4 # Copyright 2004-2006 Colin Percival
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted providing that the following conditions
10 # 1. Redistributions of source code must retain the above copyright
11 # notice, this list of conditions and the following disclaimer.
12 # 2. Redistributions in binary form must reproduce the above copyright
13 # notice, this list of conditions and the following disclaimer in the
14 # documentation and/or other materials provided with the distribution.
16 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
20 # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 # POSSIBILITY OF SUCH DAMAGE.
30 #### Usage function -- called from command-line handling code.
32 # Usage instructions. Options not listed:
33 # --debug -- don't filter output from utilities
34 # --no-stats -- don't show progress statistics while fetching files
37 usage: `basename $0` [options] command ... [path]
40 -b basedir -- Operate on a system mounted at basedir
42 -d workdir -- Store working files in workdir
43 (default: /var/db/freebsd-update/)
44 -f conffile -- Read configuration options from conffile
45 (default: /etc/freebsd-update.conf)
46 -k KEY -- Trust an RSA key with SHA256 hash of KEY
47 -s server -- Server from which to fetch updates
48 (default: update.FreeBSD.org)
49 -t address -- Mail output of cron command, if any, to address
52 fetch -- Fetch updates from server
53 cron -- Sleep rand(3600) seconds, fetch updates, and send an
54 email if updates were found
55 install -- Install downloaded updates
56 rollback -- Uninstall most recently installed updates
61 #### Configuration processing functions
64 # Configuration options are set in the following order of priority:
65 # 1. Command line options
66 # 2. Configuration file options
68 # In addition, certain options (e.g., IgnorePaths) can be specified multiple
69 # times and (as long as these are all in the same place, e.g., inside the
70 # configuration file) they will accumulate. Finally, because the path to the
71 # configuration file can be specified at the command line, the entire command
72 # line must be processed before we start reading the configuration file.
74 # Sound like a mess? It is. Here's how we handle this:
75 # 1. Initialize CONFFILE and all the options to "".
76 # 2. Process the command line. Throw an error if a non-accumulating option
78 # 3. If CONFFILE is "", set CONFFILE to /etc/freebsd-update.conf .
79 # 4. For all the configuration options X, set X_saved to X.
80 # 5. Initialize all the options to "".
81 # 6. Read CONFFILE line by line, parsing options.
82 # 7. For each configuration option X, set X to X_saved iff X_saved is not "".
83 # 8. Repeat steps 4-7, except setting options to their default values at (6).
85 CONFIGOPTIONS="KEYPRINT WORKDIR SERVERNAME MAILTO ALLOWADD ALLOWDELETE
86 KEEPMODIFIEDMETADATA COMPONENTS IGNOREPATHS UPDATEIFUNMODIFIED
89 # Set all the configuration options to "".
91 for X in ${CONFIGOPTIONS}; do
96 # For each configuration option X, set X_saved to X.
98 for X in ${CONFIGOPTIONS}; do
99 eval ${X}_saved=\$${X}
103 # For each configuration option X, set X to X_saved if X_saved is not "".
105 for X in ${CONFIGOPTIONS}; do
107 if ! [ -z "${_}" ]; then
108 eval ${X}=\$${X}_saved
113 # Set the trusted keyprint.
115 if [ -z ${KEYPRINT} ]; then
122 # Set the working directory.
124 if [ -z ${WORKDIR} ]; then
131 # Set the name of the server (pool) from which to fetch updates
132 config_ServerName () {
133 if [ -z ${SERVERNAME} ]; then
140 # Set the address to which 'cron' output will be mailed.
142 if [ -z ${MAILTO} ]; then
149 # Set whether FreeBSD Update is allowed to add files (or directories, or
150 # symlinks) which did not previously exist.
152 if [ -z ${ALLOWADD} ]; then
169 # Set whether FreeBSD Update is allowed to remove files/directories/symlinks.
170 config_AllowDelete () {
171 if [ -z ${ALLOWDELETE} ]; then
188 # Set whether FreeBSD Update should keep existing inode ownership,
189 # permissions, and flags, in the event that they have been modified locally
191 config_KeepModifiedMetadata () {
192 if [ -z ${KEEPMODIFIEDMETADATA} ]; then
195 KEEPMODIFIEDMETADATA=yes
198 KEEPMODIFIEDMETADATA=no
209 # Add to the list of components which should be kept updated.
210 config_Components () {
212 COMPONENTS="${COMPONENTS} ${C}"
216 # Add to the list of paths under which updates will be ignored.
217 config_IgnorePaths () {
219 IGNOREPATHS="${IGNOREPATHS} ${C}"
223 # Add to the list of paths within which updates will be performed only if the
224 # file on disk has not been modified locally.
225 config_UpdateIfUnmodified () {
227 UPDATEIFUNMODIFIED="${UPDATEIFUNMODIFIED} ${C}"
231 # Work on a FreeBSD installation mounted under $1
233 if [ -z ${BASEDIR} ]; then
240 # Define what happens to output of utilities
241 config_VerboseLevel () {
242 if [ -z ${VERBOSELEVEL} ]; then
244 [Dd][Ee][Bb][Uu][Gg])
247 [Nn][Oo][Ss][Tt][Aa][Tt][Ss])
250 [Ss][Tt][Aa][Tt][Ss])
262 # Handle one line of configuration
264 if [ $# -eq 0 ]; then
273 #### Parameter handling functions.
275 # Initialize parameters to null, just in case they're
276 # set in the environment.
278 # Configration settings
281 # No configuration file set yet
284 # No commands specified yet
288 # Parse the command line
290 while [ $# -gt 0 ]; do
292 # Location of configuration file
294 if [ $# -eq 1 ]; then usage; fi
295 if [ ! -z "${CONFFILE}" ]; then usage; fi
299 # Configuration file equivalents
301 if [ $# -eq 1 ]; then usage; fi; shift
302 config_BaseDir $1 || usage
305 if [ $# -eq 1 ]; then usage; fi; shift
306 config_WorkDir $1 || usage
309 if [ $# -eq 1 ]; then usage; fi; shift
310 config_KeyPrint $1 || usage
313 if [ $# -eq 1 ]; then usage; fi; shift
314 config_ServerName $1 || usage
317 if [ $# -eq 1 ]; then usage; fi; shift
318 config_MailTo $1 || usage
321 if [ $# -eq 1 ]; then usage; fi; shift
322 config_VerboseLevel $1 || usage
325 # Aliases for "-v debug" and "-v nostats"
327 config_VerboseLevel debug || usage
330 config_VerboseLevel nostats || usage
334 cron | fetch | install | rollback)
335 COMMANDS="${COMMANDS} $1"
338 # Anything else is an error
346 # Make sure we have at least one command
347 if [ -z "${COMMANDS}" ]; then
352 # Parse the configuration file
354 # If a configuration file was specified on the command line, check
355 # that it exists and is readable.
356 if [ ! -z "${CONFFILE}" ] && [ ! -r "${CONFFILE}" ]; then
357 echo -n "File does not exist "
358 echo -n "or is not readable: "
363 # If a configuration file was not specified on the command line,
364 # use the default configuration file path. If that default does
365 # not exist, give up looking for any configuration.
366 if [ -z "${CONFFILE}" ]; then
367 CONFFILE="/etc/freebsd-update.conf"
368 if [ ! -r "${CONFFILE}" ]; then
373 # Save the configuration options specified on the command line, and
374 # clear all the options in preparation for reading the config file.
378 # Read the configuration file. Anything after the first '#' is
379 # ignored, and any blank lines are ignored.
383 LINEX=`echo "${LINE}" | cut -f 1 -d '#'`
384 if ! configline ${LINEX}; then
385 echo "Error processing configuration file, line $L:"
391 # Merge the settings read from the configuration file with those
392 # provided at the command line.
396 # Provide some default parameters
398 # Save any parameters already configured, and clear the slate
402 # Default configurations
403 config_WorkDir /var/db/freebsd-update
406 config_AllowDelete yes
407 config_KeepModifiedMetadata yes
409 config_VerboseLevel stats
411 # Merge these defaults into the earlier-configured settings
415 # Set utility output filtering options, based on ${VERBOSELEVEL}
416 fetch_setup_verboselevel () {
417 case ${VERBOSELEVEL} in
419 QUIETREDIR="/dev/stderr"
421 STATSREDIR="/dev/stderr"
429 STATSREDIR="/dev/null"
435 QUIETREDIR="/dev/null"
437 STATSREDIR="/dev/stdout"
445 # Perform sanity checks and set some final parameters
446 # in preparation for fetching files. Figure out which
447 # set of updates should be downloaded: If the user is
448 # running *-p[0-9]+, strip off the last part; if the
449 # user is running -SECURITY, call it -RELEASE. Chdir
450 # into the working directory.
451 fetch_check_params () {
452 export HTTP_USER_AGENT="freebsd-update (${COMMAND}, `uname -r`)"
455 "SERVERNAME must be given via command line or configuration file."
456 _KEYPRINT_z="Key must be given via -k option or configuration file."
457 _KEYPRINT_bad="Invalid key fingerprint: "
458 _WORKDIR_bad="Directory does not exist or is not writable: "
460 if [ -z "${SERVERNAME}" ]; then
461 echo -n "`basename $0`: "
462 echo "${_SERVERNAME_z}"
465 if [ -z "${KEYPRINT}" ]; then
466 echo -n "`basename $0`: "
467 echo "${_KEYPRINT_z}"
470 if ! echo "${KEYPRINT}" | grep -qE "^[0-9a-f]{64}$"; then
471 echo -n "`basename $0`: "
472 echo -n "${_KEYPRINT_bad}"
476 if ! [ -d "${WORKDIR}" -a -w "${WORKDIR}" ]; then
477 echo -n "`basename $0`: "
478 echo -n "${_WORKDIR_bad}"
482 cd ${WORKDIR} || exit 1
484 # Generate release number. The s/SECURITY/RELEASE/ bit exists
485 # to provide an upgrade path for FreeBSD Update 1.x users, since
486 # the kernels provided by FreeBSD Update 1.x are always labelled
489 sed -E 's,-p[0-9]+,,' |
490 sed -E 's,-SECURITY,-RELEASE,'`
492 FETCHDIR=${RELNUM}/${ARCH}
494 # Figure out what directory contains the running kernel
495 BOOTFILE=`sysctl -n kern.bootfile`
496 KERNELDIR=${BOOTFILE%/kernel}
497 if ! [ -d ${KERNELDIR} ]; then
498 echo "Cannot identify running kernel"
502 # Figure out what kernel configuration is running. We start with
503 # the output of `uname -i`, and then make the following adjustments:
504 # 1. Replace "SMP-GENERIC" with "SMP". Why the SMP kernel config
505 # file says "ident SMP-GENERIC", I don't know...
506 # 2. If the kernel claims to be GENERIC _and_ ${ARCH} is "amd64"
507 # _and_ `sysctl kern.version` contains a line which ends "/SMP", then
508 # we're running an SMP kernel. This mis-identification is a bug
509 # which was fixed in 6.2-STABLE.
511 if [ ${KERNCONF} = "SMP-GENERIC" ]; then
514 if [ ${KERNCONF} = "GENERIC" ] && [ ${ARCH} = "amd64" ]; then
515 if sysctl kern.version | grep -qE '/SMP$'; then
521 BSPATCH=/usr/bin/bspatch
523 PHTTPGET=/usr/libexec/phttpget
525 # Set up variables relating to VERBOSELEVEL
526 fetch_setup_verboselevel
528 # Construct a unique name from ${BASEDIR}
529 BDHASH=`echo ${BASEDIR} | sha256 -q`
532 # Perform sanity checks and set some final parameters in
533 # preparation for installing updates.
534 install_check_params () {
535 # Check that we are root. All sorts of things won't work otherwise.
536 if [ `id -u` != 0 ]; then
537 echo "You must be root to run this."
541 # Check that we have a working directory
542 _WORKDIR_bad="Directory does not exist or is not writable: "
543 if ! [ -d "${WORKDIR}" -a -w "${WORKDIR}" ]; then
544 echo -n "`basename $0`: "
545 echo -n "${_WORKDIR_bad}"
549 cd ${WORKDIR} || exit 1
551 # Construct a unique name from ${BASEDIR}
552 BDHASH=`echo ${BASEDIR} | sha256 -q`
554 # Check that we have updates ready to install
555 if ! [ -L ${BDHASH}-install ]; then
556 echo "No updates are available to install."
557 echo "Run '$0 fetch' first."
560 if ! [ -f ${BDHASH}-install/INDEX-OLD ] ||
561 ! [ -f ${BDHASH}-install/INDEX-NEW ]; then
562 echo "Update manifest is corrupt -- this should never happen."
563 echo "Re-run '$0 fetch'."
568 # Perform sanity checks and set some final parameters in
569 # preparation for UNinstalling updates.
570 rollback_check_params () {
571 # Check that we are root. All sorts of things won't work otherwise.
572 if [ `id -u` != 0 ]; then
573 echo "You must be root to run this."
577 # Check that we have a working directory
578 _WORKDIR_bad="Directory does not exist or is not writable: "
579 if ! [ -d "${WORKDIR}" -a -w "${WORKDIR}" ]; then
580 echo -n "`basename $0`: "
581 echo -n "${_WORKDIR_bad}"
585 cd ${WORKDIR} || exit 1
587 # Construct a unique name from ${BASEDIR}
588 BDHASH=`echo ${BASEDIR} | sha256 -q`
590 # Check that we have updates ready to rollback
591 if ! [ -L ${BDHASH}-rollback ]; then
592 echo "No rollback directory found."
