From: Eugene Grosbein
To: Ed Maste , Doug Hardie
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:10.ufs
Date: Thu, 4 Jul 2019 11:37:06 +0700
Message-ID: <02d4f9e8-f01f-aba1-1000-432a821a04d7@grosbein.net>
References: <20190703004924.8A5411A7D5@freefall.freebsd.org>

03.07.2019 19:29, Ed Maste wrote:

> On Wed, 3 Jul 2019 at 11:21, Doug Hardie wrote:
>>
>> That is going to be a bit tricky to do on a headless server that is remote. None of mine have consoles. They are all accessed via SSH. Any ideas how this situation can be handled?
>
> Probably an rc.d script with BEFORE: root that invokes the fsck
> command - something along the lines of the following (as yet untested
> and missing error checking etc.):
>
> #!/bin/sh
> #
>
> # PROVIDE: fsck_ufs
> # BEFORE: root
> # REQUIRE: fsck
> # KEYWORD: nojail
>
> . /etc/rc.subr
>
> name="fsck_ufs"
> desc="fsck UFS filesystems for FreeBSD-SA-19:10.ufs"
> start_cmd="fsck_ufs_start"
> stop_cmd=":"
>
> fsck_ufs_start()
> {
>     fsck -t ufs -f -p -T ufs:-z
> }
>
> load_rc_config $name
> run_rc_command "$1"

We should resurrect the "early" rc.d script. Its removal in 6.x, as opposed to a rewrite, was a mistake, as such a script is irreplaceable in multiple situations, including pretty ordinary ones like enabling kernel crashdumps to gmirror.