Message ID | 06825b38-ec53-38c5-c8ce-12d70c1acb5b@ipfire.org |
---|---|
State | Superseded |
Series | [v2] ipblocklist: Both "settings" and "modify" need to be writable for "nobody" |
Commit Message
Peter Müller
Aug. 22, 2022, 8:11 p.m. UTC
The second version of this patch avoids being generous with file
permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources
must not be writable to "nobody".
Therefore, the needed files ("settings" and "modify") are prepared
during the Core Upgrade and LFS file, and equipped with appropriate
permissions.
Fixes: #12917
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/rootfiles/core/170/update.sh | 4 ++++
lfs/ipblocklist-sources | 2 ++
2 files changed, 6 insertions(+)
Comments
Hello,

I was told that this patch isn’t solving the problem it is supposed to solve.

However, I do not see why. Could someone explain to my little brain why?

-Michael

> On 22 Aug 2022, at 21:11, Peter Müller <peter.mueller@ipfire.org> wrote: > > The second version of this patch avoids being generous with file > permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources > must not be writable to "nobody". > > Therefore, the needed files ("settings" and "modify") are prepared > during the Core Upgrade and LFS file, and equipped with appropriate > permissions. > > Fixes: #12917 > Cc: Stefan Schantl <stefan.schantl@ipfire.org> > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/rootfiles/core/170/update.sh | 4 ++++ > lfs/ipblocklist-sources | 2 ++ > 2 files changed, 6 insertions(+) > > diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh > index b6b66f3f1..9d16f4a32 100644 > --- a/config/rootfiles/core/170/update.sh > +++ b/config/rootfiles/core/170/update.sh > @@ -164,6 +164,10 @@ ldconfig > mkdir -pv /var/lib/ipblocklist > chown nobody:nobody /var/lib/ipblocklist > > +# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) > +touch /var/ipfire/ipblocklist/{settings,modified} > +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} > + > # Rebuild fcrontab from scratch > /usr/bin/fcrontab -z > > diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources > index 30b9e94a4..d0ce30350 100644 > --- a/lfs/ipblocklist-sources > +++ b/lfs/ipblocklist-sources > @@ -49,5 +49,7 @@ $(TARGET) : > @$(PREBUILD) > mkdir -p /var/ipfire/ipblocklist > install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist > + touch /var/ipfire/ipblocklist/{settings,modified} > + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} > > @$(POSTBUILD) > -- > 2.35.3
Hello Michael,

thanks for your reply and apologies for my belated response.

Stefan pointed out to me that if we created these files in ipblocklist itself, they would have become part of the component's rootfile (which was also not updated in the patch). This would have caused user settings for ipblocklist to be overwritten, if ipblocklist is updated in a future Core Update.

configroot is the better place, since we must never ship this, and this is where all the other settings files are created already. Also, file permissions are already taken care of there.

Version 3 should _finally_ solve the issue. Please let me know if it doesn't.

All the best,
Peter Müller

> Hello, > > I was told that this patch isn’t solving the problem it is supposed to solve. > > However, I do not see why. Could someone explain to my little brain why? > > -Michael > >> On 22 Aug 2022, at 21:11, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> The second version of this patch avoids being generous with file >> permissions, as Stefan pointed out that /var/ipfire/ipblocklist/sources >> must not be writable to "nobody". >> >> Therefore, the needed files ("settings" and "modify") are prepared >> during the Core Upgrade and LFS file, and equipped with appropriate >> permissions. >> >> Fixes: #12917 >> Cc: Stefan Schantl <stefan.schantl@ipfire.org> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> config/rootfiles/core/170/update.sh | 4 ++++ >> lfs/ipblocklist-sources | 2 ++ >> 2 files changed, 6 insertions(+) >> >> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh >> index b6b66f3f1..9d16f4a32 100644 >> --- a/config/rootfiles/core/170/update.sh >> +++ b/config/rootfiles/core/170/update.sh 
>> @@ -164,6 +164,10 @@ ldconfig >> mkdir -pv /var/lib/ipblocklist >> chown nobody:nobody /var/lib/ipblocklist >> >> +# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) >> +touch /var/ipfire/ipblocklist/{settings,modified} >> +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} >> + >> # Rebuild fcrontab from scratch >> /usr/bin/fcrontab -z >> >> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources >> index 30b9e94a4..d0ce30350 100644 >> --- a/lfs/ipblocklist-sources >> +++ b/lfs/ipblocklist-sources >> @@ -49,5 +49,7 @@ $(TARGET) : >> @$(PREBUILD) >> mkdir -p /var/ipfire/ipblocklist >> install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist >> + touch /var/ipfire/ipblocklist/{settings,modified} >> + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} >> >> @$(POSTBUILD) >> -- >> 2.35.3 >
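The permission split discussed in this thread (the directory and the shipped "sources" list must stay read-only for "nobody", while "settings" and "modified" have to be writable for it), as an added example that is not code from the patch or from IPFire's own update scripts: a POSIX sh helper that creates the state files only when they are absent (so settings a user already saved are kept), sets owner and mode explicitly instead of inheriting the umask, fails when the parent directory is missing, and verifies the split afterwards. The function names, the OWNER parameter (a user name or numeric uid, so the demo can run as any user) and the temporary directory used by the demo are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the patch or from IPFire itself.
# Provision the per-service state files ("settings", "modified") so that an
# unprivileged account can write them, while the directory and the shipped
# "sources" list stay read-only for that account. OWNER is a parameter (name
# or numeric uid) and the helper names are made up here, so the script can be
# exercised as any user. stat -c is GNU/busybox syntax.
set -eu

# writable_by FILE USER
# Returns 0 when USER can write FILE judging by owner and permission bits.
# Group membership is ignored on purpose: for a non-owner only the "other"
# write bit counts, the conservative reading for an account like "nobody".
writable_by() {
    f=$1; u=$2
    mode=$(stat -c %a "$f")
    if [ "$(stat -c %U "$f")" = "$u" ] || [ "$(stat -c %u "$f")" = "$u" ]; then
        [ $(( 0$mode & 0200 )) -ne 0 ]
    else
        [ $(( 0$mode & 0002 )) -ne 0 ]
    fi
}

# ensure_state_file FILE OWNER MODE
# Creates FILE only when it is absent, so content a user already saved is
# kept, then sets owner and mode explicitly instead of inheriting the umask.
# Returns 1 when the parent directory is missing instead of letting a later
# chown operate on a file that was never created.
ensure_state_file() {
    f=$1; owner=$2; mode=$3
    d=$(dirname "$f")
    if [ ! -d "$d" ]; then
        echo "ensure_state_file: missing directory $d" >&2
        return 1
    fi
    [ -e "$f" ] || : > "$f"
    chown "$owner" "$f"
    chmod "$mode" "$f"
}

# check_layout DIR OWNER
# Returns 0 when the split is right: DIR and DIR/sources must not be
# writable by OWNER, DIR/settings and DIR/modified must be.
check_layout() {
    d=$1; owner=$2; bad=0
    for ro in "$d" "$d/sources"; do
        if writable_by "$ro" "$owner"; then
            echo "check_layout: $ro is writable by $owner" >&2
            bad=1
        fi
    done
    for rw in "$d/settings" "$d/modified"; do
        if ! writable_by "$rw" "$owner"; then
            echo "check_layout: $rw is not writable by $owner" >&2
            bad=1
        fi
    done
    return $bad
}

# demo: build the layout in a temporary directory owned by the current user,
# verify it, then show that a world-writable "sources" is caught.
demo() {
    me=$(id -u)
    tmp=$(mktemp -d)
    printf '# constructed sample source list\n' > "$tmp/sources"
    ensure_state_file "$tmp/settings" "$me" 0644
    ensure_state_file "$tmp/modified" "$me" 0644
    chmod 0444 "$tmp/sources"
    chmod 0555 "$tmp"
    check_layout "$tmp" "$me" && echo "layout ok"
    chmod 0666 "$tmp/sources"
    check_layout "$tmp" "$me" || echo "world-writable sources rejected"
    chmod 0755 "$tmp"
    rm -rf "$tmp"
}

# Run the demo with: sh this_script.sh demo
case "${1:-}" in
    demo) demo ;;
esac
```

The mode is set with chmod after the file exists rather than trusting touch, which is exactly the gap in the patch: touch plus chown fixes ownership but leaves whatever mode the umask or a pre-existing file had.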
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index b6b66f3f1..9d16f4a32 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -164,6 +164,10 @@ ldconfig mkdir -pv /var/lib/ipblocklist chown nobody:nobody /var/lib/ipblocklist +# Create necessary files for IPBlocklist and set their ownership accordingly (#12917) +touch /var/ipfire/ipblocklist/{settings,modified} +chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} + # Rebuild fcrontab from scratch /usr/bin/fcrontab -z diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources index 30b9e94a4..d0ce30350 100644 --- a/lfs/ipblocklist-sources +++ b/lfs/ipblocklist-sources @@ -49,5 +49,7 @@ $(TARGET) : @$(PREBUILD) mkdir -p /var/ipfire/ipblocklist install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist + touch /var/ipfire/ipblocklist/{settings,modified} + chown nobody:nobody /var/ipfire/ipblocklist/{settings,modified} @$(POSTBUILD)
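Review bot: in the update.sh hunk the two new lines create and chown "modified", while the subject and commit message promise "settings" and "modify"; one of the two spellings is wrong and the upgrade must create the file the component actually reads, so align the message and the code. The hunk also sets ownership only: touch leaves the mode to the umask and a pre-existing file keeps whatever mode it had, so the "appropriate permissions" of the commit message need an explicit step such as `chmod 0644 /var/ipfire/ipblocklist/{settings,modified}`. Unlike the `mkdir -pv /var/lib/ipblocklist` lines just above, nothing here creates /var/ipfire/ipblocklist, so touch fails on a system where that directory is missing.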
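Review bot: in the lfs/ipblocklist-sources hunk, creating settings and modified at build time makes them artefacts of that package while the diffstat shows no rootfile change, so either they are unlisted and will be flagged, or, once listed, the empty files would overwrite a user's saved settings on every later update of the package; the per-user settings files belong where the other settings files are created, not in this LFS. `{settings,modified}` is also brace expansion, which the /bin/sh that make runs recipes with only provides if it happens to be bash (or the makefile sets SHELL), so spell both names out in the recipe. Finally, the `install -v -m 0644` line just above already shows the idiom for setting an explicit mode; the added touch and chown lines set the owner but leave the mode to the umask.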