From patchwork Tue Mar 28 16:05:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 6736 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4PmF0L5ZFwz3xCl for ; Tue, 28 Mar 2023 16:05:54 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4PmF0J4763zlf; Tue, 28 Mar 2023 16:05:52 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4PmF0J1wWLz2y9s; Tue, 28 Mar 2023 16:05:52 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4PmF0G1WxCz2x9l for ; Tue, 28 Mar 2023 16:05:50 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4PmF0F0gvszd2; Tue, 28 Mar 2023 16:05:48 +0000 (UTC) 
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1680019549; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=d8uMBUp8zJ4+Z7DdxiGdKIHXTJUv4dPA45emxRYJwFA=; b=iE/nx3N2rO39O/DzHvbAI4PzM3qZwB6uuU8MLlHdHRvn5phdVgt8gKPDBKC5G/E6JXL8+l qDMgh6MIdL+IPeAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1680019549; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=d8uMBUp8zJ4+Z7DdxiGdKIHXTJUv4dPA45emxRYJwFA=; b=p+kANcIXCsu0bc+lMXhMHGRmHxT0Klza6EZIc7frgBpGd7pbR0pyduSuIzixhIjK6vjXmJ s8I7uFWmXRbw9hWJ7cVXkcNPBrUSBBxTw/Vmpo87MHx4vcLg3Qt07NwFyvb5EcQyp2TlxO +FKqp6nlxa5Qaa6P3yD7RfBByicmufaJ6XkgJ8ngfkByoxMdMJm+OpYNTk6GKyLabCE1H9 SBP93GjvEumrX7MocyQsw6WLMuXEQS5FKViF3oO+pPLb3q7LxZgDGGUOutcLTw59QwPrhI ktBQw4xeGIkNj2J1MN9PJ3HomVkZ+tPYuLUocifCuXVfwp2JSyiFEwhBuHA9UQ== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH] update-ipblocklists: Fix loading new blocklists after update Date: Tue, 28 Mar 2023 18:05:42 +0200 Message-Id: <20230328160542.132432-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" * The script needs to run with root permissions in order to do the ipset operations. So remove code to drop the permissions on startup. * Adjust execute calls to use the proper functions from general functions. * Add some code to set the correct ownership (nobody:nobody) for changed files during script runtime. Fixes #13072. 
Signed-off-by: Stefan Schantl
---
 config/cfgroot/ipblocklist-functions.pl | 27 ++++++++++++++++++++++++
 src/scripts/update-ipblocklists | 28 +++++++++++--------------
 2 files changed, 39 insertions(+), 16 deletions(-)
diff --git a/config/cfgroot/ipblocklist-functions.pl b/config/cfgroot/ipblocklist-functions.pl
index ecabf42e8..bd026a01d 100644
--- a/config/cfgroot/ipblocklist-functions.pl
+++ b/config/cfgroot/ipblocklist-functions.pl
@@ -383,4 +383,31 @@ sub get_holdoff_rate($) {
 return $value;
 }
+#
+## sub set_ownership(file)
+##
+## Function to set the correct ownership (nobody:nobody) to a given file.
+##
+#
+sub set_ownership($) {
+ my ($file) = @_;
+
+ # User and group of the WUI.
+ my $uname = "nobody";
+ my $grname = "nobody";
+
+ # The chown function implemented in perl requies the user and group as nummeric id's.
+ my $uid = getpwnam($uname);
+ my $gid = getgrnam($grname);
+
+ # Check if the given file exists.
+ unless ($file) {
+ # Stop the script and print error message.
+ die "The given $file does not exist. Cannot change the ownership!\n";
+ }
+
+ # Change ownership of the file.
+ chown($uid, $gid, "$file");
+}
+
 1;
diff --git a/src/scripts/update-ipblocklists b/src/scripts/update-ipblocklists
index 9918cac41..a17b47999 100644
--- a/src/scripts/update-ipblocklists
+++ b/src/scripts/update-ipblocklists
@@ -32,19 +32,6 @@ require "${General::swroot}/lang.pl";
 # Hash to store the settings.
 my %settings = ();
-# The user and group name as which this script should be run.
-my $run_as = 'nobody';
-
-# Get user and group id of the user.
-my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
-
-# Check if the script currently runs as root.
-if ( $> == 0 ) {
- # Drop privileges and switch to the specified user and group.
- POSIX::setgid( $gid );
- POSIX::setuid( $uid );
-}
-
 # Establish the connection to the syslog service.
 openlog('ipblocklist', 'cons', 'user');
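Review bot: The `unless ($file)` guard in set_ownership only rejects an empty argument, so the comment "Check if the given file exists" and the die message are not backed by any existence test, and a missing path reaches chown() whose return value is ignored, so the failure is silent. Since the script now keeps root for its whole run and Perl's chown() follows symlinks, the guard should also refuse anything that is not a regular file, and the getpwnam/getgrnam results should be verified, because an undef uid or gid is treated as 0 and would hand the file to root rather than to nobody. Suggested replacement for the guard and the chown call: `die "Unknown user or group for $file\n" unless defined $uid && defined $gid;`, `die "The given $file is not a regular file. Cannot change the ownership!\n" if -l $file || ! -f $file;`, `chown($uid, $gid, $file) or die "Cannot change ownership of $file: $!\n";`. The comment typos `requies` and `nummeric` could be fixed at the same time.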
@@ -122,6 +109,12 @@ foreach my $blocklist (@blocklists) {
 &_log_to_syslog(" Could not update $blocklist blocklist - Unexpected error\!");
 }
 } else {
+ # Get the filename of the blocklist.
+ my $ipset_db_file = &IPblocklist::get_ipset_db_file($blocklist);
+
+ # Set the correct ownership.
+ &IPblocklist::set_ownership($ipset_db_file);
+
 # Log successfull update.
 &_log_to_syslog(" Successfully updated $blocklist blocklist.");
@@ -132,22 +125,25 @@ foreach my $blocklist (@blocklists) {
 # Check if a blocklist has been updated and therefore needs to be reloaded.
 if (@updated_blocklists) {
+ # Set correct ownership to the modified file.
+ &IPblocklist::set_ownership($IPblocklist::modified_file);
+
 # Loop through the array.
 foreach my $updated_blocklist (@updated_blocklists) {
 # Get the blocklist file.
 my $ipset_db_file = &IPblocklist::get_ipset_db_file($updated_blocklist);
 # Call safe system function to reload/update the blocklist.
- &General::system("ipset", "restore", "-f", "$ipset_db_file");
+ &General::safe_system("ipset", "restore", "-f", "$ipset_db_file");
 # The set name contains a "v4" as suffix.
 my $set_name = "$updated_blocklist" . "v4";
 # Swap the sets to use the new one.
- &General::system("ipset", "swap", "$set_name", "$updated_blocklist");
+ &General::safe_system("ipset", "swap", "$set_name", "$updated_blocklist");
 # Destroy the old blocklist.
- &General::system("ipset", "destroy", "$set_name");
+ &General::safe_system("ipset", "destroy", "$set_name");
 }
 }
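Review bot: The new `&IPblocklist::set_ownership($ipset_db_file);` call can die (set_ownership in the other file dies when its argument is empty), yet it sits inside the per-blocklist loop whose surrounding branches log failures to syslog and carry on; one bad blocklist would abort the run for every remaining blocklist and skip the reload step that follows, so it is worth wrapping the call in `eval { ... }` with an `&_log_to_syslog(...)` on failure, or having set_ownership report problems through its return value. The same applies to the `&IPblocklist::set_ownership($IPblocklist::modified_file);` call in the following hunk, which runs before any ipset restore and would abort the whole reload. A short why-comment would also help, since the reason is not visible here: `# The script runs as root (ipset needs it), so files it writes must be handed back to the WUI user.` The enclosing foreach loop starts before this hunk and its else branch closes after it.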