From a66fe2a79178f68b8c123f1dda569fe696240352 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Fri, 21 May 2021 15:40:38 +0200 Subject: [PATCH 1/6] Core Update 157: Apply changed SSH configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is necessary to fix SSH not starting after upgrading to Core Update 157 unless it's settings are manually written via the WebUI. Reported-by: Erik Kapfer Reported-by: Tom Rymes Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/rootfiles/core/157/update.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh index ce7b6f5bf..a53aa0759 100644 --- a/config/rootfiles/core/157/update.sh +++ b/config/rootfiles/core/157/update.sh @@ -97,6 +97,9 @@ extract_files # update linker config ldconfig +# Apply local configuration to sshd_config +/usr/local/bin/sshctrl + # Update Language cache /usr/local/bin/update-lang-cache From 3359061d68c0e872c18c7baa45b77311c2f8f385 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Fri, 21 May 2021 15:41:05 +0200 Subject: [PATCH 2/6] Core Update 157: Ship backup package to apply changed permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is required as "backup" itself does not gets updated automatically, contrary to it's LFS file suggesting by having a "PAK_VER" number. In order to fix #12619, it is therefore necessary to ship the backup files with Core Update 157. Partially fixes: #12619 Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/rootfiles/core/157/filelists/backup | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/157/filelists/backup diff --git a/config/rootfiles/core/157/filelists/backup b/config/rootfiles/core/157/filelists/backup new file mode 120000 index 000000000..38e28a8b4 --- /dev/null 
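Review bot: Nothing in the added lines checks whether `/usr/local/bin/sshctrl` succeeded, and the script restarts sshd further down (visible as context in patch 4/6), so a failed or partial rewrite of sshd_config would only show up as SSH being unreachable after the update. Because this step exists to restore remote access, I would validate the generated configuration before the restart, for example `sshd -t || echo "sshd_config failed validation after sshctrl" >&2`. It is also worth a comment stating that sshctrl regenerates sshd_config from the WebUI settings, so an administrator knows manual edits to that file are presumably overwritten here. The rest of update.sh lies outside the hunk, so error handling elsewhere in the script cannot be judged from this page.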
+++ b/config/rootfiles/core/157/filelists/backup
@@ -0,0 +1 @@
+../../../common/backup
\ No newline at end of file
From 7ae9f2212278c89365d62589b6d54d7adf39b638 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?=
Date: Fri, 21 May 2021 15:41:29 +0200
Subject: [PATCH 3/6] pppd: Explicitly ship pppd shared object files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These are needed by pppd, but were not previously shipped as such. Instead, since their parent directory at /usr/lib/pppd/${version}/ was not commented out, we implicitly shipped the entire directory. This patch does not change our behaviour in the end, but makes things more transparent to developers.
Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
 config/rootfiles/common/ppp | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp
index 8d0af69c4..d61fdf811 100644
--- a/config/rootfiles/common/ppp
+++ b/config/rootfiles/common/ppp
@@ -38,18 +38,18 @@ etc/ppp/standardloginscript
 #usr/include/pppd/upap.h
 usr/lib/pppd
 usr/lib/pppd/2.4.9
-#usr/lib/pppd/2.4.9/minconn.so
-#usr/lib/pppd/2.4.9/openl2tp.so
-#usr/lib/pppd/2.4.9/passprompt.so
-#usr/lib/pppd/2.4.9/passwordfd.so
-#usr/lib/pppd/2.4.9/pppoatm.so
-#usr/lib/pppd/2.4.9/pppoe.so
-#usr/lib/pppd/2.4.9/pppol2tp.so
-#usr/lib/pppd/2.4.9/radattr.so
-#usr/lib/pppd/2.4.9/radius.so
-#usr/lib/pppd/2.4.9/radrealms.so
-#usr/lib/pppd/2.4.9/rp-pppoe.so
-#usr/lib/pppd/2.4.9/winbind.so
+usr/lib/pppd/2.4.9/minconn.so
+usr/lib/pppd/2.4.9/openl2tp.so
+usr/lib/pppd/2.4.9/passprompt.so
+usr/lib/pppd/2.4.9/passwordfd.so
+usr/lib/pppd/2.4.9/pppoatm.so
+usr/lib/pppd/2.4.9/pppoe.so
+usr/lib/pppd/2.4.9/pppol2tp.so
+usr/lib/pppd/2.4.9/radattr.so
+usr/lib/pppd/2.4.9/radius.so
+usr/lib/pppd/2.4.9/radrealms.so
+usr/lib/pppd/2.4.9/rp-pppoe.so
+usr/lib/pppd/2.4.9/winbind.so
 usr/sbin/chat
 usr/sbin/pppd
 usr/sbin/pppdump
From 488e29e033097eadabd152e97022b71c21e6a414 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Fri, 21 May 2021 15:41:50 +0200 Subject: [PATCH 4/6] Core Update 157: Delete shared object files leftover from pppd 2.4.8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/rootfiles/core/157/update.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh index a53aa0759..94b10723f 100644 --- a/config/rootfiles/core/157/update.sh +++ b/config/rootfiles/core/157/update.sh @@ -124,6 +124,10 @@ rm -f \ /usr/lib/dma-mbox-create \ /usr/lib/openssh/ssh-keysign +# Delete orphaned pppd 2.4.8 shared object files +rm -rf \ + /usr/lib/pppd/2.4.8/ + # Start services /etc/init.d/sshd restart /etc/init.d/apache restart From b6e3a3eec9e0848b339bbe60ad475ff9f583aed3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Fri, 21 May 2021 15:42:14 +0200 Subject: [PATCH 5/6] nagios-plugins: Set SUID bit for plugins which need it to function properly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- lfs/nagios-plugins | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/lfs/nagios-plugins b/lfs/nagios-plugins index d35a94bbe..cdf1910b0 100644 --- a/lfs/nagios-plugins +++ b/lfs/nagios-plugins @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nagios-plugins -PAK_VER = 5 +PAK_VER = 6 DEPS = 
@@ -92,4 +92,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Prevent Nagios plugins from being owned (and hence writeable) by "nobody" chown root:root -R /usr/lib/nagios/plugins + # Unfortunately, some of these plugins need the SUID bit to do their work properly + chmod +s \ + /usr/lib/nagios/plugins/check_dhcp \ + /usr/lib/nagios/plugins/check_icmp \ + /usr/lib/nagios/plugins/check_ide_smart \ + /usr/lib/nagios/plugins/check_ping + @$(POSTBUILD) From 2b51f53cfd32d6f24aba49c8fde822be8bee6d56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Fri, 21 May 2021 15:42:36 +0200 Subject: [PATCH 6/6] Icinga: Do not ship event handlers for Nagios MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These are owned (hence being writable) by "nobody", posing a potential security risk. Since the files itself were already exluded from being shipped, their parent directory should be as well. This patch should reduce the amount of executable files being owned by nobody to zero after upgrading to Core Update 157. Due to complexity reasons, not all applications available in Pakfire could be tested, though, so your mileage may vary. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/rootfiles/packages/icinga | 2 +- lfs/icinga | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/packages/icinga b/config/rootfiles/packages/icinga index f81ba9db2..000be6346 100644 --- a/config/rootfiles/packages/icinga +++ b/config/rootfiles/packages/icinga @@ -25,7 +25,7 @@ usr/bin/icinga usr/bin/icingastats #usr/lib/icinga usr/lib/icinga/p1.pl -usr/lib/nagios/plugins/eventhandlers +#usr/lib/nagios/plugins/eventhandlers #usr/lib/nagios/plugins/eventhandlers/disable_active_service_checks #usr/lib/nagios/plugins/eventhandlers/disable_notifications #usr/lib/nagios/plugins/eventhandlers/distributed-monitoring diff --git a/lfs/icinga b/lfs/icinga index 6534722ac..456f66388 100644 
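Review bot: The added `chmod +s \` sets the setgid bit as well as the setuid bit on all four plugins, although the comment above it only asks for SUID; `chmod u+s \` would grant exactly what the comment describes. Coming right after `chown root:root -R /usr/lib/nagios/plugins`, this makes the four files setuid-root, and nothing in the hunk restricts who may execute them, so the list should be kept as short as possible. In particular, check_ping usually calls the system ping binary rather than opening a raw socket itself (to be confirmed for this build), in which case it does not need the bit at all. I would also extend the comment to say per plugin why root is required (raw sockets for check_icmp and check_dhcp, device ioctls for check_ide_smart), so a later audit of setuid files can verify each entry. The $(TARGET) recipe begins outside the hunk, so any mode changes made earlier in it are not visible here.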
--- a/lfs/icinga +++ b/lfs/icinga @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = icinga -PAK_VER = 4 +PAK_VER = 5 DEPS = nagios-plugins