Userland patch level

Peter Wemm peter at wemm.org
Sat Oct 5 21:06:27 UTC 2013 

On 10/5/13 11:11 AM, Dag-Erling Smørgrav wrote:
> The attached patch adds a shell script, /libexec/freebsd-version, which
> has the current version patch level hardcoded and prints them when run.
> It can also be used to extract the version and patch level from the
> installed kernel, even before rebooting after an upgrade.  The goal is
> to be able to correctly determine the userland version in situations
> where it does not match what the running kernel reports, which is
> commonly the case when using freebsd-update or when running inside a
> jail.  In the long run, this will make it possible for `pkg audit` and
> similar tools to correctly report a vulnerable userland.

IMHO, promoting the parsing strings like this is fraught with danger.  The
canonical one-true-version is __FreeBSD_version, I'd much rather encourage
people to refer to that, and it is available in newvers.sh in the same way
that you're building it now.

We've been dealing with this problem at yahoo for several years now.
Providing a convenient way to parse the __FreeBSD_version and kern.osreldate
tags would be nice.

Up until now, the most reliable way to determine the kernel and userland
versions has been to parse kern.osreldate to find the running kernel, and to
parse /usr/include/osreldate.h to determine the userland version.

buildworld itself even uses /usr/include/osreldate.h to reliably determine
the userland version.

I realize it's not quite as convenient to pull an osreldate out of a random
kernel file (vs the running one), but at least the running one is available
when the kernel itself isn't.   What happens if you're in a chroot/jail
where the kernel file itself isn't even present in the file system - eg: was
pxe booted?

freebsd-version.sh.in seems fragile as presented.  It's missing
loader.conf.local parsing, hardcodes the assumption that you use /boot (vs
/efi), etc.  The usage string has a -i option that doesn't seem to exist.

Secteam does bump the osreldate for patch releases, right?  Woudn't that be
sufficient for userland audit tools to reliably identify vulnerable userlands?
-- 
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20131005/2b2e7bdd/attachment.sig>

More information about the freebsd-arch mailing list