This change is equivalent to the approach committed in r306417, but if
sed has a bug it could be exploited by the untrusted tar file. Instead,
generate the expected tar content and compare that with find's output.
convert the expected hash list to the expected tar content filesystem
layout, and compare that with find's output.
Submitted by: cperciva (in review D8052)
Reviewed by: oshogbo
MFC after: 2 weeks
Previously it was possible to smuggle in addional files that would
be used by later portsnap runs. Now we only move those files expected
to be in the snapshot into files/ and require that there are no
unexpected files.
This was used by portsnap attacks 2, 3, and 4 in the "non-cryptanalytic
attacks against FreeBSD update components" anonymous gist.
Reported by: anonymous gist
Reviewed by: allanjude, delphij
MFC after: ASAP
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D8052
using shell redirections instead of having gzip(1) to decide what
file to open.
Issue reported in the "non-cryptanalytic attacks against freebsd
update components" anonymous gist.
Reviewed by: allanjude, emaste
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D7653
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.
Still need to add real targets under targets/ to build packages.
Differential Revision: D2796
Reviewed by: brooks imp
and finish the job. ncurses is now the only Makefile in the tree that
uses it since it wasn't a simple mechanical change, and will be
addressed in a future commit.
have zero length. Filesystem corruption will tend to truncate files, and
since these are short that's likely to result in them becoming empty.
Suggested by: Richard Clayton
Convinced by: rwatson
MFC after: 3 weeks
them changed (or was removed from the tree) then portsnap would delete
that file. This happened earlier today when one of two empty port
directories was removed. Uniquifying the lists of needed files fixes
this.
9.2-RELEASE candidate.
MFC after: 3 days
handle splitting input files on a '|'. This greatly
reduces the time taken to process several databases
during the update process.
Additionally add some more debug logging.
This is done to speed up extraction significantly (both for portsnap
extract and update) in the case of slow NSS modules (like nss_ldap) as
it avoids having to look up uid and gid for root / wheel.
The reason this is a bigger problem for portsnap than for many other
system operations, is that portsnap executes tar(1) once for each port
so the internal uid/gid caching in tar(1) only helps a bit, resulting
in many user lookup calls.
Discussed with: cperciva
(1) phttpget is attempting to download enough files that it can't send
all the requests at once, and
(2) the remote server forcibly closes the connection, resulting in RST
packets being sent,
phttpget will receive a SIGPIPE and terminate without downloading all
of the files.
This is probably responsible for a number of hard-to-reproduce errors
with portsnap and freebsd-update.
MFC after: 3 days
paragraph clarifying that portsnap does not behave the same way as
cvs and cvsup where local modifications are concerned.
Submitted by: peter
Feet shot: peter, kris, obrien, + many others