Bug 18373

Summary: pkg_delete shouldn't insist on root
Product: Base System
Reporter: Ben Smithurst <ben>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 3.4-STABLE
Hardware: Any
OS: Any
Attachments:
  file.diff (flags: none)
  pkg_delete.diff (flags: none)

Description Ben Smithurst 2000-05-03 18:20:03 UTC
It is rather inconvenient that pkg_delete(1) requires the calling user
to be root, as this makes testing a port you have created hard (it
seems you have to be root to allow "make deinstall" do anything).  This
restriction seems unnecessary, and removing it certainly can't be a
security risk.

Fix: Convert the fatal error to a warning if the -f flag is used (which
conveniently is used by the ports system's "make deinstall").
How-To-Repeat: 
make your own port, install it to ~/something, set PKG_DBDIR to
~/somethingelse, try to "make deinstall".
Comment 1 Neil Blakey-Milner 2000-05-04 13:54:37 UTC
On Wed 2000-05-03 (15:46), Ben Smithurst wrote:
> It is rather inconvenient that pkg_delete(1) requires the calling user
> to be root, as this makes testing a port you have created hard (it
> seems you have to be root to allow "make deinstall" do anything).  This
> restriction seems unnecessary, and removing it certainly can't be a
> security risk.

Why not compare the owner of the PKG_DBDIR and the caller?  Overloading
'-f' might cause problems, so maybe another flag is necessary.

Neil
-- 
Neil Blakey-Milner
Hacker In Chief, Sunesi Clinical Systems
nbm@mithrandr.moria.org
Comment 2 n_hibma 2000-05-04 15:46:15 UTC
> It is rather inconvenient that pkg_delete(1) requires the calling user
> to be root, as this makes testing a port you have created hard (it
> seems you have to be root to allow "make deinstall" do anything).  This
> restriction seems unnecessary, and removing it certainly can't be a
> security risk.

Example: libmm (used by a webserver) could then be deleted and the
webserver brought down.

It _is_ a security risk.

Check the chmod man page for information on setting setuid and setgid
bits to enable you to start pkg_delete as a normal user. Or write a suid
wrapper only executable by you.

Nick

--
n_hibma@webweaving.org
n_hibma@freebsd.org                                          USB project
http://www.etla.net/~n_hibma/
Comment 3 Nick Hibma freebsd_committer freebsd_triage 2000-05-04 15:50:51 UTC
State Changed
From-To: open->closed

The suggestion given is not a good one. Solution for his case given.
Comment 4 Nick Hibma freebsd_committer freebsd_triage 2000-05-04 21:14:07 UTC
State Changed
From-To: closed->open

Neil Blakey-Milner seems to have good arguments on why he wants this. 
And why it should not be a problem. 

Comment 5 Ben Smithurst 2000-05-05 01:13:29 UTC
Nick Hibma wrote:

>> It is rather inconvenient that pkg_delete(1) requires the calling user
>> to be root, as this makes testing a port you have created hard (it
>> seems you have to be root to allow "make deinstall" do anything).  This
>> restriction seems unnecessary, and removing it certainly can't be a
>> security risk.
> 
> Example: libmm (used by a webserver) could then be deleted and the
> webserver being brought down.

It is?  Perhaps I'm being dumb, but what's to stop a user compiling
their own version of pkg_delete and removing the getuid check?  If libmm
has files deletable by a normal user, I don't even see what difference
it makes if they use pkg_delete or rm.  Perhaps you could explain?  Is
there something special about libmm or were you just picking a random
port?  (I don't even see a libmm port, so it must be part of another
port, but anyway...)

> Check the chmod man page for information on setting suid and setguid
> bits to enable you to start pkg_delete as a normal user. Or write a
> suid wrapper only executable by you.

Thanks but this is more than I need to do.  I don't want to be able to
delete ports installed "properly" (for want of a better word), just
ports I've installed in my home directory while testing a new port.  I
*don't* need root to do anything pkg_delete does in that case, and it
shouldn't force me to be root.

-- 
Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D
Comment 6 Ben Smithurst 2000-05-05 02:37:25 UTC
Neil Blakey-Milner wrote:

> Why not compare the owner of the PKG_DBDIR and the caller?  Overloading
> '-f' might cause problems, so maybe another flag is necessary.

How about '-r' for consistency with newsyslog?

-- 
Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D
Comment 7 n_hibma 2000-05-05 10:00:40 UTC
> It is?  Perhaps I'm being dumb, but what's to stop a user compiling
> their own version of pkg_delete and removing the getuid check?  If libmm
> has files deletable by a normal user, I don't even see what difference
> it makes if they use pkg_delete or rm.  Perhaps you could explain?  Is
> there something special about libmm or were you just picking a random
> port?  (I don't even see a libmm port, so it must be part of another
> port, but anyway...)

the port is called mm.

I thought that pkg_delete was setuid root. (and didn't check ... :-(

Nick

--
n_hibma@webweaving.org
n_hibma@freebsd.org                                          USB project
http://www.etla.net/~n_hibma/
Comment 8 Ben Smithurst 2000-05-05 17:11:17 UTC
Ben Smithurst wrote:

> Neil Blakey-Milner wrote:
> 
>> Why not compare the owner of the PKG_DBDIR and the caller?  Overloading
>> '-f' might cause problems, so maybe another flag is necessary.
> 
> How about '-r' for consistency with newsyslog?

The attached patch implements this, and seems to work fine when I set
PKG_DELETE='pkg_delete -r'.

-- 
Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D
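An added illustration of the ownership check Neil proposed in comment 1, which Ben's -r patch (not shown on this page) is said to implement. This is example code written for this page, not the attached diff or FreeBSD's pkg_delete; it assumes the default database location /var/db/pkg and the helper names pkgdb_owned_by_caller and may_delete_packages are its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Does the package database directory belong to the calling user?
 * stat() is used rather than lstat() on purpose: a user-owned symlink
 * that points at the system database must not satisfy the check. */
int pkgdb_owned_by_caller(const char *dbdir)
{
    struct stat sb;

    if (stat(dbdir, &sb) != 0)
        return 0;                   /* missing or unreadable: deny */
    if (!S_ISDIR(sb.st_mode))
        return 0;                   /* PKG_DBDIR must be a directory */
    return sb.st_uid == geteuid();
}

/* Policy discussed in the thread: root may always proceed; an
 * unprivileged caller may proceed only when -r was given AND the
 * database directory is their own (e.g. a test install under $HOME). */
int may_delete_packages(int rflag, const char *dbdir)
{
    if (geteuid() == 0)
        return 1;
    return rflag && pkgdb_owned_by_caller(dbdir);
}

int main(int argc, char **argv)
{
    const char *dbdir = getenv("PKG_DBDIR");   /* same override the ports system uses */
    int rflag = (argc > 1 && strcmp(argv[1], "-r") == 0);

    if (dbdir == NULL)
        dbdir = "/var/db/pkg";     /* assumed default location */
    if (!may_delete_packages(rflag, dbdir)) {
        fprintf(stderr, "pkg_delete: you must be root to delete packages "
                        "(or use -r with a PKG_DBDIR you own: %s)\n", dbdir);
        return 1;
    }
    printf("ok: would proceed using package database %s\n", dbdir);
    return 0;
}
```

Run as a normal user with PKG_DBDIR pointing at a directory you own: without -r it refuses, with -r it proceeds; the later file removals still fail on anything the user could not delete with rm anyway.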
Comment 9 hoek freebsd_committer freebsd_triage 2000-05-13 13:58:41 UTC
State Changed
From-To: open->closed