From 1d32c50e0306b7b9d304bd0037a99252f9e6eb9a Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Tue, 6 Jul 2021 18:08:29 +0200
Subject: [PATCH 01/11] ddns.cgi: Fix sanity check logic.

The input validation did not work in the proper way. It allways reported "No password" when using a provider which supports token and the token has been given. This of course is wrong and leaded to unuseable providers.

Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---
html/cgi-bin/ddns.cgi | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
index e30aa3d4f..0e3ccbe45 100644
--- a/html/cgi-bin/ddns.cgi
+++ b/html/cgi-bin/ddns.cgi
@@ -171,20 +171,28 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang:: $errormessage = $Lang::tr{'invalid domain name'}; } - # Check if a username has been sent. - if ($settings{'LOGIN'} eq '') { - $errormessage = $Lang::tr{'username not set'}; - } + # Check if the choosen provider supports token based authentication. + if ($settings{'SERVICE'} ~~ @token_provider) { + # Check if a token has been given. + unless ($settings{'TOKEN'}) { + $errormessage = $Lang::tr{'token not set'}; + } - # Check if a password has been typed in. - # freedns.afraid.org does not require this field. - if (($settings{'PASSWORD'} eq '') && ($settings{'SERVICE'} ne 'freedns.afraid.org') && ($settings{'SERVICE'} ne 'regfish.com')) { - $errormessage = $Lang::tr{'password not set'}; - } + # Automatically set the username to token. + $settings{'LOGIN'} = "token"; - # Check if a token has been given for provider which support tokens. - if (($settings{'SERVICE'} ~~ @token_provider) && ($settings{'TOKEN'} eq '')) { - $errormessage = $Lang::tr{'token not set'}; + # A provider without token support has been choosen. + } else { + # Check if a username has been sent. + if ($settings{'LOGIN'} eq '') { + $errormessage = $Lang::tr{'username not set'}; + } + + # Check if a password has been typed in. + # freedns.afraid.org does not require this field. + if (($settings{'PASSWORD'} eq '') && ($settings{'SERVICE'} ne 'freedns.afraid.org') && ($settings{'SERVICE'} ne 'regfish.com')) { + $errormessage = $Lang::tr{'password not set'}; + } } # Go furter if there was no error. From 0fd28c360e123d770017207b434ff1de0cb7ed38 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 9 Jul 2021 12:56:17 +0000 Subject: [PATCH 02/11] fireinfo.cgi: Fix kernel version Signed-off-by: Michael Tremer --- html/cgi-bin/fireinfo.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/fireinfo.cgi b/html/cgi-bin/fireinfo.cgi index e0221c5be..04e36faf4 100644 
--- a/html/cgi-bin/fireinfo.cgi +++ b/html/cgi-bin/fireinfo.cgi @@ -94,7 +94,7 @@ my $ipfire_version = ; close(FILE); my $pakfire_version = &Pakfire::make_version(); -my $kernel_version = &General::system_output("uname", "-a"); +my @kernel_version = &General::system_output("uname", "-a"); &Header::openbox('100%', 'left', $Lang::tr{'fireinfo system version'}); print < $Lang::tr{'fireinfo kernel version'} - $kernel_version + @kernel_version END From 75ee0279ecaa8e5a8ee77d99ab466b4333b071a6 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 9 Jul 2021 13:04:14 +0000 Subject: [PATCH 03/11] pakfire.cgi: Pass packages to install/uninstall as array Signed-off-by: Michael Tremer --- html/cgi-bin/pakfire.cgi | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/html/cgi-bin/pakfire.cgi b/html/cgi-bin/pakfire.cgi index 631587ce2..ff79b2def 100644 --- a/html/cgi-bin/pakfire.cgi +++ b/html/cgi-bin/pakfire.cgi @@ -55,14 +55,14 @@ sub refreshpage{&Header::openbox( 'Waiting', 1, "$Lang::tr{'pakfire install package'}.$cgiparams{'INSPAKS'}.$Lang::tr{'pakfire possible dependency'} +
$Lang::tr{'pakfire install package'}.@pkgs.$Lang::tr{'pakfire possible dependency'}
 END
 		foreach (@output) {
@@ -92,15 +92,14 @@ END
 		exit;
 	}
 } elsif (($cgiparams{'ACTION'} eq 'remove') && (! -e $Pakfire::lockfile)) {
-
-	$cgiparams{'DELPAKS'} =~ s/\|/\ /g;
+	my @pkgs = split(/\|/, $cgiparams{'DELPAKS'});
 	if ("$cgiparams{'FORCE'}" eq "on") {
-		&General::system_background("/usr/local/bin/pakfire", "remove", "--non-interactive", "--no-colors", $cgiparams{'DELPAKS'});
+		&General::system_background("/usr/local/bin/pakfire", "remove", "--non-interactive", "--no-colors", @pkgs);
 	} else {
 		&Header::openbox("100%", "center", $Lang::tr{'request'});
-		my @output = &General::system_output("/usr/local/bin/pakfire", "resolvedeps", "--no-colors", $cgiparams{'DELPAKS'});
+		my @output = &General::system_output("/usr/local/bin/pakfire", "resolvedeps", "--no-colors", @pkgs);
 		print <
$Lang::tr{'pakfire uninstall package'}.$cgiparams{'DELPAKS'}.$Lang::tr{'pakfire possible dependency'} +
$Lang::tr{'pakfire uninstall package'}.@pkgs.$Lang::tr{'pakfire possible dependency'}
 END
 		foreach (@output) {
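Review bot: The elements of `@pkgs` go from the `DELPAKS` request parameter to the pakfire command line and into the heredoc output without any validation. Passing a list keeps each name a separate argument, but an element starting with `-` would presumably still be read by pakfire as an option, and the interpolated `@pkgs` is written into the HTML response unescaped. Filtering right after the split covers both, for example `my @pkgs = grep { /\A[A-Za-z0-9][A-Za-z0-9._+-]*\z/ } split(/\|/, $cgiparams{'DELPAKS'});` (the character class is a suggestion; match it to the real package naming rules). The same applies to `INSPAKS` in the install branch of the first hunk of this patch.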

From 124926ee86efc861167f07c22f66a42ce4eecb1e Mon Sep 17 00:00:00 2001
From: Michael Tremer 
Date: Fri, 9 Jul 2021 13:05:13 +0000
Subject: [PATCH 04/11] pakfire.cgi: Remove confusing dots in install message

Signed-off-by: Michael Tremer 
---
 html/cgi-bin/pakfire.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/pakfire.cgi b/html/cgi-bin/pakfire.cgi
index ff79b2def..42044b61d 100644
--- a/html/cgi-bin/pakfire.cgi
+++ b/html/cgi-bin/pakfire.cgi
@@ -62,7 +62,7 @@ if (($cgiparams{'ACTION'} eq 'install') && (! -e $Pakfire::lockfile)) {
 		&Header::openbox("100%", "center", $Lang::tr{'request'});
 		my @output = &General::system_output("/usr/local/bin/pakfire", "resolvedeps", "--no-colors", @pkgs);
 		print <
$Lang::tr{'pakfire install package'}.@pkgs.$Lang::tr{'pakfire possible dependency'} +
$Lang::tr{'pakfire install package'} @pkgs $Lang::tr{'pakfire possible dependency'}
 END
 		foreach (@output) {
@@ -99,7 +99,7 @@ END
 		&Header::openbox("100%", "center", $Lang::tr{'request'});
 		my @output = &General::system_output("/usr/local/bin/pakfire", "resolvedeps", "--no-colors", @pkgs);
 		print <
$Lang::tr{'pakfire uninstall package'}.@pkgs.$Lang::tr{'pakfire possible dependency'} +
$Lang::tr{'pakfire uninstall package'} @pkgs $Lang::tr{'pakfire possible dependency'}
 END
 		foreach (@output) {

From 6f15b0cbe0765cc9be1b133a070325998bf28f77 Mon Sep 17 00:00:00 2001
From: Michael Tremer 
Date: Fri, 9 Jul 2021 13:19:08 +0000
Subject: [PATCH 05/11] pakfire.cgi: Sleep after running a pakfire command

This is required to have better chances in the race of showing the log
output afterwards.

Signed-off-by: Michael Tremer 
---
 html/cgi-bin/pakfire.cgi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/html/cgi-bin/pakfire.cgi b/html/cgi-bin/pakfire.cgi
index 42044b61d..0cf522ba1 100644
--- a/html/cgi-bin/pakfire.cgi
+++ b/html/cgi-bin/pakfire.cgi
@@ -58,6 +58,7 @@ if (($cgiparams{'ACTION'} eq 'install') && (! -e $Pakfire::lockfile)) {
 	my @pkgs = split(/\|/, $cgiparams{'INSPAKS'});
 	if ("$cgiparams{'FORCE'}" eq "on") {
 		&General::system_background("/usr/local/bin/pakfire", "install", "--non-interactive", "--no-colors", @pkgs);
+		sleep(2);
 	} else {
 		&Header::openbox("100%", "center", $Lang::tr{'request'});
 		my @output = &General::system_output("/usr/local/bin/pakfire", "resolvedeps", "--no-colors", @pkgs);
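Review bot: The fixed `sleep(2);` after `&General::system_background(...)` only narrows the race named in the commit message: every forced install now blocks the request for two seconds, and on a slow system pakfire may still not have started logging by then. The hunk header shows this branch is guarded by `! -e $Pakfire::lockfile`, so, assuming pakfire creates that file once it is running, a bounded wait on it would be more reliable, e.g. `for (1 .. 10) { last if -e $Pakfire::lockfile; sleep(1); }`. At minimum the line deserves a comment such as `# Give pakfire time to start before the page is reloaded and its log is read`. The remove branch in the second hunk carries the same line.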
@@ -95,6 +96,7 @@ END
 	my @pkgs = split(/\|/, $cgiparams{'DELPAKS'});
 	if ("$cgiparams{'FORCE'}" eq "on") {
 		&General::system_background("/usr/local/bin/pakfire", "remove", "--non-interactive", "--no-colors", @pkgs);
+		sleep(2);
 	} else {
 		&Header::openbox("100%", "center", $Lang::tr{'request'});
 		my @output = &General::system_output("/usr/local/bin/pakfire", "resolvedeps", "--no-colors", @pkgs);

From b6cad4d231086bb95b47563aac75b6321dd70c8e Mon Sep 17 00:00:00 2001
From: Michael Tremer 
Date: Fri, 9 Jul 2021 13:23:56 +0000
Subject: [PATCH 06/11] pakfire: Put tar options into an array

Signed-off-by: Michael Tremer 
---
 src/pakfire/lib/functions.sh | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/pakfire/lib/functions.sh b/src/pakfire/lib/functions.sh
index 5918649db..25bd4be1e 100644
--- a/src/pakfire/lib/functions.sh
+++ b/src/pakfire/lib/functions.sh
@@ -22,16 +22,24 @@
 . /etc/sysconfig/rc
 . $rc_functions
 
+TAR_OPTIONS=(
+	--acls
+	--xattrs
+	--xattrs-include='*'
+	--no-overwrite-dir
+	--preserve-permissions
+	--numeric-owner
+)
+
 extract_files() {
 	echo "Extracting files..."
-	tar --acls --xattrs --xattrs-include='*' \
-		-xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
+	tar -xavf /opt/pakfire/tmp/files* "${TAR_OPTIONS[@]}" -C /
 	echo "...Finished."
 }
 
 extract_backup_includes() {
 	echo "Extracting backup includes..."
-	tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / \
+	tar xavf /opt/pakfire/tmp/files* "${TAR_OPTIONS[@]}" -C / \
 		var/ipfire/backup/addons/includes
 	echo "...Finished."
 }
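Review bot: Sharing one array changes what `extract_backup_includes` does: it used to run without `--acls --xattrs --xattrs-include='*'` and now also restores ACLs and every extended attribute stored in the archive, which the commit message does not mention. If that is intended, record it in a comment above the array, e.g. `# Options shared by every extraction into /; ACLs and xattrs are restored for backup includes too`. The name `TAR_OPTIONS` is also the environment variable GNU tar itself reads for default options, so a distinct name such as `PAKFIRE_TAR_ARGS` would avoid confusion. The array syntax additionally requires that this file is only ever sourced by bash, which is not visible in the hunk.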

From c639ab1d31d51b534539ea27516c672cb9f3ec41 Mon Sep 17 00:00:00 2001
From: Michael Tremer 
Date: Fri, 9 Jul 2021 13:25:00 +0000
Subject: [PATCH 07/11] pakfire: Do not delay directory restore

https://www.gnu.org/software/tar/manual/tar.html#Directory-Modification-Times-and-Permissions

Signed-off-by: Michael Tremer 
---
 src/pakfire/lib/functions.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/pakfire/lib/functions.sh b/src/pakfire/lib/functions.sh
index 25bd4be1e..f784cf792 100644
--- a/src/pakfire/lib/functions.sh
+++ b/src/pakfire/lib/functions.sh
@@ -27,6 +27,7 @@ TAR_OPTIONS=(
 	--xattrs
 	--xattrs-include='*'
 	--no-overwrite-dir
+	--no-delay-directory-restore
 	--preserve-permissions
 	--numeric-owner
 )
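Review bot: `--no-delay-directory-restore` is added without a comment, and as far as the manual section linked in the commit message describes it, the option only cancels an earlier `--delay-directory-restore`, none of which appears in this array. If the intent is to guard against that option arriving from elsewhere (for example through tar's own `TAR_OPTIONS` environment variable), a one-line comment would record it: `# Restore directory metadata immediately, even if --delay-directory-restore was set elsewhere`. Without that, the line reads as having no effect.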

From a26986a3b059beeb3f9c37867575dd932f1aa23e Mon Sep 17 00:00:00 2001
From: Michael Tremer 
Date: Fri, 9 Jul 2021 13:25:41 +0000
Subject: [PATCH 08/11] core158: Ship pakfire functions.sh

Signed-off-by: Michael Tremer 
---
 config/rootfiles/core/158/filelists/files | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/rootfiles/core/158/filelists/files b/config/rootfiles/core/158/filelists/files
index 903ae9450..299ce1e2e 100644
--- a/config/rootfiles/core/158/filelists/files
+++ b/config/rootfiles/core/158/filelists/files
@@ -1,6 +1,7 @@
 etc/rc.d/init.d/firewall
 etc/ssh/sshd_config
 opt/pakfire/lib/functions.pl
+opt/pakfire/lib/functions.sh
 opt/pakfire/pakfire
 usr/lib/firewall/ipsec-policy
 var/ipfire/backup/bin/backup.pl

From d0ba077ed3851346b1dd6d82867103df8446aea8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?= 
Date: Wed, 7 Jul 2021 19:27:14 +0200
Subject: [PATCH 09/11] Pakfire: call "sync" in function.sh after having
 extracted archives
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After upgrading to Core Update 157, a small number of users reported their
systems to be unworkable after a reboot. Most of them (the systems, not
the users) were apparently missing the new Linux kernel in their Grub
configuration, causing a non-functional bootloader written to disk.

While we seem to be able to rule out issues related to poor storage
(SDDs, flash cards, etc.) or very high I/O load, it occurred to me we
are not calling "sync" after having extracted a Core Update's .tar.gz
file.

This patch therefore proposes to do so. It is a somewhat homeopathic
approach, though, but might ensure all parts of the system to have
properly processed the contents of an extracted archive. While we cannot
even reasonably guess it will solve the problem(s) mentioned initially,
doing so cannot hurt either.

See also:
https://community.ipfire.org/t/after-update-ipfire-to-157-no-boot/5641/45

Signed-off-by: Peter Müller 
Signed-off-by: Michael Tremer 
---
 src/pakfire/lib/functions.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/pakfire/lib/functions.sh b/src/pakfire/lib/functions.sh
index f784cf792..67986e20e 100644
--- a/src/pakfire/lib/functions.sh
+++ b/src/pakfire/lib/functions.sh
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2012  IPFire Team                       #
+# Copyright (C) 2007-2021  IPFire Team                       #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -35,6 +35,7 @@ TAR_OPTIONS=(
 extract_files() {
 	echo "Extracting files..."
 	tar -xavf /opt/pakfire/tmp/files* "${TAR_OPTIONS[@]}" -C /
+	sync
 	echo "...Finished."
 }
 
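Review bot: `sync` and the `...Finished.` message in `extract_files` run regardless of what `tar` returned, so a failed or partial extraction (full disk, truncated archive) is still reported as finished. Since the commit message is about systems left unbootable after an update, checking the exit status is worth it here: `tar -xavf /opt/pakfire/tmp/files* "${TAR_OPTIONS[@]}" -C / || { echo "...Failed." >&2; return 1; }`. Whether the callers act on the return value is not visible in this hunk. `extract_backup_includes` in the next hunk has the same pattern.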
@@ -42,6 +43,7 @@ extract_backup_includes() {
 	echo "Extracting backup includes..."
 	tar xavf /opt/pakfire/tmp/files* "${TAR_OPTIONS[@]}" -C / \
 		var/ipfire/backup/addons/includes
+	sync
 	echo "...Finished."
 }
 

From db7ef52a91e925a5097d064ebea6723d035e28e8 Mon Sep 17 00:00:00 2001
From: Michael Tremer 
Date: Fri, 9 Jul 2021 15:24:33 +0000
Subject: [PATCH 10/11] core158: Run sshctrl

Signed-off-by: Michael Tremer 
---
 config/rootfiles/core/158/update.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/rootfiles/core/158/update.sh b/config/rootfiles/core/158/update.sh
index 42744e2a7..a0e8d842f 100644
--- a/config/rootfiles/core/158/update.sh
+++ b/config/rootfiles/core/158/update.sh
@@ -74,6 +74,9 @@ ldconfig
 # Filesytem cleanup
 /usr/local/bin/filesystem-cleanup
 
+# Apply local configuration to sshd_config
+/usr/local/bin/sshctrl
+
 # Start services
 /etc/init.d/vnstat restart
 /etc/init.d/rngd restart
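Review bot: The exit status of `/usr/local/bin/sshctrl` is ignored, so if it fails the update carries on with the `sshd_config` shipped in the core 158 file list instead of the administrator's settings. A failure here should be surfaced, for example `/usr/local/bin/sshctrl || echo "sshctrl failed; sshd_config may not reflect the local settings" >&2`. Whether sshd is restarted or reloaded afterwards is not visible in this hunk; if sshctrl does not do that itself, the re-applied configuration only takes effect at the next restart.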

From 37ef9fe4e07a97d3597b9d9e7895652fcfe79150 Mon Sep 17 00:00:00 2001
From: Michael Tremer 
Date: Fri, 9 Jul 2021 16:17:43 +0000
Subject: [PATCH 11/11] stripper: Handle capabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

During the build process, we set capabilities to elevate privileges of
certain programs (e.g. ping). These have been removed during the build
process because of strip.

This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.

Fixes: #12652
Reported-by: Peter Müller 
Signed-off-by: Michael Tremer 
Acked-by: Peter Müller 
Signed-off-by: Michael Tremer 
---
 src/stripper | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/stripper b/src/stripper
index ac5f58ca5..e51463c69 100755
--- a/src/stripper
+++ b/src/stripper
@@ -27,6 +27,10 @@ function _strip() {
 		fi
 	done
 
+	# Fetch any capabilities
+	local capabilities="$(getfattr --no-dereference --name="security.capability" \
+		--absolute-names --dump "${file}")"
+
 	local cmd=( "${strip}" )
 
 	case "$(file -bi ${file})" in
@@ -40,6 +44,11 @@ function _strip() {
 
 	echo "Stripping ${file}..."
 	${cmd[*]} ${file}
+
+	# Restore capabilities
+	if [ -n "${capabilities}" ]; then
+		setfattr --no-dereference --restore=<(echo "${capabilities}")
+	fi
 }
 
 for dir in ${dirs}; do
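Review bot: The restore step does not check `setfattr`, and `local capabilities="$(getfattr ...)"` in the first hunk hides the exit status of `getfattr`, so a failure on either side leaves the stripped binary without its capability and the build says nothing. That is the same silent loss this patch sets out to fix, so it should be reported: `setfattr --no-dereference --restore=<(printf '%s\n' "${capabilities}") || echo "Could not restore capabilities on ${file}" >&2`. `printf` is safer than `echo` for arbitrary dump text, and the process substitution needs bash; the interpreter line is outside the hunk. `_strip` begins before the first hunk, so the rest of its body was not reviewed.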