Message ID | d0225ffd-d82d-ede0-87f1-9ca4fb879dd8@ipfire.org |
---|---|
State | Superseded |
Series | [RFC] backup: Set owner of /var/ipfire/backup/{in,ex}clude to "root" |
Commit Message
Peter Müller
Sept. 15, 2022, 7:15 p.m. UTC
Since these files are static, there is no legitimate reason why they
should be owned (hence writable) by "nobody".
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
lfs/backup | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Comments
Hello Peter, I agree that the files should be owned by root. However, your patch doesn’t fix that. > On 15 Sep 2022, at 21:15, Peter Müller <peter.mueller@ipfire.org> wrote: > > Since these files are static, there is no legitimate reason why they > should be owned (hence writable) by "nobody". > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > lfs/backup | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/lfs/backup b/lfs/backup > index 6f686bf22..adbf16e65 100644 > --- a/lfs/backup > +++ b/lfs/backup > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # > +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -61,8 +61,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > -mkdir -p /var/ipfire/backup/bin > install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin > - install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ > - install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ > + install -v -m 644 -o root $(DIR_SRC)/config/backup/include /var/ipfire/backup/ > + install -v -m 644 -o root $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ They have been created as root before. That is the default. > chown nobody:nobody -R /var/ipfire/backup/ And here is where they will be changed. Still. > chown root:root -R /var/ipfire/backup/bin/ > -mkdir -p /var/ipfire/backup/addons > -- > 2.35.3 -Michael
Hello Michael, thanks for your reply. Indeed, glad you caught that. Before I submit a second version: Shouldn't the {in,ex}clude.user files also be owned by root? I was unable to find any instance in the source code where these are modified by an unprivileged user. On that note, is it intended/desired that many subfolders of /var/ipfire/ are owned by "nobody"? While I of course see the need for "nobody" to write _files_, do not quite get why the parent folders (such as /var/ipfire/auth/, /var/ipfire/ca/, etc. pp.) have to be owned by that user as well. Thanks, and best regards, Peter Müller > Hello Peter, > > I agree that the files should be owned by root. However, your patch doesn’t fix that. > >> On 15 Sep 2022, at 21:15, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> Since these files are static, there is no legitimate reason why they >> should be owned (hence writable) by "nobody". >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> lfs/backup | 6 +++--- >> 1 file changed, 3 insertions(+), 3 deletions(-) >> >> diff --git a/lfs/backup b/lfs/backup >> index 6f686bf22..adbf16e65 100644 >> --- a/lfs/backup >> +++ b/lfs/backup >> @@ -1,7 +1,7 @@ >> ############################################################################### >> # # >> # IPFire.org - A linux based firewall # >> -# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >> +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # >> # # >> # This program is free software: you can redistribute it and/or modify # >> # it under the terms of the GNU General Public License as published by # 
>> @@ -61,8 +61,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> -mkdir -p /var/ipfire/backup/bin >> install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin >> - install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ >> - install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ >> + install -v -m 644 -o root $(DIR_SRC)/config/backup/include /var/ipfire/backup/ >> + install -v -m 644 -o root $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ > > They have been created as root before. That is the default. > >> chown nobody:nobody -R /var/ipfire/backup/ > > And here is where they will be changed. Still. > >> chown root:root -R /var/ipfire/backup/bin/ >> -mkdir -p /var/ipfire/backup/addons >> -- >> 2.35.3 > > -Michael
Hello, > On 17 Sep 2022, at 12:17, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Michael, > > thanks for your reply. Indeed, glad you caught that. > > Before I submit a second version: Shouldn't the {in,ex}clude.user files also be owned > by root? I was unable to find any instance in the source code where these are modified > by an unprivileged user. Yes. > On that note, is it intended/desired that many subfolders of /var/ipfire/ are owned > by "nobody"? While I of course see the need for "nobody" to write _files_, do not quite > get why the parent folders (such as /var/ipfire/auth/, /var/ipfire/ca/, etc. pp.) have > to be owned by that user as well. Sometimes, programs create temporary files which is why those directories need to have those ownerships. It would be much more preferable to create any temporary files in /tmp and then move them, but the code is written that way, and I would prefer to not touch it any more. -Michael > > Thanks, and best regards, > Peter Müller > > >> Hello Peter, >> >> I agree that the files should be owned by root. However, your patch doesn’t fix that. >> >>> On 15 Sep 2022, at 21:15, Peter Müller <peter.mueller@ipfire.org> wrote: >>> >>> Since these files are static, there is no legitimate reason why they >>> should be owned (hence writable) by "nobody". >>> >>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >>> --- >>> lfs/backup | 6 +++--- >>> 1 file changed, 3 insertions(+), 3 deletions(-) >>> >>> diff --git a/lfs/backup b/lfs/backup >>> index 6f686bf22..adbf16e65 100644 >>> --- a/lfs/backup >>> +++ b/lfs/backup 
>>> @@ -1,7 +1,7 @@ >>> ############################################################################### >>> # # >>> # IPFire.org - A linux based firewall # >>> -# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >>> +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # >>> # # >>> # This program is free software: you can redistribute it and/or modify # >>> # it under the terms of the GNU General Public License as published by # >>> @@ -61,8 +61,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> @$(PREBUILD) >>> -mkdir -p /var/ipfire/backup/bin >>> install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin >>> - install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ >>> - install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ >>> + install -v -m 644 -o root $(DIR_SRC)/config/backup/include /var/ipfire/backup/ >>> + install -v -m 644 -o root $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ >> >> They have been created as root before. That is the default. >> >>> chown nobody:nobody -R /var/ipfire/backup/ >> >> And here is where they will be changed. Still. >> >>> chown root:root -R /var/ipfire/backup/bin/ >>> -mkdir -p /var/ipfire/backup/addons >>> -- >>> 2.35.3 >> >> -Michael
diff --git a/lfs/backup b/lfs/backup index 6f686bf22..adbf16e65 100644 --- a/lfs/backup +++ b/lfs/backup @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -61,8 +61,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) -mkdir -p /var/ipfire/backup/bin install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin - install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ - install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ + install -v -m 644 -o root $(DIR_SRC)/config/backup/include /var/ipfire/backup/ + install -v -m 644 -o root $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ chown nobody:nobody -R /var/ipfire/backup/ chown root:root -R /var/ipfire/backup/bin/ -mkdir -p /var/ipfire/backup/addons
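Review bot: In the second hunk (@@ -61,8 +61,8 @@), the `-o root` added to the two `install` lines has no lasting effect, because the unchanged context line `chown nobody:nobody -R /var/ipfire/backup/` that follows recurses over the same directory and hands `include` and `exclude` back to "nobody"; only `bin/` is restored by the next line, `chown root:root -R /var/ipfire/backup/bin/`. To get the ownership the commit message asks for, either move the two `install` lines below the recursive chown, or add an explicit `chown root:root /var/ipfire/backup/include /var/ipfire/backup/exclude` after it, mirroring how `bin/` is already handled.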