ports/86177: [patch] Port security/freebsd-update should store working files under /var
Matthew X. Economou
xenophon+fbsdports at irtnog.org
Thu Sep 15 18:30:13 UTC 2005
>Number: 86177
>Category: ports
>Synopsis: [patch] Port security/freebsd-update should store working files under /var
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 15 18:30:11 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Matthew X. Economou
>Release: FreeBSD 5.4-SECURITY i386
>Organization:
IRTNOG.ORG
>Environment:
N/A
>Description:
By default, the FreeBSD Update Client stores its working files under
/usr/local/freebsd-update. If one mounts the /usr or /usr/local file
system read-only as part of a server hardening procedure, freebsd-update
will no longer be able to store updates in the default package install
(although an alternate location can be specified, either by command-line
option or via indirection through a symbolic link). According to
hier(7), a directory under /var may be a more suitable location for
these files.
>How-To-Repeat:
N/A
>Fix:
I propose we add a frob to the security/freebsd-update port's Makefile
that allows the end user to select an alternate default location for the
client's working directory, and (at the port maintainer's discretion) to
set that default to /var/db/freebsd-update. A patch that adds this frob
is attached below. Please note that if the maintainer prefers, the
original default of "${PREFIX}/freebsd-update" can be specified instead.
The remainder of the Makefile code will dynamically create whatever
directory is specified and add it to the port's packing list
(dynamically). Please also note this patch mimics code found in
ports/net/samba3/Makefile.
--- freebsd-update-workdir.patch begins here ---
--- ports/security/freebsd-update/Makefile.orig Thu Sep 15 14:14:13 2005
+++ ports/security/freebsd-update/Makefile Thu Sep 15 14:03:27 2005
@@ -23,12 +23,16 @@
# platforms, it either doesn't work or hasn't been tested.
ONLY_FOR_ARCHS= i386 amd64 alpha sparc64
+# Allow the end user to decide where the update files are stored.
+VARDIR= ${DESTDIR}/var
+FREEBSDUPDATE_WORKDIR=${VARDIR}/db/freebsd-update
+MAKE_ENV+= NOFREEBSDUPDATEDIR=yes
+
MAN5= freebsd-update.conf.5
MAN8= freebsd-update.8
PLIST_FILES= sbin/freebsd-update \
sbin/freebsd-update-verify \
etc/freebsd-update.conf.sample
-PLIST_DIRS= freebsd-update
PKGMESSAGE= ${WRKDIR}/pkg-message
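Review bot: `VARDIR= ${DESTDIR}/var` folds the staging prefix into `FREEBSDUPDATE_WORKDIR`, and that same value is later substituted into the installed `freebsd-update` script and echoed into the `@exec`/`@unexec` plist lines, so any non-empty DESTDIR would end up hard-coded in the shipped files; keep `${DESTDIR}` only for the filesystem operations performed at install time and use the bare `/var/db/freebsd-update` path for the script and the plist. The description also says the end user can choose the location, but `VARDIR=` and `FREEBSDUPDATE_WORKDIR=` are unconditional assignments, so neither make.conf nor the environment can override them; `?=` would give the advertised frob. `MAKE_ENV+= NOFREEBSDUPDATEDIR=yes` is passed to the build with no comment saying what the upstream Makefile does with it, and the removal of `PLIST_DIRS= freebsd-update` deserves a one-line note that the directory is now registered dynamically via `${TMPPLIST}`.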
@@ -42,10 +46,22 @@
${SED} -e "s#PREFIX=/usr/local#PREFIX=${PREFIX}#g" \
${WRKSRC}/freebsd-update > ${WRKSRC}/freebsd-update.new
${MV} ${WRKSRC}/freebsd-update.new ${WRKSRC}/freebsd-update
+ ${SED} -e "s#^WORKDIR=.*#WORKDIR=${FREEBSDUPDATE_WORKDIR}#" \
+ ${WRKSRC}/freebsd-update > ${WRKSRC}/freebsd-update.new
+ ${MV} ${WRKSRC}/freebsd-update.new ${WRKSRC}/freebsd-update
@${SED} -e "s=%%PREFIX%%=${PREFIX}=g" ${FILESDIR}/pkg-message \
> ${PKGMESSAGE}
post-install:
+ @test -d ${FREEBSDUPDATE_WORKDIR} || \
+ ${MKDIR} ${FREEBSDUPDATE_WORKDIR} && \
+ ${CHMOD} 700 ${FREEBSDUPDATE_WORKDIR} && \
+ ${CHOWN} root:wheel ${FREEBSDUPDATE_WORKDIR}
+ @${ECHO_CMD} "@exec ${MKDIR} ${FREEBSDUPDATE_WORKDIR} 2>/dev/null || true" >> ${TMPPLIST}
+ @${ECHO_CMD} "@exec ${CHMOD} 700 ${FREEBSDUPDATE_WORKDIR}" >> ${TMPPLIST}
+ @${ECHO_CMD} "@exec ${CHOWN} root:wheel ${FREEBSDUPDATE_WORKDIR}" >> ${TMPPLIST}
+ @${ECHO_CMD} "@unexec ${RMDIR} ${FREEBSDUPDATE_WORKDIR} 2>/dev/null || true" >> ${TMPPLIST}
+ @${ECHO_CMD} "@unexec ${ECHO_CMD} \"Warning: If you will *NOT* use this package any more, please remove ${FREEBSDUPDATE_WORKDIR}/* manually.\"" >> ${TMPPLIST}
@${CAT} ${PKGMESSAGE}
.include <bsd.port.mk>
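Review bot: the `test -d ... || ${MKDIR} ... && ${CHMOD} ... && ${CHOWN} ...` chain in post-install relies on `||` and `&&` having equal precedence and grouping left to right, so when the directory already exists the `test` succeeds and the chmod 700 and chown still run; that is harmless here but is not the "create only if missing" the `test` suggests, and if `${MKDIR}` fails the chmod/chown are skipped silently. Write the create step explicitly (`@if [ ! -d ${FREEBSDUPDATE_WORKDIR} ]; then ${MKDIR} ${FREEBSDUPDATE_WORKDIR}; fi`) and then apply the mode and owner unconditionally. The `@exec`/`@unexec` lines run on the target host at package install and deinstall time, yet they embed `${FREEBSDUPDATE_WORKDIR}` including its `${DESTDIR}` prefix, so they should use the DESTDIR-free path. Leaving `@unexec ${RMDIR}` to fail quietly while update files remain and printing the warning is consistent with the samba3 code the description cites; `chmod 700` with `root:wheel` is the right default for a directory that holds fetched update payloads before they are verified, since it prevents unprivileged local users from reading or tampering with them.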
--- freebsd-update-workdir.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: