Date:      Tue, 21 Aug 2012 07:04:47 +1000
From:      Peter Jeremy <peter@rulingia.com>
To:        Paul Schenkeveld <freebsd@psconsult.nl>
Cc:        freebsd-security@freebsd.org
Subject:   Re: getting the running patch level
Message-ID:  <20120820210447.GB27130@aspire.rulingia.com>
In-Reply-To: <20120819144637.GA17778@psconsult.nl>
References:  <31946.192.168.0.107.1344505442.squirrel@mail.redix.it:443> <20120819144637.GA17778@psconsult.nl>

On 2012-Aug-19 16:46:37 +0200, Paul Schenkeveld <freebsd@psconsult.nl> wrote:
>  - Teach both installworld and freebsd-update to maintain manifest
>    files of what is installed and log that update, place all manifests
>    somewhere under /var/db and the update log in /var/log.

I'm not sure what detail you intend here.  One line per installworld
or similar sounds OK.  One line per file seems excessive - especially
if you intend to retain history ("df -ki" suggests that a base install
is around 30,000 files).

>  - Having manifests of what's installed, one could check if all files
>    are still the right version, if older manifests are not discarded
>    when performing an update this could also detect files that were
>    not updated for whatever reason or that were reverted, i.e. by
>    restoring some backup.  E.g.:
>
>      Current userland version: 8.3-RELEASE-p4
>      /usr/sbin/named is at 8.3-RELEASE-p2
>      /usr/bin/openssl is at 8.3-RELEASE

How do you envisage this tool determining that /usr/sbin/foo is at
8.3-RELEASE-p2 and this is incorrect when userland is at (eg)
8.3-RELEASE-p4?  Note that updating your system from 8.3-RELEASE-p2 to
8.3-RELEASE-p4 may not change /usr/sbin/foo and therefore it will
remain untouched.

>The /etc/issue file mentioned several times in this thread is like motd
>but intended to be shown before a login prompt.  This works for console
>logins (getty) but not for remote logins.

SSH includes provision for displaying information prior to login - see
the "Banner" option in sshd_config.  Note that this is most definitely
the wrong place to include system version details.

-- 
Peter Jeremy

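Added example, not part of the original message or of any FreeBSD tool: a sketch of the manifest check discussed above, in which a file's expected version is the newest patch level that actually replaced it, so a file last changed at -p2 is correct on a -p4 userland. It assumes each patch level keeps a manifest of only the files it replaced, with SHA-256 hashes; the manifest layout, the function names and all sample data are hypothetical.

```python
import hashlib

def h(data: bytes) -> str:
    """SHA-256 hex digest; stands in for hashing a file on disk."""
    return hashlib.sha256(data).hexdigest()

# Constructed manifests, oldest first. Assumption: each patch level records
# only the files it replaced. Contents are made-up strings, not real binaries.
MANIFESTS = [
    ("8.3-RELEASE", {"/usr/sbin/named": h(b"named-r0"),
                     "/usr/bin/openssl": h(b"openssl-r0"),
                     "/bin/ls": h(b"ls-r0")}),
    ("8.3-RELEASE-p2", {"/usr/sbin/named": h(b"named-p2")}),
    ("8.3-RELEASE-p4", {"/usr/bin/openssl": h(b"openssl-p4")}),
]

def expected_state(manifests):
    """Fold manifests in order: path -> (level that last changed it, hash)."""
    state = {}
    for level, files in manifests:
        for path, digest in files.items():
            state[path] = (level, digest)
    return state

def audit(manifests, installed):
    """installed maps path -> hash found on disk; returns path -> verdict."""
    report = {}
    for path, (level, digest) in expected_state(manifests).items():
        actual = installed.get(path)
        if actual is None:
            report[path] = "missing"
        elif actual == digest:
            report[path] = f"ok (last changed in {level})"
        else:
            # Not current: see whether it matches an older shipped version.
            older = [lvl for lvl, files in manifests if files.get(path) == actual]
            report[path] = f"stale, matches {older[-1]}" if older else "unknown content"
    return report

if __name__ == "__main__":
    # Constructed disk state for a userland nominally at 8.3-RELEASE-p4.
    on_disk = {"/usr/sbin/named": h(b"named-p2"),      # untouched since p2: fine
               "/usr/bin/openssl": h(b"openssl-r0"),   # reverted or never updated
               "/bin/ls": h(b"locally-modified")}      # matches no manifest
    for path, verdict in sorted(audit(MANIFESTS, on_disk).items()):
        print(f"{path}: {verdict}")
```

Retaining the older manifests is what lets the check tell a reverted file from one with unrecognised content.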


