From owner-svn-src-user@FreeBSD.ORG Tue Feb 8 04:48:54 2011 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 30E85106564A; Tue, 8 Feb 2011 04:48:54 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 222608FC08; Tue, 8 Feb 2011 04:48:54 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p184msd6033720; Tue, 8 Feb 2011 04:48:54 GMT (envelope-from dougb@svn.freebsd.org) Received: (from dougb@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id p184mskO033718; Tue, 8 Feb 2011 04:48:54 GMT (envelope-from dougb@svn.freebsd.org) Message-Id: <201102080448.p184mskO033718@svn.freebsd.org> 
From: Doug Barton Date: Tue, 8 Feb 2011 04:48:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r218428 - user/dougb/portmaster X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Feb 2011 04:48:54 -0000 Author: dougb Date: Tue Feb 8 04:48:53 2011 New Revision: 218428 URL: http://svn.freebsd.org/changeset/base/218428 Log: Tweak the way INDEX files are downloaded and installed to be only require root privileges for the minimum possible number of actions, and do things in a more secure way: 1. If necessary to download the new INDEX.bz2, as a non-root user, do it in a temporary directory created with mktemp 2. If necessary to update the actual INDEX file unzip it in that same temporary directory 3. Only use $PM_SU_CMD to install the file if necessary 4. Unlink both INDEX and INDEX.bz2 in their real locations before installing the new versions Use unset for a lot more variables in the above code. Add the -p flag for install to pm_install_s Move the initialization of PM_WRKDIRPREFIX to the area where other build-related variables are handled Modified: user/dougb/portmaster/portmaster Modified: user/dougb/portmaster/portmaster ============================================================================== --- user/dougb/portmaster/portmaster Tue Feb 8 01:49:30 2011 (r218427) +++ user/dougb/portmaster/portmaster Tue Feb 8 04:48:53 2011 (r218428) 
@@ -285,7 +285,7 @@ pm_unlink () { /bin/test -e $1 && /bin/u # Superuser versions for commands that need root privileges pm_find_s () { $PM_SU_CMD /usr/bin/find $*; } -pm_install_s () { $PM_SU_CMD /usr/bin/install -o root -g wheel -m 644 $1 $2; } +pm_install_s () { $PM_SU_CMD /usr/bin/install -p -o root -g wheel -m 644 $1 $2; } pm_make_s () { ( unset -v CUR_DEPS INSTALLED_LIST PM_DEPTH build_l; unset -v MASTER_RB_LIST; $PM_SU_CMD /usr/bin/nice /usr/bin/make $PM_MAKE_ARGS $*; ); } 
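Review bot: `$1` and `$2` are still expanded unquoted in the new `pm_install_s` line, so a source or destination path containing whitespace or glob characters is split or expanded before `install` runs under `$PM_SU_CMD`. Since the line is being touched anyway, I would quote them: `pm_install_s () { $PM_SU_CMD /usr/bin/install -p -o root -g wheel -m 644 "$1" "$2"; }`. The call sites added in the next hunk pass `${dli}/$INDEXFILE` and `$PM_INDEX` unquoted as well, so they need the same treatment for the quoting to have any effect. A one-line comment on why `-p` is needed would also help; presumably it keeps the mtime of the installed INDEX.bz2 that the later `stat -f '%Um'` comparison reads, but the hunk does not say.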
@@ -749,38 +749,56 @@ if [ "$$" -eq "$PM_PARENT_PID" ]; then [ -z "$INDEXDIR" -a -n "$PM_INDEX_ONLY" -a -z "$pd" ] && INDEXDIR="$TMPDIR" - PM_INDEX="${INDEXDIR:-$pd}/${INDEXFILE}" + PM_INDEX="${INDEXDIR:=$pd}/${INDEXFILE}" if [ -z "$PM_NO_INDEX_FETCH" ]; then : ${FETCHINDEX:='fetch -am -o'} : ${MASTER_SITE_INDEX:='http://www.FreeBSD.org/ports/'} - index_fetch="$FETCHINDEX ${PM_INDEX}.bz2 ${MASTER_SITE_INDEX}${INDEXFILE}.bz2" do_index_fetch=yes_index_fetch index_time=`stat -f '%Um' ${PM_INDEX}.bz2 2>/dev/null` - [ -n "$index_time" ] && { - $index_fetch 2>/dev/null && do_index_fetch=no_index_fetch; } + if [ -n "$index_time" ]; then + # If root, this will succeed either way + if $FETCHINDEX ${PM_INDEX}.bz2 ${MASTER_SITE_INDEX}${INDEXFILE}.bz2 2>/dev/null; then + unset do_index_fetch + newindex="${PM_INDEX}.bz2" + fi + fi + + if [ -n "$do_index_fetch" ] || + [ ${index_time:-0} -ne `stat -f '%Um' ${PM_INDEX}.bz2 2>/dev/null` ]; then + dli=`mktemp -d ${TMPDIR}/d-${PM_PARENT_PID}-index` + if [ -n "$do_index_fetch" ]; then + ift="$FETCHINDEX ${dli}/${INDEXFILE}.bz2 ${MASTER_SITE_INDEX}${INDEXFILE}.bz2" + $ift || fail Could not perform $ift + unset ift + newindex="${dli}/${INDEXFILE}.bz2" + fi - if [ "$do_index_fetch" = yes_index_fetch ]; then - pm_sv 'Fetching new INDEX file' - $PM_SU_CMD $index_fetch || fail Could not perform $index_fetch - fi - - if [ ${index_time:-0} -ne `stat -f '%Um' ${PM_INDEX}.bz2 2>/dev/null` ]; then - temp_index=`pm_mktemp index` - bunzip2 < ${PM_INDEX}.bz2 > $temp_index - pm_sv 'Installing new INDEX file' - pm_install_s $temp_index $PM_INDEX - unlink $temp_index - unset temp_index + bunzip2 --keep < $newindex > ${dli}/$INDEXFILE + if [ -w "${INDEXDIR}/" ]; then + pm_unlink $PM_INDEX + mv ${dli}/$INDEXFILE $PM_INDEX + if [ -n "$do_index_fetch" ]; then + pm_unlink ${PM_INDEX}.bz2 + mv ${dli}/${INDEXFILE}.bz2 ${PM_INDEX}.bz2 + fi + else + pm_sv 'Installing new INDEX file' + pm_install_s ${dli}/$INDEXFILE $PM_INDEX + [ -n "$do_index_fetch" ] && + 
pm_install_s ${dli}/${INDEXFILE}.bz2 ${PM_INDEX}.bz2 + fi + rm -rf $dli ; unset dli fi - unset index_fetch do_index_fetch index_time + unset FETCHINDEX MASTER_SITE_INDEX do_index_fetch index_time newindex else [ -r "$PM_INDEX" ] || fail "The --no-index-fetch option was used, but $PM_INDEX does not exist" fi + unset INDEXFILE INDEXDIR PM_INDEX_PORTS=`pkg_version -Ivl\< $PM_INDEX | cut -f1 -d\<` export PM_INDEX_PORTS @@ -798,7 +816,6 @@ if [ "$$" -eq "$PM_PARENT_PID" ]; then fi if [ -n "$pd" ]; then - pm_cd_pd && PM_WRKDIRPREFIX=`pm_make_b -V WRKDIRPREFIX` && pm_cd - export pd else if [ -n "$EXPUNGE" -o -n "$CLEAN_STALE" ]; then @@ -2780,6 +2797,9 @@ if [ "$$" -eq "$PM_PARENT_PID" -a -z "$S if [ -z "$FETCH_ONLY" ]; then PM_NEEDS_UPDATE=' ' ; NO_DEP_UPDATES=no_dep_updates ; build_l='' export PM_NEEDS_UPDATE NO_DEP_UPDATES build_l + + [ -z "$PM_INDEX_ONLY" ] && + pm_cd_pd && PM_WRKDIRPREFIX=`pm_make_b -V WRKDIRPREFIX` && pm_cd - fi if [ -n "$PM_BUILD_ONLY_LIST" ]; then
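Review bot: The `mktemp -d ${TMPDIR}/d-${PM_PARENT_PID}-index` call that sets `dli` uses a template with no `X` placeholders, and its result is never checked. The directory name is therefore predictable from the PID, a directory of that name already present under `$TMPDIR` makes the call fail, and on failure `dli` is empty, so the following fetch, `bunzip2`, `mv` and `pm_install_s` steps work on paths rooted at `/`. I would write `dli=$(mktemp -d "${TMPDIR}/d-${PM_PARENT_PID}-index.XXXXXX") || fail "Could not create a temporary directory for the INDEX download"`. The `bunzip2 --keep < $newindex > ${dli}/$INDEXFILE` step is unchecked too, so a truncated or corrupt download would replace the working INDEX after `pm_unlink`; appending `|| fail "Could not unpack $newindex"` stops before anything is unlinked. The enclosing `if [ "$$" -eq "$PM_PARENT_PID" ]` block starts and ends outside the hunk.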
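Review bot: In the last hunk, the relocated `pm_cd_pd && PM_WRKDIRPREFIX=... && pm_cd -` chain is guarded only by `[ -z "$PM_INDEX_ONLY" ]`, whereas the line removed in the previous hunk sat inside `if [ -n "$pd" ]`. If `pd` can be empty while `PM_INDEX_ONLY` is unset (this may be ruled out elsewhere in the script, which is not visible here), `pm_cd_pd` now runs without a ports directory; `[ -n "$pd" ] && [ -z "$PM_INDEX_ONLY" ] &&` would keep the old precondition. Separately, when `pm_make_b -V WRKDIRPREFIX` fails, the chain stops before `pm_cd -`, leaving the working directory changed and `PM_WRKDIRPREFIX` unset without any message. The enclosing `if` block extends outside the hunk.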