From nobody Tue May 21 14:37:44 2024
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VkH8p1WRzz5LVLr
	for <freebsd-stable@mlmmj.nyi.freebsd.org>; Tue, 21 May 2024 14:37:46 +0000 (UTC)
	(envelope-from bapt@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4VkH8p1036z4Nct;
	Tue, 21 May 2024 14:37:46 +0000 (UTC)
	(envelope-from bapt@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1716302266;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=LY3u1jiJmSg8MTyRt5n6ASmqszQvj/4snp6rsFH35dA=;
	b=BWjtpWbuTezZNiqSUJow0hOaDjDyXc2xfYuAaQryAaqVqYBGs6KeWisnnCMvl+9hG/odqf
	N58uSCK1PhO6OEzHfh/a9DromF7PJEflqglyx1zH5Pr/l4gxIsRclnbW4QxxYsRQZwJSP6
	SEuhMyo744pzAOB5BIunrQKtCBxNctzhKDACYlUnIQeJmFX/vPrKLN6CCPYvyZ+Kuu+1yl
	ZgbPnzKbA87NpwfkV/NU2NGf6RLOezdGKX+35Dzq2RT/6JPNVmc0ZkKt9J+wJCmpbU10A3
	gfrrUjOhAoJrdhCvkfPhNKxg6JOI+fzGXW6XmuGYtOkiHiCO0xfLC1SF2GVv3Q==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1716302266; a=rsa-sha256; cv=none;
	b=svoa6yNp5BmcCxX32ir5CoJg2Zdg0FHgMXRdq4rYbw4mlyFjDwp86n5ZA29OyX3Wv7uSY7
	Bx5/MAmNXnXRxxWUnpgSZyODn1z2r8+g7ZcZfkK5ZGEUUpSdvdcnCMgO0pWgAVYg+0p/VF
	pBOpNghxfddLOggBzuP2YYfqlE//Lc8rSLS32n2N+p8XUCR4zKDz1zmgqfbhJ9alUgOBX1
	WW2899Ks5JzuT81tGI7ZGEPhUP1q9Angn2EZT2oSPwrtXVg0AZZevZK1fbTuWyLsYpfDMN
	ST+aTDAObizARrQa4VWEfbDPXBXDwnlG+n4jufhax8NLbffJpvUlOmdK6qTOfA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1716302266;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=LY3u1jiJmSg8MTyRt5n6ASmqszQvj/4snp6rsFH35dA=;
	b=cn1qFdNiPrBKq1bkJR+0bCGk8pOqrqw4huyq+0IWA+xOj5oGgXY/0+I0ZHLVBEph8+Lbdy
	B+ujhVdyFMNoDIchgaK8UpYAvAHFhZ6y/TzQau4blZZ5mz8GYDpu19DFqZQFn0xscaj64r
	7zZLY4Sotv1NNeCioS02shSkTEr+cGIvL50Z9z2YPlpa7i1QJR06EKjD4dDAL2TTscZT6V
	clQ6NL/az336rmYXsT3DkvvuY15HsuQpyBfUvrQccTBHuro16yGa1vzDBC1QSgcyalPDUb
	E0F3nx69OvKFe7fNRnc3S0MifK3gm3Fbv+0XMDrmsLi9JMjpThhHEJeGxlJepQ==
Received: from aniel.nours.eu (nours.eu [IPv6:2001:41d0:8:3a4d::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: bapt)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4VkH8n728MzFbl;
	Tue, 21 May 2024 14:37:45 +0000 (UTC)
	(envelope-from bapt@freebsd.org)
Received: by aniel.nours.eu (Postfix, from userid 1001)
	id 3EE761F2941; Tue, 21 May 2024 16:37:44 +0200 (CEST)
Date: Tue, 21 May 2024 16:37:44 +0200
From: Baptiste Daroussin <bapt@freebsd.org>
To: "Patrick M. Hausen" <hausen@punkt.de>
Cc: Freebsd Stable <freebsd-stable@freebsd.org>
Subject: Re: pkg check -s - why does it try to open the pkg DB in r/w mode?
Message-ID: <ldjgqdfeg2zpnybjvpznv4i2biupmk65tiwmj2y6vysochrvic@ou4bw7kur7fq>
References: <BF421870-5993-4580-97BD-11E86509ED63@punkt.de>
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
Sender: owner-freebsd-stable@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <BF421870-5993-4580-97BD-11E86509ED63@punkt.de>

On Tue 21 May 12:54, Patrick M. Hausen wrote:
> Hi all,
> 
> we have this jail based hosting environment and I began to debug some odd error message
> of the daily security check output:
> 
> -----------
> pkg: Insufficient privileges
> -----------
> 
> The cause was quickly found with truss:
> 
> -----------
> 14199: openat(AT_FDCWD,"/var/db/pkg",O_RDONLY|O_DIRECTORY|O_CLOEXEC,00) = 5 (0x5)
> 14199: fstatat(5,".",{ mode=drwxr-xr-x ,inode=34,size=5,blksize=4096 },0x0) = 0 (0x0)
> 14199: faccessat(5,".",R_OK,AT_EACCESS) = 0 (0x0)
> 14199: fstatat(5,"local.sqlite",{ mode=-rw-r--r-- ,inode=2,size=109010944,blksize=131072 },0x0) = 0 (0x0)
> 14199: faccessat(5,"local.sqlite",R_OK,AT_EACCESS) = 0 (0x0)
> 14199: fstatat(5,".",{ mode=drwxr-xr-x ,inode=34,size=5,blksize=4096 },0x0) = 0 (0x0)
> 14199: faccessat(5,".",R_OK,AT_EACCESS) = 0 (0x0)
> 14199: fstatat(5,"local.sqlite",{ mode=-rw-r--r-- ,inode=2,size=109010944,blksize=131072 },0x0) = 0 (0x0)
> 14199: faccessat(5,"local.sqlite",W_OK,AT_EACCESS) ERR#30 'Read-only file system'
> pkg: 14199: write(2,"pkg: ",5) = 5 (0x5)
> Insufficient privileges14199: write(2,"Insufficient privileges",23) = 23 (0x17)
> -----------
> 
> Yes, we mount lots of things into the jails r/o. The daily script runs `pkg -qsa` for a checksum check
> of all installed packages.
> 
> 
> Question: why does pkg need the database to be r/w for a -s/--checksum check?
> 

It does not anymore in git, I removed that need a couple of weeks ago, not yet
in the release.

Best regards,
Bapt