From 89cfa8c5c4f544c35c63fd7310fffe3b68ba17ff Mon Sep 17 00:00:00 2001
From: joerg
Date: Thu, 13 Mar 2008 16:35:30 +0000
Subject: pkg_install-20080313: Audit functionality for pkg_admin.
This uses the backend in libpkg_install and will be extended to check for vulnerabilities at pkg_add time later.
---
 pkgtools/pkg_install/files/admin/Makefile.in | 19 +-
 pkgtools/pkg_install/files/admin/admin.h | 18 +
 pkgtools/pkg_install/files/admin/audit.c | 424 ++++++++++++++++++++++++
 pkgtools/pkg_install/files/admin/config.c | 99 ++++++
 pkgtools/pkg_install/files/admin/main.c | 48 ++-
 pkgtools/pkg_install/files/admin/pkg_admin.1 | 42 ++-
 pkgtools/pkg_install/files/admin/pkg_admin.cat1 | 33 +-
 pkgtools/pkg_install/files/lib/version.h | 4 +-
 8 files changed, 668 insertions(+), 19 deletions(-)
 create mode 100644 pkgtools/pkg_install/files/admin/audit.c
 create mode 100644 pkgtools/pkg_install/files/admin/config.c
(limited to 'pkgtools')
diff --git a/pkgtools/pkg_install/files/admin/Makefile.in b/pkgtools/pkg_install/files/admin/Makefile.in
index 4e763a8e226..db97f4ed5dd 100644
--- a/pkgtools/pkg_install/files/admin/Makefile.in
+++ b/pkgtools/pkg_install/files/admin/Makefile.in
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile.in,v 1.13 2008/03/10 12:14:32 wiz Exp $
+# $NetBSD: Makefile.in,v 1.14 2008/03/13 16:35:30 joerg Exp $
 srcdir= @srcdir@
 prefix= @prefix@
 exec_prefix= @exec_prefix@
+sysconfdir= @sysconfdir@
 sbindir= @sbindir@
 mandir= @mandir@
 datarootdir= @datarootdir@
@@ -11,10 +12,10 @@ datarootdir= @datarootdir@
 man1dir= $(mandir)/man1
 cat1dir= $(mandir)/cat1
+BOOTSTRAP= @bootstrap@
+
 CC= @CC@
 CCLD= $(CC)
-LIBS= -linstall @LIBS@
-CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib
 DEFS= @DEFS@
 CFLAGS= @CFLAGS@
 LDFLAGS= @LDFLAGS@ -L../lib
@@ -23,7 +24,17 @@ INSTALL= @INSTALL@
 PROG= pkg_admin
-OBJS= check.o main.o
+.if empty(BOOTSTRAP)
+LIBS= -linstall -lbz2 -lz @LIBS@
+OBJS= audit.o check.o config.o main.o
+CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib \
+ -DSYSCONFDIR=\"$(sysconfdir)\"
+.else
+LIBS= -linstall @LIBS@
+OBJS= check.o config.o main.o
+CPPFLAGS= @CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP \
+ -DSYSCONFDIR=\"$(sysconfdir)\"
+.endif
 all: $(PROG)
diff --git a/pkgtools/pkg_install/files/admin/admin.h b/pkgtools/pkg_install/files/admin/admin.h
index 934bbfada3b..bcad1f6baeb 100644
--- a/pkgtools/pkg_install/files/admin/admin.h
+++ b/pkgtools/pkg_install/files/admin/admin.h
@@ -32,5 +32,23 @@
 */
 extern int quiet;
+extern int verbose;
+
+extern const char *pkg_vulnerabilities_dir;
+extern const char *pkg_vulnerabilities_file;
+extern const char *pkg_vulnerabilities_url;
+extern const char *fetch_cmd;
+extern const char *ignore_advisories;
+extern const char tnf_vulnerability_base[];
 void check(char **);
+
+void audit_pkgdb(int, char **);
+void audit_pkg(int, char **);
+void audit_batch(int, char **);
+void check_pkg_vulnerabilities(int, char **);
+void fetch_pkg_vulnerabilities(int, char **);
+
+void pkg_install_config(const char *);
+
+void usage(void);
diff --git a/pkgtools/pkg_install/files/admin/audit.c b/pkgtools/pkg_install/files/admin/audit.c
new file mode 100644
index 00000000000..8a83924b3f8
--- /dev/null
+++ b/pkgtools/pkg_install/files/admin/audit.c
@@ -0,0 +1,424 @@
+/* $NetBSD: audit.c,v 1.1 2008/03/13 16:35:30 joerg Exp $ */
+
+#if HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include
+#if HAVE_SYS_CDEFS_H
+#include
+#endif
+#ifndef lint
+__RCSID("$NetBSD: audit.c,v 1.1 2008/03/13 16:35:30 joerg Exp $");
+#endif
+
+/*-
+ * Copyright (c) 2008 Joerg Sonnenberger .
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if HAVE_SYS_TYPES_H
+#include
+#endif
+#if HAVE_SYS_STAT_H
+#include
+#endif
+#if HAVE_SYS_WAIT_H
+#include
+#endif
+#if HAVE_ERR_H
+#include
+#endif
+#if HAVE_ERRNO_H
+#include
+#endif
+#if HAVE_SIGNAL_H
+#include
+#endif
+#if HAVE_STDIO_H
+#include
+#endif
+#if HAVE_STRING_H
+#include
+#endif
+
+#include "admin.h"
+#include "lib.h"
+
+static int check_eol = 0;
+static int check_signature = 0;
+static const char *limit_vul_types = NULL;
+
+static struct pkg_vulnerabilities *pv;
+
+static void
+parse_options(int argc, char **argv)
+{
+ int ch;
+
+ optreset = 1;
+ optind = 0;
+
+ while ((ch = getopt(argc, argv, "est")) != -1) {
+ switch (ch) {
+ case 'e':
+ check_eol = 1;
+ break;
+ case 's':
+ check_signature = 1;
+ break;
+ case 't':
+ limit_vul_types = optarg;
+ break;
+ default:
+ usage();
+ /* NOTREACHED */
+ }
+ }
+}
+
+static int
+check_exact_pkg(const char *pkg)
+{
+ const char *iter, *next;
+ int ret;
+ size_t i;
+
+ ret = 0;
+ for (i = 0; i < pv->entries; ++i) {
+ if (ignore_advisories != NULL) {
+ size_t url_len = strlen(pv->advisory[i]);
+ size_t entry_len;
+
+ for (iter = ignore_advisories; *iter; iter = next) {
+ if ((next = strchr(iter, '\n')) == NULL) {
+ entry_len = strlen(iter);
+ next = iter + entry_len;
+ } else {
+ entry_len = next - iter;
+ ++next;
+ }
+ if (url_len != entry_len)
+ continue;
+ if (!strncmp(pv->advisory[i], iter, entry_len))
+ break;
+ }
+ if (*iter != '\0')
+ continue;
+ }
+ if (limit_vul_types != NULL &&
+ strcmp(limit_vul_types, pv->classification[i]))
+ continue;
+ if (!pkg_match(pv->vulnerability[i], pkg))
+ continue;
+ if (strcmp("eol", pv->classification[i]) == 0) {
+ if (!check_eol)
+ continue;
+ if (quiet)
+ puts(pkg);
+ else
+ printf("Package %s has reached end-of-life (eol), "
+ "see %s/eol-packages\n", pkg,
+ tnf_vulnerability_base);
+ continue;
+ }
+ if (quiet)
+ puts(pkg);
+ else
+ printf("Package %s has a %s vulnerability, see %s\n",
+ pkg, pv->classification[i], pv->advisory[i]);
+ ret = 1;
+ }
+ return ret;
+}
+
+static int
+check_batch_exact_pkgs(const char *fname)
+{
+ FILE *f;
+ char buf[4096], *line, *eol;
+ int ret;
+
+ ret = 0;
+ if (strcmp(fname, "-") == 0)
+ f = stdin;
+ else {
+ f = fopen(fname, "r");
+ if (f == NULL)
+ err(EXIT_FAILURE, "Failed to open input file %s",
+ fname);
+ }
+ while ((line = fgets(buf, sizeof(buf), f)) != NULL) {
+ eol = line + strlen(line);
+ if (eol == line)
+ continue;
+ --eol;
+ if (*eol == '\n') {
+ if (eol == line)
+ continue;
+ *eol = '\0';
+ }
+ ret |= check_exact_pkg(line);
+ }
+ if (f != stdin)
+ fclose(f);
+
+ return ret;
+}
+
+static int
+check_one_installed_pkg(const char *pkg, void *cookie)
+{
+ int *ret = cookie;
+
+ *ret |= check_exact_pkg(pkg);
+ return 0;
+}
+
+static int
+check_installed_pattern(const char *pattern)
+{
+ int ret = 0;
+
+ match_installed_pkgs(pattern, check_one_installed_pkg, &ret);
+
+ return ret;
+}
+
+static void
+check_and_read_pkg_vulnerabilities(void)
+{
+ struct stat st;
+ time_t now;
+
+ if (pkg_vulnerabilities_file == NULL)
+ errx(EXIT_FAILURE, "PKG_VULNERABILITIES is not set");
+
+ if (verbose >= 1) {
+ if (stat(pkg_vulnerabilities_file, &st) == -1) {
+ if (errno == ENOENT)
+ errx(EXIT_FAILURE,
+ "pkg-vulnerabilities not found, run %s -d",
+ getprogname());
+ errx(EXIT_FAILURE, "pkg-vulnerabilities not readable");
+ }
+ now = time(NULL);
+ now -= st.st_mtime;
+ if (now < 0)
+ warnx("pkg-vulnerabilities is from the future");
+ else if (now > 86400 * 7)
+ warnx("pkg-vulnerabilities is out of day (%d days old)",
+ now / 86400);
+ else if (verbose >= 2)
+ warnx("pkg-vulnerabilities is %d day%s old",
+ now / 86400, now / 86400 == 1 ? "" : "s");
+ }
+
+ pv = read_pkg_vulnerabilities(pkg_vulnerabilities_file, 0, check_signature);
+}
+
+void
+audit_pkgdb(int argc, char **argv)
+{
+ int rv;
+
+ parse_options(argc, argv);
+ argv += optind;
+
+ check_and_read_pkg_vulnerabilities();
+
+ rv = 0;
+ if (*argv == NULL)
+ rv |= check_installed_pattern("*");
+ else {
+ for (; *argv != NULL; ++argv)
+ rv |= check_installed_pattern(*argv);
+ }
+ free_pkg_vulnerabilities(pv);
+
+ if (rv == 0 && verbose >= 1)
+ fputs("No vulnerabilities found\n", stderr);
+ exit(rv ? EXIT_FAILURE : EXIT_SUCCESS);
+}
+
+void
+audit_pkg(int argc, char **argv)
+{
+ int rv;
+
+ parse_options(argc, argv);
+ argv += optind;
+
+ check_and_read_pkg_vulnerabilities();
+ rv = 0;
+ for (; *argv != NULL; ++argv)
+ rv |= check_exact_pkg(*argv);
+
+ free_pkg_vulnerabilities(pv);
+
+ if (rv == 0 && verbose >= 1)
+ fputs("No vulnerabilities found\n", stderr);
+ exit(rv ? EXIT_FAILURE : EXIT_SUCCESS);
+}
+
+void
+audit_batch(int argc, char **argv)
+{
+ int rv;
+
+ parse_options(argc, argv);
+ argv += optind;
+
+ check_and_read_pkg_vulnerabilities();
+ rv = 0;
+ for (; *argv != NULL; ++argv)
+ rv |= check_batch_exact_pkgs(*argv);
+ free_pkg_vulnerabilities(pv);
+
+ if (rv == 0 && verbose >= 1)
+ fputs("No vulnerabilities found\n", stderr);
+ exit(rv ? EXIT_FAILURE : EXIT_SUCCESS);
+}
+
+void
+check_pkg_vulnerabilities(int argc, char **argv)
+{
+ parse_options(argc, argv);
+ if (argc != optind + 1)
+ usage();
+
+ pv = read_pkg_vulnerabilities(argv[optind], 0, check_signature);
+ free_pkg_vulnerabilities(pv);
+}
+
+void
+fetch_pkg_vulnerabilities(int argc, char **argv)
+{
+ struct pkg_vulnerabilities *pv_check;
+ const char *error;
+ pid_t child;
+ char *buf, *decompressed_input;
+ size_t buf_len, cur_len, decompressed_len;
+ ssize_t bytes_read;
+ int fd[2], status;
+
+ parse_options(argc, argv);
+ if (argc != optind)
+ usage();
+
+ if (verbose >= 2)
+ fprintf(stderr, "ftp -o - %s\n", pkg_vulnerabilities_url);
+
+ if (pipe(fd) == -1)
+ err(EXIT_FAILURE, "cannot create FTP data pipe");
+
+ child = vfork();
+ if (child == -1)
+ err(EXIT_FAILURE, "cannot fork FTP process");
+ if (child == 0) {
+ close(fd[0]);
+ close(STDOUT_FILENO);
+ if (dup2(fd[1], STDOUT_FILENO) == -1) {
+ static const char err_msg[] =
+ "cannot redirect stdout of FTP process\n";
+ write(STDERR_FILENO, err_msg, sizeof(err_msg) - 1);
+ _exit(255);
+ }
+ close(fd[1]);
+ execlp(fetch_cmd, fetch_cmd, "-o", "-",
+ pkg_vulnerabilities_url, (char *)NULL);
+ _exit(255);
+ }
+ close(fd[1]);
+
+ cur_len = 0;
+ buf_len = 32768;
+ if ((buf = malloc(buf_len + 1)) == NULL) {
+ error = "malloc failed";
+ goto ftp_error;
+ }
+
+ while ((bytes_read = read(fd[0], buf + cur_len, buf_len - cur_len)) > 0) {
+ cur_len += bytes_read;
+ if (cur_len * 2 < buf_len)
+ continue;
+ if (cur_len >= SSIZE_MAX / 2) {
+ error = "pkg-vulnerabilies too large";
+ goto ftp_error;
+ }
+ buf_len *= 2;
+ if ((buf = realloc(buf, buf_len + 1)) == NULL) {
+ error = "realloc failed";
+ goto ftp_error;
+ }
+ }
+
+ if (bytes_read == -1) {
+ error = "read from FTP process failed";
+ goto ftp_error;
+ }
+
+ waitpid(child, &status, 0);
+ close(fd[0]);
+
+ if (status)
+ errx(EXIT_FAILURE,
+ "Download of pkg-vulnerabilities from %s failed",
+ pkg_vulnerabilities_url);
+
+ buf[cur_len] = '\0';
+ if (decompress_buffer(buf, cur_len, &decompressed_input,
+ &decompressed_len)) {
+ pv_check = parse_pkg_vulnerabilities(decompressed_input,
+ decompressed_len, check_signature);
+ free(decompressed_input);
+ } else {
+ pv_check = parse_pkg_vulnerabilities(buf, cur_len,
+ check_signature);
+ }
+ free_pkg_vulnerabilities(pv_check);
+
+ fd[0] = open(pkg_vulnerabilities_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ if (fd[0] == -1)
+ err(EXIT_FAILURE, "Cannot create pkg-vulnerability file %s",
+ pkg_vulnerabilities_file);
+
+ if (write(fd[0], buf, cur_len) != cur_len)
+ err(EXIT_FAILURE, "Cannot write pkg-vulnerability file");
+ if (close(fd[0]) == -1)
+ err(EXIT_FAILURE, "Cannot close pkg-vulnerability file after write");
+
+ free(buf);
+
+ exit(EXIT_SUCCESS);
+
+ ftp_error:
+ (void)kill(child, SIGTERM);
+ (void)close(fd[0]);
+ (void)waitpid(child, &status, 0);
+ err(EXIT_FAILURE, error);
+}
diff --git a/pkgtools/pkg_install/files/admin/config.c b/pkgtools/pkg_install/files/admin/config.c
new file mode 100644
index 00000000000..4b1a670c74a
--- /dev/null
+++ b/pkgtools/pkg_install/files/admin/config.c
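Review bot: In parse_options the optstring is `"est"`, so getopt treats `-t` as a plain flag and does not set optarg for it; `limit_vul_types = optarg` therefore never receives the documented type and the following word is consumed as a package argument instead — the optstring should read `"est:"`. In check_and_read_pkg_vulnerabilities the `%d` conversions are fed `now / 86400`, a `time_t`, so pass `(int)(now / 86400)`; the whole freshness check is also inside `if (verbose >= 1)`, so a default invocation audits against an arbitrarily stale file with no warning, and only the informational "N days old" message should depend on verbosity, while the hint `run %s -d` should name `fetch-pkg-vulnerabilities` since `-d` is the lsdir option. In fetch_pkg_vulnerabilities the target is opened with O_TRUNC before the write is known to succeed, so a failed write replaces the previous good pkg-vulnerabilities with an empty or partial file; writing to a temporary file in the same directory and rename()ing it into place would make the update atomic. The `err(EXIT_FAILURE, error)` at ftp_error passes a non-literal format string and should be `err(EXIT_FAILURE, "%s", error)`.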
@@ -0,0 +1,99 @@
+/* $NetBSD: config.c,v 1.1 2008/03/13 16:35:30 joerg Exp $ */
+
+#if HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include
+#if HAVE_SYS_CDEFS_H
+#include
+#endif
+#ifndef lint
+__RCSID("$NetBSD: config.c,v 1.1 2008/03/13 16:35:30 joerg Exp $");
+#endif
+
+/*-
+ * Copyright (c) 2008 Joerg Sonnenberger .
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if HAVE_ERR_H
+#include
+#endif
+#if HAVE_STRING_H
+#include
+#endif
+
+#include "admin.h"
+#include "lib.h"
+
+const char *pkg_vulnerabilities_dir;
+const char *pkg_vulnerabilities_file;
+const char *pkg_vulnerabilities_url;
+const char *fetch_cmd = FTP_CMD;
+const char *ignore_advisories = NULL;
+const char tnf_vulnerability_base[] = "ftp://ftp.NetBSD.org/pub/NetBSD/packages/vulns";
+
+static struct config_variable {
+ const char *name;
+ const char **var;
+} config_variables[] = {
+ { "GPG", &gpg_cmd },
+ { "PKGVULNDIR", &pkg_vulnerabilities_dir },
+ { "PKGVULNURL", &pkg_vulnerabilities_url },
+ { "IGNORE_URL", &ignore_advisories },
+ { "FETCH_CMD", &fetch_cmd },
+ { NULL, NULL }
+};
+
+void
+pkg_install_config(const char *config_file)
+{
+ char *value;
+ int ret;
+ struct config_variable *var;
+
+ for (var = config_variables; var->name != NULL; ++var) {
+ value = var_get(config_file, var->name);
+ if (value != NULL)
+ *var->var = value;
+ }
+
+ if (pkg_vulnerabilities_dir != NULL)
+ ret = asprintf(&value, "%s/pkg-vulnerabilities", pkg_vulnerabilities_dir);
+ else
+ ret = asprintf(&value, "%s/pkg-vulnerabilities", _pkgdb_getPKGDB_DIR());
+ pkg_vulnerabilities_file = value;
+ if (ret == -1)
+ err(EXIT_FAILURE, "asprintf failed");
+ if (pkg_vulnerabilities_url == NULL) {
+ ret = asprintf(&value, "%s/pkg-vulnerabilities.gz",
+ tnf_vulnerability_base);
+ pkg_vulnerabilities_url = value;
+ if (ret == -1)
+ err(EXIT_FAILURE, "asprintf failed");
+ }
+}
diff --git a/pkgtools/pkg_install/files/admin/main.c b/pkgtools/pkg_install/files/admin/main.c
index 475f49c1acb..b9d4e360524 100644
--- a/pkgtools/pkg_install/files/admin/main.c
+++ b/pkgtools/pkg_install/files/admin/main.c
@@ -1,4 +1,4 @@
-/* $NetBSD: main.c,v 1.37 2008/03/09 20:55:25 joerg Exp $ */
+/* $NetBSD: main.c,v 1.38 2008/03/13 16:35:30 joerg Exp $ */
 #if HAVE_CONFIG_H
 #include "config.h"
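Review bot: In pkg_install_config the asprintf output is stored into `pkg_vulnerabilities_file` before `ret` is examined, and on failure the contents of `value` are unspecified; move the `if (ret == -1)` check above the assignment, and do the same for `pkg_vulnerabilities_url` a few lines below. Because `FETCH_CMD` read from the configuration file becomes `fetch_cmd`, which audit.c in this same commit hands to execlp as the program to run (and `GPG` presumably feeds `gpg_cmd` the same way), the function deserves a header comment stating that the configuration file must be trusted, i.e. owned by the administrator and not writable by unprivileged users, and that strings returned by var_get are kept for the life of the process and never freed. The default `tnf_vulnerability_base` is a plain ftp:// URL, so without `-s` a fetched file is authenticated by neither transport nor signature; a one-line comment above the definition saying so would help operators choosing whether to set PKGVULNURL.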
@@ -8,7 +8,7 @@
 #include
 #endif
 #ifndef lint
-__RCSID("$NetBSD: main.c,v 1.37 2008/03/09 20:55:25 joerg Exp $");
+__RCSID("$NetBSD: main.c,v 1.38 2008/03/13 16:35:30 joerg Exp $");
 #endif
 /*-
@@ -16,7 +16,8 @@ __RCSID("$NetBSD: main.c,v 1.37 2008/03/09 20:55:25 joerg Exp $");
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
- * by Hubert Feyrer .
+ * by Hubert Feyrer and
+ * by Joerg Sonnenberger .
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -83,17 +84,17 @@ __RCSID("$NetBSD: main.c,v 1.37 2008/03/09 20:55:25 joerg Exp $");
 #define DEFAULT_SFX ".t[bg]z" /* default suffix for ls{all,best} */
-static const char Options[] = "K:SVbd:qs:";
+static const char Options[] = "C:K:SVbd:qs:v";
-int quiet;
+int quiet, verbose;
 static void set_unset_variable(char **, Boolean);
 /* print usage message and exit */
-static void
+void
 usage(void)
 {
- (void) fprintf(stderr, "usage: %s [-bqSV] [-d lsdir] [-K pkg_dbdir] [-s sfx] command args ...\n"
+ (void) fprintf(stderr, "usage: %s [-bqSvV] [-C config] [-d lsdir] [-K pkg_dbdir] [-s sfx] command args ...\n"
 "Where 'commands' and 'args' are:\n"
 " rebuild - rebuild pkgdb from +CONTENTS files\n"
 " rebuild-tree - rebuild +REQUIRED_BY files from forward deps\n"
@@ -109,7 +110,12 @@ usage(void)
 " lsall /path/to/pkgpattern - list all pkgs matching the pattern\n"
 " lsbest /path/to/pkgpattern - list pkgs matching the pattern best\n"
 " dump - dump database\n"
- " pmatch pattern pkg - returns true if pkg matches pattern, otherwise false\n",
+ " pmatch pattern pkg - returns true if pkg matches pattern, otherwise false\n"
+ " fetch-pkg-vulnerabilities [-s] - fetch new vulnerability file\n"
+ " check-pkg-vulneraiblities [-s] - check syntax and checksums of the vulnerability file\n"
+ " audit [-es] [-t type] ...\n"
+ " audit-pkg [-es] [-t type] ...\n"
+ " audit-batch [-es] [-t type] ...\n",
 getprogname());
 exit(EXIT_FAILURE);
 }
@@ -127,7 +133,7 @@ add_pkg(const char *pkgdir, void *vp)
 plist_t *p;
 package_t Plist;
 char *contents;
- const char *PkgDBDir;
+ const char *PkgDBDir;
 char *PkgName, *dirp;
 char file[MaxPathSize];
 char dir[MaxPathSize];
@@ -339,6 +345,7 @@ rebuild_tree(void)
 int
 main(int argc, char *argv[])
 {
+ const char *config_file = SYSCONFDIR"/pkg_install.conf";
 Boolean use_default_sfx = TRUE;
 Boolean show_basename_only = FALSE;
 char lsdir[MaxPathSize];
@@ -353,6 +360,10 @@ main(int argc, char *argv[])
 while ((ch = getopt(argc, argv, Options)) != -1)
 switch (ch) {
+ case 'C':
+ config_file = optarg;
+ break;
+
 case 'K':
 _pkgdb_setPKGDB_DIR(optarg);
 break;
@@ -384,6 +395,10 @@ main(int argc, char *argv[])
 use_default_sfx = FALSE;
 break;
+ case 'v':
+ ++verbose;
+ break;
+
 default:
 usage();
 /* NOTREACHED */
@@ -396,6 +411,8 @@ main(int argc, char *argv[])
 usage();
 }
+ pkg_install_config(config_file);
+
 if (use_default_sfx)
 (void) snprintf(sfx, sizeof(sfx), "%s", DEFAULT_SFX);
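Review bot: The usage text added here spells the command `check-pkg-vulneraiblities`, while the dispatcher in main() compares argv[0] against `"check-pkg-vulnerabilities"`, so the help advertises a name the tool rejects; the literal should be `" check-pkg-vulnerabilities [-s] - check syntax and checksums of the vulnerability file\n"`. The three audit lines also stop at a bare `...` with no description, unlike every other entry; something like `" audit [-es] [-t type] [pkg ...] - check installed packages for vulnerabilities\n"` (and file names rather than packages for audit-batch) tells the user what the trailing argument is. usage() begins outside this hunk.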
@@ -504,7 +521,20 @@ main(int argc, char *argv[])
 } else if (strcasecmp(argv[0], "unset") == 0) {
 argv++; /* "unset" */
 set_unset_variable(argv, TRUE);
+ } else if (strcasecmp(argv[0], "fetch-pkg-vulnerabilities") == 0) {
+ fetch_pkg_vulnerabilities(--argc, ++argv);
+ } else if (strcasecmp(argv[0], "check-pkg-vulnerabilities") == 0) {
+ check_pkg_vulnerabilities(--argc, ++argv);
 }
+#ifndef BOOTSTRAP
+ else if (strcasecmp(argv[0], "audit") == 0) {
+ audit_pkgdb(--argc, ++argv);
+ } else if (strcasecmp(argv[0], "audit-pkg") == 0) {
+ audit_pkg(--argc, ++argv);
+ } else if (strcasecmp(argv[0], "audit-batch") == 0) {
+ audit_batch(--argc, ++argv);
+ }
+#endif
 #ifdef PKGDB_DEBUG
 else if (strcasecmp(argv[0], "delkey") == 0) {
 int rc;
diff --git a/pkgtools/pkg_install/files/admin/pkg_admin.1 b/pkgtools/pkg_install/files/admin/pkg_admin.1
index 34339add8ae..5287512f5d6 100644
--- a/pkgtools/pkg_install/files/admin/pkg_admin.1
+++ b/pkgtools/pkg_install/files/admin/pkg_admin.1
@@ -1,4 +1,4 @@
-.\" $NetBSD: pkg_admin.1,v 1.15 2008/01/29 15:39:30 hubertf Exp $
+.\" $NetBSD: pkg_admin.1,v 1.16 2008/03/13 16:35:30 joerg Exp $
 .\"
 .\" Copyright (c) 1999-2008 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -42,7 +42,8 @@
 .Nd perform various administrative tasks to the pkg system
 .Sh SYNOPSIS
 .Nm
-.Op Fl bqSV
+.Op Fl bqSvV
+.Op Fl C Ar config
 .Op Fl d Ar lsdir
 .Op Fl K Ar pkg_dbdir
 .Op Fl s Ar sfx_pattern
@@ -59,6 +60,10 @@ Print only the basenames when matching package names for
 .Cm lsall
 and
 .Cm lsbest .
+.It Fl C Ar config
+Read the configuration file from
+.Ar config
+instead of the system default.
 .It Fl d Ar lsdir
 Set
 .Ar lsdir
@@ -99,6 +104,8 @@ and
 The default pattern is ".t[bg]z".
 .It Fl V
 Print version number and exit.
+.It Fl v
+Be more verbose.
 .El
 .Pp
 The following commands are supported:
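Review bot: The two new `else if` arms for `fetch-pkg-vulnerabilities` and `check-pkg-vulnerabilities` sit outside the `#ifndef BOOTSTRAP` guard, yet both functions are defined in audit.c, which the bootstrap branch of Makefile.in in this same commit drops from OBJS (`OBJS= check.o config.o main.o`); the bootstrap build will therefore fail to link with undefined references to these two symbols. Either move the two arms inside the `#ifndef BOOTSTRAP` block together with the audit commands, or keep audit.o in the bootstrap object list and guard only the libbz2/libz-dependent parts. main() starts and ends outside this hunk.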
@@ -110,6 +117,26 @@ its file together with the package they belong to into the package database.
 This should be used only by
 .Xr pkg_view 1 .
+.It Cm audit Oo Fl es Oc Oo Fl t Ar type Oc Oo Ar pkg Oc ...
+Check the listed installed packages for vulnerabilities.
+If no package is given, check all installed packages.
+If
+.Fl e
+is given, also include end-of-life information.
+If
+.Fl s
+is given, check the signature of the pkg-vulnerabilities file before using it.
+.Fl t
+restricts the reported vulnerabilities to type
+.Ar type .
+.It Cm audit-pkg Oo Fl es Oc Oo Fl t Ar type Oc Oo Ar pkg Oc ...
+Like
+.Cm audit ,
+but check only the given package names or patterns.
+.It Cm audit-batch Oo Fl es Oc Oo Fl t Ar type Oc Oo Ar pkg-list Oc ...
+Like
+.Cm audit-pkg ,
+but read the package names or patterns one per line from the given files.
 .It Cm check Op Ar pkg ...
 Use this command to check the files belonging to some or all of the packages installed on the local machine against the checksum
@@ -131,6 +158,12 @@ A warning message is printed if the expected checksum differs from the
 checksum of the file on disk.
 Symbolic links are also checked, ensuring that the targets on disk are the same as the contents recorded at package installation time.
+.It Cm check-pkg-vulnerabilities Oo Fl s Oc Ar file
+Check format and hashes in the pkg-vulnerabilties file
+.Ar file .
+If
+.Fl s
+is given, also check the embedded signature.
 .It Cm delete Ar pkg ...
 For each listed package, remove all file entries in the package database that belong to the package.
@@ -141,6 +174,11 @@ Dump the contents of the package database, similar to
 .Cm pkg_info -F .
 Columns are printed for the keyfield used in the pkgdb - the filename -, and the data field - the package the file belongs to.
+.It Cm fetch-pkg-vulnerabilities Op Fl s
+Fetch a new pkg-vulnerabilities file, check the format and if
+.Fl s
+is given the signature.
+If all checks are passed, write it to pkgdb.
 .It Cm lsall Ar /dir/pkgpattern
 .It Cm lsbest Ar /dir/pkgpattern
 List all/best package matching pattern in the given directory
diff --git a/pkgtools/pkg_install/files/admin/pkg_admin.cat1 b/pkgtools/pkg_install/files/admin/pkg_admin.cat1
index 41f9721bd52..35545c6af18 100644
--- a/pkgtools/pkg_install/files/admin/pkg_admin.cat1
+++ b/pkgtools/pkg_install/files/admin/pkg_admin.cat1
@@ -4,8 +4,8 @@ NNAAMMEE
 ppkkgg__aaddmmiinn -- perform various administrative tasks to the pkg system
 SSYYNNOOPPSSIISS
- ppkkgg__aaddmmiinn [--bbqqSSVV] [--dd _l_s_d_i_r] [--KK _p_k_g___d_b_d_i_r] [--ss _s_f_x___p_a_t_t_e_r_n] _c_o_m_m_a_n_d
- [args ...]
+ ppkkgg__aaddmmiinn [--bbqqSSvvVV] [--CC _c_o_n_f_i_g] [--dd _l_s_d_i_r] [--KK _p_k_g___d_b_d_i_r] [--ss _s_f_x___p_a_t_t_e_r_n]
+ _c_o_m_m_a_n_d [args ...]
 DDEESSCCRRIIPPTTIIOONN
 This command performs various administrative tasks around the NetBSD
@@ -17,6 +17,10 @@ OOPPTTIIOONNSS
 --bb Print only the basenames when matching package names for llssaallll and llssbbeesstt.
+ --CC _c_o_n_f_i_g
+ Read the configuration file from _c_o_n_f_i_g instead of the system
+ default.
+
 --dd _l_s_d_i_r
 Set _l_s_d_i_r as the path to the directory in which to find matching package names for llssaallll and llssbbeesstt.
@@ -41,6 +45,8 @@ OOPPTTIIOONNSS
 --VV Print version number and exit.
+ --vv Be more verbose.
+
 The following commands are supported:
 aadddd _p_k_g _._._.
@@ -49,6 +55,20 @@ OOPPTTIIOONNSS
 belong to into the package database. This should be used only by pkg_view(1).
+ aauuddiitt [--eess] [--tt _t_y_p_e] [_p_k_g] ...
+ Check the listed installed packages for vulnerabilities. If no
+ package is given, check all installed packages. If --ee is given,
+ also include end-of-life information. If --ss is given, check the
+ signature of the pkg-vulnerabilities file before using it. --tt
+ restricts the reported vulnerabilities to type _t_y_p_e.
+
+ aauuddiitt--ppkkgg [--eess] [--tt _t_y_p_e] [_p_k_g] ...
+ Like aauuddiitt, but check only the given package names or patterns.
+
+ aauuddiitt--bbaattcchh [--eess] [--tt _t_y_p_e] [_p_k_g_-_l_i_s_t] ...
+ Like aauuddiitt--ppkkgg, but read the package names or patterns one per
+ line from the given files.
+
 cchheecckk [_p_k_g _._._.]
 Use this command to check the files belonging to some or all of the packages installed on the local machine against the checksum
@@ -66,6 +86,10 @@ OOPPTTIIOONNSS
 targets on disk are the same as the contents recorded at package installation time.
+ cchheecckk--ppkkgg--vvuullnneerraabbiilliittiieess [--ss] _f_i_l_e
+ Check format and hashes in the pkg-vulnerabilties file _f_i_l_e. If
+ --ss is given, also check the embedded signature.
+
 ddeelleettee _p_k_g _._._.
 For each listed package, remove all file entries in the package database that belong to the package. This should be used only by
@@ -75,6 +99,11 @@ OOPPTTIIOONNSS
 --FF. Columns are printed for the keyfield used in the pkgdb - the filename -, and the data field - the package the file belongs to.
+ ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess [--ss]
+ Fetch a new pkg-vulnerabilities file, check the format and if --ss
+ is given the signature. If all checks are passed, write it to
+ pkgdb.
+
 llssaallll _/_d_i_r_/_p_k_g_p_a_t_t_e_r_n
 llssbbeesstt _/_d_i_r_/_p_k_g_p_a_t_t_e_r_n
diff --git a/pkgtools/pkg_install/files/lib/version.h b/pkgtools/pkg_install/files/lib/version.h
index a2eb86a657b..0a6307c47cb 100644
--- a/pkgtools/pkg_install/files/lib/version.h
+++ b/pkgtools/pkg_install/files/lib/version.h
@@ -1,4 +1,4 @@
-/* $NetBSD: version.h,v 1.96 2008/03/11 18:01:35 joerg Exp $ */
+/* $NetBSD: version.h,v 1.97 2008/03/13 16:35:31 joerg Exp $ */
 /*
 * Copyright (c) 2001 Thomas Klausner. All rights reserved.
@@ -33,6 +33,6 @@
 #ifndef _INST_LIB_VERSION_H_
 #define _INST_LIB_VERSION_H_
-#define PKGTOOLS_VERSION "20080311"
+#define PKGTOOLS_VERSION "20080313"
 #endif /* _INST_LIB_VERSION_H_ */
-- 
cgit v1.2.3