diff mbox series

ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody"

Message ID 59c78fd9-46a7-6290-ad8e-cae28cfc2bfc@ipfire.org
State Superseded
Headers
Series ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody" |

Commit Message

Peter Müller Aug. 22, 2022, 6:30 a.m. UTC 
  Fixes: #12917
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/rootfiles/core/170/update.sh | 3 +++
 lfs/ipblocklist-sources             | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

Comments

Bernhard Bitsch Aug. 22, 2022, 8 a.m. UTC | #1 
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

Am 22.08.2022 um 08:30 schrieb Peter Müller:
> Fixes: #12917
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
>   config/rootfiles/core/170/update.sh | 3 +++
>   lfs/ipblocklist-sources             | 4 ++--
>   2 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
> index b6b66f3f1..c7dc09946 100644
> --- a/config/rootfiles/core/170/update.sh
> +++ b/config/rootfiles/core/170/update.sh
> @@ -164,6 +164,9 @@ ldconfig
>   mkdir -pv /var/lib/ipblocklist
>   chown nobody:nobody /var/lib/ipblocklist
>   
> +# Ensure permissions for /var/ipfire/ipblocklist are set properly
> +chown -Rv nobody:nobody /var/ipfire/ipblocklist
> +
>   # Rebuild fcrontab from scratch
>   /usr/bin/fcrontab -z
>   
> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources
> index 30b9e94a4..87bd95cca 100644
> --- a/lfs/ipblocklist-sources
> +++ b/lfs/ipblocklist-sources
> @@ -47,7 +47,7 @@ b2 :
>   
>   $(TARGET) :
>   	@$(PREBUILD)
> -	mkdir -p /var/ipfire/ipblocklist
> -	install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
> +	install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
> +	install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
>   
>   	@$(POSTBUILD)
Peter Müller Aug. 22, 2022, 8:08 p.m. UTC | #2 
Hello list,

today, Stefan reached out to me via phone and explained that /var/ipfire/ipblocklist/
should not be chown'ed to "nobody", since this would mean write access to the "sources"
file, a thing neither needed nor desirable.

Instead, he recommended touching a "modified" file in the same folder and granting
"nobody" write access to it. While testing, I noticed the same thing is necessary for
a "settings" file.

I will submit a second version of the patch in due course.

Best,
Peter Müller


> Fixes: #12917
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
>  config/rootfiles/core/170/update.sh | 3 +++
>  lfs/ipblocklist-sources             | 4 ++--
>  2 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
> index b6b66f3f1..c7dc09946 100644
> --- a/config/rootfiles/core/170/update.sh
> +++ b/config/rootfiles/core/170/update.sh
> @@ -164,6 +164,9 @@ ldconfig
>  mkdir -pv /var/lib/ipblocklist
>  chown nobody:nobody /var/lib/ipblocklist
>  
> +# Ensure permissions for /var/ipfire/ipblocklist are set properly
> +chown -Rv nobody:nobody /var/ipfire/ipblocklist
> +
>  # Rebuild fcrontab from scratch
>  /usr/bin/fcrontab -z
>  
> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources
> index 30b9e94a4..87bd95cca 100644
> --- a/lfs/ipblocklist-sources
> +++ b/lfs/ipblocklist-sources
> @@ -47,7 +47,7 @@ b2 :
>  
>  $(TARGET) :
>  	@$(PREBUILD)
> -	mkdir -p /var/ipfire/ipblocklist
> -	install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
> +	install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
> +	install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
>  
>  	@$(POSTBUILD)
Rob Brewer Aug. 22, 2022, 9:03 p.m. UTC | #3 
On Mon, 22 Aug 2022 20:08:00 +0000, Peter Müller wrote:

> Hello list,
> 
> today, Stefan reached out to me via phone and explained that
> /var/ipfire/ipblocklist/ should not be chown'ed to "nobody", since this
> would mean write access to the "sources"
> file, a thing neither needed nor desirable.
> 
> Instead, he recommended touching a "modified" file in the same folder
> and granting "nobody" write access to it. While testing, I noticed the
> same thing is necessary for a "settings" file.
> 
> I will submit a second version of the patch in due course.
> 
> Best,
> Peter Müller
> 
> 
If it helps I think Tim's original Ipblacklist had these permissions:

drwxr-xr-x 2 nobody nobody  4096 Feb  6  2022 ipblacklist

ls -l /var/ipfire/ipblacklist/

-rw-r--r-- 1 root   root     441 Aug 22 21:24 checked
-rw-r--r-- 1 root   root     190 Aug 22 21:24 modified
-rw-r--r-- 1 nobody nobody   305 Aug  3 10:29 settings
-rw-r--r-- 1 root   root   11443 Aug  3 09:28 sources
-rw-r--r-- 1 root   root       0 Feb  2  2022 status

So nobody.nobody would seem to be correct for the directory and is working 
OK here.


Rob
diff mbox series

Patch

diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
index b6b66f3f1..c7dc09946 100644
--- a/config/rootfiles/core/170/update.sh
+++ b/config/rootfiles/core/170/update.sh
@@ -164,6 +164,9 @@  ldconfig
 mkdir -pv /var/lib/ipblocklist
 chown nobody:nobody /var/lib/ipblocklist
 
+# Ensure permissions for /var/ipfire/ipblocklist are set properly
+chown -Rv nobody:nobody /var/ipfire/ipblocklist
+
 # Rebuild fcrontab from scratch
 /usr/bin/fcrontab -z
 
diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources
index 30b9e94a4..87bd95cca 100644
--- a/lfs/ipblocklist-sources
+++ b/lfs/ipblocklist-sources
@@ -47,7 +47,7 @@  b2 :
 
 $(TARGET) :
 	@$(PREBUILD)
-	mkdir -p /var/ipfire/ipblocklist
-	install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
+	install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
+	install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
 
 	@$(POSTBUILD)