stagedir vs. jail

Peter Looyenga pl at catslair.org
Sun Oct 13 14:30:35 UTC 2013


On Sun, Oct 13, 2013 at 12:58:53PM +0200, Ekkehard Gehm wrote:

> Nope that doesn't work as there is no way to globally disable staging,
> if you add NO_STAGE in make.conf all you end up with is a messed package
> db, if you are very very lucky it might sometime work.

I know this method is frowned upon because it's not a method which was
intended to be used by end users, but I have to disagree with you here: this
setting seems to work flawlessly in disabling staging.

In my situation I'm using a /tmp directory which has the exec flag disabled
in order to prevent escalation whenever a customer website uses scripts
which aren't as secured as they (c/sh)ould have been. At the very least it
blocks 3rd parties from having an easy place to execute their stuff.

Ever since staging was introduced I've been having issues where
installations or upgrades stopped somewhere near the end and gave an error
that the script couldn't execute ./INSTALL. It took me a while but I traced
it back to the use of the pkg_add command; apparently it's used to install
the created package but without pointing it to a dedicated temporary
directory, thus pkg_add defaults to using either /var/tmp or /tmp. Both of
which have exec disabled on my system, and so the installation fails.

Needless to say but as soon as I specify NO_STAGING on the command line or in
make.conf (which I've been using during upgrade sessions from FreeBSD 9.1 to
9.2 where I rebuild some ports to be sure everything kept working optimally)
the whole installation process seems to resort to the previous situation and
I get no errors regarding ./INSTALL which can't be executed.

Using portmaster or the pkg_info / pkg_version tools also doesn't show any
problems with my package database. Though I could imagine things to be
different when using pkgng, I haven't experimented much with that as of yet.

As said; I realize that this may not have been intended and it may be ill
advised, but at this point this surely seems to be a very effective way to
turn staging off.

Right now the new staging process gives me more bother than advantages
unfortunately. I can understand the theoretical advantages, but fact of the
matter is that those don't apply to my situation.


With kind regards,

Peter 


--
.\\ S/MIME public key: http://www.catslair.org/pubkey.crt
    +- My semi-private Root CA: http://ssl.losoco.nl/losoco.crt
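
An added example, not part of the message above or of the FreeBSD ports tree: a shell check that reads FreeBSD-format `mount` output and reports whether /var/tmp and /tmp, the two directories the message says pkg_add falls back to, sit on a noexec filesystem where ./INSTALL could not run. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `mount` output (not taken from the message).
SAMPLE_MOUNTS='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, multilabel)
/dev/ada0p4 on /var (ufs, local, soft-updates)
/dev/ada0p5 on /var/tmp (ufs, local, noexec, nosuid, soft-updates)
tmpfs on /tmp (tmpfs, local, noexec, nosuid)'

# Print the mount options of the filesystem holding path $1.
# The mount table is read from stdin; the longest matching mount point wins.
mount_opts_for() {
    awk -v p="$1" '
    {
        s = index($0, " on "); o = index($0, " (")
        if (s == 0 || o <= s) next
        mp = substr($0, s + 4, o - s - 4)
        opts = substr($0, o + 2); sub(/\)$/, "", opts)
        pre = (mp == "/") ? "/" : mp "/"
        if ((p == mp || index(p "/", pre) == 1) && length(mp) > best) {
            best = length(mp); found = opts
        }
    }
    END { print found }'
}

# Succeed when the filesystem holding path $1 is mounted noexec.
is_noexec() {
    case ", $(mount_opts_for "$1")," in
        *", noexec,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# For each temp directory named in the message, say whether a script
# unpacked there (such as ./INSTALL) could be executed.
report_tmpdirs() {
    table=$(cat)
    for d in /var/tmp /tmp; do
        if printf '%s\n' "$table" | is_noexec "$d"; then
            echo "$d noexec"
        else
            echo "$d exec-ok"
        fi
    done
}

# Stand-alone run on the sample; on a real host use: mount | report_tmpdirs
printf '%s\n' "$SAMPLE_MOUNTS" | report_tmpdirs
```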



More information about the freebsd-ports mailing list