freebsd
GitHub Repository: freebsd/freebsd-doc
Path: blob/main/website/static/security/patches/EN-15:04/freebsd-update-8.patch
1
Index: usr.sbin/freebsd-update/freebsd-update.8
2
===================================================================
3
--- usr.sbin/freebsd-update/freebsd-update.8 (revision 282245)
4
+++ usr.sbin/freebsd-update/freebsd-update.8 (working copy)
5
@@ -25,7 +25,7 @@
6
.\"
7
.\" $FreeBSD$
8
.\"
9
-.Dd July 14, 2010
10
+.Dd March 2, 2015
11
.Dt FREEBSD-UPDATE 8
12
.Os FreeBSD
13
.Sh NAME
14
@@ -36,10 +36,12 @@
15
.Op Fl b Ar basedir
16
.Op Fl d Ar workdir
17
.Op Fl f Ar conffile
18
+.Op Fl F
19
.Op Fl k Ar KEY
20
.Op Fl r Ar newrelease
21
.Op Fl s Ar server
22
.Op Fl t Ar address
23
+.Op Fl -not-running-from-cron
24
.Cm command ...
25
.Sh DESCRIPTION
26
The
27
@@ -49,21 +51,21 @@ updates to the FreeBSD base system.
28
Note that updates are only available if they are being built for the
29
FreeBSD release and architecture being used; in particular, the
30
.Fx
31
-Security Team only builds updates for releases shipped in binary form
32
+Security Team only builds updates for releases shipped in binary form
33
by the
34
.Fx
35
Release Engineering Team, e.g.,
36
.Fx
37
-7.3-RELEASE and
38
+9.3-RELEASE and
39
.Fx
40
-8.0, but not
41
+10.1-RELEASE, but not
42
.Fx
43
-6.3-STABLE or
44
+9.3-STABLE or
45
.Fx
46
-9.0-CURRENT.
47
+11-CURRENT.
48
.Sh OPTIONS
49
The following options are supported:
50
-.Bl -tag -width "-f conffile"
51
+.Bl -tag -width "-r newrelease"
52
.It Fl b Ar basedir
53
Operate on a system mounted at
54
.Ar basedir .
55
@@ -81,6 +83,10 @@ Read configuration options from
56
.Ar conffile .
57
(default:
58
.Pa /etc/freebsd-update.conf )
59
+.It Fl F
60
+Force
61
+.Nm Cm fetch
62
+to proceed where it normally would not, such as an unfinished upgrade
63
.It Fl k Ar KEY
64
Trust an RSA key with SHA256 of
65
.Ar KEY .
66
@@ -98,13 +104,21 @@ Mail output of
67
command, if any, to
68
.Ar address .
69
(default: root, or as given in the configuration file.)
70
+.It Fl -not-running-from-cron
71
+Force
72
+.Nm Cm fetch
73
+to proceed when there is no controlling tty.
74
+This is for use by automated scripts and orchestration tools.
75
+Please do not run
76
+.Nm Cm fetch
77
+from crontab or similar using this flag, see:
78
+.Nm Cm cron
79
.El
80
.Sh COMMANDS
81
The
82
.Cm command
83
can be any one of the following:
84
-.Pp
85
-.Bl -tag -width "-f conffile"
86
+.Bl -tag -width "rollback"
87
.It Cm fetch
88
Based on the currently installed world and the configuration
89
options set, fetch all available binary updates.
90
@@ -128,6 +142,11 @@ Fetch files necessary for upgrading to a
91
Before using this command, make sure that you read the
92
announcement and release notes for the new release in
93
case there are any special steps needed for upgrading.
94
+Note that this command may require up to 500 MB of space in
95
+.Ar workdir
96
+depending on which components of the
97
+.Fx
98
+base system are installed.
99
.It Cm install
100
Install the most recently fetched updates or upgrade.
101
.It Cm rollback
102
@@ -149,7 +168,7 @@ other than 3AM, to avoid overly imposing
103
on the server(s) hosting the updates.
104
.It
105
In spite of its name,
106
-.Cm
107
+.Nm
108
IDS should not be relied upon as an "Intrusion Detection
109
System", since if the system has been tampered with
110
it cannot be trusted to operate correctly.
111
@@ -158,11 +177,11 @@ purposes, make sure you boot from a secu
112
.El
113
.Sh FILES
114
.Bl -tag -width "/etc/freebsd-update.conf"
115
-.It /etc/freebsd-update.conf
116
+.It Pa /etc/freebsd-update.conf
117
Default location of the
118
.Nm
119
configuration file.
120
-.It /var/db/freebsd-update/
121
+.It Pa /var/db/freebsd-update/
122
Default location where
123
.Nm
124
stores temporary files and downloaded updates.
125
@@ -170,4 +189,4 @@ stores temporary files and downloaded up
126
.Sh SEE ALSO
127
.Xr freebsd-update.conf 5
128
.Sh AUTHORS
129
-.An Colin Percival Aq [email protected]
130
+.An Colin Percival Aq Mt [email protected]
131
Index: usr.sbin/freebsd-update/freebsd-update.sh
132
===================================================================
133
--- usr.sbin/freebsd-update/freebsd-update.sh (revision 282245)
134
+++ usr.sbin/freebsd-update/freebsd-update.sh (working copy)
135
@@ -43,12 +43,15 @@ Options:
136
(default: /var/db/freebsd-update/)
137
-f conffile -- Read configuration options from conffile
138
(default: /etc/freebsd-update.conf)
139
+ -F -- Force a fetch operation to proceed
140
-k KEY -- Trust an RSA key with SHA256 hash of KEY
141
-r release -- Target for upgrade (e.g., 6.2-RELEASE)
142
-s server -- Server from which to fetch updates
143
(default: update.FreeBSD.org)
144
-t address -- Mail output of cron command, if any, to address
145
(default: root)
146
+ --not-running-from-cron
147
+ -- Run without a tty, for use by automated tools
148
Commands:
149
fetch -- Fetch updates from server
150
cron -- Sleep rand(3600) seconds, fetch updates, and send an
151
@@ -284,6 +287,9 @@ config_TargetRelease () {
152
else
153
return 1
154
fi
155
+ if echo ${TARGETRELEASE} | grep -qE '^[0-9.]+$'; then
156
+ TARGETRELEASE="${TARGETRELEASE}-RELEASE"
157
+ fi
158
}
159
160
# Define what happens to output of utilities
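Review bot: The new release-suffix check in config_TargetRelease accepts any string made only of digits and dots, so a value such as `.` or `10..` is rewritten to `.-RELEASE` rather than rejected; a pattern like `'^[0-9]+(\.[0-9]+)*$'` matches only dotted numeric versions. The `echo ${TARGETRELEASE}` feeding grep is unquoted, so `echo "${TARGETRELEASE}"` keeps a value containing whitespace or glob characters intact instead of word-splitting it before the match. config_TargetRelease begins outside the hunk.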
161
@@ -396,6 +402,12 @@ init_params () {
162
163
# No commands specified yet
164
COMMANDS=""
165
+
166
+ # Force fetch to proceed
167
+ FORCEFETCH=0
168
+
169
+ # Run without a TTY
170
+ NOTTYOK=0
171
}
172
173
# Parse the command line
174
@@ -408,6 +420,12 @@ parse_cmdline () {
175
if [ ! -z "${CONFFILE}" ]; then usage; fi
176
shift; CONFFILE="$1"
177
;;
178
+ -F)
179
+ FORCEFETCH=1
180
+ ;;
181
+ --not-running-from-cron)
182
+ NOTTYOK=1
183
+ ;;
184
185
# Configuration file equivalents
186
-b)
187
@@ -569,7 +587,7 @@ fetch_setup_verboselevel () {
188
# running *-p[0-9]+, strip off the last part; if the
189
# user is running -SECURITY, call it -RELEASE. Chdir
190
# into the working directory.
191
-fetch_check_params () {
192
+fetchupgrade_check_params () {
193
export HTTP_USER_AGENT="freebsd-update (${COMMAND}, `uname -r`)"
194
195
_SERVERNAME_z=\
196
@@ -577,6 +595,7 @@ fetch_check_params () {
197
_KEYPRINT_z="Key must be given via -k option or configuration file."
198
_KEYPRINT_bad="Invalid key fingerprint: "
199
_WORKDIR_bad="Directory does not exist or is not writable: "
200
+ _WORKDIR_bad2="Directory is not on a persistent filesystem: "
201
202
if [ -z "${SERVERNAME}" ]; then
203
echo -n "`basename $0`: "
204
@@ -600,6 +619,13 @@ fetch_check_params () {
205
echo ${WORKDIR}
206
exit 1
207
fi
208
+ case `df -T ${WORKDIR}` in */dev/md[0-9]* | *tmpfs*)
209
+ echo -n "`basename $0`: "
210
+ echo -n "${_WORKDIR_bad2}"
211
+ echo ${WORKDIR}
212
+ exit 1
213
+ ;;
214
+ esac
215
chmod 700 ${WORKDIR}
216
cd ${WORKDIR} || exit 1
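Review bot: The persistence check matches the whole `df -T ${WORKDIR}` output against `*/dev/md[0-9]*` and `*tmpfs*`, so the mount-point column is matched as well: a work directory on an ordinary filesystem whose path merely contains `tmpfs` or `/dev/md1` is refused, although only the device and filesystem-type columns carry the information wanted. Restricting the match to those columns, e.g. `case "$(df -T "${WORKDIR}" | awk 'NR==2 {print $1, $2}')" in /dev/md[0-9]*|*tmpfs*)`, keeps the same protection without the false positives. A short comment on why the check exists (presumably the fetched state must still be there after a reboot, since `install` runs later) would help the next reader; `${WORKDIR}` is unquoted here as in the surrounding lines. fetchupgrade_check_params begins and ends outside the hunk.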
217
218
@@ -652,9 +678,29 @@ fetch_check_params () {
219
BDHASH=`echo ${BASEDIR} | sha256 -q`
220
}
221
222
+# Perform sanity checks etc. before fetching updates.
223
+fetch_check_params () {
224
+ fetchupgrade_check_params
225
+
226
+ if ! [ -z "${TARGETRELEASE}" ]; then
227
+ echo -n "`basename $0`: "
228
+ echo -n "-r option is meaningless with 'fetch' command. "
229
+ echo "(Did you mean 'upgrade' instead?)"
230
+ exit 1
231
+ fi
232
+
233
+ # Check that we have updates ready to install
234
+ if [ -f ${BDHASH}-install/kerneldone -a $FORCEFETCH -eq 0 ]; then
235
+ echo "You have a partially completed upgrade pending"
236
+ echo "Run '$0 install' first."
237
+ echo "Run '$0 fetch -F' to proceed anyway."
238
+ exit 1
239
+ fi
240
+}
241
+
242
# Perform sanity checks etc. before fetching upgrades.
243
upgrade_check_params () {
244
- fetch_check_params
245
+ fetchupgrade_check_params
246
247
# Unless set otherwise, we're upgrading to the same kernel config.
248
NKERNCONF=${KERNCONF}
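Review bot: The comment `# Check that we have updates ready to install` in the new fetch_check_params describes the opposite of what the test does: the kerneldone marker means a previous upgrade was only half installed, and fetch is refused until `install` finishes it or -F is given. `# Refuse to fetch over a partially installed upgrade unless -F was given` says that. The relative path `${BDHASH}-install/kerneldone` only resolves because fetchupgrade_check_params has already done `cd ${WORKDIR}` in an earlier hunk, which is worth a word in the same comment, and `-a` inside `[ ]` is the deprecated conjunction; `[ -f "${BDHASH}-install/kerneldone" ] && [ "${FORCEFETCH}" -eq 0 ]` is the portable spelling.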
249
@@ -1185,7 +1231,7 @@ fetch_metadata_sanity () {
250
# Some aliases to save space later: ${P} is a character which can
251
# appear in a path; ${M} is the four numeric metadata fields; and
252
# ${H} is a sha256 hash.
253
- P="[-+./:=%@_[~[:alnum:]]"
254
+ P="[-+./:=,%@_[~[:alnum:]]"
255
M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+"
256
H="[0-9a-f]{64}"
257
258
@@ -1456,7 +1502,7 @@ fetch_inspect_system () {
259
sort -k 3,3 -t '|' > $2.tmp
260
rm filelist
261
262
- # Check if an error occured during system inspection
263
+ # Check if an error occurred during system inspection
264
if [ -f .err ]; then
265
return 1
266
fi
267
@@ -2240,6 +2286,19 @@ upgrade_oldall_to_oldnew () {
268
mv $2 $3
269
}
270
271
+# Helper for upgrade_merge: Return zero true iff the two files differ only
272
+# in the contents of their RCS tags.
273
+samef () {
274
+ X=`sed -E 's/\\$FreeBSD.*\\$/\$FreeBSD\$/' < $1 | ${SHA256}`
275
+ Y=`sed -E 's/\\$FreeBSD.*\\$/\$FreeBSD\$/' < $2 | ${SHA256}`
276
+
277
+ if [ $X = $Y ]; then
278
+ return 0;
279
+ else
280
+ return 1;
281
+ fi
282
+}
283
+
284
# From the list of "old" files in $1, merge changes in $2 with those in $3,
285
# and update $3 to reflect the hashes of merged files.
286
upgrade_merge () {
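Review bot: samef reports two files as identical when neither can be read, because a failed `< $1` redirection leaves `${SHA256}` reading empty input and both sides then yield the digest of an empty stream; the later upgrade_merge hunk calls `samef merge/old/${F} merge/${OLDRELNUM}/${F}` without the `-f` guards that the subsequent hunk adds, so a file absent from both paths would be copied from the new release instead of going to manual merge. Adding `[ -f "$1" ] && [ -f "$2" ] || return 1` at the top of samef closes that for every caller, and `[ "${X}" = "${Y}" ]` keeps the comparison well-formed if a digest ever comes back empty. The header comment reads `Return zero true iff`; `Return true (exit status 0) iff` is what is meant.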
287
@@ -2323,6 +2382,14 @@ upgrade_merge () {
288
289
# Ask the user to handle any files which didn't merge.
290
while read F; do
291
+ # If the installed file differs from the version in
292
+ # the old release only due to RCS tag expansion
293
+ # then just use the version in the new release.
294
+ if samef merge/old/${F} merge/${OLDRELNUM}/${F}; then
295
+ cp merge/${RELNUM}/${F} merge/new/${F}
296
+ continue
297
+ fi
298
+
299
cat <<-EOF
300
301
The following file could not be merged automatically: ${F}
302
@@ -2337,9 +2404,18 @@ manually...
303
# Ask the user to confirm that he likes how the result
304
# of merging files.
305
while read F; do
306
- # Skip files which haven't changed.
307
- if [ -f merge/new/${F} ] &&
308
- cmp -s merge/old/${F} merge/new/${F}; then
309
+ # Skip files which haven't changed except possibly
310
+ # in their RCS tags.
311
+ if [ -f merge/old/${F} ] && [ -f merge/new/${F} ] &&
312
+ samef merge/old/${F} merge/new/${F}; then
313
+ continue
314
+ fi
315
+
316
+ # Skip files where the installed file differs from
317
+ # the old file only due to RCS tags.
318
+ if [ -f merge/old/${F} ] &&
319
+ [ -f merge/${OLDRELNUM}/${F} ] &&
320
+ samef merge/old/${F} merge/${OLDRELNUM}/${F}; then
321
continue
322
fi
323
324
@@ -2526,6 +2602,10 @@ upgrade_run () {
325
# Leave a note behind to tell the "install" command that the kernel
326
# needs to be installed before the world.
327
touch ${BDHASH}-install/kernelfirst
328
+
329
+ # Remind the user that they need to run "freebsd-update install"
330
+ # to install the downloaded bits, in case they didn't RTFM.
331
+ echo "To install the downloaded upgrades, run \"$0 install\"."
332
}
333
334
# Make sure that all the file hashes mentioned in $@ have corresponding
335
@@ -2577,14 +2657,14 @@ backup_kernel_finddir () {
336
while true ; do
337
# Pathname does not exist, so it is OK use that name
338
# for backup directory.
339
- if [ ! -e $BACKUPKERNELDIR ]; then
340
+ if [ ! -e $BASEDIR/$BACKUPKERNELDIR ]; then
341
return 0
342
fi
343
344
# If directory do exist, we only use if it has our
345
# marker file.
346
- if [ -d $BACKUPKERNELDIR -a \
347
- -e $BACKUPKERNELDIR/.freebsd-update ]; then
348
+ if [ -d $BASEDIR/$BACKUPKERNELDIR -a \
349
+ -e $BASEDIR/$BACKUPKERNELDIR/.freebsd-update ]; then
350
return 0
351
fi
352
353
@@ -2592,7 +2672,7 @@ backup_kernel_finddir () {
354
# the end and try again.
355
CNT=$((CNT + 1))
356
if [ $CNT -gt 9 ]; then
357
- echo "Could not find valid backup dir ($BACKUPKERNELDIR)"
358
+ echo "Could not find valid backup dir ($BASEDIR/$BACKUPKERNELDIR)"
359
exit 1
360
fi
361
BACKUPKERNELDIR="`echo $BACKUPKERNELDIR | sed -Ee 's/[0-9]\$//'`"
362
@@ -2619,17 +2699,17 @@ backup_kernel () {
363
# Remove old kernel backup files. If $BACKUPKERNELDIR was
364
# "not ours", backup_kernel_finddir would have exited, so
365
# deleting the directory content is as safe as we can make it.
366
- if [ -d $BACKUPKERNELDIR ]; then
367
- rm -fr $BACKUPKERNELDIR
368
+ if [ -d $BASEDIR/$BACKUPKERNELDIR ]; then
369
+ rm -fr $BASEDIR/$BACKUPKERNELDIR
370
fi
371
372
# Create directories for backup.
373
- mkdir -p $BACKUPKERNELDIR
374
- mtree -cdn -p "${KERNELDIR}" | \
375
- mtree -Ue -p "${BACKUPKERNELDIR}" > /dev/null
376
+ mkdir -p $BASEDIR/$BACKUPKERNELDIR
377
+ mtree -cdn -p "${BASEDIR}/${KERNELDIR}" | \
378
+ mtree -Ue -p "${BASEDIR}/${BACKUPKERNELDIR}" > /dev/null
379
380
# Mark the directory as having been created by freebsd-update.
381
- touch $BACKUPKERNELDIR/.freebsd-update
382
+ touch $BASEDIR/$BACKUPKERNELDIR/.freebsd-update
383
if [ $? -ne 0 ]; then
384
echo "Could not create kernel backup directory"
385
exit 1
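Review bot: `rm -fr $BASEDIR/$BACKUPKERNELDIR` in backup_kernel removes whatever the two unquoted variables expand to, and the only thing standing between it and `rm -fr $BASEDIR/` is the marker check in backup_kernel_finddir; a spelled-out guard is cheap: `rm -fr -- "${BASEDIR}/${BACKUPKERNELDIR:?}"`, with the `-d` test above it quoting the same path. The hunk quotes `"${BASEDIR}/${KERNELDIR}"` for mtree but leaves the `mkdir -p` and `touch` paths unquoted; quoting all of them consistently avoids surprises when -b points at a path containing spaces. backup_kernel begins and ends outside the hunk.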
386
@@ -2647,8 +2727,8 @@ backup_kernel () {
387
fi
388
389
# Backup all the kernel files using hardlinks.
390
- (cd $KERNELDIR && find . -type f $FINDFILTER -exec \
391
- cp -pl '{}' ${BACKUPKERNELDIR}/'{}' \;)
392
+ (cd ${BASEDIR}/${KERNELDIR} && find . -type f $FINDFILTER -exec \
393
+ cp -pl '{}' ${BASEDIR}/${BACKUPKERNELDIR}/'{}' \;)
394
395
# Re-enable patchname expansion.
396
set +f
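Review bot: The subshell does `cd ${BASEDIR}/${KERNELDIR}` and then names the copy destination as `${BASEDIR}/${BACKUPKERNELDIR}/'{}'`, so if BASEDIR can be a relative path (whether -b is canonicalised is not visible here) the destination resolves under the new working directory rather than under the base directory. Resolving the target once before the cd keeps the two paths consistent, e.g. `BKDIR=$(cd "${BASEDIR}/${BACKUPKERNELDIR}" && pwd)` before the subshell and `cp -pl '{}' "${BKDIR}"/'{}' \;` inside the find. backup_kernel begins and ends outside the hunk.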
397
@@ -2746,7 +2826,7 @@ install_files () {
398
399
# Update linker.hints if necessary
400
if [ -s INDEX-OLD -o -s INDEX-NEW ]; then
401
- kldxref -R /boot/ 2>/dev/null
402
+ kldxref -R ${BASEDIR}/boot/ 2>/dev/null
403
fi
404
405
# We've finished updating the kernel.
406
@@ -2797,14 +2877,14 @@ Kernel updates have been installed. Ple
407
install_delete INDEX-OLD INDEX-NEW || return 1
408
409
# Rebuild /etc/spwd.db and /etc/pwd.db if necessary.
410
- if [ /etc/master.passwd -nt /etc/spwd.db ] ||
411
- [ /etc/master.passwd -nt /etc/pwd.db ]; then
412
- pwd_mkdb /etc/master.passwd
413
+ if [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/spwd.db ] ||
414
+ [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/pwd.db ]; then
415
+ pwd_mkdb -d ${BASEDIR}/etc ${BASEDIR}/etc/master.passwd
416
fi
417
418
# Rebuild /etc/login.conf.db if necessary.
419
- if [ /etc/login.conf -nt /etc/login.conf.db ]; then
420
- cap_mkdb /etc/login.conf
421
+ if [ ${BASEDIR}/etc/login.conf -nt ${BASEDIR}/etc/login.conf.db ]; then
422
+ cap_mkdb ${BASEDIR}/etc/login.conf
423
fi
424
425
# We've finished installing the world and deleting old files
426
@@ -3011,21 +3091,8 @@ IDS_compare () {
427
mv INDEX-NOTMATCHING.tmp INDEX-NOTMATCHING
428
429
# Go through the lines and print warnings.
430
- while read LINE; do
431
- FPATH=`echo "${LINE}" | cut -f 1 -d '|'`
432
- TYPE=`echo "${LINE}" | cut -f 2 -d '|'`
433
- OWNER=`echo "${LINE}" | cut -f 3 -d '|'`
434
- GROUP=`echo "${LINE}" | cut -f 4 -d '|'`
435
- PERM=`echo "${LINE}" | cut -f 5 -d '|'`
436
- HASH=`echo "${LINE}" | cut -f 6 -d '|'`
437
- LINK=`echo "${LINE}" | cut -f 7 -d '|'`
438
- P_TYPE=`echo "${LINE}" | cut -f 8 -d '|'`
439
- P_OWNER=`echo "${LINE}" | cut -f 9 -d '|'`
440
- P_GROUP=`echo "${LINE}" | cut -f 10 -d '|'`
441
- P_PERM=`echo "${LINE}" | cut -f 11 -d '|'`
442
- P_HASH=`echo "${LINE}" | cut -f 12 -d '|'`
443
- P_LINK=`echo "${LINE}" | cut -f 13 -d '|'`
444
-
445
+ local IFS='|'
446
+ while read FPATH TYPE OWNER GROUP PERM HASH LINK P_TYPE P_OWNER P_GROUP P_PERM P_HASH P_LINK; do
447
# Warn about different object types.
448
if ! [ "${TYPE}" = "${P_TYPE}" ]; then
449
echo -n "${FPATH} is a "
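Review bot: The rewritten loop reads INDEX-NOTMATCHING with a bare `read`, which interprets backslash sequences, whereas the replaced `cut` pipeline passed every field through verbatim; a path containing a backslash now comes out mangled. `while read -r FPATH TYPE OWNER GROUP PERM HASH LINK P_TYPE P_OWNER P_GROUP P_PERM P_HASH P_LINK; do` restores the old behaviour. `local IFS='|'` also stays in effect for the rest of IDS_compare after the loop (the remainder is outside the hunk), so any unquoted expansion later in the function would split on `|` instead of whitespace; scoping it to the read, `while IFS='|' read -r ...`, avoids that. `local` is not POSIX, which is fine if the script is only ever run under FreeBSD's sh.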
450
@@ -3153,7 +3220,7 @@ get_params () {
451
# Fetch command. Make sure that we're being called
452
# interactively, then run fetch_check_params and fetch_run
453
cmd_fetch () {
454
- if [ ! -t 0 ]; then
455
+ if [ ! -t 0 -a $NOTTYOK -eq 0 ]; then
456
echo -n "`basename $0` fetch should not "
457
echo "be run non-interactively."
458
echo "Run `basename $0` cron instead."
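Review bot: The new tty test uses the deprecated `-a` conjunction and an unquoted `$NOTTYOK`; `if [ ! -t 0 ] && [ "${NOTTYOK}" -eq 0 ]; then` is unambiguous and matches the `[ ... ] && [ ... ]` form used elsewhere in this patch. The message that follows still only points users at the cron command, so an orchestration tool hitting this branch gets no hint that the new flag exists; adding `echo "Or pass --not-running-from-cron when no tty is available."` after the cron hint documents the escape hatch where it is needed. cmd_fetch continues outside the hunk.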
459
460