Date:      Sun, 31 Aug 2003 11:37:12 -0700
From:      Colin Percival <colin.percival@wadham.ox.ac.uk>
To:        Brett Glass <brett@lariat.org>, Colin Percival <colin.percival@wadham.ox.ac.uk>, stable@freebsd.org
Subject:   Re: Need to build some systems this week. Snapshots?
Message-ID:  <5.0.2.1.1.20030831111519.01c8c728@popserver.sfu.ca>
In-Reply-To: <4.3.2.7.2.20030830184324.03a13a50@localhost>
References:  <5.0.2.1.1.20030828103403.02d683a8@popserver.sfu.ca> <200308280638.AAA19221@lariat.org>

At 12:08 31/08/2003 -0600, Brett Glass wrote:
>I then brought in the "freebsd-update" package to update the system, which 
>should (in theory) have nuked all of the known security holes in the base 
>install.
>
>Alas, what I didn't realize at first (though I should have) was that the 
>package was going to try to update "immutable" files. It couldn't do this, 
>of course, because I'd installed with the "maximum" security settings, 
>which set "securelevel" to 2. It failed to update those files, but gave no 
>warning that it had failed; it was a good thing I noticed.

   If FreeBSD Update fails to "chflags noschg" a file, it should stop with 
the message "Error installing $FILE".  If it didn't, that's a serious bug; 
except...

>  So, I changed /etc/rc.conf, rebooted, and ran freebsd-update again. 
> Alas, freebsd-update told me that the system was fully updated and did nothing.

   FreeBSD Update is stateless.  It keeps old files available for rollback 
purposes, but it does not "remember" that it has updated a file.  If it 
decided that nothing needed to be updated, it did so after checking that 
the MD5 hashes of the currently installed files were correct.
   In short, provided that you haven't rebuilt the world locally, if 
FreeBSD Update reports "No updates available", your system is definitely up 
to date.

>It then occurred to me: What would one do if the freebsd-update package 
>itself had been linked with a buggy library?

   There's only one binary in freebsd-update, and the only library calls it 
makes are to malloc, free, fprintf, fopen, fread, fwrite, and fclose; 
anyway, it's dynamically linked.

>The pkg_delete command issued a warning, however, complaining that it 
>couldn't delete the directory /usr/local/freebsd-update. So, I nuked the 
>directory by hand. (Will this cause future problems? I guess I'll see.)

   /usr/local/freebsd-update/work/ contains the rollback files.  If you 
don't want them, nuking the directory is fine.  (I spent a long time 
wondering if I should nuke the directory as part of the uninstall script, 
until I realized that would cause problems for people who were simply 
upgrading from one version to another.)

> [snip discussion of ports and packages]

   If you want to save time, you could always install all the (potentially 
out of date) packages and run portupgrade.  For dealing with updated 
libraries, the following code might be helpful:

beastie# cat /root/port-rebuild-statics
#!/bin/sh
# Rebuild every installed port that owns a statically linked executable
# which is older than the most recently modified file in /usr/lib.
# Stages: find executables under /usr/local not newer than the newest
# library; keep the ones `file` reports as statically linked; map each
# to its package with pkg_which (a lone "?" means no package owns it, so
# it is dropped); then force-rebuild each package once with portupgrade,
# reading from the tty so interactive prompts still work.

find /usr/local -type f -perm +111 ! -newer                             \
         /usr/lib/`ls -art /usr/lib | tail -1` -print0 |                 \
         xargs -0 file | grep "statically linked" | cut -f 1 -d ':' |    \
         xargs pkg_which | grep -v '^\?$' | sort -u |                    \
         while read x; do portupgrade -fi $x < /dev/tty; done

Colin Percival
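
The two properties discussed above, that the updater is stateless (it decides what to install purely by hashing what is currently on disk) and that a file it cannot replace must produce an "Error installing $FILE" rather than a silent skip, can be shown in a small toy model. The following is an added example written for this archive page; it is not freebsd-update's code and does not use its file formats. The index layout (relative path to expected MD5 plus new content), the workdir rollback naming, and the `immutable` predicate are all assumptions; on BSD the default predicate reads the schg/uchg flag from `st_flags`, and on other systems it reports nothing as immutable, so the demo injects a predicate to stand in for securelevel 2.

```python
"""Toy stateless, fail-loud updater (constructed example, not freebsd-update)."""
import hashlib
import os
import shutil
import stat
import tempfile


def md5_of(path):
    """MD5 of a file's contents, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_immutable(path):
    """True if the file carries the BSD schg/uchg flag.
    st_flags only exists on BSD-derived systems; elsewhere this
    returns False (portability assumption for this example)."""
    st = os.lstat(path)
    flags = getattr(st, "st_flags", 0)
    mask = getattr(stat, "SF_IMMUTABLE", 0) | getattr(stat, "UF_IMMUTABLE", 0)
    return bool(flags & mask)


def apply_updates(index, root, workdir, immutable=is_immutable):
    """index maps relative path -> (expected_md5, new_bytes).
    Returns (updated, errors). Nothing is remembered between runs:
    a file is current if and only if its hash matches the index.
    A file that cannot be replaced is reported, never skipped quietly."""
    updated, errors = [], []
    for rel, (want_md5, new_bytes) in sorted(index.items()):
        target = os.path.join(root, rel)
        present = os.path.exists(target)
        if present and md5_of(target) == want_md5:
            continue  # already up to date, decided by hash alone
        if present and immutable(target):
            errors.append(f"Error installing {rel}")
            continue
        os.makedirs(workdir, exist_ok=True)
        if present:
            # keep the old file so a rollback is possible
            shutil.copy2(target, os.path.join(workdir, rel.replace("/", "_") + ".old"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        tmp = target + ".tmp"
        with open(tmp, "wb") as f:
            f.write(new_bytes)
        os.replace(tmp, target)  # atomic swap into place
        updated.append(rel)
    return updated, errors


def demo():
    """Constructed scenario: one current file, one stale file, one stale
    file that is treated as schg. Runs the updater three times."""
    root = tempfile.mkdtemp()
    work = os.path.join(root, "work")
    new_libc, new_sh, new_login = b"libc v2\n", b"sh v2\n", b"login v2\n"
    index = {
        "lib/libc.so": (hashlib.md5(new_libc).hexdigest(), new_libc),
        "bin/sh": (hashlib.md5(new_sh).hexdigest(), new_sh),
        "bin/login": (hashlib.md5(new_login).hexdigest(), new_login),
    }
    installed = [("lib/libc.so", new_libc), ("bin/sh", b"sh v1\n"), ("bin/login", b"login v1\n")]
    for rel, content in installed:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
    locked = {os.path.join(root, "bin/login")}  # stands in for securelevel 2 + schg
    first = apply_updates(index, root, work, immutable=lambda p: p in locked)
    second = apply_updates(index, root, work, immutable=lambda p: p in locked)
    unlocked = apply_updates(index, root, work, immutable=lambda p: False)
    shutil.rmtree(root)
    return first, second, unlocked


if __name__ == "__main__":
    for label, result in zip(("first", "second", "unlocked"), demo()):
        print(label, result)
```

The second run returns no updates for bin/sh because its hash now matches, without any record of the first run having touched it, which is the "No updates available" behaviour described above; the locked file keeps producing an error on every run until the flag is cleared, instead of disappearing from the report.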




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.0.2.1.1.20030831111519.01c8c728>