From sam@antinea.enst.fr  Fri Jan 12 01:59:30 2001
Return-Path: <sam@antinea.enst.fr>
Received: from ada.eu.org (marvin.enst.fr [137.194.161.2])
	by hub.freebsd.org (Postfix) with ESMTP id 79C8637B402
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 12 Jan 2001 01:59:30 -0800 (PST)
Received: from antinea.enst.fr (antinea.enst.fr [137.194.160.145])
	by ada.eu.org (Postfix) with ESMTP id 568351909B
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 12 Jan 2001 10:59:29 +0100 (CET)
Received: by antinea.enst.fr (Postfix, from userid 1000)
	id CBEB0326; Fri, 12 Jan 2001 10:59:28 +0100 (CET)
Message-Id: <20010112095928.CBEB0326@antinea.enst.fr>
Date: Fri, 12 Jan 2001 10:59:28 +0100 (CET)
From: sam@inf.enst.fr
Sender: sam@antinea.enst.fr
Reply-To: sam@inf.enst.fr
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: dumpon should check its argument more
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         24271
>Category:       bin
>Synopsis:       [patch] dumpon(8) should check its argument more
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 12 02:00:01 PST 2001
>Closed-Date:    Sat Feb 16 13:33:25 UTC 2008
>Last-Modified:  Sat Feb 16 13:33:25 UTC 2008
>Originator:     Samuel Tardieu
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
TELECOM Paris
>Environment:
	FreeBSD -CURRENT
>Description:
	dumpon should check that the argument is not a disk slice, or should
	require a flag (-f?) in this case. It would prevent bad crashes :/
>How-To-Repeat:
>Fix:

>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: sam@inf.enst.fr
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/24271: dumpon should check its argument more
Date: Fri, 12 Jan 2001 21:35:52 +1100 (EST)

 On Fri, 12 Jan 2001 sam@inf.enst.fr wrote:
 
 > >Description:
 > 	dumpon should check that the argument is not a disk slice, or should
 > 	require a flag (-f?) in this case. It would prevent bad crashes :/
 
 This is a feature.  dumpon (like swapon and newfs) should work on any disk
 device, including the whole disk.  It currently only works on disk devices
 whose containing slice is labeled, so it can only be misused to clobber
 BSD slices and not OtherOS slices (this is a bug :-).
 
 Bruce
 
 

From: Samuel Tardieu <sam@inf.enst.fr>
To: Bruce Evans <bde@zeta.org.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/24271: dumpon should check its argument more
Date: Fri, 12 Jan 2001 16:48:57 +0100

 On 12/01, Bruce Evans wrote:
 | On Fri, 12 Jan 2001 sam@inf.enst.fr wrote:
 | 
 | > >Description:
 | > 	dumpon should check that the argument is not a disk slice, or should
 | > 	require a flag (-f?) in this case. It would prevent bad crashes :/
 | 
 | This is a feature.  dumpon (like swapon and newfs) should work on any disk
 | device, including the whole disk.  It currently only works on disk devices
 | whose containing slice is labeled, so it can only be misused to clobber
 | BSD slices and not OtherOS slices (this is a bug :-).
 
 I would recommend to add a "-f" option anyway. It is way too easy to set
 (as I did yesterday) "dumpdev=/dev/ad0s2" in your rc.conf and be very
 surprised after a crash. If you really want to do this, you could do it
 with a "dumpon_flags=-f".
 
   Sam
 
 
 

From: Bruce Evans <bde@zeta.org.au>
To: Samuel Tardieu <sam@inf.enst.fr>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/24271: dumpon should check its argument more
Date: Sat, 13 Jan 2001 13:38:57 +1100 (EST)

 On Fri, 12 Jan 2001, Samuel Tardieu wrote:
 
 > On 12/01, Bruce Evans wrote:
 > | On Fri, 12 Jan 2001 sam@inf.enst.fr wrote:
 > | 
 > | > >Description:
 > | > 	dumpon should check that the argument is not a disk slice, or should
 > | > 	require a flag (-f?) in this case. It would prevent bad crashes :/
 > | 
 > | This is a feature.  dumpon (like swapon and newfs) should work on any disk
 > | device, including the whole disk.  It currently only works on disk devices
 > | whose containing slice is labeled, so it can only be misused to clobber
 > | BSD slices and not OtherOS slices (this is a bug :-).
 > 
 > I would recommend to add a "-f" option anyway. It is way too easy to set
 > (as I did yesterday) "dumpdev=/dev/ad0s2" in your rc.conf and be very
 > surprised after a crash. If you really want to do this, you could do it
 > with a "dumpon_flags=-f".
 
