From: Devin Teske
Subject: Re: svn commit: r293227 - head/etc
Date: Tue, 5 Jan 2016 21:10:52 -0800
To: Warner Losh
Cc: Bruce Evans, Ian Lepore, Warner Losh, src-committers, "svn-src-all@freebsd.org", "svn-src-head@freebsd.org", Devin Teske

> On Jan 5, 2016, at 8:09 PM, Warner Losh wrote:
>
> The correct fix is
>
> chflags -R 0 firstboot
> rm -rf firstboot
>
> If you still can't remove it, too bad. Checking to make sure it worked really isn't
> the unix way. Sometimes when you do stupid things, stupid results happen.
>

You forgot to drop the mic and walk out.

Looks good to me.
-- 
Devin

> Warner
>
>> On Tue, Jan 5, 2016 at 8:16 PM, Devin Teske wrote:
>> This e-mail is extremely hard to parse and I think you are mistaken.
>>
>> The -f flag is more than just a counter to a possible -i
>>
>> Try to rm a file that has schg
>> You will get a prompt without -i
>> Adding -f will abate the prompt to attempt override of schg flag.
>>
>> There are more conditions in rm that lead to a prompt than simply those conditions involving -i and adding -f abates them all.
>>
>> --
>> Devin
>>
>> > On Jan 5, 2016, at 6:48 PM, Bruce Evans wrote:
>> >
>> > On Tue, 5 Jan 2016, Ian Lepore wrote:
>> >
>> >>> Log:
>> >>> Use the more proper -f.
>> >>> Leave /bin/rm in place since that's what
>> >>> other rc scripts have, though it isn't strictly necessary.
>> >
>> > "proper -f" is hard to parse. I think you mean:
>> >
>> > Use 'rm -f' to turn off -i in case rm is broken and is an alias which
>> > has -i (and perhaps actually even something resembling rm) in it. More
>> > precisely, use 'rm -f /usr/bin' to partly defend against the same bug
>> > in /bin/rm (where it would be larger). Keep using /usr/rm instead of
>> > restoring the use of plain rm since that is what other rc scripts have.
>> > The previous change to use /bin/rm instead of plain rm was neither
>> > necessary nor sufficient for fixing the bug. Neither is this one, but
>> > it gets closer. It is a little-known bug in aliases that even absolute
>> > pathnames can be aliased. So /bin/rm might be aliased to 'rm -ri /'.
>> > Appending -f would accidentally help for that too, by turning it into
>> > a syntax error, instead of accidentally making it more forceful by
>> > turning -ri into -rf.
>> >
>> > Hopefully this is all FUD. Non-interactive scripts shouldn't source any
>> > files that are not mentioned in the script. /etc/rc depends on a secure
>> > environment being set up by init and probably gets it since init doesn't
>> > set up much. sh(1) documents closing the security hole of sourcing the
>> > script in $ENV for non-interactive shells, but was never a problem for
>> > /etc/rc since init must be trusted to not put security holes in $ENV.
>> > But users could put security holes in a sourced config file like
>> > /etc/rc.conf.local.
>> >
>> >>> Modified: head/etc/rc >> >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >> >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D >> >>> --- head/etc/rc Tue Jan 5 21:20:46 2016 (r293226) >> >>> +++ head/etc/rc Tue Jan 5 21:20:47 2016 (r293227) 
>> >>> @@ -132,9 +132,9 @@ done >> >>> # Remove the firstboot sentinel, and reboot if it was requested. >> >>> if [ -e ${firstboot_sentinel} ]; then >> >>> [ ${root_rw_mount} =3D "yes" ] || mount -uw / >> >>> - /bin/rm ${firstboot_sentinel} >> >>> + /bin/rm -f ${firstboot_sentinel} >> >>> if [ -e ${firstboot_sentinel}-reboot ]; then >> >>> - /bin/rm ${firstboot_sentinel}-reboot >> >>> + /bin/rm -f ${firstboot_sentinel}-reboot >> >>> [ ${root_rw_mount} =3D "yes" ] || mount -ur / >> >>> kill -INT 1 >> >>> fi
>> >>
>> >> Using rm -f to suppress an error message seems like a bad idea here --
>> >> if the sentinel file can't be removed that implies it's going to do
>> >> firstboot behavior every time it boots, and that's the sort of error
>> >> that should be in-your-face. Especially on the reboot one because
>> >> you're going to be stuck in a reboot loop with no error message.
>> >
>> > Er, -f on rm only turns off -i and suppresses the warning message for
>> > failing to remove nonexistent files. But we just tested that the file
>> > exists, and in the impossible event of a race making it not exist by
>> > the time that it runs, we have more problems than the failure of rm
>> > since we use the file's existence as a control for other things.
>> >
>> > So the only effect of this -f is to turn off -i, which can only be set
>> > if the FUD was justified.
>> >
>> > The correct fix seems to be 'unalias -a'.
>> >
>> > Bruce
>> >
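
Review bot: In the `-reboot` branch, `kill -INT 1` is reached whether or not the two `/bin/rm -f` calls removed anything; neither exit status is checked, and the `mount -uw /` before them is not checked either. If the removals fail (for example because the root filesystem is still read-only), the next boot passes both `[ -e ... ]` tests again and reaches `kill -INT 1` again. Consider re-testing `[ -e ${firstboot_sentinel} ]` and `[ -e ${firstboot_sentinel}-reboot ]` after each rm and, when the file is still present, printing an error and skipping the reboot. The `${firstboot_sentinel}` and `${root_rw_mount}` expansions are also unquoted in the tests and in the rm arguments; quoting them would keep an empty value or one containing whitespace from changing what the test and rm operate on.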