From ben@scientia.demon.co.uk  Wed May  3 10:16:25 2000
Return-Path: <ben@scientia.demon.co.uk>
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13])
	by hub.freebsd.org (Postfix) with ESMTP id 4B73A37B8D3
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  3 May 2000 10:16:12 -0700 (PDT)
	(envelope-from ben@scientia.demon.co.uk)
Received: from magnesium.scientia.demon.co.uk ([192.168.91.34] ident=exim)
	by scientia.demon.co.uk with esmtp (Exim 3.12 #1)
	id 12n0Px-000ELw-00 for FreeBSD-gnats-submit@freebsd.org;
	Wed, 03 May 2000 15:46:25 +0100
Received: (from ben) by magnesium.scientia.demon.co.uk (Exim 3.12 #1)
	id 12n0Px-000LKM-00 for FreeBSD-gnats-submit@freebsd.org;
	Wed, 03 May 2000 15:46:25 +0100
Message-Id: <E12n0Px-000LKM-00@magnesium.scientia.demon.co.uk>
Date: Wed, 03 May 2000 15:46:25 +0100
From: Ben Smithurst <ben@scientia.demon.co.uk>
Reply-To: ben@scientia.demon.co.uk
To: FreeBSD-gnats-submit@freebsd.org
Subject: pkg_delete shouldn't insist on root
X-Send-Pr-Version: 3.2

>Number:         18373
>Category:       bin
>Synopsis:       pkg_delete shouldn't insist on root
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed May  3 10:20:03 PDT 2000
>Closed-Date:    Sat May 13 05:58:41 PDT 2000
>Last-Modified:  Sat May 13 05:58:56 PDT 2000
>Originator:     Ben Smithurst
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:

>Description:

It is rather inconvenient that pkg_delete(1) requires the calling user
to be root, as this makes testing a port you have created hard (it
seems you have to be root to allow "make deinstall" to do anything).  This
restriction seems unnecessary, and removing it certainly can't be a
security risk.

>How-To-Repeat:

make your own port, install it to ~/something, set PKG_DBDIR to
~/somethingelse, try to "make deinstall".

>Fix:

Convert the fatal error to a warning if the -f flag is used (which
conveniently is used by the ports system's "make deinstall").

Index: main.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/pkg_install/delete/main.c,v
retrieving revision 1.17
diff -u -r1.17 main.c
--- main.c	2000/02/18 07:00:01	1.17
+++ main.c	2000/05/03 14:43:46
@@ -107,8 +107,11 @@
     if (pkgs == start)
 	warnx("missing package name(s)"), usage();
     *pkgs = NULL;
-    if (!Fake && getuid() != 0)
-	errx(1, "you must be root to delete packages");
+    if (!Fake && getuid() != 0) {
+	if (!Force)
+	    errx(1, "you must be root to delete packages");
+	warnx("you must be root to delete packages (proceeding anyway)");
+    }
     if ((error = pkg_perform(start)) != 0) {
 	if (Verbose)
 	    warnx("%d package deletion(s) failed", error);
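Review bot: tying the root bypass to -f (the `if (!Force)` branch) conflates two unrelated decisions, because -f also overrides recorded dependencies and failing deinstall/require scripts; a porter who only wants to skip the uid check will also silently force past a failing +DEINSTALL. A dedicated flag, or a check that PKG_DBDIR is owned by the caller, keeps the two apart. The surviving message "you must be root to delete packages (proceeding anyway)" also contradicts itself; "not running as root, proceeding anyway" says what actually happens.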
Index: pkg_delete.1
===================================================================
RCS file: /usr/cvs/src/usr.sbin/pkg_install/delete/pkg_delete.1,v
retrieving revision 1.16
diff -u -r1.16 pkg_delete.1
--- pkg_delete.1	2000/02/29 15:13:53	1.16
+++ pkg_delete.1	2000/05/03 14:38:29
@@ -94,7 +94,12 @@
 the package.  
 .It Fl f
 Force removal of the package, even if a dependency is recorded or the
-deinstall or require script fails.
+deinstall or require script fails.  This flag also allows
+.Nm
+to be run by non-root users, which can be useful for porters if the port has
+been installed to a directory writable by that user, and if
+.Ev PKG_DBDIR
+has been set to a directory writable by that user.
 .El
 
 .Pp
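Review bot: the added sentence documents the uid relaxation but not that -f used for this purpose still carries the semantics in the sentence just above it (dependency and script-failure override); say so explicitly, otherwise a porter reading only the new text will not expect failing deinstall scripts to be ignored.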

>Release-Note:
>Audit-Trail:

From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: Ben Smithurst <ben@scientia.demon.co.uk>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/18373: pkg_delete shouldn't insist on root
Date: Thu, 4 May 2000 14:54:37 +0200

 On Wed 2000-05-03 (15:46), Ben Smithurst wrote:
 > It is rather inconvenient that pkg_delete(1) requires the calling user
 > to be root, as this makes testing a port you have created hard (it
 > seems you have to be root to allow "make deinstall" to do anything).  This
 > restriction seems unnecessary, and removing it certainly can't be a
 > security risk.
 
 Why not compare the owner of the PKG_DBDIR and the caller?  Overloading
 '-f' might cause problems, so maybe another flag is necessary.
 
 Neil
 -- 
 Neil Blakey-Milner
 Hacker In Chief, Sunesi Clinical Systems
 nbm@mithrandr.moria.org
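Neil's ownership check, written out as an added example in C (this is not code from the PR or from FreeBSD's pkg_install; the function names may_use_pkgdb, owner_allows and selftest are my own, and it assumes PKG_DBDIR, with a fallback default path, as the location of the package database):

```c
/* Added example (not from the PR or from pkg_install): Neil's proposal that
 * pkg_delete compare the owner of PKG_DBDIR with the caller instead of
 * insisting on uid 0.  Function names here are hypothetical. */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Policy: root may always delete; an unprivileged caller may delete only
 * when the package database directory belongs to them. */
static int owner_allows(uid_t caller, uid_t dbdir_owner)
{
    return caller == 0 || caller == dbdir_owner;
}

/* Returns 1 if `caller` may operate on the package database at `dbdir`,
 * 0 if not, and -1 if `dbdir` is missing or not a directory.  A caller
 * should treat -1 as a refusal rather than falling back to the old
 * root-only rule. */
int may_use_pkgdb(const char *dbdir, uid_t caller)
{
    struct stat sb;

    if (stat(dbdir, &sb) != 0)
        return -1;
    if (!S_ISDIR(sb.st_mode))
        return -1;
    return owner_allows(caller, sb.st_uid);
}

/* Same convention as the PR: PKG_DBDIR overrides the default location
 * (the default path is an assumption of this example). */
const char *pkgdb_dir(void)
{
    const char *env = getenv("PKG_DBDIR");

    return (env != NULL && *env != '\0') ? env : "/var/db/pkg";
}

/* Self-check: a freshly created temporary directory is owned by the
 * calling user, so the check must accept the caller there, and it must
 * refuse a path that does not exist. */
int selftest(void)
{
    char tmpl[] = "/tmp/pkgdb.XXXXXX";
    char *dir = mkdtemp(tmpl);
    int ok;

    if (dir == NULL)
        return 0;
    ok = may_use_pkgdb(dir, getuid()) == 1
      && may_use_pkgdb("/tmp/pkgdb.does-not-exist", getuid()) == -1;
    rmdir(dir);
    return ok;
}

int main(void)
{
    const char *dir = pkgdb_dir();
    int r = may_use_pkgdb(dir, getuid());

    if (r == 1) {
        printf("ok: uid %ld may delete packages recorded in %s\n",
            (long)getuid(), dir);
        return EXIT_SUCCESS;
    }
    if (r == 0)
        fprintf(stderr, "you must be root or own %s to delete packages\n", dir);
    else
        fprintf(stderr, "cannot use package database %s\n", dir);
    return EXIT_FAILURE;
}
```

The check is done up front, before any package is touched, so a non-root run against a database directory the user does not own fails cleanly instead of file by file. Nothing here is setuid, so the check only protects the user from their own mistakes; it is not what stands between an unprivileged user and someone else's files, which is ordinary file permissions either way.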
 

From: Nick Hibma <n_hibma@calcaphon.com>
To: Ben Smithurst <ben@scientia.demon.co.uk>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/18373: pkg_delete shouldn't insist on root
Date: Thu, 4 May 2000 15:46:15 +0100 (BST)

 > It is rather inconvenient that pkg_delete(1) requires the calling user
 > to be root, as this makes testing a port you have created hard (it
 > seems you have to be root to allow "make deinstall" to do anything).  This
 > restriction seems unnecessary, and removing it certainly can't be a
 > security risk.
 
 Example: libmm (used by a webserver) could then be deleted and the
 webserver being brought down.
 
 It _is_ a security risk.
 
 Check the chmod man page for information on setting suid and setgid
 bits to enable you to start pkg_delete as a normal user. Or write a suid
 wrapper only executable by you.
 
 Nick
 
 --
 n_hibma@webweaving.org
 n_hibma@freebsd.org                                          USB project
 http://www.etla.net/~n_hibma/
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: n_hibma 
State-Changed-When: Thu May 4 07:50:51 PDT 2000 
State-Changed-Why:  
The suggestion given is not a good one. Solution for his case given. 
. 
State-Changed-From-To: closed->open 
State-Changed-By: n_hibma 
State-Changed-When: Thu May 4 13:14:07 PDT 2000 
State-Changed-Why:  
Neil Blakey-Milner seems to have good arguments on why he wants this. 
And why it should not be a problem. 

From: Ben Smithurst <ben@scientia.demon.co.uk>
To: Nick Hibma <n_hibma@calcaphon.com>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/18373: pkg_delete shouldn't insist on root
Date: Fri, 5 May 2000 01:13:29 +0100

 Nick Hibma wrote:
 
 >> It is rather inconvenient that pkg_delete(1) requires the calling user
 >> to be root, as this makes testing a port you have created hard (it
 >> seems you have to be root to allow "make deinstall" to do anything).  This
 >> restriction seems unnecessary, and removing it certainly can't be a
 >> security risk.
 > 
 > Example: libmm (used by a webserver) could then be deleted and the
 > webserver being brought down.
 
 It is?  Perhaps I'm being dumb, but what's to stop a user compiling
 their own version of pkg_delete and removing the getuid check?  If libmm
 has files deletable by a normal user, I don't even see what difference
 it makes if they use pkg_delete or rm.  Perhaps you could explain?  Is
 there something special about libmm or were you just picking a random
 port?  (I don't even see a libmm port, so it must be part of another
 port, but anyway...)
 
 > Check the chmod man page for information on setting suid and setguid
 > bits to enable you to start pkg_delete as a normal user. Or write a
 > suid wrapper only executable by you.
 
 Thanks but this is more than I need to do.  I don't want to be able to
 delete ports installed "properly" (for want of a better word), just
 ports I've installed in my home directory while testing a new port.  I
 *don't* need root to do anything pkg_delete does in that case, and it
 shouldn't force me to be root.
 
 -- 
 Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D
 

From: Ben Smithurst <ben@scientia.demon.co.uk>
To: Neil Blakey-Milner <nbm@mithrandr.moria.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/18373: pkg_delete shouldn't insist on root
Date: Fri, 5 May 2000 02:37:25 +0100

 Neil Blakey-Milner wrote:
 
 > Why not compare the owner of the PKG_DBDIR and the caller?  Overloading
 > '-f' might cause problems, so maybe another flag is necessary.
 
 How about '-r' for consistency with newsyslog?
 
 -- 
 Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D
 

From: Nick Hibma <n_hibma@calcaphon.com>
To: Ben Smithurst <ben@scientia.demon.co.uk>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/18373: pkg_delete shouldn't insist on root
Date: Fri, 5 May 2000 10:00:40 +0100 (BST)

 > It is?  Perhaps I'm being dumb, but what's to stop a user compiling
 > their own version of pkg_delete and removing the getuid check?  If libmm
 > has files deletable by a normal user, I don't even see what difference
 > it makes if they use pkg_delete or rm.  Perhaps you could explain?  Is
 > there something special about libmm or were you just picking a random
 > port?  (I don't even see a libmm port, so it must be part of another
 > port, but anyway...)
 
 The port is called mm.
 
 I thought that pkg_delete was setuid root. (and didn't check ... :-(
 
 Nick
 
 --
 n_hibma@webweaving.org
 n_hibma@freebsd.org                                          USB project
 http://www.etla.net/~n_hibma/
 
 

From: Ben Smithurst <ben@scientia.demon.co.uk>
To: Neil Blakey-Milner <nbm@mithrandr.moria.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/18373: pkg_delete shouldn't insist on root
Date: Fri, 5 May 2000 17:11:17 +0100

 --HcAYCG3uE/tztfnV
 Content-Type: text/plain; charset=us-ascii
 
 Ben Smithurst wrote:
 
 > Neil Blakey-Milner wrote:
 > 
 >> Why not compare the owner of the PKG_DBDIR and the caller?  Overloading
 >> '-f' might cause problems, so maybe another flag is necessary.
 > 
 > How about '-r' for consistency with newsyslog?
 
 The attached patch implements this, and seems to work fine when I set
 PKG_DELETE='pkg_delete -r'.
 
 -- 
 Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D
 
 --HcAYCG3uE/tztfnV
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="pkg_delete.diff"
 
 Index: main.c
 ===================================================================
 RCS file: /usr/cvs/src/usr.sbin/pkg_install/delete/main.c,v
 retrieving revision 1.17
 diff -u -r1.17 main.c
 --- main.c	2000/02/18 07:00:01	1.17
 +++ main.c	2000/05/05 16:10:44
 @@ -28,11 +28,12 @@
  #include "lib.h"
  #include "delete.h"
  
 -static char Options[] = "hvDdnfp:";
 +static char Options[] = "hvDdnfp:r";
  
  char	*Prefix		= NULL;
  Boolean	NoDeInstall	= FALSE;
  Boolean	CleanDirs	= FALSE;
 +Boolean	NeedRoot	= TRUE;
  
  static void usage __P((void));
  
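Review bot: `static void usage __P((void));` is declared in this hunk's context, but no hunk in the diff updates the usage text to list the new -r option; the synopsis in pkg_delete.1 is updated below, so usage() should be kept in step with it.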
 @@ -58,6 +59,10 @@
  	    Prefix = optarg;
  	    break;
  
 +	case 'r':
 +	    NeedRoot = FALSE;
 +	    break;
 +
  	case 'D':
  	    NoDeInstall = TRUE;
  	    break;
 @@ -107,8 +112,12 @@
      if (pkgs == start)
  	warnx("missing package name(s)"), usage();
      *pkgs = NULL;
 -    if (!Fake && getuid() != 0)
 -	errx(1, "you must be root to delete packages");
 +    if (!Fake && getuid() != 0) {
 +	warnx("you must be root to delete packages%s",
 +	  NeedRoot ? "" : " (proceeding anyway)");
 +	if (NeedRoot)
 +	    return EXIT_FAILURE;
 +    }
      if ((error = pkg_perform(start)) != 0) {
  	if (Verbose)
  	    warnx("%d package deletion(s) failed", error);
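Review bot: with -r the uid check becomes unconditional trust in the caller, which is acceptable only because pkg_delete is not setuid (as Nick confirmed); `return EXIT_FAILURE` also preserves the exit status 1 of the old errx(1, ...). Two things remain: the warning still says "you must be root to delete packages" in the run that proceeds, so reword the NeedRoot == FALSE case, and Neil's proposal to verify that PKG_DBDIR is owned by the caller is not implemented, so a non-root -r run against a database directory it cannot write will only fail later, file by file, rather than up front. A stat() on the database directory before pkg_perform() when NeedRoot is FALSE would give that early refusal.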
 Index: pkg_delete.1
 ===================================================================
 RCS file: /usr/cvs/src/usr.sbin/pkg_install/delete/pkg_delete.1,v
 retrieving revision 1.16
 diff -u -r1.16 pkg_delete.1
 --- pkg_delete.1	2000/02/29 15:13:53	1.16
 +++ pkg_delete.1	2000/05/05 16:04:28
 @@ -25,7 +25,7 @@
  .Nd a utility for deleting previously installed software package distributions
  .Sh SYNOPSIS
  .Nm
 -.Op Fl vDdnf
 +.Op Fl vDdnfr
  .Op Fl p Ar prefix
  .Ar pkg-name ...
  .Sh DESCRIPTION
 @@ -95,6 +95,13 @@
  .It Fl f
  Force removal of the package, even if a dependency is recorded or the
  deinstall or require script fails.
 +.It Fl r
 +This flag removes the restriction that
 +.Nm
 +to be run by root, which can be useful for porters if the port has
 +been installed to a directory writable by that user, and if
 +.Ev PKG_DBDIR
 +has been set to a directory writable by that user.
  .El
  
  .Pp
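Review bot: "removes the restriction that .Nm to be run by root" is ungrammatical; "removes the requirement that .Nm be run as root" reads correctly. Since -r means "recursive" in many other tools, a clause saying that it does not here would also save readers a surprise.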
 
 --HcAYCG3uE/tztfnV--
 
State-Changed-From-To: open->closed 
State-Changed-By: hoek 
State-Changed-When: Sat May 13 05:58:41 PDT 2000 
State-Changed-Why:  
Fixed. 
>Unformatted:
