FreeBSD Mail Archives

Date:      Thu, 28 Jul 2022 18:02:09 +0300
From:      niko.nastonen@icloud.com
To:        "freebsd-pkg@freebsd.org" <freebsd-pkg@FreeBSD.org>
Subject:   Re: pkg and root privileges
Message-ID:  <00413BE8-BDF9-41B9-92DE-224A26A78CD4@icloud.com>
In-Reply-To: <0320D2DB-F61B-4F8B-B80F-D7765860283E@icloud.com>
References:  <0320D2DB-F61B-4F8B-B80F-D7765860283E@icloud.com>

index | next in thread | previous in thread | raw e-mail

[-- Attachment #1 --]
Did a little bugfixing and cleanup, now looks much better.

diff --git a/fetch.c b/fetch.c
index a310fbc..a6d1fb8 100644
--- a/fetch.c
+++ b/fetch.c
@@ -34,6 +34,7 @@
 #include <ctype.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <string.h>
 #include <fetch.h>
@@ -48,6 +49,8 @@
 #include "private/utils.h"
 #include "private/fetch.h"

+extern void drop_privileges(void);
+
 static struct fetcher {
        const char *scheme;
        int (*open)(struct pkg_repo *, struct url *, off_t *);
@@ -82,7 +85,6 @@ static struct fetcher {
        },
 };

-
 int
 pkg_fetch_file_tmp(struct pkg_repo *repo, const char *url, char *dest,
        time_t t)
@@ -175,6 +177,8 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,
        off_t            r;
        char             buf[8192];
        int              retcode = EPKG_OK;
+       int              pstat;
+       pid_t            pid;
        off_t            sz = 0;
        size_t           buflen = 0;
        size_t           left = 0;
@@ -197,6 +201,22 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,
         * Error if using plain http://, https:// etc with SRV
         */

+       pid = fork();
+
+       switch (pid) {
+       case -1:
+               pkg_emit_error("Unable to fork");
+               return (EPKG_FATAL);
+       case 0:
+               drop_privileges();
+               break;
+       default:
+               while (waitpid(pid, &pstat, 0) == -1 && errno == EINTR)
+                       ;
+
+               return (WEXITSTATUS(pstat));
+       }
+
        pkg_debug(1, "Request to fetch %s", url);
        if (repo != NULL &&
                strncmp(URL_SCHEME_PREFIX, url, strlen(URL_SCHEME_PREFIX)) == 0) {
@@ -256,6 +276,7 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,
                        break;
                }
        }
+
        if (fetcher == NULL) {
                pkg_emit_error("Unknown scheme: %s", u->scheme);
                return (EPKG_FATAL);
@@ -283,6 +304,7 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,
        left = sizeof(buf);
        if (sz > 0)
                left = sz - done;
+
        while ((r = fread(buf, 1, left < buflen ? left : buflen, remote)) > 0) {
                if (write(dest, buf, r) != r) {
                        pkg_emit_errno("write", "");
@@ -354,5 +376,6 @@ cleanup:
        /* restore original doc */
        fetchFreeURL(u);

-       return (retcode);
+       /* exit child */
+       exit(retcode);
 }

> On 26. Jul 2022, at 19.15, niko.nastonen@icloud.com wrote:
> 
> Hi.
> 
> There was a recent discussion on the FreeBSD forum about security of pkg and its ability to drop root privileges when fetching packages.
> 
> I couldn’t help but notice that there was a git commit
> 
> fcceab3f with comment "drop privileges when using libfetch”
> 
> and another one
> 
> f3b0469e with comment "Stop dropping privileges when fetching as it causes more issues than it solved”.
> 
> Can I ask what kind of issues the first commit introduces and why pkg still goes out to the internet unprotected?
> 
> In case the issues are already solved by later commits, let me present a silly patch (mostly copied from fcceab3f) for branch "release-1.18” which makes fetch use nobody instead of root.
> 
> Feel free to modify it to match “the real BSD hacker standards, if applicable” :-)
> 
> 
> 
> diff --git a/libpkg/fetch.c b/libpkg/fetch.c
> index a310fbc3..c8e02f5b 100644
> --- a/libpkg/fetch.c
> +++ b/libpkg/fetch.c
> @@ -30,10 +30,14 @@
>  #include <sys/wait.h>
>  #include <sys/socket.h>
>  #include <sys/time.h>
> +#include <sys/types.h>
>  
>  #include <ctype.h>
>  #include <fcntl.h>
> +#include <err.h>
>  #include <errno.h>
> +#include <pwd.h>
> +#include <signal.h>
>  #include <stdio.h>
>  #include <string.h>
>  #include <fetch.h>
> @@ -48,6 +52,10 @@
>  #include "private/utils.h"
>  #include "private/fetch.h"
>  
> +void sig_handler(int signal);
> +extern void drop_privileges(void);
> +int stop = 0;
> +
>  static struct fetcher {
>         const char *scheme;
>         int (*open)(struct pkg_repo *, struct url *, off_t *);
> @@ -82,7 +90,6 @@ static struct fetcher {
>         },
>  };
>  
> -
>  int
>  pkg_fetch_file_tmp(struct pkg_repo *repo, const char *url, char *dest,
>         time_t t)
> @@ -160,6 +167,13 @@ pkg_fetch_file(struct pkg_repo *repo, const char *url, char *dest, time_t t,
>         return (retcode);
>  }
>  
> +void sig_handler(int signal)
> +{
> +    if (signal == SIGINT)
> +           stop = 1;
> +}
> +
> +
>  #define URL_SCHEME_PREFIX      "pkg+"
>  
>  int
> @@ -175,6 +189,8 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,
>         off_t            r;
>         char             buf[8192];
>         int              retcode = EPKG_OK;
> +       int              pstat;
> +       pid_t            pid;
>         off_t            sz = 0;
>         size_t           buflen = 0;
>         size_t           left = 0;
> @@ -197,6 +213,25 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,
>          * Error if using plain http://, https:// etc with SRV
>          */
>  
> +       pid = fork();
> +
> +       switch (pid) {
> +       case -1:
> +               pkg_emit_error("Unable to fork");
> +               return (EPKG_FATAL);
> +       case 0:
> +               sigset(SIGINT, sig_handler);
> +               drop_privileges();
> +               break;
> +       default:
> +               waitpid(pid, &pstat, 0);
> +
> +               if (WEXITSTATUS(pstat) != 0)
> +                       return (EPKG_FATAL);
> +
> +               return (EPKG_OK);
> +       }
> +
>         pkg_debug(1, "Request to fetch %s", url);
>         if (repo != NULL &&
>                 strncmp(URL_SCHEME_PREFIX, url, strlen(URL_SCHEME_PREFIX)) == 0) {
> @@ -256,6 +291,7 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,
>                         break;
>                 }
>         }
> +
>         if (fetcher == NULL) {
>                 pkg_emit_error("Unknown scheme: %s", u->scheme);
>                 return (EPKG_FATAL);
> @@ -283,7 +319,14 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,
>         left = sizeof(buf);
>         if (sz > 0)
>                 left = sz - done;
> +
>         while ((r = fread(buf, 1, left < buflen ? left : buflen, remote)) > 0) {
> +
> +               if (stop)  {
> +                       retcode = EPKG_FATAL;
> +                       goto cleanup;
> +               }
> +
>                 if (write(dest, buf, r) != r) {
>                         pkg_emit_errno("write", "");
>                         retcode = EPKG_FATAL;
> @@ -351,6 +394,13 @@ cleanup:
>                 futimes(dest, ftimes);
>         }
>  
> +       if (strncmp(u->scheme, "ssh", 3) != 0) {
> +               if (retcode == EPKG_OK)
> +                       exit(0);
> +
> +               exit(EXIT_FAILURE);
> +       }
> +
>         /* restore original doc */
>         fetchFreeURL(u);

[-- Attachment #2 --]
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Did a little bugfixing and cleanup, now looks much better.<div class=""><br class=""><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><b class="">diff --git a/fetch.c b/fetch.c</b></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><b class="">index a310fbc..a6d1fb8 100644</b></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><b class="">--- a/fetch.c</b></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><b class="">+++ b/fetch.c</b></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -34,6 +34,7 @@</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;ctype.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;fcntl.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;errno.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+#include &lt;pwd.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;stdio.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;string.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;fetch.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -48,6 +49,8 @@</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include "private/utils.h"</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include "private/fetch.h"</div><p style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+extern void drop_privileges(void);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;static struct fetcher {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; const char *scheme;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; int (*open)(struct pkg_repo *, struct url *, off_t *);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -82,7 +85,6 @@ static struct fetcher {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; },</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;};</div><p style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;int</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;pkg_fetch_file_tmp(struct pkg_repo *repo, const char *url, char *dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; time_t t)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -175,6 +177,8 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; off_t&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; r;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; char &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; buf[8192];</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; int&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; retcode = EPKG_OK;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; int&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pstat;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; pid_t&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pid;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; off_t&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sz = 0;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; size_t &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; buflen = 0;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; size_t &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; left = 0;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -197,6 +201,22 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; * Error if using plain http://, https:// etc with SRV</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; */</div><p style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; pid = fork();</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; switch (pid) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; case -1:</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pkg_emit_error("Unable to fork");</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return (EPKG_FATAL);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; case 0:</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; drop_privileges();</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; default:</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; while (waitpid(pid, &amp;pstat, 0) == -1 &amp;&amp; errno == EINTR)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return (WEXITSTATUS(pstat));</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; pkg_debug(1, "Request to fetch %s", url);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; if (repo != NULL &amp;&amp;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; strncmp(URL_SCHEME_PREFIX, url, strlen(URL_SCHEME_PREFIX)) == 0) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -256,6 +276,7 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; if (fetcher == NULL) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pkg_emit_error("Unknown scheme: %s", u-&gt;scheme);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return (EPKG_FATAL);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -283,6 +304,7 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; left = sizeof(buf);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; if (sz &gt; 0)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; left = sz - done;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; while ((r = fread(buf, 1, left &lt; buflen ? left : buflen, remote)) &gt; 0) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (write(dest, buf, r) != r) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pkg_emit_errno("write", "");</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -354,5 +376,6 @@ cleanup:</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; /* restore original doc */</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; fetchFreeURL(u);</div><p style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">- &nbsp; &nbsp; &nbsp; return (retcode);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; /* exit child */</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; exit(retcode);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;}</div><div><br class=""><blockquote type="cite" class=""><div class="">On 26. Jul 2022, at 19.15, <a href="mailto:niko.nastonen@icloud.com" class="">niko.nastonen@icloud.com</a> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><span class="VIiyi" jsaction="mouseup:BR6jm" jsname="jqKxS" lang="en">Hi.</span></div><div class=""><span class="VIiyi" jsaction="mouseup:BR6jm" jsname="jqKxS" lang="en"><br class=""></span></div><span class="VIiyi" jsaction="mouseup:BR6jm" jsname="jqKxS" lang="en">There was a recent discussion on the FreeBSD forum about security of pkg and its ability to drop root privileges when fetching packages.</span><div class=""><span class="VIiyi" jsaction="mouseup:BR6jm" jsname="jqKxS" lang="en"><br class=""></span></div><div class=""><span class="VIiyi" jsaction="mouseup:BR6jm" jsname="jqKxS" lang="en">I couldn’t help but notice that there was a git commit</span></div><div class=""><span class="VIiyi" jsaction="mouseup:BR6jm" jsname="jqKxS" lang="en"><br class=""></span></div><div class="">fcceab3f with comment "drop privileges when using libfetch”</div><div class=""><br class=""></div><div class="">and another one</div><div class=""><br class=""></div><div class="">f3b0469e with comment "Stop dropping privileges when fetching as it causes more issues than it solved”.</div><div class=""><br class=""></div><div class="">Can I ask what kind of issues the first commit introduces and why pkg still goes out to the internet unprotected?</div><div class=""><br class=""></div><div class="">In case the issues are already solved by later commits, let me present a silly patch (mostly copied from fcceab3f) for branch "release-1.18” which makes fetch use nobody instead of root.</div><div class=""><br class=""></div><div class="">Feel free to modify it to match “the real BSD hacker standards, if applicable” :-)</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><p style="margin: 0px 0px 2px; font-stretch: normal; font-size: 16px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 19px;" class=""><b class=""></b><br class=""></p><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><b class="">diff --git a/libpkg/fetch.c b/libpkg/fetch.c</b></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><b class="">index a310fbc3..c8e02f5b 100644</b></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><b class="">--- a/libpkg/fetch.c</b></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><b class="">+++ b/libpkg/fetch.c</b></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -30,10 +30,14 @@</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;sys/wait.