Date:      Fri, 29 Apr 2005 11:10:43 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Jon Noack <noackjr@alumni.rice.edu>
Cc:        ports@freebsd.org
Subject:   Re: portupgrade regression?
Message-ID:  <20050429091043.GD16549@eddie.nitro.dk>
In-Reply-To: <42694383.7090500@alumni.rice.edu>
References:  <42689D49.4050908@alumni.rice.edu> <20050422140619.GA785@zaphod.nitro.dk> <42694383.7090500@alumni.rice.edu>



On 2005.04.22 13:33:39 -0500, Jon Noack wrote:
> On 4/22/2005 9:06 AM, Simon L. Nielsen wrote:
> >On 2005.04.22 01:44:25 -0500, Jon Noack wrote:
> >>Ever since the security fix for CAN-2005-0610, portupgrade and company
> >>have been behaving oddly for me.  The root cause of this seems to be
> >>that the pkgdb is being updated needlessly with every operation:
> >
> >After the patch pkgdb.fixme is created in /var/db/pkg, which causes
> >the portupgrade package database update check to always fail.
>
> I get it now: portupgrade compares the /var/db/pkg timestamp to the
> pkgdb.db timestamp to figure out when to update.  Creating pkgdb.fixme
> in /var/db/pkg will bump the /var/db/pkg timestamp and make it always
> seem like pkgdb.db is old and needs to be updating.

Correct.

> >>Am I trying to do something that I shouldn't?  What is the correct
> >>behavior here?
> >
> >It is definitely a bug that the package database is rebuilt every
> >time, and portversion fails due to that problem.  The solution is
> >probably to create pkgdb.fixme in another directory, but I haven't yet
> >found a secure and reliable fix.  I am looking into it (and if anybody
> >has good ideas, or patches, please contact me).
>
> The following change (relative to the original source) leaves the
> default as the @db_dir but allows one to override it with PKG_TMPDIR or
> TMPDIR:
>
> **********************************************************************
> --- pkgdb.rb.orig       Mon Oct 18 09:59:09 2004
> +++ pkgdb.rb    Fri Apr 22 13:25:20 2005
> @@ -96,7 +96,7 @@
>      @db_dir = File.expand_path(new_db_dir || ENV['PKG_DBDIR'] ||
> '/var/db/pkg')
>
>      @db_file = File.join(@db_dir, 'pkgdb.db')
> -    @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
> +    @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || @db_dir
>      @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
>      @db_filebase = @db_file.sub(/\.db$/, '')
>      close_db
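Review bot: the precedence in the `+` line puts PKG_TMPDIR and TMPDIR ahead of the safe default, so the symlink exposure the security fix moved pkgdb.fixme away from comes back for anyone whose environment points either variable at a world-writable directory; only users with neither variable set actually get pkgdb.fixme in @db_dir. If the environment override is kept, validate the target before trusting it (reject a directory that is world-writable and not owned by the invoking user) or create pkgdb.fixme with O_CREAT|O_EXCL so a pre-planted symlink makes the open fail instead of being followed; otherwise drop the env lookup here and pick a per-user location that does not sit inside @db_dir. As the reply itself notes, pkgsqldb.rb carries the same assignment and needs the matching change.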
> **********************************************************************
>
> One would need to apply the same change to pkgsqldb.rb.  That change
> resolves the issue for me but preserves a secure default.  Is that an
> acceptable compromise?

The problem with that solution is that it leaves people with legitimate
setups (where PKG_TMPDIR or TMPDIR is set to a world-writable dir)
vulnerable to symlink attacks.

I think I have found the way to fix this so that it works for
non-root, so that pkgdb.db is not updated all the time, and so that it
does not cause new security problems, but I need to work out a few
quirks (my first version did not work correctly).  Hopefully I will get
it working this weekend; if not, I will add a bandaid so you can make
it work by setting an environment variable.

Sorry about the delay in fixing this.

-- 
Simon L. Nielsen

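The two mechanisms argued over in this thread, the mtime-based staleness check that pkgdb.fixme trips when it lives inside the database directory, and the symlink attack that a pre-planted link in a world-writable TMPDIR enables, can both be reproduced in a few lines of Ruby. The script below is an added example written for this archive page; it is not portupgrade's own code, and db_stale? is a model of the check as the thread describes it rather than the real pkgdb.rb implementation. All directories and files it uses are constructed under a temporary directory, and the world-writable TMPDIR is simply stood in for by a scratch directory.

```ruby
require 'tmpdir'
require 'fileutils'

# Model of portupgrade's check as described in the thread (assumption, not
# the actual pkgdb.rb source): the package database is stale when the
# directory holding it was modified more recently than pkgdb.db itself.
def db_stale?(db_dir, db_file)
  File.mtime(db_dir) > File.mtime(db_file)
end

# Symlink-safe marker creation: O_CREAT|O_EXCL refuses any existing path,
# including a symlink another user planted in a shared directory, so the
# write can never be redirected onto a file the victim owns.
def create_marker_safely(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write("fixme\n")
  end
  true
rescue Errno::EEXIST
  false
end

# Naive creation for comparison: 'w' follows a pre-planted symlink and
# truncates whatever it points at.
def create_marker_naively(path)
  File.open(path, 'w') { |f| f.write("fixme\n") }
end

# Reproduces the regression: a marker written inside the db dir bumps the
# dir mtime and makes every later check report "stale"; the same marker
# written anywhere else leaves the check untouched.
def fixme_placement_demo
  Dir.mktmpdir('pkgdemo') do |root|
    db_dir    = File.join(root, 'pkg')        # stands in for /var/db/pkg
    other_dir = File.join(root, 'elsewhere')  # a marker location outside it
    FileUtils.mkdir_p([db_dir, other_dir])
    db_file = File.join(db_dir, 'pkgdb.db')
    File.write(db_file, 'constructed db contents')

    # Pin both timestamps an hour in the past so the comparison does not
    # depend on filesystem timestamp resolution.
    past = Time.now - 3600
    File.utime(past, past, db_file)
    File.utime(past, past, db_dir)

    before = db_stale?(db_dir, db_file)
    File.write(File.join(other_dir, 'pkgdb.fixme'), "fixme\n")
    after_elsewhere = db_stale?(db_dir, db_file)
    File.write(File.join(db_dir, 'pkgdb.fixme'), "fixme\n")
    after_inside = db_stale?(db_dir, db_file)

    { before: before, after_elsewhere: after_elsewhere, after_inside: after_inside }
  end
end

# Reproduces the attack the reply warns about: in a shared directory an
# attacker has already placed pkgdb.fixme as a symlink to a victim file.
def symlink_attack_demo
  Dir.mktmpdir('pkgdemo') do |root|
    shared = File.join(root, 'tmp')     # stands in for a world-writable TMPDIR
    victim = File.join(root, 'victim')  # a file only the victim should write
    Dir.mkdir(shared)
    File.write(victim, "important data\n")
    marker = File.join(shared, 'pkgdb.fixme')
    File.symlink(victim, marker)        # attacker-planted link

    safe_created = create_marker_safely(marker)
    intact_after_safe = File.read(victim) == "important data\n"
    create_marker_naively(marker)
    intact_after_naive = File.read(victim) == "important data\n"

    { safe_created: safe_created,
      victim_intact_after_safe: intact_after_safe,
      victim_intact_after_naive: intact_after_naive }
  end
end

if __FILE__ == $PROGRAM_NAME
  p fixme_placement_demo
  p symlink_attack_demo
end
```

The placement demo returns stale only after the marker is written inside the database directory, which is exactly why pkgdb.db kept being rebuilt; the symlink demo shows the safe open refusing the planted link while the naive open silently overwrites the victim file, which is the risk of letting PKG_TMPDIR or TMPDIR choose the marker's directory.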



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050429091043.GD16549>