Date: Fri, 29 Apr 2005 11:10:43 +0200 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Jon Noack <noackjr@alumni.rice.edu> Cc: ports@freebsd.org Subject: Re: portupgrade regression? Message-ID: <20050429091043.GD16549@eddie.nitro.dk> In-Reply-To: <42694383.7090500@alumni.rice.edu> References: <42689D49.4050908@alumni.rice.edu> <20050422140619.GA785@zaphod.nitro.dk> <42694383.7090500@alumni.rice.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--Qbvjkv9qwOGw/5Fx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.04.22 13:33:39 -0500, Jon Noack wrote: > On 4/22/2005 9:06 AM, Simon L. Nielsen wrote: > >On 2005.04.22 01:44:25 -0500, Jon Noack wrote: > >>Ever since the security fix for CAN-2005-0610, portupgrade and company= =20 > >>have been behaving oddly for me. The root cause of this seems to be=20 > >>that the pkgdb is being updated needlessly with every operation: > > > >After the patch pkgdb.fixme is created in /var/db/pkg, which causes > >the portupgrade package database update check to always fail. >=20 > I get it now: portupgrade compares the /var/db/pkg timestamp to the=20 > pkgdb.db timestamp to figure out when to update. Creating pkgdb.fixme=20 > in /var/db/pkg will bump the /var/db/pkg timestamp and make it always=20 > seem like pkgdb.db is old and needs to be updating. Correct. > >>Am I trying to do something that I shouldn't? What is the correct > >>behavior here? > > > >It is definitely a bug that the package database is rebuild every > >time, and portversion fails due to that problem. The solution is > >probably to create pkgdb.fixme in another directory, but I haven't yet > >found a secure and reliable fix. I am looking into it (and if anybody > >has good ideas, or patches, please contact me). >=20 > The following change (relative to the original source) leaves the=20 > default as the @db_dir but allows one to override it with PKG_TMPDIR or= =20 > TMPDIR: > > ********************************************************************** > --- pkgdb.rb.orig Mon Oct 18 09:59:09 2004 > +++ pkgdb.rb Fri Apr 22 13:25:20 2005 > @@ -96,7 +96,7 @@ > @db_dir =3D File.expand_path(new_db_dir || ENV['PKG_DBDIR'] ||=20 > '/var/db/pkg') >=20 > @db_file =3D File.join(@db_dir, 'pkgdb.db') > - @tmp_dir =3D ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp' > + @tmp_dir =3D ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || @db_dir > @fixme_file =3D File.join(@tmp_dir, 'pkgdb.fixme') > @db_filebase =3D @db_file.sub(/\.db$/, '') > close_db > ********************************************************************** >=20 > One would need to apply the same change to pkgsqldb.rb. That change=20 > resolves the issue for me but preserves a secure default. Is that an=20 > acceptable compromise? The problem with that solution leaves people with legitimate setups (where PKG_TMPDIR or TMPDIR is set to a world write able dir) are then vulnerable to symlink attacks. I think I have found the way to fix this both so it works for non-root, make pkgdb.db not be updated all the time, and so it does not cause new security problems, but I need to work out a few quirks (my first version did not work correctly). Hopefully I will get it working this weekend, if not I will add a bandaid so you can make it work by setting an environment variable. Sorry about the delay in fixing this. --=20 Simon L. Nielsen --Qbvjkv9qwOGw/5Fx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFCcfoTh9pcDSc1mlERAufTAKCibxUuraDtdxnC2Qaxqco3gR2HpgCeJd4o lAQ3YSO/bwMUT1aZeaA9GMI= =crGv -----END PGP SIGNATURE----- --Qbvjkv9qwOGw/5Fx--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050429091043.GD16549>