 It's no easier than setting "dumpdev=/dev/ad0s2c" or configuring swap on
 /dev/ad0s2c when you really meant /dev/ad0s2b.
 
 Bruce
 
 

From: Samuel Tardieu <sam@inf.enst.fr>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: Greg Lehey <grog@lemis.com>, freebsd-bugs@FreeBSD.org
Subject: Re: bin/24271: dumpon should check its argument more
Date: Sat, 13 Jan 2001 13:41:53 +0100

 On 13/01, David Malone wrote:
 
 | In tune with the Unix way (providing you with enough rope to shoot
 | yourself in the foot) it probably shouldn't check even if it was
 | easy to.  After all, it's just as easy to accidently dump onto one
 | of your filesystems, and there's no way to accidently detect that!
 
 Sure, but even newfs makes some checks before formatting a filesystem.
 
 The following patch adds two things:
 
   - if the special_file indicated is not tagged as swap in /etc/fstab,
     then -f must be used; this is consistent with the possibility of
     using a shared swap with another system;
 
   - as a bonus, you can now use raw names such as da0s2b instead of
     fully qualified names
 
 Documentation and startup scripts changes are also integrated in this patch.
 
   Sam
 
 diff -r -u /usr/src/etc/defaults/rc.conf ./etc/defaults/rc.conf
 --- /usr/src/etc/defaults/rc.conf	Thu Jan 11 14:00:54 2001
 +++ ./etc/defaults/rc.conf	Sat Jan 13 13:31:04 2001
 @@ -303,6 +303,7 @@
  sendmail_enable="NO"	# Run the sendmail daemon (YES/NO).
  sendmail_flags="-bd -q30m" # Flags to sendmail (if enabled)
  dumpdev="NO"		# Device name to crashdump to (or NO).
 +dumpon_flags=""		# Flags to pass to dumpon (if dumpdev set).
  enable_quotas="NO"      # turn on quotas on startup (or NO).
  check_quotas="YES"	# Check quotas on startup (or NO).
  accounting_enable="NO"	# Turn on process accounting (or NO).
 diff -r -u /usr/src/etc/rc ./etc/rc
 --- /usr/src/etc/rc	Thu Jan 11 14:00:41 2001
 +++ ./etc/rc	Sat Jan 13 13:24:52 2001
 @@ -440,7 +440,7 @@
  	;;
  *)
  	if [ -e "${dumpdev}" -a -d /var/crash ]; then
 -		dumpon -v ${dumpdev}
 +		dumpon ${dumpon_flags} -v ${dumpdev}
  		echo -n 'Checking for core dump: '
  		savecore /var/crash
  	fi
 diff -r -u /usr/src/sbin/dumpon/dumpon.8 ./sbin/dumpon/dumpon.8
 --- /usr/src/sbin/dumpon/dumpon.8	Thu Dec 14 12:47:12 2000
 +++ ./sbin/dumpon/dumpon.8	Sat Jan 13 13:19:17 2001
 @@ -40,6 +40,7 @@
  .Nd "specify a device for crash dumps"
  .Sh SYNOPSIS
  .Nm
 +.Op Fl f
  .Op Fl v
  .Ar special_file
  .Nm
 @@ -61,6 +62,13 @@
  .Pp
  The size of the specified dump device must be at least 64 KB greater the 
  size of physical memory.
 +.Pp
 +The
 +.Fl f
 +flag is needed when
 +.Ar special_file
 +is not declared as a swap partition in
 +.Pa /etc/fstab .
  .Pp
  The
  .Fl v
 diff -r -u /usr/src/sbin/dumpon/dumpon.c ./sbin/dumpon/dumpon.c
 --- /usr/src/sbin/dumpon/dumpon.c	Mon May  1 21:39:36 2000
 +++ ./sbin/dumpon/dumpon.c	Sat Jan 13 13:15:59 2001
 @@ -52,19 +52,26 @@
  #include <sys/sysctl.h>
  #include <sys/stat.h>
  #include <sysexits.h>
 +#include <paths.h>
 +#include <string.h>
 +#include <fstab.h>
  
  void	usage __P((void)) __dead2;
  
  int
  main(int argc, char **argv)
  {
 -	int ch, verbose, rv;
 +	int ch, verbose, force, rv;
  	struct stat stab;
  	int mib[2];
 +	char special[MAXPATHLEN];
  
