updated_blocklist");
+ &General::safe_system("ipset", "swap", "$set_name", "$updated_blocklist");
# Destroy the old blocklist.
- &General::system("ipset", "destroy", "$set_name");
+ &General::safe_system("ipset", "destroy", "$set_name");
}
}
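Review bot: The three `&General::safe_system(...)` calls in the reload loop ignore their results, so when `ipset restore` fails the `swap` and `destroy` calls still run against a set that may be missing or stale. Check the result of each call, log an error with `_log_to_syslog` and skip to the next blocklist on failure. The `&IPblocklist::set_ownership($IPblocklist::modified_file)` call added at the top of the block is unchecked in the same way.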
hooks/post-receive
--
IPFire 2.x development tree