* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. a85c4ef9e04d5c5c2c6305c09c75a5fe41efba8f
@ 2026-03-23 10:45 Michael Tremer
0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2026-03-23 10:45 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via a85c4ef9e04d5c5c2c6305c09c75a5fe41efba8f (commit)
via 7d2fa94d53bc1b214931f14c8d40ece5f8ffc85f (commit)
via 3c4bf85df39fde1b8e134631f611e037cbd53759 (commit)
via 9aea2ccb23469e01a7cf31128dec5940004877fb (commit)
via ac0af608a403df46e816f3d54629380b6d3ced75 (commit)
from 2d8007b0e649843447ebc1a4e8df516cb753ea50 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a85c4ef9e04d5c5c2c6305c09c75a5fe41efba8f
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 23 10:42:07 2026 +0000
core202: Reload the firewall on update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 7d2fa94d53bc1b214931f14c8d40ece5f8ffc85f
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 23 10:41:21 2026 +0000
core202: Reload cronjobs
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3c4bf85df39fde1b8e134631f611e037cbd53759
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 23 10:41:08 2026 +0000
firewall: Permit access for Unbound
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9aea2ccb23469e01a7cf31128dec5940004877fb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 23 10:37:13 2026 +0000
unbound: Run as a separate user
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ac0af608a403df46e816f3d54629380b6d3ced75
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 23 10:22:18 2026 +0000
firewall: Create a chain that permits outbound traffic for local services
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/cron/crontab | 2 +-
config/etc/group | 1 +
config/etc/passwd | 1 +
config/rootfiles/core/202/filelists/files | 2 ++
.../{oldcore/106 => core/202}/filelists/unbound | 0
config/rootfiles/core/202/update.sh | 31 ++++++++++++++++++++++
config/unbound/unbound.conf | 2 +-
lfs/unbound | 4 +--
src/initscripts/system/firewall | 7 +++++
9 files changed, 46 insertions(+), 4 deletions(-)
copy config/rootfiles/{oldcore/106 => core/202}/filelists/unbound (100%)
Difference in files:
diff --git a/config/cron/crontab b/config/cron/crontab
index 8df8bc0f6..5df2356ab 100644
--- a/config/cron/crontab
+++ b/config/cron/crontab
@@ -89,4 +89,4 @@ HOME=/
%weekly * * /bin/find /var/log/rrd -mtime +365 -type f -name '*.rrd' -delete -o -type d -empty -delete
# Update DNS trust anchor
-%daily,random * * @runas(nobody) /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+%daily,random * * @runas(unbound) /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
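Review bot: the `@runas(unbound)` change on the last line only works together with the `chown unbound:unbound` of `/var/lib/unbound` in update.sh, because `unbound-anchor` rewrites `root.key` in that directory (via a temporary file next to it). Since this job runs at a random time each day, a box on which the cron line was reloaded but the ownership change had not yet been applied would see the anchor update fail silently; keeping both in the same core update, as done here, is the right call, and the update script should reload the crontab only after the `chown` has run.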
diff --git a/config/etc/group b/config/etc/group
index 01d07266b..828e911d8 100644
--- a/config/etc/group
+++ b/config/etc/group
@@ -30,6 +30,7 @@ nobody:x:99:
users:x:100:
suricata:x:101:
logwatch:x:102:
+unbound:x:103:
cron:x:104:
syslogd:x:105:
klogd:x:106:
diff --git a/config/etc/passwd b/config/etc/passwd
index e769fb1af..deecce885 100644
--- a/config/etc/passwd
+++ b/config/etc/passwd
@@ -14,6 +14,7 @@ nobody:x:99:99:Nobody:/home/nobody:/bin/false
postfix:x:100:100::/var/spool/postfix:/bin/false
suricata:x:101:101:Suricata:/var/log/suricata:/bin/false
logwatch:x:102:102::/var/log/logwatch:/bin/false
+unbound:x:103:103:unbound User:/var/empty:/bin/false
cron:x:104:104::/:/bin/false
syslogd:x:105:105:/var/empty:/bin/false
klogd:x:106:106:/var/empty:/bin/false
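Review bot: the new `unbound` entry matches the `useradd` in update.sh (uid/gid 103, home `/var/empty`, shell `/bin/false`), so fresh installs and upgrades end up with the same account. Minor style point: the GECOS field reads `unbound User` while neighbouring service accounts either use the capitalised service name (`Suricata`) or leave it empty; pick one convention for the file.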
diff --git a/config/rootfiles/core/202/filelists/files b/config/rootfiles/core/202/filelists/files
index 7b83995b3..67fc81b91 100644
--- a/config/rootfiles/core/202/filelists/files
+++ b/config/rootfiles/core/202/filelists/files
@@ -1,2 +1,4 @@
+etc/rc.d/init.d/firewall
srv/web/ipfire/cgi-bin/ids.cgi
var/ipfire/dns/dnsbl.json
+var/spool/cron/root.orig
diff --git a/config/rootfiles/core/202/filelists/unbound b/config/rootfiles/core/202/filelists/unbound
new file mode 120000
index 000000000..66adf0924
--- /dev/null
+++ b/config/rootfiles/core/202/filelists/unbound
@@ -0,0 +1 @@
+../../../common/unbound
\ No newline at end of file
diff --git a/config/rootfiles/core/202/update.sh b/config/rootfiles/core/202/update.sh
index 22fa92e82..9287d0918 100644
--- a/config/rootfiles/core/202/update.sh
+++ b/config/rootfiles/core/202/update.sh
@@ -31,6 +31,29 @@ for (( i=1; i<=$core; i++ )); do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
+# Delete the dnsmasq user if exists
+if getent passwd dnsmasq >/dev/null; then
+ userdel dnsmasq
+fi
+
+# Delete the dnsmasq group if exists
+if getent group dnsmasq >/dev/null; then
+ groupdel dnsmasq
+fi
+
+# Create the unbound group if not exists
+if ! getent group unbound >/dev/null; then
+ groupadd --gid 103 unbound
+fi
+
+# Create the unbound user if not exists
+if ! getent passwd unbound >/dev/null; then
+ useradd --system \
+ --uid 103 --gid 103 --comment "unbound User" \
+ --home-dir /var/empty --no-create-home \
+ --shell /bin/false unbound
+fi
+
# Remove files
# Extract files
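Review bot: `groupadd --gid 103 unbound` and `useradd --uid 103 --gid 103 ... unbound` are not checked for success. The script only frees id 103 from a leftover `dnsmasq` account, so on a system where some other account (an add-on or a manually created user) already holds uid or gid 103, both commands fail, the later `chown unbound:unbound` fails as well, and unbound will refuse to start under the new `username: "unbound"`. Either abort with a clear message when the id is taken (`groupadd --gid 103 unbound || exit 1`), or let `groupadd`/`useradd` choose a free id and accept that upgraded systems may differ from the static passwd/group files. Also note that `userdel dnsmasq` may already remove the user's private group when it has no other members, so the `groupdel dnsmasq` branch is mostly a no-op; it is harmless thanks to the `getent` guard.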
@@ -42,6 +65,9 @@ ldconfig
# Restart init
#telinit u
+# Move variables files to the new unbound user
+chown unbound:unbound -Rv /var/lib/unbound/ /var/cache/unbound/
+
# Update Language cache
/usr/local/bin/update-lang-cache
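Review bot: the comment should read "variable files". The `chown -Rv` is ordered correctly (after extraction, before the unbound restart further down in this script), but it changes ownership under the feet of the old instance, which keeps running as `nobody` until that restart; anything that instance still writes into `/var/lib/unbound` or `/var/cache/unbound` in the meantime (the trust anchor file, which unbound updates in place, is the obvious candidate) fails in that window. Stopping unbound before the `chown` and starting it afterwards avoids the race, and dropping `-v` keeps the update log from listing every file in the cache directory.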
@@ -52,7 +78,12 @@ ldconfig
/usr/local/bin/sshctrl
# Start services
+/etc/init.d/firewall restart
/etc/init.d/suricata restart
+/etc/init.d/unbound restart
+
+# Reload cronjobs
+fcrontab -z
# This update needs a reboot...
touch /var/run/need_reboot
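Review bot: the `--uid-owner unbound` match in the firewall script is resolved to a numeric uid when the rule is inserted, so `/etc/init.d/firewall restart` only succeeds because the user was created earlier in this same script; the dependency is implicit and deserves a comment next to the restart. The order firewall, then unbound, is right: the `LOCAL_OUTPUT` accept rule exists before unbound comes back under the new user. `fcrontab -z` reinstalls root's crontab from the `/var/spool/cron/root.orig` this update ships, so the `@runas(unbound)` job takes effect without waiting for the reboot that `need_reboot` still requests.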
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 424284aa6..7781f7d6b 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -9,7 +9,7 @@ server:
# Common Server Options
chroot: ""
directory: "/etc/unbound"
- username: "nobody"
+ username: "unbound"
do-ip6: no
# Modules
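Review bot: with `chroot: ""` and `directory: "/etc/unbound"`, unbound drops to the `unbound` user after binding its sockets, and a later reload (SIGHUP or `unbound-control reload`) re-reads the configuration and any files it references as that unprivileged user. The update script fixes ownership of `/var/lib/unbound` and `/var/cache/unbound`, but nothing in this series touches permissions under `/etc/unbound`; confirm that the main config, included files and any remote-control keys there are readable by `unbound`, otherwise the first reload after the upgrade fails even though the initial start as root worked.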
diff --git a/lfs/unbound b/lfs/unbound
index 9de96d8a5..604e3d4d4 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -113,7 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
-mkdir -pv /var/lib/unbound
install -v -m 644 $(DIR_SRC)/config/unbound/root.key \
/var/lib/unbound/root.key
- chown -Rv nobody.nobody /var/lib/unbound
+ chown -Rv unbound:unbound /var/lib/unbound
# Ship ICANN's certificates to validate DNS trust anchors
install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \
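Review bot: besides the user change, this hunk fixes the deprecated `user.group` separator to `user:group`, consistent with the cache-directory hunk below. The build-time `chown` now requires the `unbound` entry from `config/etc/passwd` to be present in the build root before the unbound package is built; if the base passwd/group files are installed later in the build order, this step fails with an unknown user, so that ordering is worth verifying.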
@@ -121,7 +121,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install the cache directory
-mkdir -pv /var/cache/unbound
- chown nobody:nobody /var/cache/unbound
+ chown unbound:unbound /var/cache/unbound
@rm -rf $(DIR_APP)
@$(POSTBUILD)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 45b4bd56a..55b14957c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -340,6 +340,10 @@ iptables_init() {
iptables -N OVPNINPUTN2N
iptables -A INPUT -j OVPNINPUTN2N
+ # Local Services
+ iptables -N LOCAL_OUTPUT
+ iptables -A OUTPUT -j LOCAL_OUTPUT
+
# Tor (outbound)
iptables -N TOR_OUTPUT
iptables -A OUTPUT -j TOR_OUTPUT
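Review bot: `LOCAL_OUTPUT` is created and jumped to from `OUTPUT` ahead of `TOR_OUTPUT`, which is fine as long as the chain only ever holds owner-matched `ACCEPT` rules. The "Local Services" label suggests more daemons will be added later, so a one-line comment here stating that policy (per-uid accepts for local daemons only, no broad accepts that would shadow the chains that follow) keeps it from turning into a catch-all. Hooking it into `OUTPUT` only is correct: `-m owner` matches locally generated packets, so forwarded traffic never enters the chain.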
@@ -432,6 +436,9 @@ iptables_init() {
# run captivectrl
/usr/local/bin/captivectrl
+ # Grant Unbound access
+ iptables -A LOCAL_OUTPUT -m owner --uid-owner unbound -j ACCEPT
+
# If a Tor relay is enabled apply firewall rules
if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then
/usr/local/bin/torctrl restart &>/dev/null
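Review bot: the new rule accepts every packet the `unbound` uid sends, to any destination and port. If the goal of the separate user is least privilege, add the protocol and port a resolver actually needs (`-p udp --dport 53`, `-p tcp --dport 53`, and 853 where DNS-over-TLS upstreams are configured) so a compromised resolver process cannot use its uid to reach arbitrary services. Separately, if the `unbound` user does not exist when this script runs (for example a boot after a partially applied update), iptables rejects the rule and the script carries on without it; a `getent passwd unbound` guard or an explicit error log here would make that failure visible.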
hooks/post-receive
--
IPFire 2.x development tree