Testing DNS Redirect code snippet

timf · 23 December 2020 18:21

I think it would need a new file in src/misc-progs - there doesn’t seem to be an existing file that does the firewall restart, but it’s easy enough to add a new one.

luani · 23 December 2020 18:23

Hi Jon,
I just got your mail. So if I understand you correctly, you need a “Restart Firewall” button (which executes system('/etc/rc.d/init.d/firewall restart >/dev/null');) added to optionsfw.cgi?
Regards, Leo

jon · 23 December 2020 18:40

Leo - You may want to read thru the above. When the above command runs nothing happens.

mfischer · 23 December 2020 19:45

Hi,

@luani:

Just to clear things up: the Save and Restart-button already exists.

He should do (Code snippet from above):

    system("/usr/local/bin/firewallctrl");
	system("/etc/rc.d/init.d/firewall restart >/dev/null 2>&1 ");  # <=== THIS IS NOT WORKING FROM GUI!

The line /usr/local/bin/firwallctrl is working. Settings are saved.

The problem comes with either /etc/rc.d/init.d/firewall restart or with a new command system("/usr/local/bin/optionsfw.ctrl"); You mentioned this.

Code for optionsfwctrl.c can be found here.

The second command(s) only run from a root console.

I’m searching for a practical and safe solution for this…

Best,
Matthias

luani · 23 December 2020 19:53

Hi Jon, hi Matthias,
I’m sorry, I misread your last messages and thought you got it working. Thanks for the clarification.

So actually you are looking for a secure way to execute specific root commands from the web interface?

mfischer · 23 December 2020 20:08

Hi Leo,

Exactly.

I have a few ideas - but no breakthrough…

luani · 23 December 2020 21:31

Hi Matthias,
I had a quick look around the sources and I think I have an idea.
There is a file called “unboundctrl.c” which apparently is able to call init scripts. So I tried to figure out what they did differently.

github.com

ipfire/ipfire-2.x/blob/c4f1f56157955c018510f7cd20f3d4c21cb294bd/src/misc-progs/unboundctrl.c#L27


	if (!(initsetuid()))
		exit(1);
	if (argc < 2) {
		fprintf(stderr, "\nNo argument given.\n\nunboundctrl restart|reload\n\n");
		exit(1);
	}
	if (strcmp(argv[1], "restart") == 0) {
		safe_system("/etc/rc.d/init.d/unbound restart");
	} else if (strcmp(argv[1], "reload") == 0) {
		safe_system("/etc/rc.d/init.d/unbound reload");
	} else {
		fprintf(stderr, "\nBad argument given.\n\nunboundctrl restart|reload\n\n");
		exit(1);
	}
	return 0;
}

This unboundctrl is used in three CGIs and I’m pretty sure it works as intended.

github.com

ipfire/ipfire-2.x/blob/a9f69cbf01cd306dbc20c5761eedcdd97bc492e8/html/cgi-bin/dnsforward.cgi#L127


		$changed = 'yes';
	} else {
		# stay on edit mode if an error occur
		if ($cgiparams{'EDITING'} ne 'no')
		{
			$cgiparams{'ACTION'} = $Lang::tr{'edit'};
			$cgiparams{'ID'} = $cgiparams{'EDITING'};
		}
	}
	# Restart unbound
	system('/usr/local/bin/unboundctrl reload >/dev/null');
}
###
# Remove existing entries.
#
if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})
{
	my $id = 0;
	open(FILE, ">$filename") or die 'Unable to open config file.';
	flock FILE, 2;

Now I think the missing piece of the puzzle is hidden in the Makefile. There is a list called “SUID_PROGS”:

github.com

ipfire/ipfire-2.x/blob/a9f69cbf01cd306dbc20c5761eedcdd97bc492e8/src/misc-progs/Makefile#L26


# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
CC      = gcc
CFLAGS ?= -O2 -Wall
LIBS    = -lsmooth -lnewt
PROGS = iowrap
SUID_PROGS = squidctrl sshctrl ipfirereboot \
	ipsecctrl timectrl dhcpctrl suricatactrl \
	applejuicectrl rebuildhosts backupctrl collectdctrl \
	logwatch wioscan wiohelper openvpnctrl firewallctrl \
	wirelessctrl getipstat qosctrl launch-ether-wake \
	redctrl syslogdctrl extrahdctrl sambactrl upnpctrl \
	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
	setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
	getconntracktable wirelessclient torctrl ddnsctrl unboundctrl \
	captivectrl
SUID_UPDX = updxsetperms

I think your “optionsfwctrl.c” must be included in this list…? And then it should work. At least, I hope you haven’t tried that yet
I am not at all familiar with the IPFire 2 build system, so I could be wrong. Might be worth investigating though.

mfischer · 24 December 2020 00:36

Hi Leo,

Many thanks for this tip - but sorry, I did this. But since I didn’t know it better, I used firewallctrl.c as “source” file.

Result (optionsfwctrl.c):

/* This file is part of the IPFire Firewall.
 *
 * This program is distributed under the terms of the GNU General Public
 * Licence.  See the file COPYING for details.
 *
 */

#include <stdlib.h>
#include "setuid.h"

int main(void)
{
	if (!(initsetuid()))
		exit(1);

	safe_system("/etc/rc.d/init.d/firewall restart >/dev/null 2>&1");

	return 0;
}

The compiled file doesn’t work from GUI - but as root from a root console.

Did I miss something? In the ‘include’-lines? Or syntax?

timf · 24 December 2020 11:47

Check the ownership and permissions - it should probably be owned by root and have the sticky bit set.

mfischer · 24 December 2020 15:35

Hi Tim,

Done.

Doesn’t work. Its exactly the same as before. Saving settings is ok, but the second command is only executed from root console.

CGI contains:

system("/usr/local/bin/firewallctrl");
system("/usr/local/bin/optionsfwctrl >/dev/null 2>&1 ");

Current rights:

root@ipfire: /usr/local/bin # ls optionsfwctrl -ls
16 -rwsr-x--T 1 root nobody 14640 Dec 24 13:31 optionsfwctrl

luani · 24 December 2020 17:52

Hi Matthias,

I wrote a quick optionsfwctrl based on unboundctrl on my development system. Compiled and started from web interface via “system();”, I got this output:

Setting up firewall [ OK ]

Exit code was “0”

Is there a log entry or something so I can verify that this really worked?

Edit: Here is what I did after compile & copy to /usr/local/bin:

#: chown root:nobody optionsfwctrl
#: chmod 4750 optionsfwctrl
#: ls optionsfwctrl -l
-rwsr-x— 1 root nobody 18064 Dec 24 18:27 optionsfwctrl

mfischer · 24 December 2020 23:42

Hi Leo,

interesting… -v please.

How did you do this? Starting from GUI never showed me an exit code!?

Based on your hint I modified unboundctrl.c - now testing.

Changing my existing optionsfwctrl.c to ‘root:nobody / 4750’ had no effect.

(Time passes…)

Ok - Done.

I took unboundctrl.c and rewrote it to execute safe_system("/etc/rc.d/init.d/firewall restart"); or safe_system("/etc/rc.d/init.d/firewall reload");
Used the same owner / rights as you.
Saving settings works but firewall does NOT restart. sigh

I still think that the main goal is the fact that the command /etc/rc.d/init.d/firewall restart needs to start a whole lot of ‘iptables’-commands with root privileges. And I just can’t get this to work from within GUI.

hvacguy · 25 December 2020 01:14

Add notation or popup “reboot required”

mfischer · 25 December 2020 08:10

@hvacguy
Hi Shaun,

this is already done automatically while hitting Save.

I’ll just add a few screenshots to demonstrate:

The patched optionsfw.cgi looks like this. I added DNS, NTP-switches. And: options for BLUE are only shown if BLUE exists:

These switches (should!) add a few REDIRECT rules - or delete them, if they exist - in the CUSTOMPREROUTING chain:

The adding - or deleting - of these rules has to be done with the command /etc/rc.d/init.d/firewall restart - and I like to trigger this through an added Save and Restart button at the end of optionsfw.cgi:

So when hitting Save not only the page settings are saved - as before - but additionally the firewall settings should be restarted “for changes to take effect”…

And because its the same procedure as before - plus a “few” tuning measures - the usual message appears after choosing Save And Restart:

Note that I changed the Force DNS on GREEN option.

But the CUSTOMPREROUTING chain isn’t changed, the rules for GREEN are still there:

And I’d like to avoid a complete reboot…

Doing exactly the same through a root console with executing /usr/local/bin/optionsfwctrl restart - a newly added program - works.

mfischer · 25 December 2020 12:44

Hi,

Problem solved. Everything is working.

Thanks to Shaun - explaining the whole thing once more helped me to find the solution.

It could have worked much earlier, there was just one line missing.

To make things short:

In the relevant code block from optionsfw.cgi the Save command-string system("/usr/local/bin/firewallctrl"); is used twice. Duh!

And so I had to add the Restart-command twice, too.

The complete block now reads (beginning with line 96):

...
#Get GUI values
&Header::getcgihash(\%settings);
if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
<->if ($settings{'defpol'} ne '1'){
<-><->$errormessage .= $Lang::tr{'new optionsfw later'};
<-><->&General::writehash($filename, \%settings);             # Save good settings
<-><->system("/usr/local/bin/firewallctrl");
<->}else{
<-><->if ($settings{'POLICY'} ne ''){
<-><-><->$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
<-><->}
<-><->if ($settings{'POLICY1'} ne ''){
<-><-><->$fwdfwsettings{'POLICY1'} = $settings{'POLICY1'};
<-><->}
<-><->my $MODE = $fwdfwsettings{'POLICY'};
<-><->my $MODE1 = $fwdfwsettings{'POLICY1'};
<-><->%fwdfwsettings = ();
<-><->$fwdfwsettings{'POLICY'} = "$MODE";
<-><->$fwdfwsettings{'POLICY1'} = "$MODE1";
<-><->&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
<-><->&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
<-><->system("/usr/local/bin/firewallctrl");
<->}
<->&General::readhash($filename, \%settings);             # Load good settings
}

if ($settings{'ACTION'} eq $Lang::tr{'fw settings save and restart'}) {
<->if ($settings{'defpol'} ne '1'){
<-><->$errormessage .= $Lang::tr{'new optionsfw later'};
<-><->&General::writehash($filename, \%settings);             # Save good settings
<-><->system("/usr/local/bin/firewallctrl");
<-><->system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1");
<->}else{
<-><->if ($settings{'POLICY'} ne ''){
<-><-><->$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
<-><->}
<-><->if ($settings{'POLICY1'} ne ''){
<-><-><->$fwdfwsettings{'POLICY1'} = $settings{'POLICY1'};
<-><->}
<-><->my $MODE = $fwdfwsettings{'POLICY'};
<-><->my $MODE1 = $fwdfwsettings{'POLICY1'};
<-><->%fwdfwsettings = ();
<-><->$fwdfwsettings{'POLICY'} = "$MODE";
<-><->$fwdfwsettings{'POLICY1'} = "$MODE1";
<-><->&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
<-><->&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
<-><->system("/usr/local/bin/firewallctrl");
<-><->system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1");
<->}
<->&General::readhash($filename, \%settings);             # Load good settings
}
...

That was all folks…

Best,
Matthias

jon · 29 December 2020 02:30

Matthias @mfischer -

Can you post the latest & greatest optionsfw.cgi (and any other files related to DNS/NTP redirect)? I’d like to load it up and give it a try.

Thanks!

mfischer · 29 December 2020 09:59

@jon

You got a PM…

jon · 30 May 2022 03:50

Fixed!

Patch here:
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=21b37391f9769718df7bd726453140f4ec8ff1c0