ipblocklist: Ensure /var/ipfire/ipblocklist is owned and writable by "nobody"
Commit Message
Fixes: #12917
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/rootfiles/core/170/update.sh | 3 +++
lfs/ipblocklist-sources | 4 ++--
2 files changed, 5 insertions(+), 2 deletions(-)
Comments
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Am 22.08.2022 um 08:30 schrieb Peter Müller:
> Fixes: #12917
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/rootfiles/core/170/update.sh | 3 +++
> lfs/ipblocklist-sources | 4 ++--
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
> index b6b66f3f1..c7dc09946 100644
> --- a/config/rootfiles/core/170/update.sh
> +++ b/config/rootfiles/core/170/update.sh
> @@ -164,6 +164,9 @@ ldconfig
> mkdir -pv /var/lib/ipblocklist
> chown nobody:nobody /var/lib/ipblocklist
>
> +# Ensure permissions for /var/ipfire/ipblocklist are set properly
> +chown -Rv nobody:nobody /var/ipfire/ipblocklist
> +
> # Rebuild fcrontab from scratch
> /usr/bin/fcrontab -z
>
> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources
> index 30b9e94a4..87bd95cca 100644
> --- a/lfs/ipblocklist-sources
> +++ b/lfs/ipblocklist-sources
> @@ -47,7 +47,7 @@ b2 :
>
> $(TARGET) :
> @$(PREBUILD)
> - mkdir -p /var/ipfire/ipblocklist
> - install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
> + install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
> + install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
>
> @$(POSTBUILD)
Hello list,
today, Stefan reached out to me via phone and explained that /var/ipfire/ipblocklist/
should not be chown'ed to "nobody", since this would mean write access to the "sources"
file, a thing neither needed nor desirable.
Instead, he recommended touching a "modified" file in the same folder and granting
"nobody" write access to it. While testing, I noticed the same thing is necessary for
a "settings" file.
I will submit a second version of the patch in due course.
Best,
Peter Müller
> Fixes: #12917
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/rootfiles/core/170/update.sh | 3 +++
> lfs/ipblocklist-sources | 4 ++--
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
> index b6b66f3f1..c7dc09946 100644
> --- a/config/rootfiles/core/170/update.sh
> +++ b/config/rootfiles/core/170/update.sh
> @@ -164,6 +164,9 @@ ldconfig
> mkdir -pv /var/lib/ipblocklist
> chown nobody:nobody /var/lib/ipblocklist
>
> +# Ensure permissions for /var/ipfire/ipblocklist are set properly
> +chown -Rv nobody:nobody /var/ipfire/ipblocklist
> +
> # Rebuild fcrontab from scratch
> /usr/bin/fcrontab -z
>
> diff --git a/lfs/ipblocklist-sources b/lfs/ipblocklist-sources
> index 30b9e94a4..87bd95cca 100644
> --- a/lfs/ipblocklist-sources
> +++ b/lfs/ipblocklist-sources
> @@ -47,7 +47,7 @@ b2 :
>
> $(TARGET) :
> @$(PREBUILD)
> - mkdir -p /var/ipfire/ipblocklist
> - install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
> + install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
> + install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
>
> @$(POSTBUILD)
On Mon, 22 Aug 2022 20:08:00 +0000, Peter Müller wrote:
> Hello list,
>
> today, Stefan reached out to me via phone and explained that
> /var/ipfire/ipblocklist/ should not be chown'ed to "nobody", since this
> would mean write access to the "sources"
> file, a thing neither needed nor desirable.
>
> Instead, he recommended touching a "modified" file in the same folder
> and granting "nobody" write access to it. While testing, I noticed the
> same thing is necessary for a "settings" file.
>
> I will submit a second version of the patch in due course.
>
> Best,
> Peter Müller
>
>
If it helps I think Tim's original Ipblacklist had these permissions:
drwxr-xr-x 2 nobody nobody 4096 Feb 6 2022 ipblacklist
ls -l /var/ipfire/ipblacklist/
-rw-r--r-- 1 root root 441 Aug 22 21:24 checked
-rw-r--r-- 1 root root 190 Aug 22 21:24 modified
-rw-r--r-- 1 nobody nobody 305 Aug 3 10:29 settings
-rw-r--r-- 1 root root 11443 Aug 3 09:28 sources
-rw-r--r-- 1 root root 0 Feb 2 2022 status
So nobody.nobody would seem to be correct for the directory and is working
OK here.
Rob
@@ -164,6 +164,9 @@ ldconfig
mkdir -pv /var/lib/ipblocklist
chown nobody:nobody /var/lib/ipblocklist
+# Ensure permissions for /var/ipfire/ipblocklist are set properly
+chown -Rv nobody:nobody /var/ipfire/ipblocklist
+
# Rebuild fcrontab from scratch
/usr/bin/fcrontab -z
@@ -47,7 +47,7 @@ b2 :
$(TARGET) :
@$(PREBUILD)
- mkdir -p /var/ipfire/ipblocklist
- install -v -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
+ install -d -o nobody -g nobody -m 0755 /var/ipfire/ipblocklist
+ install -v -o nobody -g nobody -m 0644 $(DIR_SRC)/config/ipblocklist/sources /var/ipfire/ipblocklist
@$(POSTBUILD)