 -	verbose = rv = 0;
 -	while ((ch = getopt(argc, argv, "v")) != -1)
 +	verbose = force = rv = 0;
 +	while ((ch = getopt(argc, argv, "fv")) != -1)
  		switch((char)ch) {
 +		case 'f':
 +		  force = 1;
 +			break;
  		case 'v':
  			verbose = 1;
  			break;
 @@ -78,15 +85,43 @@
  		usage();
  
  	if (strcmp(argv[0], "off")) {
 -		rv = stat(argv[0], &stab);
 +		if (strrchr(argv[0], '/') == 0) {
 +			(void)snprintf(special, MAXPATHLEN, "%s%s", _PATH_DEV, argv[0]);
 +		} else {
 +			strncpy(special, argv[0], MAXPATHLEN);
 +		}
 +		rv = stat(special, &stab);
  		if (rv) {
 -			err(EX_OSFILE, "%s", argv[0]);
 +			err(EX_OSFILE, "%s", special);
  		}
  
  		if (!S_ISCHR(stab.st_mode)) {
  			errx(EX_USAGE,
  			     "%s: must specify a character disk device",
 -			     argv[0]);
 +			     special);
 +		}
 +		if (!force) {
 +			struct fstab *fsp;
 +
 +			if (!setfsent ())
 +				errx(EX_USAGE,
 +						 "%s: use -f if %s is not available",
 +						 special,
 +						 _PATH_FSTAB);
 +			while ((fsp = getfsent()) != NULL) {
 +				if (!strcmp(fsp->fs_spec, special)) {
 +					if (!strcmp(fsp->fs_type, FSTAB_SW))
 +						goto fs_ok;
 +					errx(EX_USAGE,
 +							 "%s: -f required to use a %s partition",
 +							 special,
 +							 fsp->fs_vfstype);
 +				}
 +			}
 +			errx(EX_USAGE,
 +					 "%s: -f required unless using a declared swap partition",
 +					 special);
 +		fs_ok:
  		}
  	} else {
  		stab.st_rdev = NODEV;
 @@ -106,7 +141,7 @@
  			printf("dumpon: crash dumps disabled\n");
  		} else {
  			printf("dumpon: crash dumps to %s (%lu, %lu)\n",
 -			       argv[0],
 +			       special,
  			       (unsigned long)major(stab.st_rdev),
  			       (unsigned long)minor(stab.st_rdev));
  		}
 @@ -119,7 +154,7 @@
  usage()
  {
  	fprintf(stderr,
 -		"usage: dumpon [-v] special_file\n"
 +		"usage: dumpon [-f] [-v] special_file\n"
  		"       dumpon [-v] off\n");
  	exit(EX_USAGE);
  }
 diff -r -u /usr/src/share/man/man5/rc.conf.5 ./share/man/man5/rc.conf.5
 --- /usr/src/share/man/man5/rc.conf.5	Fri Dec 29 10:18:41 2000
 +++ ./share/man/man5/rc.conf.5	Sat Jan 13 13:28:19 2001
 @@ -1348,6 +1348,12 @@
  directory by the
  .Xr savecore 8
  program.
 +.It Ar dumpon_flags
 +(str) If
 +.Ar dumpdev
 +is set, these are the flags to pass to the
 +.Xr dumpon 8
 +program.
  .It Ar check_quotas
  (bool) Set to
  .Ar YES
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: rwatson 
State-Changed-When: Sat Feb 16 13:27:29 UTC 2008 
State-Changed-Why:  
After some discussion on #freebsd-bugbusters, it sounds like we should close 
this PR on the basis that UNIX likes to let you shoot your feet.  If we were 
designing swap/dump behavior from scratch, my preference would be to have a 
partition header in much the same way we have a superblock for file systems 
so that partition selection could be validated directly.  However, in the  
ame way that we don't validate partions for swap, we don't validate for 
dump, as dump and swap data may contain arbitrary contents. 

While it's not something we appear to heavily support in fstab anymore, I 
actually like the ability to dump to a separate partition or location from 
swap -- swap has a tendency to get overwritten for large file system checks 
(etc), whereas a dedicated dump partition isn't.  Likewise, on very small 
systems where textdumps are used and swapping isn't enabled, that 
distinction is also useful. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=24271 
>Unformatted:
