Unprivileged user can prevent pkg add/install/delete from working (pkg issue 1222)
Arto Pekkanen
isoa at kapsi.fi
Wed Jun 22 20:01:43 UTC 2016
Yeah, ouch, this is a pretty damn bad bug that should be fixed ASAP!
Have you made an official PR already? If not, then please do:
https://bugs.freebsd.org/bugzilla/enter_bug.cgi
Stefan Esser wrote on 21.06.2016 15:28:
> Using portmaster to update some ports sometimes failed for me, when used
> with PKG_NG.
>
> I created https://github.com/freebsd/pkg/issues/1222 to describe and
> document the problem.
>
> Since the problem persists, I had another look and found, that the
> cause described in issue 1222 did no longer apply, but instead that
> the problem is much broader.
>
> Package (de-)installation actions can be blocked by any unprivileged
> user with the simple command:
>
> $ pkg info | sleep 1000000
>
> (This only works if the output from pkg info is large enough to keep
> the pkg command blocked for the duration of the sleep, obviously ...)
>
>
> The invocation in portmaster is equivalent to:
>
> pkg query "%n-%v %o" | while read pkg origin
> do
> ...
> pkg add/delete ...
> ...
> done
>
> Depending on a number of factors, the inner pkg command fails if the
> while loop has not consumed all output from the "pkg query" command.
>
> This is easily fixed in portmaster (by buffering the output of the
> "pkg query" command, before the loop is entered).
>
>
> But this does not help with the fact, that any user can prevent the
> installation or deletion of packages by keeping a "pkg info" process
> blocked.
>
> Instead of the example (with sleep) given above, "pkg info|more" does
> also block package installation and deletion, since "more" does not
> buffer all output from the command. And that might occur without the
> user typing "pkg info|more" knowing that he blocks out "pkg add/delete"
> for the duration of time he keeps the more command blocked ...
>
> Regards, Stefan
--
Arto Pekkanen
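
The portmaster-side fix described in the quoted message (buffer the "pkg query" output before the loop is entered), as an added example that is not part of the original thread or of portmaster's code. `list_packages` and `inner_action` are hypothetical stand-ins for `pkg query "%n-%v %o"` and `pkg add/delete`, and the package list is constructed sample data:

```shell
#!/bin/sh
# Marker file that exists only while the producer is running. In a pipeline
# ("producer | while read ..."), the loop body can run while it still exists.
MARKER="${TMPDIR:-/tmp}/pkgquery-demo.$$"

# Stand-in for: pkg query "%n-%v %o"   (constructed sample output)
list_packages() {
    : > "$MARKER"
    printf '%s\n' \
        'bash-4.3.46 shells/bash' \
        'curl-7.49.1 ftp/curl' \
        'zsh-5.2 shells/zsh'
    rm -f "$MARKER"
}

# Stand-in for the inner "pkg add/delete": it only succeeds when no
# producer is still alive, mirroring the failure described in the mail.
inner_action() {
    [ ! -e "$MARKER" ]
}

# Buffered form: the producer runs to completion and exits before the
# loop starts, so the inner action never overlaps with it.
process_buffered() {
    buf=$(mktemp "${TMPDIR:-/tmp}/pkglist.XXXXXX") || return 1
    list_packages > "$buf" || { rm -f "$buf"; return 1; }

    handled=0
    while read -r pkg origin; do
        # $pkg is "name-version", $origin is "category/port"
        inner_action || { rm -f "$buf"; return 1; }
        handled=$((handled + 1))
    done < "$buf"

    rm -f "$buf"
    echo "$handled"
}
```

This only removes the overlap inside the script itself; as the quoted message notes, it does nothing about another user keeping a "pkg info" process blocked.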