- Currently if the urlfilter update is enabled then autoupdate.pl is renamed urlfilter and
added into either the daily, weekly or monthly fcron directories. If the update is
disabled then the urlfilter update script stays in the directory and is not removed.
- This patch adds in the option of remove to the urlfilterctrl program. The first part
of the urlfilterctrl.c code removes any existing symlinks so all that needs to be done
for the remove option is to not add any symlinks to the fcron directories.
- Confirmed in a vm testbed that the current approach leaves the symlink in place. Installed
the changes from this and the previous patch and confirmed that when the url update is
disabled the symlink is removed.
Fixes: Bug#10649
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch will return the exit code from the called process which has
not been done before. This made it more difficult to catch any
unsuccessful calls from the web UI.
Partly Fixes: #12863
Tested-by: Jon Murphy <jon.murphy@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There used to be a time where the authenticator crashed when the OpenVPN
daemon went away which is causing issues.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* Addonctrl will now check in addon metadata for the exact initscript
names (Services). If more than one initscript is defined for an addon,
the requested action will be performed on all listed initscripts.
* Added possibility to perform action on a specific initscript of an
addon instead of on all initscripts of the addon.
* New action 'list-services' to display a list of services related to
an addon.
* New action 'boot-status' to display whether service(s) are enabled
to start on boot or not.
* More error checking and cleaner error reporting to user
* General cleanup and code restructuring to avoid code duplication
* Updated and made usage instructions more verbose.
Fixes: Bug#12935
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
If the CRL is outdated for some reason (e.g. a backup restored from ISO
where we don't run the migration scripts), this will update it on
reboot/restart of the service.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The scope option does not seem to work at all now, which is surprising
since I tested it quite well.
The secondary flag cannot be set from userspace (apparently), but it
works, so I would prefer to go with this option for now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
I am not sure what the rationale is here, but we should probably not do
this. Other hosts on the network will be able to update their ARP caches
properly.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
This is a little patch which will extend the aliases page to offer an
interface selection if there are more than one RED interfaces.
This is a little hack to make configuration easier for users who have
manually set up more than one RED interface (e.g. for load balancing or
fail-over) and want to use the UI to configure firewall rules.
As a little benefit on the side, I had to rewrite setaliases.c to use
ip(8) instead of ifconfig(8).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
This script runs aside of OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.
If a client has 2FA enabled, it will be challenged for the current token
which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We have some scripts in /usr/local/bin which cannot be found by any
misc-progs which is fixed by this patch.
Fixes: #12811
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.
There is no need in shipping all these files en bloc, as their
functionality won't change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
* Return output of iptables directly instead of writing it to files.
* Make iptables wait for 5s if xtables is locked by another iptables
process. (--wait 5 argument)
* Add optional parameter "-x" to have iptables report exact numbers.
* Add optional parameter "-f" to display the filter table (default).
* Add optional parameter "-n" to display the nat table.
* Add optional parameter "-m" to display the mangle table.
* Adapt iptables.cgi and guardian.cgi to catch getipstat output
instead of reading temp-files.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It is complicated to set the password in the C helper binary.
Therefore it is being set by a helper script.
This is still not an optimal solution since the password might be
exposed to the shell environment, but has the advantage that shell
command injection is no longer possible.
Fixes: #12562
Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There is no need for this being implemented and it is dangerous to allow
the user to create any shell accounts or users that belong to groups
with higher privileges.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This function invokes a new command similar to safe_system()
but without launching a shell before.
That way, it is possible to execute commands without any risk
of shell command injection from nobody.
Fixes: #12562
Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
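The shell-free execution described in the commit above, as an added C example that is not IPFire's misc-progs code: it forks, execvp()s an explicit argument vector and returns the child's exit status, so an argument containing ';', '|' or '$' reaches the program as plain bytes rather than being parsed by /bin/sh. The names run_no_shell and demo_* are hypothetical, and the metacharacter-laden argument is constructed for illustration.

```c
/* Added example, not IPFire's code: execute a program by explicit argv
 * with fork()/execvp() and no intermediate shell, returning the child's
 * exit status. Because no shell is launched, nothing in argv is ever
 * interpreted as shell syntax. The function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] with the given argument vector. Returns the child's exit
 * status (0..255), 127 if the program could not be executed, 128+signal
 * if it was killed by a signal, or -1 if fork()/waitpid() failed. */
int run_no_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: replace the process image directly. No /bin/sh is
         * involved, so metacharacters in argv are just bytes. */
        execvp(argv[0], argv);
        /* Only reached if exec failed; 127 mirrors the shell convention. */
        _exit(127);
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }

    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/* A constructed argument with shell metacharacters: handed to /bin/true as
 * one literal argument, it is ignored; with system() it would be parsed. */
int demo_literal_argument(void) {
    char *const argv[] = { "true", "arg; echo injected", NULL };
    return run_no_shell(argv);
}

int demo_true(void) {
    char *const argv[] = { "true", NULL };
    return run_no_shell(argv);
}

int demo_false(void) {
    char *const argv[] = { "false", NULL };
    return run_no_shell(argv);
}

int demo_missing(void) {
    char *const argv[] = { "no-such-program-xyz", NULL };
    return run_no_shell(argv);
}

int main(void) {
    printf("true    -> %d\n", demo_true());
    printf("false   -> %d\n", demo_false());
    printf("missing -> %d\n", demo_missing());
    printf("literal -> %d\n", demo_literal_argument());
    return 0;
}
```

The caller must build argv itself, one element per argument; the point of the design is that no string is ever concatenated into a command line, so the web UI's user-supplied values cannot alter which programs run.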
The helper binary is being dropped and etherwake is enabled
for CAP_NET_RAW. This allows execution by unprivileged users
as needed by the web user interface (nobody).
Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org>
Fixes: #12562
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Samba is always linked against CUPS and therefore there is
no way to disable printing anyways.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This variable is no longer being used and was only used to
assign IP addresses to the individual interfaces.
However, the kernel knows best which IP address to select
as broadcast address for each network. Therefore we depend
on the kernel which allows us to support RFC3021.
Fixes: #12486 - no /31 transfer net available on red
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It could happen that the remote peer re-established the connection
before "ipsec reload" removed it from the daemon.
Now, we write the configuration files first, reload them
and then bring down any connections that are still established.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>