From owner-svn-src-head@freebsd.org Wed Jan 6 03:19:12 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C74DFA63EAE; Wed, 6 Jan 2016 03:19:12 +0000 (UTC) (envelope-from devin@shxd.cx) Received: from shxd.cx (mail.shxd.cx [64.201.244.140]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B9C4F1EB8; Wed, 6 Jan 2016 03:19:12 +0000 (UTC) (envelope-from devin@shxd.cx) Received: from 50-196-156-133-static.hfc.comcastbusiness.net ([50.196.156.133]:54795 helo=[172.16.10.54]) by shxd.cx with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from ) id 1aGWJe-0001Ma-0d; Tue, 05 Jan 2016 10:26:42 -0800 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable From: Devin Teske Mime-Version: 1.0 (1.0) Subject: Re: svn commit: r293227 - head/etc Date: Tue, 5 Jan 2016 19:16:32 -0800 Message-Id: <5360EA7A-399F-4679-B58F-62D0112EA481@shxd.cx> References: <201601052120.u05LKlQw074919@repo.freebsd.org> <1452038404.1320.46.camel@freebsd.org> <20160106125617.E968@besplex.bde.org> Cc: Ian Lepore , Warner Losh , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org, Devin Teske In-Reply-To: <20160106125617.E968@besplex.bde.org> To: Bruce Evans X-Mailer: iPhone Mail (13C75) X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2016 03:19:13 -0000 This e-mail is extremely hard to parse and I think you are mistaken. The -f flag is more than just a counter to a possible -i Try to rm a file that has schg You will get a prompt without -i Adding -f will abate the prompt to attempt override of schg flag. There are more conditions in rm that lead to a prompt than simply those cond= itions involving -i and adding -f abates them all. --=20 Devin > On Jan 5, 2016, at 6:48 PM, Bruce Evans wrote: >=20 > On Tue, 5 Jan 2016, Ian Lepore wrote: >=20 >>> Log: >>> Use the more proper -f. Leave /bin/rm in place since that's what >>> other rc scripts have, though it isn't strictly necessary. >=20 > "proper -f" is hard to parse. I think you mean: >=20 > Use 'rm -f' to turn off -i in case rm is broken and is an alias which > has -i (and perhaps actually even something resembling rm) in it. More > precisely, use 'rm -f /usr/bin' to partly defend against the same bug > in /bin/rm (where it would be larger). Keep using /usr/rm instead of > restoring the use of plain rm since that is what other rc scripts have. > The previous change to use /bin/rm instead of plain rm was neither > necessary nor sufficient for fixing the bug. Neither is this one, but > it gets closer. It is a little-known bug in aliases that even absolute > pathnames can be aliased. So /bin/rm might be aliased to 'rm -ri /'. > Appending -f would accidentally help for that too, by turning it into > a syntax error, instead of accidentally making it more forceful by > turning -ri into -rf. >=20 > Hopefully this is all FUD. Non-interactive scripts shouldn't source any > files that are not mentioned in the script. /etc/rc depends on a secure > environment being set up by init and probably gets it since init doesn't > set up much. sh(1) documents closing the security hole of sourcing the > script in $ENV for non-interactive shells, but was never a problem for > /etc/rc since init must be trusted to not put security holes in $ENV. > But users could put security holes in a sourced config file like > /etc/rc.conf.local. >=20 >>> Modified: head/etc/rc >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D >>> --- head/etc/rc Tue Jan 5 21:20:46 2016 (r293226) >>> +++ head/etc/rc Tue Jan 5 21:20:47 2016 (r293227) >>> @@ -132,9 +132,9 @@ done >>> # Remove the firstboot sentinel, and reboot if it was requested. >>> if [ -e ${firstboot_sentinel} ]; then >>> [ ${root_rw_mount} =3D "yes" ] || mount -uw / >>> - /bin/rm ${firstboot_sentinel} >>> + /bin/rm -f ${firstboot_sentinel} >>> if [ -e ${firstboot_sentinel}-reboot ]; then >>> - /bin/rm ${firstboot_sentinel}-reboot >>> + /bin/rm -f ${firstboot_sentinel}-reboot >>> [ ${root_rw_mount} =3D "yes" ] || mount -ur / >>> kill -INT 1 >>> fi >>=20 >> Using rm -f to suppress an error message seems like a bad idea here -- >> if the sentinel file can't be removed that implies it's going to do >> firstboot behavior every time it boots, and that's the sort of error >> that should be in-your-face. Especially on the reboot one because >> you're going to be stuck in a reboot loop with no error message. >=20 > Er, -f on rm only turns off -i and supresses the warning message for > failing to remove nonexistent files. But we just tested that the file > exists, and in the impossible even of a race making it not exist by > the time that it runs, we have more problems than the failure of rm > since we use the file's existence as a control for other things. >=20 > So the only effect of this -f is to turn off -i, which can only be set > if the FUD was justified. >=20 > The correct fix seems to be 'unalias -a'. >=20 > Bruce >=20