portupgrade regression?

Simon L. Nielsen simon at FreeBSD.org
Fri Apr 29 02:10:46 PDT 2005 

On 2005.04.22 13:33:39 -0500, Jon Noack wrote:
> On 4/22/2005 9:06 AM, Simon L. Nielsen wrote:
> >On 2005.04.22 01:44:25 -0500, Jon Noack wrote:
> >>Ever since the security fix for CAN-2005-0610, portupgrade and company 
> >>have been behaving oddly for me.  The root cause of this seems to be 
> >>that the pkgdb is being updated needlessly with every operation:
> >
> >After the patch pkgdb.fixme is created in /var/db/pkg, which causes
> >the portupgrade package database update check to always fail.
> 
> I get it now: portupgrade compares the /var/db/pkg timestamp to the 
> pkgdb.db timestamp to figure out when to update.  Creating pkgdb.fixme 
> in /var/db/pkg will bump the /var/db/pkg timestamp and make it always 
> seem like pkgdb.db is old and needs to be updating.

Correct.

> >>Am I trying to do something that I shouldn't?  What is the correct
> >>behavior here?
> >
> >It is definitely a bug that the package database is rebuild every
> >time, and portversion fails due to that problem.  The solution is
> >probably to create pkgdb.fixme in another directory, but I haven't yet
> >found a secure and reliable fix.  I am looking into it (and if anybody
> >has good ideas, or patches, please contact me).
> 
> The following change (relative to the original source) leaves the 
> default as the @db_dir but allows one to override it with PKG_TMPDIR or 
> TMPDIR:
>
> **********************************************************************
> --- pkgdb.rb.orig       Mon Oct 18 09:59:09 2004
> +++ pkgdb.rb    Fri Apr 22 13:25:20 2005
> @@ -96,7 +96,7 @@
>      @db_dir = File.expand_path(new_db_dir || ENV['PKG_DBDIR'] || 
> '/var/db/pkg')
> 
>      @db_file = File.join(@db_dir, 'pkgdb.db')
> -    @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
> +    @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || @db_dir
>      @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
>      @db_filebase = @db_file.sub(/\.db$/, '')
>      close_db
> **********************************************************************
> 
> One would need to apply the same change to pkgsqldb.rb.  That change 
> resolves the issue for me but preserves a secure default.  Is that an 
> acceptable compromise?

The problem with that solution leaves people with legitimate setups
(where PKG_TMPDIR or TMPDIR is set to a world write able dir) are then
vulnerable to symlink attacks.

I think I have found the way to fix this both so it works for
non-root, make pkgdb.db not be updated all the time, and so it does
not cause new security problems, but I need to work out a few quirks
(my first version did not work correctly).  Hopefully I will get it
working this weekend, if not I will add a bandaid so you can make it
work by setting an environment variable.

Sorry about the delay in fixing this.

-- 
Simon L. Nielsen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20050429/a4b15b99/attachment.bin

More information about the freebsd-ports mailing list