Date: Wed, 22 Jun 2016 23:01:40 +0300
From: Arto Pekkanen <isoa@kapsi.fi>
To: Stefan Esser <se@freebsd.org>
Cc: freebsd-pkg@freebsd.org
Subject: Re: Unprivileged user can prevent pkg add/install/delete from working (pkg issue 1222)
Message-ID: <86489f9ccb69b62bc61f24c6e7ce934b@kapsi.fi>
In-Reply-To: <496aaa3c-9224-53a0-d1a7-e1b6043e7df4@freebsd.org>
References: <496aaa3c-9224-53a0-d1a7-e1b6043e7df4@freebsd.org>
Yeah, ouch, this is a pretty damn bad bug that should be fixed ASAP!

Have you made an official PR already? If not, then please do:
https://bugs.freebsd.org/bugzilla/enter_bug.cgi

Stefan Esser wrote on 21.06.2016 15:28:
> Using portmaster to update some ports sometimes failed for me, when
> used with PKG_NG.
>
> I created https://github.com/freebsd/pkg/issues/1222 to describe and
> document the problem.
>
> Since the problem persists, I had another look and found that the
> cause described in issue 1222 no longer applied, but instead that
> the problem is much broader.
>
> Package (de-)installation actions can be blocked by any unprivileged
> user with the simple command:
>
> $ pkg info | sleep 1000000
>
> (This only works if the output from pkg info is large enough to keep
> the pkg command blocked for the duration of the sleep, obviously ...)
>
>
> The invocation in portmaster is equivalent to:
>
> pkg query "%n-%v %o" | while read pkg origin
> do
>     ...
>     pkg add/delete ...
>     ...
> done
>
> Depending on a number of factors, the inner pkg command fails if the
> while loop has not consumed all output from the "pkg query" command.
>
> This is easily fixed in portmaster (by buffering the output of the
> "pkg query" command, before the loop is entered).
>
>
> But this does not help with the fact that any user can prevent the
> installation or deletion of packages by keeping a "pkg info" process
> blocked.
>
> Instead of the example (with sleep) given above, "pkg info|more" does
> also block package installation and deletion, since "more" does not
> buffer all output from the command. And that might occur without the
> user typing "pkg info|more" knowing that he blocks out "pkg add/delete"
> for the duration of time he keeps the more command blocked ...
>
> Regards, Stefan
> _______________________________________________
> freebsd-pkg@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pkg
> To unsubscribe, send any mail to "freebsd-pkg-unsubscribe@freebsd.org"

--
Arto Pekkanen
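
The portmaster-side fix mentioned in the quoted message (buffer the "pkg query" output before entering the loop), shown as an added example that is not part of the original e-mail or of portmaster's code. fake_pkg_query and producer_state are hypothetical stand-ins with constructed data so the script runs without pkg; as the message notes, this only helps the script and does nothing about other users holding "pkg info" blocked.

```shell
#!/bin/sh
# Stand-in for `pkg query "%n-%v %o"` (hypothetical helper, constructed data):
# writes far more than a pipe buffer holds, then creates "$1" once it is done.
fake_pkg_query() {
    awk 'BEGIN { for (i = 0; i < 200000; i++)
                     printf "pkg%d-1.0 ports/pkg%d\n", i, i }' 2>/dev/null
    : > "$1"
}

# Reports whether the producer had finished at the moment the loop body ran.
producer_state() {
    if [ -e "$1" ]; then echo exited; else echo running; fi
}

# Pattern from the message: the loop body runs while the producer is still
# blocked writing into the pipe, i.e. it is alive during "pkg add/delete".
piped_loop() {
    marker=$1; rm -f "$marker"
    fake_pkg_query "$marker" | while read -r pkg origin; do
        producer_state "$marker"    # where the script would call pkg add/delete
        break                       # one iteration is enough for the demonstration
    done
}

# Buffered variant: the producer runs to completion and exits before the
# first iteration, so no query process is left running inside the loop.
buffered_loop() {
    marker=$1; rm -f "$marker"
    list=$(mktemp) || return 1
    fake_pkg_query "$marker" > "$list"
    while read -r pkg origin; do
        producer_state "$marker"
        break
    done < "$list"
    rm -f "$list"
}
```

Calling piped_loop and buffered_loop with a scratch marker path prints the producer's state as seen from the first loop iteration.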