595 if ! [ -f ${BDHASH}-rollback/INDEX-OLD ] ||
596 ! [ -f ${BDHASH}-rollback/INDEX-NEW ]; then
597 echo "Update manifest is corrupt -- this should never happen."
602 #### Core functionality -- the actual work gets done here
604 # Use an SRV query to pick a server. If the SRV query doesn't provide
605 # a useful answer, use the server name specified by the user.
606 # Put another way... look up _http._tcp.${SERVERNAME} and pick a server
607 # from that; or if no servers are returned, use ${SERVERNAME}.
608 # This allows a user to specify "portsnap.freebsd.org" (in which case
609 # portsnap will select one of the mirrors) or "portsnap5.tld.freebsd.org"
610 # (in which case portsnap will use that particular server, since there
611 # won't be an SRV entry for that name).
613 # We ignore the Port field, since we are always going to use port 80.
615 # Fetch the mirror list, but do not pick a mirror yet. Returns 1 if
616 # no mirrors are available for any reason.
617 fetch_pick_server_init () {
620 # Check that host(1) exists (i.e., that the system wasn't built with the
621 # WITHOUT_BIND set) and don't try to find a mirror if it doesn't exist.
622 if ! which -s host; then
627 echo -n "Looking up ${SERVERNAME} mirrors... "
629 # Issue the SRV query and pull out the Priority, Weight, and Target fields.
630 # BIND 9 prints "$name has SRV record ..." while BIND 8 prints
631 # "$name server selection ..."; we allow either format.
632 MLIST="_http._tcp.${SERVERNAME}"
633 host -t srv "${MLIST}" |
634 sed -nE "s/${MLIST} (has SRV record|server selection) //p" |
635 cut -f 1,2,4 -d ' ' |
637 sort > serverlist_full
639 # If no records, give up -- we'll just use the server name we were given.
640 if [ `wc -l < serverlist_full` -eq 0 ]; then
645 # Report how many mirrors we found.
646 echo `wc -l < serverlist_full` "mirrors found."
648 # Generate a random seed for use in picking mirrors. If HTTP_PROXY
649 # is set, this will be used to generate the seed; otherwise, the seed
651 if [ -n "${HTTP_PROXY}${http_proxy}" ]; then
652 RANDVALUE=`sha256 -qs "${HTTP_PROXY}${http_proxy}" |
656 RANDVALUE=`jot -r 1 0 999999999`
660 # Pick a mirror. Returns 1 if we have run out of mirrors to try.
661 fetch_pick_server () {
662 # Generate a list of not-yet-tried mirrors
663 sort serverlist_tried |
664 comm -23 serverlist_full - > serverlist
666 # Have we run out of mirrors?
667 if [ `wc -l < serverlist` -eq 0 ]; then
668 echo "No mirrors remaining, giving up."
672 # Find the highest priority level (lowest numeric value).
673 SRV_PRIORITY=`cut -f 1 -d ' ' serverlist | sort -n | head -1`
675 # Add up the weights of the response lines at that priority level.
680 SRV_W=`echo $X | cut -f 2 -d ' '`
681 SRV_WSUM=$(($SRV_WSUM + $SRV_W))
686 # If all the weights are 0, pretend that they are all 1 instead.
687 if [ ${SRV_WSUM} -eq 0 ]; then
688 SRV_WSUM=`grep -E "^${SRV_PRIORITY} " serverlist | wc -l`
694 # Pick a value between 0 and the sum of the weights - 1
695 SRV_RND=`expr ${RANDVALUE} % ${SRV_WSUM}`
697 # Read through the list of mirrors and set SERVERNAME. Write the line
698 # corresponding to the mirror we selected into serverlist_tried so that
699 # we won't try it again.
703 SRV_W=`echo $X | cut -f 2 -d ' '`
704 SRV_W=$(($SRV_W + $SRV_W_ADD))
705 if [ $SRV_RND -lt $SRV_W ]; then
706 SERVERNAME=`echo $X | cut -f 3 -d ' '`
707 echo "$X" >> serverlist_tried
710 SRV_RND=$(($SRV_RND - $SRV_W))
717 # Take a list of ${oldhash}|${newhash} and output a list of needed patches,
718 # i.e., those for which we have ${oldhash} and don't have ${newhash}.
719 fetch_make_patchlist () {
720 grep -vE "^([0-9a-f]{64})\|\1$" |
723 if [ -f "files/${Y}.gz" ] ||
724 [ ! -f "files/${X}.gz" ]; then
731 # Print user-friendly progress statistics
736 if [ $(($LNC % 10)) = 0 ]; then
738 elif [ $(($LNC % 2)) = 0 ]; then
745 # Initialize the working directory
751 # Check that we have a public key with an appropriate hash, or
752 # fetch the key if it doesn't exist. Returns 1 if the key has
753 # not yet been fetched.
755 if [ -r pub.ssl ] && [ `${SHA256} -q pub.ssl` = ${KEYPRINT} ]; then
759 echo -n "Fetching public key from ${SERVERNAME}... "
761 fetch ${QUIETFLAG} http://${SERVERNAME}/${FETCHDIR}/pub.ssl \
762 2>${QUIETREDIR} || true
763 if ! [ -r pub.ssl ]; then
767 if ! [ `${SHA256} -q pub.ssl` = ${KEYPRINT} ]; then
768 echo "key has incorrect hash."
775 # Fetch metadata signature, aka "tag".
777 echo ${NDEBUG} "Fetching metadata signature from ${SERVERNAME}... "
779 fetch ${QUIETFLAG} http://${SERVERNAME}/${FETCHDIR}/latest.ssl \
780 2>${QUIETREDIR} || true
781 if ! [ -r latest.ssl ]; then
786 openssl rsautl -pubin -inkey pub.ssl -verify \
787 < latest.ssl > tag.new 2>${QUIETREDIR} || true
790 if ! [ `wc -l < tag.new` = 1 ] ||
792 "^freebsd-update\|${ARCH}\|${RELNUM}\|[0-9]+\|[0-9a-f]{64}\|[0-9]{10}" \
794 echo "invalid signature."
800 RELPATCHNUM=`cut -f 4 -d '|' < tag.new`
801 TINDEXHASH=`cut -f 5 -d '|' < tag.new`
802 EOLTIME=`cut -f 6 -d '|' < tag.new`
805 # Sanity-check the patch number in a tag, to make sure that we're not
806 # going to "update" backwards and to prevent replay attacks.
808 # Check that we're not going to move from -pX to -pY with Y < X.
809 RELPX=`uname -r | sed -E 's,.*-,,'`
810 if echo ${RELPX} | grep -qE '^p[0-9]+$'; then
811 RELPX=`echo ${RELPX} | cut -c 2-`
815 if [ "${RELPATCHNUM}" -lt "${RELPX}" ]; then
817 echo -n "Files on mirror (${RELNUM}-p${RELPATCHNUM})"
818 echo " appear older than what"
819 echo "we are currently running (`uname -r`)!"
