Unprivileged user can prevent pkg add/install/delete from working (pkg issue 1222)
Stefan Esser
se at freebsd.org
Tue Jun 21 12:29:01 UTC 2016
Using portmaster to update some ports sometimes failed for me, when used
with PKG_NG.
I created https://github.com/freebsd/pkg/issues/1222 to describe and
document the problem.
Since the problem persists, I had anothe rlook and found, that the
cause described in issue 1222 did no longer apply, but instead that
the problem is much broader.
Package (de-)installation actions can be blocked by any unprovileged
user with the simple command:
$ pkg info | sleep 1000000
(This only works if the output from pkg info is large enough to keep
the pkg command blocked for the duration of the sleep, obviously ...)
The invocation in postmaster is equivalent to:
pkg query "%n-%v %o" | while read pkg origin
do
...
pkg add/delete ...
...
done
Depending on a number of factors, the inner pkg command fails if the
while loop has not consumed all output from the "pkg query" command.
This is easily fixed in portmaster (by buffering the output of the
"pkg query" command, before the loop is entered).
But this does not help with the fact, that any user can prevent the
installation or deletion of packages by keeping a "pkg info" process
blocked.
Instead of the example (with sleep) given above, "pkg info|more" does
also block package installation and deletion, since "more" does not
buffer all output from the command. And that might occur without the
user typing "pkg info|more" knowing that he blocks out "pkg add/delete"
for the duration of time he keeps the more command blocked ...
Regards, STefan
More information about the freebsd-pkg
mailing list