portupgrade regression?
Simon L. Nielsen
simon at FreeBSD.org
Fri Apr 29 02:10:46 PDT 2005
On 2005.04.22 13:33:39 -0500, Jon Noack wrote:
> On 4/22/2005 9:06 AM, Simon L. Nielsen wrote:
> >On 2005.04.22 01:44:25 -0500, Jon Noack wrote:
> >>Ever since the security fix for CAN-2005-0610, portupgrade and company
> >>have been behaving oddly for me. The root cause of this seems to be
> >>that the pkgdb is being updated needlessly with every operation:
> >
> >After the patch pkgdb.fixme is created in /var/db/pkg, which causes
> >the portupgrade package database update check to always fail.
>
> I get it now: portupgrade compares the /var/db/pkg timestamp to the
> pkgdb.db timestamp to figure out when to update. Creating pkgdb.fixme
> in /var/db/pkg will bump the /var/db/pkg timestamp and make it always
> seem like pkgdb.db is old and needs to be updated.

Correct.

> >>Am I trying to do something that I shouldn't? What is the correct
> >>behavior here?
> >
> >It is definitely a bug that the package database is rebuilt every
> >time, and portversion fails due to that problem. The solution is
> >probably to create pkgdb.fixme in another directory, but I haven't yet
> >found a secure and reliable fix. I am looking into it (and if anybody
> >has good ideas, or patches, please contact me).
>
> The following change (relative to the original source) leaves the
> default as the @db_dir but allows one to override it with PKG_TMPDIR or
> TMPDIR:
>
> **********************************************************************
> --- pkgdb.rb.orig Mon Oct 18 09:59:09 2004
> +++ pkgdb.rb Fri Apr 22 13:25:20 2005
> @@ -96,7 +96,7 @@
> @db_dir = File.expand_path(new_db_dir || ENV['PKG_DBDIR'] ||
> '/var/db/pkg')
>
> @db_file = File.join(@db_dir, 'pkgdb.db')
> - @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || '/var/tmp'
> + @tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || @db_dir
> @fixme_file = File.join(@tmp_dir, 'pkgdb.fixme')
> @db_filebase = @db_file.sub(/\.db$/, '')
> close_db
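Review bot: The added `@tmp_dir = ENV['PKG_TMPDIR'] || ENV['TMPDIR'] || @db_dir` line still takes PKG_TMPDIR and TMPDIR unchecked, so when either is set the fixed name `pkgdb.fixme` joined on the next line ends up at a predictable path in whatever directory the environment names, and only the fallback changes from '/var/tmp' to @db_dir. Consider not using TMPDIR for this file at all (it is a general-purpose variable that is often set for unrelated reasons), and for any override that remains, check that the directory is owned by the current user and not group- or world-writable, or create the file with exclusive-create semantics so an existing entry at that path is never reused. The hunk also touches only pkgdb.rb, while the message says pkgsqldb.rb needs the same change, so both should go in one patch.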
> **********************************************************************
>
> One would need to apply the same change to pkgsqldb.rb. That change
> resolves the issue for me but preserves a secure default. Is that an
> acceptable compromise?

The problem with that solution is that people with legitimate setups
(where PKG_TMPDIR or TMPDIR is set to a world-writable dir) are then
vulnerable to symlink attacks.

I think I have found the way to fix this so that it works for
non-root, so that pkgdb.db is not updated all the time, and so that it
does not cause new security problems, but I need to work out a few quirks
(my first version did not work correctly). Hopefully I will get it
working this weekend; if not, I will add a band-aid so you can make it
work by setting an environment variable.

Sorry about the delay in fixing this.

--
Simon L. Nielsen
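
The concern raised in the reply above (a fixed-name pkgdb.fixme in a directory taken from PKG_TMPDIR or TMPDIR), as an added Ruby example that is not portupgrade's code and not the fix the author refers to: it contrasts a plain open with a directory check plus exclusive create. The helper names and the throwaway directory layout are assumptions made for the demonstration.

```ruby
require 'tmpdir'

# Hypothetical helpers, not portupgrade code.
# A directory may hold a fixed-name marker only if it is a real directory
# (not a symlink), owned by us or root, and not group/world writable.
def safe_marker_dir?(dir)
  st = File.lstat(dir)
  st.directory? && [0, Process.euid].include?(st.uid) && (st.mode & 0o022).zero?
end

# Unsafe "before": mode 'w' follows a symlink at the path and truncates its target.
def naive_marker(dir, name = 'pkgdb.fixme')
  File.open(File.join(dir, name), 'w') { |f| f.puts 'fixme' }
end

# Hardened: vet the directory, then create exclusively. With CREAT|EXCL the
# open fails with EEXIST if anything, including a symlink, already sits there.
def create_marker(dir, name = 'pkgdb.fixme')
  raise ArgumentError, "unsafe marker directory: #{dir}" unless safe_marker_dir?(dir)
  path = File.join(dir, name)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.puts 'fixme' }
  path
end

# Constructed scenario in a throwaway directory tree.
def demo
  Dir.mktmpdir('fixme-demo') do |root|
    shared = File.join(root, 'shared')
    priv   = File.join(root, 'private')
    Dir.mkdir(shared); File.chmod(0o1777, shared) # stands in for a world-writable TMPDIR
    Dir.mkdir(priv);   File.chmod(0o700, priv)
    target = File.join(root, 'target.txt')
    File.write(target, "important\n")
    File.symlink(target, File.join(shared, 'pkgdb.fixme')) # entry present before we run
    File.symlink(target, File.join(priv, 'planted.fixme'))
    naive_marker(shared)
    clobbered = File.read(target) != "important\n"
    File.write(target, "important\n") # restore before testing the hardened path
    dir_refused  = (create_marker(shared); false) rescue true
    link_refused = (create_marker(priv, 'planted.fixme'); false) rescue true
    created = File.file?(create_marker(priv))
    { clobbered: clobbered, dir_refused: dir_refused, link_refused: link_refused,
      created: created, target_intact: File.read(target) == "important\n" }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The directory check alone rejects a sticky world-writable directory such as /tmp, which is why the exclusive create is still needed for directories that pass it.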