From 47b993ce95199373402e7c179af81f7ec385c350 Mon Sep 17 00:00:00 2001
From: Loic F
Date: Mon, 5 Jul 2021 09:44:10 +0200
Subject: [PATCH 1/7] HBSD: add 'Download only' option
Add option '-F' for download the latest update archive. The option is able to resume an interrupted download. Fix issues #57 signaled by Shawn Webb.
Signed-off-by: Loic
(cherry picked from commit 762bdf24c80d83f8f0091da6fac518ffba3df1be)
---
 usr.sbin/hbsd-update/hbsd-update | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/hbsd-update/hbsd-update b/usr.sbin/hbsd-update/hbsd-update
index 0563846c2621..5f5fa830d6ba 100755
--- a/usr.sbin/hbsd-update/hbsd-update
+++ b/usr.sbin/hbsd-update/hbsd-update
@@ -1,6 +1,6 @@
 #!/bin/sh
 #-
-# Copyright (c) 2015,2020 HardenedBSD
+# Copyright (c) 2015,2020,2021 HardenedBSD
 # Author: Shawn Webb
 #
 # This work originally sponsored by G2, Inc
@@ -43,6 +43,7 @@ dnssec_key="/usr/share/keys/hbsd-update/trusted/dnssec.key"
 revoke_dir="/usr/share/keys/hbsd-update/revoked"
 fetchonly=0
+downloadonly=0
 ignorever=0
 install_src=0
 integriforce=1
@@ -118,6 +119,7 @@ usage() {
 debug_print "\t-c config\tUse a non-default config file"
 debug_print "\t-d\t\tDo not use DNSSEC validation"
 debug_print "\t-f\t\tFetch only"
+ debug_print "\t-F\t\tDownload only"
 debug_print "\t-h\t\tShow this help screen"
 debug_print "\t-I\t\tInteractively remove obsolete files"
 debug_print "\t-i\t\tIgnore version check"
@@ -145,6 +147,10 @@ sigint_handler() {
 destroybe=${1}
 fi
+ if [ ${downloadonly} = 1 ]; then
+ exit 0
+ fi
+
 debug_print "[-] Caught SIGINT. Cleaning up."
 cleanup
@@ -1119,7 +1125,7 @@ main() {
 local_kernel=""
 no_kernel=0
- while getopts '46dfhimnosBCDITUVb:c:j:K:k:r:Rt:u:v:' opt; do
+ while getopts '46dfFhimnosBCDITUVb:c:j:K:k:r:Rt:u:v:' opt; do
 case "${opt}" in
 4)
 force_ipv4="yes"
@@ -1148,6 +1154,9 @@ main() {
 f)
 fetchonly=1
 ;;
+ F)
+ downloadonly=1
+ ;;
 i)
 ignorever=1
 ;;
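Review bot: The `downloadonly` branch added to sigint_handler() reports success (`exit 0`) for a download that was just interrupted, so anything scripting `hbsd-update -F` cannot tell a complete archive from a truncated one. Skipping `cleanup` is understandable in this commit, since it relies on fetch's `-r` to resume the partial file, but the status should still be non-zero, e.g. `exit 1`. sigint_handler() starts before this hunk, so whether anything else depends on its exit status is not visible here.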
@@ -1250,6 +1259,13 @@ main() {
 exit 1
 fi
+ if [ ${downloadonly} = 1 ]; then
+ debug_print "[*] Download the latest update to the current folder."
+ ${FETCH} ${net_flag} -o update-$(get_version).tar -arR \
+ ${baseurl}/update-$(get_version).tar
+ exit 0
+ fi
+
 check_version
 res=${?}
 if [ ${res} -gt 0 ]; then
From 24e88659ed5d20bc32bc103a50b791f5469c58d2 Mon Sep 17 00:00:00 2001
From: Loic F
Date: Sat, 10 Jul 2021 07:58:57 +0200
Subject: [PATCH 2/7] HBSD: use fetch_update for 'download only'
We now use the fetch_update for 'download only' function. This function has the advantage to control the checksum of the download file. Please note that there is no more resumption of the interrupted download.
Reported-by: Shawn Webb
Signed-off-by: Loic
(cherry picked from commit b61c6a82ea42d10c2c784c1c2848fdc6c776bf69)
---
 usr.sbin/hbsd-update/hbsd-update | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/usr.sbin/hbsd-update/hbsd-update b/usr.sbin/hbsd-update/hbsd-update
index 5f5fa830d6ba..cf30297febf3 100755
--- a/usr.sbin/hbsd-update/hbsd-update
+++ b/usr.sbin/hbsd-update/hbsd-update
@@ -406,7 +406,12 @@ fetch_update() {
 fi
 fi
- # Step 3: Untar the update archive
+ # Step 3: Check whether to continue
+ if [ ${downloadonly} = 1 ]; then
+ exit 0
+ fi
+
+ # Step 4: Untar the update archive
 ${TAR} -xf ${tmpdir}/update.tar \
 -C ${tmpdir}
 res=${?}
@@ -1260,9 +1265,8 @@ main() {
 fi
 if [ ${downloadonly} = 1 ]; then
- debug_print "[*] Download the latest update to the current folder."
- ${FETCH} ${net_flag} -o update-$(get_version).tar -arR \
- ${baseurl}/update-$(get_version).tar
+ debug_print "[*] Download the latest update in ${tmpdir}"
+ fetch_update
 exit 0
 fi
From ec98736642cf36120ce4f92cac6da34d1c409c09 Mon Sep 17 00:00:00 2001
From: Loic F
Date: Sun, 24 Oct 2021 17:41:52 +0200
Subject: [PATCH 3/7] HBSD: Fix 'find' for the revoked directory
Remove the "No such file or directory" warning generate by find.
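Review bot: The `exit 0` that follows the `${FETCH}` call discards fetch's exit status, so a failed or refused download still ends the run with success; `${FETCH} ${net_flag} -o update-$(get_version).tar -arR ${baseurl}/update-$(get_version).tar || exit 1` would propagate it. The same pattern survives in the second patch of this series, where main() calls `fetch_update` and then unconditionally `exit 0`, even though the `res=${?}` checks inside fetch_update suggest it returns non-zero on failure — confirm that and use `fetch_update || exit 1` there too. This download path also writes the archive into the current directory without the hash check the regular path performs, which the next patch in the series addresses. main() continues outside the hunk.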
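Review bot: Now that the download lands in `${tmpdir}` rather than the current directory and, per the commit message, can no longer be resumed, the `downloadonly` special case that the first patch put in sigint_handler() (exit 0 without `cleanup`) has lost its purpose and leaves a partially written, unverified `update.tar` behind while still exiting 0; this commit should drop it so an interrupted `-F` run cleans up like any other. Separately, ending the download-only flow with `exit 0` from inside fetch_update() hides the script's termination in a helper; main() already exits right after calling fetch_update, so `return 0` here would keep the control flow in one place. Whether `${tmpdir}/update.tar` survives the exit depends on any EXIT trap, which is not visible in this hunk — worth confirming, since main() tells the user the archive is in `${tmpdir}`. fetch_update() starts and ends outside the hunk.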
Signed-off-by: Loic
(cherry picked from commit d88660446c883997fa87fd5f3375f922dccba54f)
---
 usr.sbin/hbsd-update/hbsd-update | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr.sbin/hbsd-update/hbsd-update b/usr.sbin/hbsd-update/hbsd-update
index cf30297febf3..ef1a0fa6b8a9 100755
--- a/usr.sbin/hbsd-update/hbsd-update
+++ b/usr.sbin/hbsd-update/hbsd-update
@@ -433,7 +433,7 @@ check_pubkey_validity() {
 updatehash=$(${SHA256} -q ${tmpdir}/pubkey.pem)
- for f in $(${FIND} ${mountpoint}/usr/share/keys/hbsd-update/revoked -type f); do
+ for f in $(${FIND} ${mountpoint}/usr/share/keys/hbsd-update/revoked -type f -print 2>/dev/null); do
 filehash=$(${SHA256} -q ${f})
 if [ "${filehash}" = "${updatehash}" ]; then
 echo "[-] This update has been signed with a revoked key." >&2
From d33c5a1bc7fb62512742e126112769d980296947 Mon Sep 17 00:00:00 2001
From: Loic F
Date: Fri, 18 Feb 2022 08:26:08 +0100
Subject: [PATCH 4/7] HBSD: exclude /boot/efi with tar
The commit 6c1ebef2 ("HBSD: Tell hbsd-update to skip /boot/efi") is not enough to solve the problem encountered with tar. Adding an exclude for /boot/efi.
Signed-off-by: Loic
Reported-by: @PKraszewski and @zsalab issue: #43
MFC-to: 13-STABLE
MFC-to: 12-STABLE
(cherry picked from commit 781c18cfe4c8d145a6062cb18fba12b58a36a9ac)
---
 usr.sbin/hbsd-update/hbsd-update | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/hbsd-update/hbsd-update b/usr.sbin/hbsd-update/hbsd-update
index ef1a0fa6b8a9..d15d3f2fdb2a 100755
--- a/usr.sbin/hbsd-update/hbsd-update
+++ b/usr.sbin/hbsd-update/hbsd-update
@@ -661,6 +661,7 @@ apply_base() {
 ${TAR} -xpf ${tmpdir}/base.txz \
 -X ${tmpdir}/skip.txt \
 --exclude ./boot \
+ --exclude ./boot/efi \
 -C ${mountpoint}
 res=${?}
 if [ ${res} -gt 0 ]; then
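Review bot: Sending find's stderr to `/dev/null` in the revoked-key scan hides more than the missing-directory warning the commit targets: a permission error or an unreadable `${mountpoint}` makes the loop silently iterate over nothing, and the update's key is then accepted without ever being compared against the revocation list. Testing the directory explicitly keeps the silence for the expected case and the diagnostics for everything else — e.g. `revoked=${mountpoint}/usr/share/keys/hbsd-update/revoked`, then wrap the loop in `if [ -d "${revoked}" ]; then … fi` and drop the `2>/dev/null`. The script already defines `revoke_dir` for this same path at the top, so the loop could reuse it (with the `${mountpoint}` prefix) instead of spelling the path out a second time. check_pubkey_validity() starts and ends outside the hunk.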
@@ -669,7 +670,7 @@ apply_base() {
 boottmp=$(env TMPDIR=${tmpdir} ${MKTEMP} -d)
 [ ! -d ${mountpoint}/boot ] && mkdir ${mountpoint}/boot
- ${TAR} -xpf ${tmpdir}/base.txz --include ./boot -C ${boottmp}
+ ${TAR} -xpf ${tmpdir}/base.txz --include ./boot --exclude ./boot/efi -C ${boottmp}
 ${TAR} -c -C ${boottmp}/boot -f - . | \
 (cd ${mountpoint}/boot; ${TAR} -xpf -)
 res=${?}
From 1aefb6c02dcc1b546e3b4fc240cdfccb7c6f2c2f Mon Sep 17 00:00:00 2001
From: Loic F
Date: Fri, 18 Feb 2022 08:45:13 +0100
Subject: [PATCH 5/7] HBSD: improve the help options
- Fixes a tabulation problem.
- Adds an example for the '-t tmpdir' option.
Signed-off-by: Loic
MFC-to: 13-STABLE
MFC-to: 12-STABLE
(cherry picked from commit e16079580667e4e0d71c7bca2edb56652e892f03)
---
 usr.sbin/hbsd-update/hbsd-update | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/hbsd-update/hbsd-update b/usr.sbin/hbsd-update/hbsd-update
index d15d3f2fdb2a..83c056fd9019 100755
--- a/usr.sbin/hbsd-update/hbsd-update
+++ b/usr.sbin/hbsd-update/hbsd-update
@@ -130,9 +130,9 @@ usage() {
 debug_print "\t-n\t\tDo not install kernel"
 debug_print "\t-o\t\tDo not remove obsolete files/directories"
 debug_print "\t-R\t\tUse system nameserver for the DNS-based version check"
- debug_print "\t-r path\tBootstrap root directory "
+ debug_print "\t-r path\t\tBootstrap root directory "
 debug_print "\t-s\t\tInstall sources (if present)"
- debug_print "\t-t tmpdir\tTemporary directory"
+ debug_print "\t-t tmpdir\tTemporary directory (example: /root/tmp)"
 debug_print "\t-U\t\tAllow unsigned updates"
 debug_print "\t-v version\tUse a different version"
 debug_print "\t-V\t\tVerbose output"
From 38df754a268e60b230017b37454490816cabad71 Mon Sep 17 00:00:00 2001
From: Loic F
Date: Fri, 18 Feb 2022 08:52:40 +0100
Subject: [PATCH 6/7] HBSD: improve the debug_print display
Improved display especially when the -V (Verbose output) option is used.
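Review bot: The changed tar line is fine, but the copy step two lines below it, `(cd ${mountpoint}/boot; ${TAR} -xpf -)`, does not check the `cd`: if it fails, the subshell extracts the boot tree into whatever the current directory happens to be, and the `res=${?}` on the next line reflects only the last stage of the pipeline, never the `${TAR} -c` producer. Changing the subshell to `(cd ${mountpoint}/boot && ${TAR} -xpf -)` closes the first gap; the producer's status would need a temporary archive or an explicit check, since the script runs under `#!/bin/sh` and cannot rely on `pipefail` being available. apply_base() starts and ends outside the hunk.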
Signed-off-by: Loic
MFC-to: 13-STABLE
MFC-to: 12-STABLE
(cherry picked from commit 18369f86234cd679df698dff5397caf6606ea632)
---
 usr.sbin/hbsd-update/hbsd-update | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/usr.sbin/hbsd-update/hbsd-update b/usr.sbin/hbsd-update/hbsd-update
index 83c056fd9019..12dde8175d88 100755
--- a/usr.sbin/hbsd-update/hbsd-update
+++ b/usr.sbin/hbsd-update/hbsd-update
@@ -402,7 +402,7 @@ fetch_update() {
 fi
 if [ ${verbose} -gt 0 ]; then
- debug_print "[*] Verified hash: ${filehash} = ${pubhash}"
+ debug_print "[*] Verified hash: ${filehash}\n[*] ↳ Remote Hash: ${pubhash}"
 fi
 fi
@@ -645,12 +645,13 @@ apply_base() {
 dirs="/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/lib"
 if [ ${verbose} -gt 0 ]; then
- debug_print "[*] Applying base"
+ debug_print "\n[*] Applying base"
 fi
 for dir in ${dirs}; do
 if [ -d ${mountpoint}/${dir} ]; then
- ${CHFLAGS} -R noschg ${mountpoint}/${dir}
+ #FIX-ME: empty: flags ("schg" is not "none"
+ ${CHFLAGS} -R noschg ${mountpoint}/${dir} 2> /dev/null
 res=${?}
 if [ ${res} -gt 0 ]; then
 return ${res}
@@ -901,7 +902,7 @@ remove_obsolete() {
 for file in $(cat ${tmpdir}/ObsoleteFiles.txt); do
 if [ -f ${mountpoint}/${file} ]; then
 if [ ${interactive} -gt 0 ]; then
- read -p "Remove ${mountpoint}/${file} (Y/n)? " val
+ read -p "Remove ${mountpoint}${file} (Y/n)? " val
 case "${val}" in
 [Nn]*)
 continue
@@ -910,7 +911,7 @@ remove_obsolete() {
 fi
 if [ ${verbose} -gt 0 ]; then
- debug_print " [+] Removing ${mountpoint}/${file}"
+ debug_print " [+] Removing ${mountpoint}${file}"
 fi
 rm -f ${mountpoint}/${file}
@@ -922,7 +923,7 @@ remove_obsolete() {
 for file in $(cat ${tmpdir}/ObsoleteDirs.txt); do
 if [ -e ${mountpoint}/${file} ]; then
 if [ ${verbose} -gt 0 ]; then
- debug_print " [+] Removing ${mountpoint}/${file}"
+ debug_print " [+] Removing ${mountpoint}${file}"
 fi
 rm -rf ${mountpoint}/${file}
From 370a7de4aa153694c1e7132f123aaf41b1ae4fee Mon Sep 17 00:00:00 2001
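Review bot: The added `2> /dev/null` on the recursive `${CHFLAGS} -R noschg` silences every diagnostic from a command whose failure still aborts apply_base() via `return ${res}` two lines below, so when it does fail on a read-only or unexpected filesystem the user is left with a bare non-zero status and no indication of which path was at fault. If the goal is only to hide the noise the FIX-ME alludes to, capture stderr rather than dropping it, e.g. `2> ${tmpdir}/chflags.err`, and print that file when `res` is non-zero. The comment itself is also unreadable as written (unbalanced parenthesis, `FIX-ME` instead of the usual `FIXME`); something like `# FIXME: chflags complains about entries whose flags are already "none"; stderr is silenced, but a failing status is still honoured below` would state what is being worked around — confirm that this warning is indeed the noise in question. apply_base() starts and ends outside the hunk.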
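Review bot: The prompt now prints `${mountpoint}${file}` while the `rm -f` further down the function still removes `${mountpoint}/${file}`, so the path shown to the user and the path deleted are built two different ways; that is harmless while every entry in ObsoleteFiles.txt starts with `/` (the doubled slash collapses), but an entry without it would display one path and delete another. Building the target once, e.g. `target=${mountpoint}/${file}` right after the `for`, and using `${target}` in the prompt, the verbose message and the `rm` keeps them in step; the same applies to the two following hunks in remove_obsolete() (the verbose message before `rm -f` and the ObsoleteDirs loop before `rm -rf`). remove_obsolete() starts and ends outside these hunks.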
From: Loic F
Date: Fri, 18 Mar 2022 13:54:40 +0100
Subject: [PATCH 7/7] HBSD: Fix the Remote Hash display
Signed-off-by: Loic
Reviewed-by: Shawn Webb
(cherry picked from commit d1a32942bada9ed2745cbc88d73f1d57f9d2ecf9)
---
 usr.sbin/hbsd-update/hbsd-update | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr.sbin/hbsd-update/hbsd-update b/usr.sbin/hbsd-update/hbsd-update
index 12dde8175d88..6871ffd490e0 100755
--- a/usr.sbin/hbsd-update/hbsd-update
+++ b/usr.sbin/hbsd-update/hbsd-update
@@ -402,7 +402,7 @@ fetch_update() {
 fi
 if [ ${verbose} -gt 0 ]; then
- debug_print "[*] Verified hash: ${filehash}\n[*] ↳ Remote Hash: ${pubhash}"
+ debug_print "[*] Verified hash: ${filehash}\n [+] Remote hash: ${pubhash}"
 fi
 fi