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;sys/socket.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;sys/time.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+#include &lt;sys/types.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;ctype.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;fcntl.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+#include &lt;err.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;errno.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+#include &lt;pwd.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+#include &lt;signal.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;stdio.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;string.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include &lt;fetch.h&gt;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -48,6 +52,10 @@</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include "private/utils.h"</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#include "private/fetch.h"</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+void sig_handler(int signal);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+extern void drop_privileges(void);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+int stop = 0;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;static struct fetcher {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; const char *scheme;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; int (*open)(struct pkg_repo *, struct url *, off_t *);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -82,7 +90,6 @@ static struct fetcher {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; },</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;};</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;int</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;pkg_fetch_file_tmp(struct pkg_repo *repo, const char *url, char *dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; time_t t)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -160,6 +167,13 @@ pkg_fetch_file(struct pkg_repo *repo, const char *url, char *dest, time_t t,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; return (retcode);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;}</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+void sig_handler(int signal)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+{</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+&nbsp; &nbsp; if (signal == SIGINT)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; stop = 1;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+}</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;#define URL_SCHEME_PREFIX&nbsp; &nbsp; &nbsp; "pkg+"</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;int</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -175,6 +189,8 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; off_t&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; r;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; char &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; buf[8192];</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; int&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; retcode = EPKG_OK;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; int&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pstat;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; pid_t&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pid;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; off_t&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sz = 0;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; size_t &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; buflen = 0;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; size_t &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; left = 0;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -197,6 +213,25 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; * Error if using plain http://, https:// etc with SRV</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; */</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; pid = fork();</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; switch (pid) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; case -1:</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pkg_emit_error("Unable to fork");</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return (EPKG_FATAL);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; case 0:</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sigset(SIGINT, sig_handler);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; drop_privileges();</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; default:</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; waitpid(pid, &amp;pstat, 0);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (WEXITSTATUS(pstat) != 0)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return (EPKG_FATAL);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return (EPKG_OK);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; pkg_debug(1, "Request to fetch %s", url);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; if (repo != NULL &amp;&amp;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; strncmp(URL_SCHEME_PREFIX, url, strlen(URL_SCHEME_PREFIX)) == 0) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -256,6 +291,7 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; if (fetcher == NULL) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pkg_emit_error("Unknown scheme: %s", u-&gt;scheme);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return (EPKG_FATAL);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -283,7 +319,14 @@ pkg_fetch_file_to_fd(struct pkg_repo *repo, const char *url, int dest,</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; left = sizeof(buf);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; if (sz &gt; 0)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; left = sz - done;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; while ((r = fread(buf, 1, left &lt; buflen ? left : buflen, remote)) &gt; 0) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (stop)&nbsp; {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; retcode = EPKG_FATAL;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; goto cleanup;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (write(dest, buf, r) != r) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; pkg_emit_errno("write", "");</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; retcode = EPKG_FATAL;</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">@@ -351,6 +394,13 @@ cleanup:</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; futimes(dest, ftimes);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;; min-height: 15px;" class="">&nbsp;<br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; if (strncmp(u-&gt;scheme, "ssh", 3) != 0) {</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if (retcode == EPKG_OK)</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; exit(0);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; exit(EXIT_FAILURE);</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+ &nbsp; &nbsp; &nbsp; }</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">+</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; /* restore original doc */</div><div style="margin: 0px; font-stretch: normal; font-size: 13px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">&nbsp; &nbsp; &nbsp; &nbsp; fetchFreeURL(u);</div></div></div></div></blockquote></div><br class=""></div></div></body></html>

help

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00413BE8-BDF9-41B9-92DE-224A26A78CD4>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation