Date: Fri, 29 Apr 2005 11:10:43 +0200 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Jon Noack <noackjr@alumni.rice.edu> Cc: ports@freebsd.org Subject: Re: portupgrade regression? Message-ID: <20050429091043.GD16549@eddie.nitro.dk> In-Reply-To: <42694383.7090500@alumni.rice.edu> References: <42689D49.4050908@alumni.rice.edu> <20050422140619.GA785@zaphod.nitro.dk> <42694383.7090500@alumni.rice.edu>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On 2005.04.22 13:33:39 -0500, Jon Noack wrote: > On 4/22/2005 9:06 AM, Simon L. Nielsen wrote: > >On 2005.04.22 01:44:25 -0500, Jon Noack wrote: > >>Ever since the security fix for CAN-2005-0610, portupgrade and company > >>have been behaving oddly for me. The root cause of this seems to be > >>that the pkgdb is being updated needlessly with every operation: > > > >After the patch pkgdb.fixme is created in /var/db/pkg, which causes > >the portupgrade package database update check to always fail. > > I get it now: portupgrade compares the /var/db/pkg timestamp to the > pkgdb.db timestamp to figure out when to update. Creating pkgdb.fixme > in /var/db/pkg will bump the /var/db/pkg timestamp and make it always > seem like pkgdb.db is old and needs to be updating. Correct. > >>Am I trying to do something that I shouldn't? What is the correct > >>behavior here? > > > >It is definitely a bug that the package database is rebuild every > >time, and portversion fails due to that problem. The solution is > >probably to create pkgdb.fixme in another directory, but I haven't yet > >found a secure and reliable fix. I am looking into it (and if anybody > >has good ideas, or patches, please contact me). > > The following change (relative to the original source) leaves the > default as the @db_dir but allows one to override it with PKG_TMPDIR or > TMPDIR: > > ********************************************************************** > --- pkgdb.rb.orig Mon Oct 18 09:59:09 2004 > +++ pkgdb.rb Fri Apr 22 13:25:20 2005 > @@ -96,7 +96,7 @@ > @db_dir = File.expand_path(new_db_dir || ENV['PKG_DBDIR'] || > '/var/db/pkg') > > @db_file = File.join(@db_dir, 'pkgdb.db') > - @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp' > + @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || @db_dir > @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme') > @db_filebase = @db_file.sub(/\.db$/, '') > close_db > ********************************************************************** > > One would need to apply the same change to pkgsqldb.rb. That change > resolves the issue for me but preserves a secure default. Is that an > acceptable compromise? The problem with that solution leaves people with legitimate setups (where PKG_TMPDIR or TMPDIR is set to a world write able dir) are then vulnerable to symlink attacks. I think I have found the way to fix this both so it works for non-root, make pkgdb.db not be updated all the time, and so it does not cause new security problems, but I need to work out a few quirks (my first version did not work correctly). Hopefully I will get it working this weekend, if not I will add a bandaid so you can make it work by setting an environment variable. Sorry about the delay in fixing this. -- Simon L. Nielsen [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFCcfoTh9pcDSc1mlERAufTAKCibxUuraDtdxnC2Qaxqco3gR2HpgCeJd4o lAQ3YSO/bwMUT1aZeaA9GMI= =crGv -----END PGP SIGNATURE-----help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050429091043.GD16549>