820 echo "Cowardly refusing to proceed any further."
824 # If "tag" exists and corresponds to ${RELNUM}, make sure that
825 # it contains a patch number <= RELPATCHNUM, in order to protect
826 # against rollback (replay) attacks.
829 "^freebsd-update\|${ARCH}\|${RELNUM}\|[0-9]+\|[0-9a-f]{64}\|[0-9]{10}" \
831 LASTRELPATCHNUM=`cut -f 4 -d '|' < tag`
833 if [ "${RELPATCHNUM}" -lt "${LASTRELPATCHNUM}" ]; then
835 echo -n "Files on mirror (${RELNUM}-p${RELPATCHNUM})"
836 echo " are older than the"
837 echo -n "most recently seen updates"
838 echo " (${RELNUM}-p${LASTRELPATCHNUM})."
839 echo "Cowardly refusing to proceed any further."
845 # Fetch metadata index file
846 fetch_metadata_index () {
847 echo ${NDEBUG} "Fetching metadata index... "
849 fetch ${QUIETFLAG} http://${SERVERNAME}/${FETCHDIR}/t/${TINDEXHASH}
851 if ! [ -f ${TINDEXHASH} ]; then
855 if [ `${SHA256} -q ${TINDEXHASH}` != ${TINDEXHASH} ]; then
856 echo "update metadata index corrupt."
862 # Print an error message about signed metadata being bogus.
863 fetch_metadata_bogus () {
865 echo "The update metadata$1 is correctly signed, but"
866 echo "failed an integrity check."
867 echo "Cowardly refusing to proceed any further."
871 # Construct tINDEX.new by merging the lines named in $1 from ${TINDEXHASH}
872 # with the lines not named in $@ from tINDEX.present (if that file exists).
873 fetch_metadata_index_merge () {
874 for METAFILE in $@; do
875 if [ `grep -E "^${METAFILE}\|" ${TINDEXHASH} | wc -l` \
877 fetch_metadata_bogus " index"
881 grep -E "${METAFILE}\|" ${TINDEXHASH}
885 if [ -f tINDEX.present ]; then
886 join -t '|' -v 2 tINDEX.wanted tINDEX.present |
887 sort -m - tINDEX.wanted > tINDEX.new
890 mv tINDEX.wanted tINDEX.new
894 # Sanity check all the lines of tINDEX.new. Even if more metadata lines
895 # are added by future versions of the server, this won't cause problems,
896 # since the only lines which appear in tINDEX.new are the ones which we
897 # specifically grepped out of ${TINDEXHASH}.
898 fetch_metadata_index_sanity () {
899 if grep -qvE '^[0-9A-Z.-]+\|[0-9a-f]{64}$' tINDEX.new; then
900 fetch_metadata_bogus " index"
905 # Sanity check the metadata file $1.
906 fetch_metadata_sanity () {
907 # Some aliases to save space later: ${P} is a character which can
908 # appear in a path; ${M} is the four numeric metadata fields; and
909 # ${H} is a sha256 hash.
910 P="[-+./:=_[[:alnum:]]"
911 M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+"
914 # Check that the first four fields make sense.
915 if gunzip -c < files/$1.gz |
916 grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then
917 fetch_metadata_bogus ""
921 # Remove the first three fields.
922 gunzip -c < files/$1.gz |
923 cut -f 4- -d '|' > sanitycheck.tmp
925 # Sanity check entries with type 'f'
926 if grep -E '^f' sanitycheck.tmp |
927 grep -qvE "^f\|${M}\|${H}\|${P}*\$"; then
928 fetch_metadata_bogus ""
932 # Sanity check entries with type 'd'
933 if grep -E '^d' sanitycheck.tmp |
934 grep -qvE "^d\|${M}\|\|\$"; then
935 fetch_metadata_bogus ""
939 # Sanity check entries with type 'L'
940 if grep -E '^L' sanitycheck.tmp |
941 grep -qvE "^L\|${M}\|${P}*\|\$"; then
942 fetch_metadata_bogus ""
946 # Sanity check entries with type '-'
947 if grep -E '^-' sanitycheck.tmp |
948 grep -qvE "^-\|\|\|\|\|\|"; then
949 fetch_metadata_bogus ""
957 # Fetch the metadata index and metadata files listed in $@,
958 # taking advantage of metadata patches where possible.
960 fetch_metadata_index || return 1
961 fetch_metadata_index_merge $@ || return 1
962 fetch_metadata_index_sanity || return 1
964 # Generate a list of wanted metadata patches
965 join -t '|' -o 1.2,2.2 tINDEX.present tINDEX.new |
966 fetch_make_patchlist > patchlist
968 if [ -s patchlist ]; then
969 # Attempt to fetch metadata patches
970 echo -n "Fetching `wc -l < patchlist | tr -d ' '` "
971 echo ${NDEBUG} "metadata patches.${DDSTATS}"
972 tr '|' '-' < patchlist |
973 lam -s "${FETCHDIR}/tp/" - -s ".gz" |
974 xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \
975 2>${STATSREDIR} | fetch_progress
978 # Attempt to apply metadata patches
979 echo -n "Applying metadata patches... "
980 tr '|' ' ' < patchlist |
982 if [ ! -f "${X}-${Y}.gz" ]; then continue; fi
983 gunzip -c < ${X}-${Y}.gz > diff
984 gunzip -c < files/${X}.gz > diff-OLD
986 # Figure out which lines are being added and removed
989 while read PREFIX; do
990 look "${PREFIX}" diff-OLD
996 # Generate the new file
997 comm -23 diff-OLD diff-rm |
998 sort - diff-add > diff-NEW
1000 if [ `${SHA256} -q diff-NEW` = ${Y} ]; then
1001 mv diff-NEW files/${Y}
1004 mv diff-NEW ${Y}.bad
1006 rm -f ${X}-${Y}.gz diff
1007 rm -f diff-OLD diff-NEW diff-add diff-rm
1008 done 2>${QUIETREDIR}
1012 # Update metadata without patches
1013 cut -f 2 -d '|' < tINDEX.new |
1015 if [ ! -f "files/${Y}.gz" ]; then
1021 if [ -s filelist ]; then
1022 echo -n "Fetching `wc -l < filelist | tr -d ' '` "
1023 echo ${NDEBUG} "metadata files... "
1024 lam -s "${FETCHDIR}/m/" - -s ".gz" < filelist |
1025 xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \
1029 if ! [ -f ${Y}.gz ]; then
1033 if [ `gunzip -c < ${Y}.gz |
1034 ${SHA256} -q` = ${Y} ]; then
1035 mv ${Y}.gz files/${Y}.gz
1037 echo "metadata is corrupt."
1044 # Sanity-check the metadata files.
1045 cut -f 2 -d '|' tINDEX.new > filelist
1047 fetch_metadata_sanity ${X} || return 1
1050 # Remove files which are no longer needed
1051 cut -f 2 -d '|' tINDEX.present |
1053 cut -f 2 -d '|' tINDEX.new |
1055 comm -13 - oldfiles |
1056 lam -s "files/" - -s ".gz" |
1058 rm patchlist filelist oldfiles
1062 mv tINDEX.new tINDEX.present
1068 # Generate a filtered version of the metadata file $1 from the downloaded
1069 # file, by fishing out the lines corresponding to components we're trying
1070 # to keep updated, and then removing lines corresponding to paths we want
1072 fetch_filter_metadata () {
1073 METAHASH=`look "$1|" tINDEX.present | cut -f 2 -d '|'`
1074 gunzip -c < files/${METAHASH}.gz > $1.all
1076 # Fish out the lines belonging to components we care about.
1077 # Canonicalize directory names by removing any trailing / in
1078 # order to avoid listing directories multiple times if they
1079 # belong to multiple components. Turning "/" into "" doesn't
1080 # matter, since we add a leading "/" when we use paths later.
1081 for C in ${COMPONENTS}; do
1082 look "`echo ${C} | tr '/' '|'`|" $1.all
1085 sed -e 's,/|d|,|d|,' |
1088 # Figure out which lines to ignore and remove them.
1089 for X in ${IGNOREPATHS}; do
1090 grep -E "^${X}" $1.tmp
1093 comm -13 - $1.tmp > $1
1095 # Remove temporary files.
1099 # Filter the metadata file $1 by adding lines with "/boot/${KERNCONF}"
1100 # replaced by ${KERNELDIR} (which is `sysctl -n kern.bootfile` minus the
1101 # trailing "/kernel"); and if "/boot/${KERNCONF}" does not exist, remove
1102 # the original lines which start with that.
1103 # Put another way: Deal with the fact that the FOO kernel is sometimes
1104 # installed in /boot/FOO/ and is sometimes installed elsewhere.
1105 fetch_filter_kernel_names () {
1107 grep ^/boot/${KERNCONF} $1 |
1108 sed -e "s,/boot/${KERNCONF},${KERNELDIR},g" |
1112 if ! [ -d /boot/${KERNCONF} ]; then
1113 grep -v ^/boot/${KERNCONF} $1 > $1.tmp
1118 # For all paths appearing in $1 or $3, inspect the system
1119 # and generate $2 describing what is currently installed.
1120 fetch_inspect_system () {
1124 # Tell the user why his disk is suddenly making lots of noise
1125 echo -n "Inspecting system... "
1127 # Generate list of files to inspect
1132 # Examine each file and output lines of the form
1133 # /path/to/file|type|device-inum|user|group|perm|flags|value
1134 # sorted by device and inode number.
1136 # If the symlink/file/directory does not exist, record this.
1137 if ! [ -e ${BASEDIR}/${F} ]; then
1141 if ! [ -r ${BASEDIR}/${F} ]; then
1142 echo "Cannot read file: ${BASEDIR}/${F}" \
1148 # Otherwise, output an index line.
1149 if [ -L ${BASEDIR}/${F} ]; then
1151 stat -n -f '%d-%i|%u|%g|%Mp%Lp|%Of|' ${BASEDIR}/${F};
1152 readlink ${BASEDIR}/${F};
1153 elif [ -f ${BASEDIR}/${F} ]; then
1155 stat -n -f '%d-%i|%u|%g|%Mp%Lp|%Of|' ${BASEDIR}/${F};
1156 sha256 -q ${BASEDIR}/${F};
1157 elif [ -d ${BASEDIR}/${F} ]; then
1159 stat -f '%d-%i|%u|%g|%Mp%Lp|%Of|' ${BASEDIR}/${F};
1161 echo "Unknown file type: ${BASEDIR}/${F}" \
1167 sort -k 3,3 -t '|' > $2.tmp
1170 # Check if an error occured during system inspection
1171 if [ -f .err ]; then
1175 # Convert to the form
1176 # /path/to/file|type|user|group|perm|flags|value|hlink
1177 # by resolving identical device and inode numbers into hard links.
1178 cut -f 1,3 -d '|' $2.tmp |
1179 sort -k 1,1 -t '|' |
1180 sort -s -u -k 2,2 -t '|' |
1181 join -1 2 -2 3 -t '|' - $2.tmp |
1182 awk -F \| -v OFS=\| \
1184 if (($2 == $3) || ($4 == "-"))
1185 print $3,$4,$5,$6,$7,$8,$9,""
1187 print $3,$4,$5,$6,$7,$8,$9,$2
1192 # We're finished looking around
1196 # For any paths matching ${UPDATEIFUNMODIFIED}, remove lines from $[123]
1197 # which correspond to lines in $2 with hashes not matching $1 or $3. For
1198 # entries in $2 marked "not present" (aka. type -), remove lines from $[123]
1199 # unless there is a corresponding entry in $1.
1200 fetch_filter_unmodified_notpresent () {
1201 # Figure out which lines of $1 and $3 correspond to bits which
1202 # should only be updated if they haven't changed, and fish out
1203 # the (path, type, value) tuples.
1204 # NOTE: We don't consider a file to be "modified" if it matches
1206 for X in ${UPDATEIFUNMODIFIED}; do
1210 cut -f 1,2,7 -d '|' |
1213 # Do the same for $2.
1214 for X in ${UPDATEIFUNMODIFIED}; do
1217 cut -f 1,2,7 -d '|' |
1220 # Any entry in $2-values which is not in $1-values corresponds to
1221 # a path which we need to remove from $1, $2, and $3.
1222 comm -13 $1-values $2-values > mlines
1223 rm $1-values $2-values
1225 # Any lines in $2 which are not in $1 AND are "not present" lines
1226 # also belong in mlines.
1228 cut -f 1,2,7 -d '|' |
1229 fgrep '|-|' >> mlines
1231 # Remove lines from $1, $2, and $3
1232 for X in $1 $2 $3; do
1233 sort -t '|' -k 1,1 ${X} > ${X}.tmp
1234 cut -f 1 -d '|' < mlines |
1236 join -v 2 -t '|' - ${X}.tmp |
1241 # Store a list of the modified files, for future reference
1242 fgrep -v '|-|' mlines |
1243 cut -f 1 -d '|' > modifiedfiles
1247 # For each entry in $1 of type -, remove any corresponding
1248 # entry from $2 if ${ALLOWADD} != "yes". Remove all entries
1249 # of type - from $1.
1250 fetch_filter_allowadd () {
1251 cut -f 1,2 -d '|' < $1 |
1253 cut -f 1 -d '|' > filesnotpresent
1255 if [ ${ALLOWADD} != "yes" ]; then
1257 join -v 1 -t '|' - filesnotpresent |
1263 join -v 1 -t '|' - filesnotpresent |
1269 # If ${ALLOWDELETE} != "yes", then remove any entries from $1
1270 # which don't correspond to entries in $2.
1271 fetch_filter_allowdelete () {
1272 # Produce a lists ${PATH}|${TYPE}
1274 cut -f 1-2 -d '|' < ${X} |
1275 sort -u > ${X}.nodes
1278 # Figure out which lines need to be removed from $1.
1279 if [ ${ALLOWDELETE} != "yes" ]; then
1280 comm -23 $1.nodes $2.nodes > $1.badnodes
1285 # Remove the relevant lines from $1
1288 done < $1.badnodes |
1289 comm -13 - $1 > $1.tmp
1292 rm $1.badnodes $1.nodes $2.nodes
1295 # If ${KEEPMODIFIEDMETADATA} == "yes", then for each entry in $2
1296 # with metadata not matching any entry in $1, replace the corresponding
1297 # line of $3 with one having the same metadata as the entry in $2.
1298 fetch_filter_modified_metadata () {
1299 # Fish out the metadata from $1 and $2
1301 cut -f 1-6 -d '|' < ${X} > ${X}.metadata
1304 # Find the metadata we need to keep
1305 if [ ${KEEPMODIFIEDMETADATA} = "yes" ]; then
1306 comm -13 $1.metadata $2.metadata > keepmeta
1311 # Extract the lines which we need to remove from $3, and
1312 # construct the lines which we need to add to $3.
1316 NODE=`echo "${LINE}" | cut -f 1-2 -d '|'`
1317 look "${NODE}|" $3 >> $3.remove
1318 look "${NODE}|" $3 |
1320 lam -s "${LINE}|" - >> $3.add
1323 # Remove the specified lines and add the new lines.
1326 sort -u - $3.add > $3.tmp
1329 rm keepmeta $1.metadata $2.metadata $3.add $3.remove
1332 # Remove lines from $1 and $2 which are identical;
1333 # no need to update a file if it isn't changing.
1334 fetch_filter_uptodate () {
1335 comm -23 $1 $2 > $1.tmp
1336 comm -13 $1 $2 > $2.tmp
1342 # Prepare to fetch files: Generate a list of the files we need,
1343 # copy the unmodified files we have into /files/, and generate
1344 # a list of patches to download.
1345 fetch_files_prepare () {
1346 # Tell the user why his disk is suddenly making lots of noise
1347 echo -n "Preparing to download files... "
1349 # Reduce indices to ${PATH}|${HASH} pairs
1350 for X in $1 $2 $3; do
1351 cut -f 1,2,7 -d '|' < ${X} |
1357 # List of files wanted
1358 cut -f 2 -d '|' < $3.hashes |
1359 sort -u > files.wanted
1361 # Generate a list of unmodified files
1362 comm -12 $1.hashes $2.hashes |
1363 sort -k 1,1 -t '|' > unmodified.files
1365 # Copy all files into /files/. We only need the unmodified files
1366 # for use in patching; but we'll want all of them if the user asks
1367 # to rollback the updates later.
1368 cut -f 1 -d '|' < $2.hashes |
1370 cp "${BASEDIR}/${F}" tmpfile
1371 gzip -c < tmpfile > files/`sha256 -q tmpfile`.gz
1375 # Produce a list of patches to download
1376 sort -k 1,1 -t '|' $3.hashes |
1377 join -t '|' -o 2.2,1.2 - unmodified.files |
1378 fetch_make_patchlist > patchlist
1381 rm unmodified.files $1.hashes $2.hashes $3.hashes
1383 # We don't need the list of possible old files any more.
1386 # We're finished making noise
1392 # Attempt to fetch patches
1393 if [ -s patchlist ]; then
1394 echo -n "Fetching `wc -l < patchlist | tr -d ' '` "
1395 echo ${NDEBUG} "patches.${DDSTATS}"
1396 tr '|' '-' < patchlist |
1397 lam -s "${FETCHDIR}/bp/" - |
1398 xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \
1399 2>${STATSREDIR} | fetch_progress
1402 # Attempt to apply patches
1403 echo -n "Applying patches... "
1404 tr '|' ' ' < patchlist |
1406 if [ ! -f "${X}-${Y}" ]; then continue; fi
1407 gunzip -c < files/${X}.gz > OLD
1409 bspatch OLD NEW ${X}-${Y}
1411 if [ `${SHA256} -q NEW` = ${Y} ]; then
1415 rm -f diff OLD NEW ${X}-${Y}
1416 done 2>${QUIETREDIR}
1420 # Download files which couldn't be generate via patching
1422 if [ ! -f "files/${Y}.gz" ]; then
1425 done < files.wanted > filelist
1427 if [ -s filelist ]; then
1428 echo -n "Fetching `wc -l < filelist | tr -d ' '` "
1429 echo ${NDEBUG} "files... "
1430 lam -s "${FETCHDIR}/f/" - -s ".gz" < filelist |
1431 xargs ${XARGST} ${PHTTPGET} ${SERVERNAME} \
1435 if ! [ -f ${Y}.gz ]; then
1439 if [ `gunzip -c < ${Y}.gz |
1440 ${SHA256} -q` = ${Y} ]; then
1441 mv ${Y}.gz files/${Y}.gz
1443 echo "${Y} has incorrect hash."
1451 rm files.wanted filelist patchlist
1454 # Create and populate install manifest directory; and report what updates
1456 fetch_create_manifest () {
1457 # If we have an existing install manifest, nuke it.
1458 if [ -L "${BDHASH}-install" ]; then
1459 rm -r ${BDHASH}-install/
1460 rm ${BDHASH}-install
1463 # Report to the user if any updates were avoided due to local changes
1464 if [ -s modifiedfiles ]; then
1466 echo -n "The following files are affected by updates, "
1467 echo "but no changes have"
1468 echo -n "been downloaded because the files have been "
1469 echo "modified locally:"
1474 # If no files will be updated, tell the user and exit
1475 if ! [ -s INDEX-PRESENT ] &&
1476 ! [ -s INDEX-NEW ]; then
1477 rm INDEX-PRESENT INDEX-NEW
1479 echo -n "No updates needed to update system to "
1480 echo "${RELNUM}-p${RELPATCHNUM}."
1484 # Divide files into (a) removed files, (b) added files, and
1485 # (c) updated files.
1486 cut -f 1 -d '|' < INDEX-PRESENT |
1487 sort > INDEX-PRESENT.flist
1488 cut -f 1 -d '|' < INDEX-NEW |
1489 sort > INDEX-NEW.flist
1490 comm -23 INDEX-PRESENT.flist INDEX-NEW.flist > files.removed
1491 comm -13 INDEX-PRESENT.flist INDEX-NEW.flist > files.added
1492 comm -12 INDEX-PRESENT.flist INDEX-NEW.flist > files.updated
1493 rm INDEX-PRESENT.flist INDEX-NEW.flist
1495 # Report removed files, if any
1496 if [ -s files.removed ]; then
1498 echo -n "The following files will be removed "
1499 echo "as part of updating to ${RELNUM}-p${RELPATCHNUM}:"
1504 # Report added files, if any
1505 if [ -s files.added ]; then
1507 echo -n "The following files will be added "
1508 echo "as part of updating to ${RELNUM}-p${RELPATCHNUM}:"
1513 # Report updated files, if any
1514 if [ -s files.updated ]; then
1516 echo -n "The following files will be updated "
1517 echo "as part of updating to ${RELNUM}-p${RELPATCHNUM}:"
1523 # Create a directory for the install manifest.
1524 MDIR=`mktemp -d install.XXXXXX` || return 1
1527 mv INDEX-PRESENT ${MDIR}/INDEX-OLD
1528 mv INDEX-NEW ${MDIR}/INDEX-NEW
1530 # Link it into place
1531 ln -s ${MDIR} ${BDHASH}-install
1534 # Warn about any upcoming EoL
1536 # What's the current time?
1537 NOWTIME=`date "+%s"`
1539 # When did we last warn about the EoL date?
1540 if [ -f lasteolwarn ]; then
1541 LASTWARN=`cat lasteolwarn`
1543 LASTWARN=`expr ${NOWTIME} - 63072000`
1546 # If the EoL time is past, warn.
1547 if [ ${EOLTIME} -lt ${NOWTIME} ]; then
1550 WARNING: `uname -sr` HAS PASSED ITS END-OF-LIFE DATE.
1551 Any security issues discovered after `date -r ${EOLTIME}`
1552 will not have been corrected.
1557 # Figure out how long it has been since we last warned about the
1558 # upcoming EoL, and how much longer we have left.
1559 SINCEWARN=`expr ${NOWTIME} - ${LASTWARN}`
1560 TIMELEFT=`expr ${EOLTIME} - ${NOWTIME}`
1562 # Don't warn if the EoL is more than 6 months away
1563 if [ ${TIMELEFT} -gt 15768000 ]; then
1567 # Don't warn if the time remaining is more than 3 times the time
1568 # since the last warning.
1569 if [ ${TIMELEFT} -gt `expr ${SINCEWARN} \* 3` ]; then
1573 # Figure out what time units to use.
1574 if [ ${TIMELEFT} -lt 604800 ]; then
1577 elif [ ${TIMELEFT} -lt 2678400 ]; then
1585 # Compute the right number of units
1586 NUM=`expr ${TIMELEFT} / ${SIZE}`
1587 if [ ${NUM} != 1 ]; then
1594 WARNING: `uname -sr` is approaching its End-of-Life date.
1595 It is strongly recommended that you upgrade to a newer
1596 release within the next ${NUM} ${UNIT}.
1599 # Update the stored time of last warning
1600 echo ${NOWTIME} > lasteolwarn
1603 # Do the actual work involved in "fetch" / "cron".
1605 workdir_init || return 1
1607 # Prepare the mirror list.
1608 fetch_pick_server_init && fetch_pick_server
1610 # Try to fetch the public key until we run out of servers.
1611 while ! fetch_key; do
1612 fetch_pick_server || return 1
1615 # Try to fetch the metadata index signature ("tag") until we run
1616 # out of available servers; and sanity check the downloaded tag.
1617 while ! fetch_tag; do
1618 fetch_pick_server || return 1
1620 fetch_tagsanity || return 1
1622 # Fetch the latest INDEX-NEW and INDEX-OLD files.
1623 fetch_metadata INDEX-NEW INDEX-OLD || return 1
1625 # Generate filtered INDEX-NEW and INDEX-OLD files containing only
1626 # the lines which (a) belong to components we care about, and (b)
1627 # don't correspond to paths we're explicitly ignoring.
1628 fetch_filter_metadata INDEX-NEW || return 1
1629 fetch_filter_metadata INDEX-OLD || return 1
1631 # Translate /boot/`uname -i` into ${KERNELDIR}
1632 fetch_filter_kernel_names INDEX-NEW
1633 fetch_filter_kernel_names INDEX-OLD
1635 # For all paths appearing in INDEX-OLD or INDEX-NEW, inspect the
1636 # system and generate an INDEX-PRESENT file.
1637 fetch_inspect_system INDEX-OLD INDEX-PRESENT INDEX-NEW || return 1
1639 # Based on ${UPDATEIFUNMODIFIED}, remove lines from INDEX-* which
1640 # correspond to lines in INDEX-PRESENT with hashes not appearing
1641 # in INDEX-OLD or INDEX-NEW. Also remove lines where the entry in
1642 # INDEX-PRESENT has type - and there isn't a corresponding entry in
1643 # INDEX-OLD with type -.
1644 fetch_filter_unmodified_notpresent INDEX-OLD INDEX-PRESENT INDEX-NEW
1646 # For each entry in INDEX-PRESENT of type -, remove any corresponding
1647 # entry from INDEX-NEW if ${ALLOWADD} != "yes". Remove all entries
1648 # of type - from INDEX-PRESENT.
1649 fetch_filter_allowadd INDEX-PRESENT INDEX-NEW
1651 # If ${ALLOWDELETE} != "yes", then remove any entries from
1652 # INDEX-PRESENT which don't correspond to entries in INDEX-NEW.
1653 fetch_filter_allowdelete INDEX-PRESENT INDEX-NEW
1655 # If ${KEEPMODIFIEDMETADATA} == "yes", then for each entry in
1656 # INDEX-PRESENT with metadata not matching any entry in INDEX-OLD,
1657 # replace the corresponding line of INDEX-NEW with one having the
1658 # same metadata as the entry in INDEX-PRESENT.
1659 fetch_filter_modified_metadata INDEX-OLD INDEX-PRESENT INDEX-NEW
1661 # Remove lines from INDEX-PRESENT and INDEX-NEW which are identical;
1662 # no need to update a file if it isn't changing.
1663 fetch_filter_uptodate INDEX-PRESENT INDEX-NEW
1665 # Prepare to fetch files: Generate a list of the files we need,
1666 # copy the unmodified files we have into /files/, and generate
1667 # a list of patches to download.
1668 fetch_files_prepare INDEX-OLD INDEX-PRESENT INDEX-NEW
1671 fetch_files || return 1
1673 # Create and populate install manifest directory; and report what
1674 # updates are available.
1675 fetch_create_manifest || return 1
1677 # Warn about any upcoming EoL
1678 fetch_warn_eol || return 1
1681 # Make sure that all the file hashes mentioned in $@ have corresponding
1682 # gzipped files stored in /files/.
1684 # Generate a list of hashes
1691 # Make sure all the hashes exist
1693 if ! [ -f files/${HASH}.gz ]; then
1694 echo -n "Update files missing -- "
1695 echo "this should never happen."
1696 echo "Re-run '$0 fetch'."
1705 # Remove the system immutable flag from files
1707 # Generate file list
1709 cut -f 1 -d '|' > filelist
1713 if ! [ -e ${F} ]; then
1717 chflags noschg ${F} || return 1
1725 install_from_index () {
1726 # First pass: Do everything apart from setting file flags. We
1727 # can't set flags yet, because schg inhibits hard linking.
1728 sort -k 1,1 -t '|' $1 |
1730 while read FPATH TYPE OWNER GROUP PERM FLAGS HASH LINK; do
1733 # Create a directory
1734 install -d -o ${OWNER} -g ${GROUP} \
1735 -m ${PERM} ${BASEDIR}/${FPATH}
1738 if [ -z "${LINK}" ]; then
1739 # Create a file, without setting flags.
1740 gunzip < files/${HASH}.gz > ${HASH}
1741 install -S -o ${OWNER} -g ${GROUP} \
1742 -m ${PERM} ${HASH} ${BASEDIR}/${FPATH}
1745 # Create a hard link.
1746 ln -f ${LINK} ${BASEDIR}/${FPATH}
1751 ln -sfh ${HASH} ${BASEDIR}/${FPATH}
1756 # Perform a second pass, adding file flags.
1758 while read FPATH TYPE OWNER GROUP PERM FLAGS HASH LINK; do
1759 if [ ${TYPE} = "f" ] &&
1760 ! [ ${FLAGS} = "0" ]; then
1761 chflags ${FLAGS} ${BASEDIR}/${FPATH}
1766 # Remove files which we want to delete
1768 # Generate list of new files
1769 cut -f 1 -d '|' < $2 |
1772 # Generate subindex of old files we want to nuke
1773 sort -k 1,1 -t '|' $1 |
1774 join -t '|' -v 1 - newfiles |
1775 sort -r -k 1,1 -t '|' |
1777 tr '|' ' ' > killfiles
1779 # Remove the offending bits
1780 while read FPATH TYPE; do
1783 rmdir ${BASEDIR}/${FPATH}
1786 rm ${BASEDIR}/${FPATH}
1789 rm ${BASEDIR}/${FPATH}
1795 rm newfiles killfiles
1798 # Update linker.hints if anything in /boot/ was touched
1799 install_kldxref () {
1801 grep -qE '^/boot/'; then
1806 # Rearrange bits to allow the installed updates to be rolled back
1807 install_setup_rollback () {
1808 if [ -L ${BDHASH}-rollback ]; then
1809 mv ${BDHASH}-rollback ${BDHASH}-install/rollback
1812 mv ${BDHASH}-install ${BDHASH}-rollback
1815 # Actually install updates
1817 echo -n "Installing updates..."
1819 # Make sure we have all the files we should have
1820 install_verify ${BDHASH}-install/INDEX-OLD \
1821 ${BDHASH}-install/INDEX-NEW || return 1
1823 # Remove system immutable flag from files
1824 install_unschg ${BDHASH}-install/INDEX-OLD \
1825 ${BDHASH}-install/INDEX-NEW || return 1
1828 install_from_index \
1829 ${BDHASH}-install/INDEX-NEW || return 1
1831 # Remove files which we want to delete
1832 install_delete ${BDHASH}-install/INDEX-OLD \
1833 ${BDHASH}-install/INDEX-NEW || return 1
1835 # Update linker.hints if anything in /boot/ was touched
1836 install_kldxref ${BDHASH}-install/INDEX-OLD \
1837 ${BDHASH}-install/INDEX-NEW
1839 # Rearrange bits to allow the installed updates to be rolled back
1840 install_setup_rollback
1845 # Rearrange bits to allow the previous set of updates to be rolled back next.
1846 rollback_setup_rollback () {
1847 if [ -L ${BDHASH}-rollback/rollback ]; then
1848 mv ${BDHASH}-rollback/rollback rollback-tmp
1849 rm -r ${BDHASH}-rollback/
1850 rm ${BDHASH}-rollback
1851 mv rollback-tmp ${BDHASH}-rollback
1853 rm -r ${BDHASH}-rollback/
1854 rm ${BDHASH}-rollback
1858 # Actually rollback updates
1860 echo -n "Uninstalling updates..."
1862 # If there are updates waiting to be installed, remove them; we
1863 # want the user to re-run 'fetch' after rolling back updates.
1864 if [ -L ${BDHASH}-install ]; then
1865 rm -r ${BDHASH}-install/
1866 rm ${BDHASH}-install
1869 # Make sure we have all the files we should have
1870 install_verify ${BDHASH}-rollback/INDEX-NEW \
1871 ${BDHASH}-rollback/INDEX-OLD || return 1
1873 # Remove system immutable flag from files
1874 install_unschg ${BDHASH}-rollback/INDEX-NEW \
1875 ${BDHASH}-rollback/INDEX-OLD || return 1
1878 install_from_index \
1879 ${BDHASH}-rollback/INDEX-OLD || return 1
1881 # Remove files which we want to delete
1882 install_delete ${BDHASH}-rollback/INDEX-NEW \
1883 ${BDHASH}-rollback/INDEX-OLD || return 1
1885 # Update linker.hints if anything in /boot/ was touched
1886 install_kldxref ${BDHASH}-rollback/INDEX-NEW \
1887 ${BDHASH}-rollback/INDEX-OLD
1889 # Remove the rollback directory and the symlink pointing to it; and
1890 # rearrange bits to allow the previous set of updates to be rolled
1892 rollback_setup_rollback
1897 #### Main functions -- call parameter-handling and core functions
1899 # Using the command line, configuration file, and defaults,
1900 # set all the parameters which are needed later.
1908 # Fetch command. Make sure that we're being called
1909 # interactively, then run fetch_check_params and fetch_run
1912 echo -n "`basename $0` fetch should not "
1913 echo "be run non-interactively."
1914 echo "Run `basename $0` cron instead."
1921 # Cron command. Make sure the parameters are sensible; wait
1922 # rand(3600) seconds; then fetch updates. While fetching updates,
1923 # send output to a temporary file; only print that file if the
1927 sleep `jot -r 1 0 3600`
1929 TMPFILE=`mktemp /tmp/freebsd-update.XXXXXX` || exit 1
1930 if ! fetch_run >> ${TMPFILE} ||
1931 ! grep -q "No updates needed" ${TMPFILE} ||
1932 [ ${VERBOSELEVEL} = "debug" ]; then
1933 mail -s "`hostname` security updates" ${MAILTO} < ${TMPFILE}
1939 # Install downloaded updates.
1941 install_check_params
1942 install_run || exit 1
1945 # Rollback most recently installed updates.
1947 rollback_check_params
1948 rollback_run || exit 1
1953 # Make sure we find utilities from the base system
1954 export PATH=/sbin:/bin:/usr/sbin:/usr/bin:${PATH}
1956 # Set LC_ALL in order to avoid problems with character ranges like [A-Z].
1960 for COMMAND in ${COMMANDS}; do