From owner-freebsd-security@FreeBSD.ORG Tue Jan 6 22:08:12 2015
From: Dag-Erling Smørgrav
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Tue, 06 Jan 2015 23:07:58 +0100
Message-ID: <86pparef5t.fsf@nine.des.no>
In-Reply-To: <20150106200824.C03045ED5@smtp.des.no> (Roger Marquis's message of "Tue, 6 Jan 2015 11:59:32 -0800")
References: <20141223233310.098C54BB6@nine.des.no> <86h9wln9nw.fsf@nine.des.no> <549A5492.6000503@grosbein.net> <868uhx43i5.fsf@nine.des.no> <20141226200838.DE83DACE@hub.freebsd.org> <8661cy9jim.fsf@nine.des.no> <20141231195427.AECE022B@hub.freebsd.org> <86y4plgjnm.fsf@nine.des.no> <20150106200824.C03045ED5@smtp.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (berkeley-unix)
List-Id: "Security issues [members-only posting]"

"Roger Marquis" writes:
> "Dag-Erling Smørgrav" writes:
> > I do it all the time:
> > $ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install
> Not sure if using a jail to test is relevant but this never updates (my)
> binaries to the specified RELEASE/RELENG, only to the current kernel's patch
> level.

No, it updates everything.  Like I said, I do this all the time, including
with jails that run a different release than the host system.

> Then there's the issue of specifying -RELEASE to mean -RELENG.

There is no such thing as -RELENG.  See sys/conf/newvers.sh.

> > Actually, you want to do this from *outside* the jail, partly out of
> > healthy paranoia and partly so freebsd-update will re-use previously
> > downloaded indexes and patches
> Updates to non-jailed environments are the preferred method to be sure but
> patching and testing base updates in a jail can be more convenient.

You missed my point.  You can run freebsd-update outside the jail to update
the contents of the jail.  See the attached shell script.

DES
-- 
Dag-Erling Smørgrav - des@des.no

--- attachment: jail-upgrade.sh ---
#!/bin/sh
#
# $Id$
#

progname="$(basename "$0")"

#
# Print an informational message.
#
info() {
	echo "$@"
}

#
# Print an error message to stderr and exit.
#
error() {
	echo "$progname: $*" >&2
	exit 1
}

#
# Ask a question and wait for an answer.  Keep asking until the user
# answers yes or no.
#
# Usage example:
#
#	if yesno foo ; then echo yes ; else echo no ; fi
#
yesno() {
	while :; do
		echo -n "$* (yes/no) "
		read answer
		case $answer in
		[Yy]|[Yy][Ee][Ss])
			return 0
			;;
		[Nn]|[Nn][Oo])
			return 1
			;;
		esac
	done
}

#
# Print a usage string and exit.
#
usage() {
	echo "usage: $progname jailname [[from-release] to-release]" >&2
	exit 1
}

main() {
	# One argument: patch the jail in place.  Two or three arguments:
	# binary-upgrade it to a new release (from-release defaults to the
	# host's uname -r).
	case $# in
	1)
		jailname="$1"
		;;
	2)
		jailname="$1"
		fromrel="$(uname -r)"
		torel="$2"
		;;
	3)
		jailname="$1"
		fromrel="$2"
		torel="$3"
		;;
	*)
		usage
		;;
	esac
	jailroot="/jail/$jailname"
	# freebsd-update keys its per-basedir state on the hash of the
	# basedir path; the "-install" link exists while an install is pending.
	basehash="$(echo "$jailroot" | sha256 -q)"
	statedir="/var/db/freebsd-update"
	install_link="$statedir/$basehash-install"
	conffile="$jailroot/etc/freebsd-update.conf"
	# UNAME_r makes freebsd-update act on the jail's release rather than
	# the host kernel's; for an upgrade it must be switched to the target
	# release once the first install pass has run.
	if [ -n "$torel" ] ; then
		fetch="upgrade"
		relarg="-r $torel"
		pre_uname="UNAME_r=$fromrel"
		post_uname="UNAME_r=$torel"
	else
		fetch="fetch"
	fi
	if [ -n "$torel" ] ; then
		if [ -n "${QUICK_UPGRADE+yes}" ] ; then
			echo "Upgrading $jailroot from $fromrel to $torel"
		else
			yesno "Upgrade $jailroot from $fromrel to $torel?"
		fi
	else
		if [ -n "${QUICK_UPGRADE+yes}" ] ; then
			echo "Upgrading $jailroot"
		else
			yesno "Update $jailroot?"
		fi
	fi || exit 0
	if [ -n "${QUICK_UPGRADE+yes}" ] ; then
		export PAGER=cat
	fi
	set -e
	# Fetch (or upgrade) from the host, with -b pointing at the jail root,
	# -d sharing the host's download cache and -f using the jail's config.
	env $pre_uname freebsd-update -b "$jailroot" -d "$statedir" -f "$conffile" $relarg $fetch
	[ -d "$install_link" ] || exit 1
	env $pre_uname freebsd-update -b "$jailroot" -d "$statedir" -f "$conffile" $relarg install
	if [ -n "${QUICK_UPGRADE+yes}" ] ; then
		echo "Quick upgrade, not restarting $jailname"
	elif yesno "Restart $jailname before proceeding?" ; then
		/etc/rc.d/jail restart "$jailname"
	fi
	# A binary upgrade needs up to two further install passes (userland,
	# then removal of old files); stop as soon as nothing is pending.
	[ -d "$install_link" ] || exit 0
	env $post_uname freebsd-update -b "$jailroot" -d "$statedir" -f "$conffile" $relarg install
	[ -d "$install_link" ] || exit 0
	env $post_uname freebsd-update -b "$jailroot" -d "$statedir" -f "$conffile" $relarg install
}

main "$@"
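The two points DES makes above (there is no "-RELENG" branch, and the jail's userland should be updated from the host without running anything inside the jail) can be checked before the script is ever invoked. The following is an added example, not DES's jail-upgrade.sh and not freebsd-update's own code. It assumes: that /bin/freebsd-version in a 10.x or later jail is a shell script carrying a USERLAND_VERSION="..." line, so the jail's release can be read with sed instead of executed; that release strings follow sys/conf/newvers.sh, MAJOR.MINOR-BRANCH with an optional -pN patch level and BRANCH one of RELEASE, CURRENT, STABLE, PRERELEASE, BETAn or RCn; that freebsd-update only serves updates for RELEASE, BETAn and RCn builds; and that freebsd-update names its per-basedir state after "echo $BASEDIR | sha256 -q", as the script's basehash does. The function and file names are hypothetical, and the jail root it runs against is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread or from freebsd-update). Assumptions:
# /bin/freebsd-version is a sh script containing USERLAND_VERSION="...";
# release strings are MAJOR.MINOR-BRANCH[-pN] per sys/conf/newvers.sh;
# freebsd-update has bits only for RELEASE/BETAn/RCn; its workdir state is
# keyed on "echo $BASEDIR | sha256 -q".

# Read the jail's userland release WITHOUT executing anything under the
# jail root (the "healthy paranoia" of not running jail binaries as host root).
jail_userland_version() { # jailroot
    _f="$1/bin/freebsd-version"
    [ -f "$_f" ] || return 1
    sed -n 's/^USERLAND_VERSION="\([^"]*\)".*/\1/p' "$_f" | head -n 1 | grep .
}

# Split a release string into "NUM BRANCH PATCH" (PATCH is 0 when absent),
# rejecting anything newvers.sh never produces, e.g. "10.1-RELENG".
parse_release() { # release
    _r=$1; _p=0
    case "$_r" in
        *-p[0-9]*) _p=${_r##*-p}; _r=${_r%-p*} ;;
    esac
    _num=${_r%%-*}; _br=${_r#*-}
    [ "$_num" != "$_r" ] || return 1                    # no branch at all
    printf '%s' "$_num" | grep -qE '^[0-9]+\.[0-9]+$' || return 1
    printf '%s' "$_p"   | grep -qE '^[0-9]+$' || return 1
    printf '%s' "$_br"  | grep -qE '^(RELEASE|CURRENT|STABLE|PRERELEASE|BETA[0-9]+|RC[0-9]+)$' || return 1
    printf '%s %s %s\n' "$_num" "$_br" "$_p"
}

# True if freebsd-update can fetch for this release (assumption above).
updatable_release() { # release
    _out=$(parse_release "$1") || return 1
    case "${_out#* }" in
        "RELEASE "*|BETA[0-9]*" "*|RC[0-9]*" "*) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-256 of the basedir path plus newline, as freebsd-update hashes it.
basedir_hash() { # basedir
    if command -v sha256 >/dev/null 2>&1; then
        echo "$1" | sha256 -q
    else
        echo "$1" | sha256sum | cut -d' ' -f1
    fi
}

# The "-install" marker freebsd-update leaves in its workdir while an
# install is pending; the script above polls it between install passes.
install_link() { # jailroot statedir
    printf '%s/%s-install\n' "${2%/}" "$(basedir_hash "$1")"
}

# Build (do not run) the host-side invocation: UNAME_r selects the jail's
# release, -b the jail root, -d the shared download cache, -f the jail's config.
jail_update_cmd() { # jailroot release [target-release]
    updatable_release "$2" || { echo "refusing: $2 is not a freebsd-update release" >&2; return 1; }
    if [ -n "$3" ]; then
        updatable_release "$3" || { echo "refusing: $3 is not a freebsd-update release" >&2; return 1; }
        printf 'env UNAME_r=%s freebsd-update -b %s -d /var/db/freebsd-update -f %s/etc/freebsd-update.conf -r %s upgrade\n' "$2" "$1" "$1" "$3"
    else
        printf 'env UNAME_r=%s freebsd-update -b %s -d /var/db/freebsd-update -f %s/etc/freebsd-update.conf fetch\n' "$2" "$1" "$1"
    fi
}

# Demo on a constructed jail root: nothing real is touched or executed.
demo() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/jail/www/bin"
    printf '#!/bin/sh\nUSERLAND_VERSION="10.1-RELEASE-p3"\n' > "$_d/jail/www/bin/freebsd-version"
    _rel=$(jail_userland_version "$_d/jail/www")
    echo "jail userland: $_rel"
    jail_update_cmd "$_d/jail/www" "$_rel"
    jail_update_cmd "$_d/jail/www" "$_rel" "10.1-RELENG" || echo "(rejected, as the thread says: -RELENG is not a branch)"
    echo "pending-install marker: $(install_link "$_d/jail/www" /var/db/freebsd-update)"
    rm -rf "$_d"
}
demo
```

Reading USERLAND_VERSION with sed rather than running `$jailroot/bin/freebsd-version -u` is the whole point of the first function: a compromised jail could replace that script, and the host would otherwise execute it as root before the update even starts. The parser is deliberately strict about the patch suffix so that a typo such as "10.1-RELEASE-p" fails closed instead of being passed through UNAME_r to freebsd-update.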