On Thu, Jan 30, 2020 at 11:14:37AM +0000, Stuart Henderson wrote:
> Putting this here for discussion... good idea? bad idea? does it need
> more checks for expected file contents?
>
> Index: sysupgrade.sh
> ===================================================================
> RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> retrieving revision 1.37
> diff -u -p -r1.37 sysupgrade.sh
> --- sysupgrade.sh 26 Jan 2020 22:08:36 -0000 1.37
> +++ sysupgrade.sh 30 Jan 2020 10:56:52 -0000
> @@ -131,6 +131,7 @@ cd ${SETSDIR}
>
> echo "Fetching from ${URL}"
> unpriv -f SHA256.sig ftp -N sysupgrade -Vmo SHA256.sig ${URL}SHA256.sig
> +unpriv -f BUILDINFO ftp -N sysupgrade -Vmo BUILDINFO ${URL}BUILDINFO
>
> _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
> _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
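Review bot: the added `unpriv -f BUILDINFO ftp ... ${URL}BUILDINFO` is unconditional, so a mirror or snapshot directory that does not serve BUILDINFO makes this fetch fail where the SHA256.sig fetch next to it has always succeeded; either treat a missing BUILDINFO as non-fatal and skip the build-time check, or say explicitly that mirrors without it are unsupported. At this point the file is fetched unverified, which is acceptable only because the following hunk checks it against the signify-verified SHA256 before anything reads it.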
> @@ -147,11 +148,26 @@ esac
> unpriv -f SHA256 signify -Ve -p "${SIGNIFY_KEY}" -x SHA256.sig -m SHA256
> rm SHA256.sig
>
> +unpriv cksum -qC SHA256 BUILDINFO
> +
> if cmp -s /var/db/installed.SHA256 SHA256 && ! $FORCE; then
> echo "Already on latest snapshot."
> exit 0
> fi
>
> +if [[ -r /var/db/installed.BUILDINFO ]] && ! $FORCE; then
> + read _skip _skip _oldbuildtime _skip < /var/db/installed.BUILDINFO
> + read _skip _skip _newbuildtime _skip < BUILDINFO
> + if [[ $_newbuildtime -lt $_oldbuildtime ]]; then
> + echo "Snapshot on mirror is older than installed version!"
> + exit 1
> + fi
> + if [[ $_newbuildtime -eq $_oldbuildtime ]]; then
> + echo "Already on latest snapshot? Mismatch between BUILDINFO
> and SHA256?"
> + exit 1
> + fi
> +fi
> +
> # INSTALL.*, bsd*, *.tgz
> SETS=$(sed -n -e 's/^SHA256 (\(.*\)) .*/\1/' \
> -e '/^INSTALL\./p;/^bsd/p;/\.tgz$/p' SHA256)
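Review bot: the tests `[[ $_newbuildtime -lt $_oldbuildtime ]]` and `[[ $_newbuildtime -eq $_oldbuildtime ]]` assume the third whitespace-separated field of both files is an integer; an empty or non-numeric field (an unexpected BUILDINFO layout, or a truncated /var/db/installed.BUILDINFO) turns the arithmetic comparison into a shell error instead of a clean exit with a message. Since the cover note asks about content checks, validate both values before comparing, for example `[[ $_newbuildtime == +([0-9]) ]]`, and bail out otherwise. The `unpriv cksum -qC SHA256 BUILDINFO` line is the right place for the integrity check, because SHA256 was just verified with signify, but it only protects anything if the signed SHA256 actually lists BUILDINFO, so that should be confirmed for the snapshot directories this is meant to run against.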
> @@ -187,9 +203,14 @@ Set name(s) = done
> Directory does not contain SHA256.sig. Continue without verification = yes
> __EOT
>
> +# XXX should be done in bsd.rd so that this is present for a clean install
> too
> +cat <<__EOT > /etc/rc.firsttime
> +cp /home/_sysupgrade/BUILDINFO /var/db/installed.BUILDINFO
> +__EOT
> +
> if ! ${KEEP}; then
> CLEAN=$(echo SHA256 ${SETS} | sed -e 's/ /,/g')
> - cat <<__EOT > /etc/rc.firsttime
> + cat <<__EOT >> /etc/rc.firsttime
> rm -f /home/_sysupgrade/{${CLEAN}}
> __EOT
> fi
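Review bot: `cp /home/_sysupgrade/BUILDINFO /var/db/installed.BUILDINFO` in rc.firsttime copies, at first boot after the upgrade, from a directory written by the unprivileged _sysupgrade user, so the file that lands in /var/db is not guaranteed to be the one that passed the cksum check earlier in the run. Consider copying the verified file to a root-owned staging path right after the check succeeds and having rc.firsttime move that instead; the cp will also emit an error at first boot if the file is gone by then. Changing the KEEP block from `>` to `>>` is required now that the new heredoc above it truncates rc.firsttime, so that part looks right.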
>
>
I think it's a good idea. A "bad" mirror could intentionally keep
snapshots around waiting for a critical bug to hit us, and then swap back
to an older snapshot that would be vulnerable. It would probably get
noticed reasonably quickly, but not before it could do some damage.