384 lines
11 KiB
Plaintext
384 lines
11 KiB
Plaintext
|
#!/bin/sh
|
||
|
#
|
||
|
# Copyright (c) 2013 - 2017 M:tier Ltd.
|
||
|
#
|
||
|
# Permission to use, copy, modify, and distribute this software for any
|
||
|
# purpose with or without fee is hereby granted, provided that the above
|
||
|
# copyright notice and this permission notice appear in all copies.
|
||
|
#
|
||
|
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||
|
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||
|
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||
|
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||
|
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||
|
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||
|
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||
|
#
|
||
|
# Author: Antoine Jacoutot <antoine@mtier.org>
|
||
|
# Maintainer: M:Tier Ltd. <info@mtier.org>
|
||
|
|
||
|
# ChangeLog
|
||
|
# https://gitlab.com/mtier/openup/commits/master
|
||
|
|
||
|
########################################################################
|
||
|
### DO NOT EDIT THIS FILE!!! ###
|
||
|
### User defined variables: overrides are read from /etc/openup.conf ###
|
||
|
########################################################################
|
||
|
|
||
|
# URL to the latest openup version
|
||
|
OPENUP_URL="https://stable.mtier.org/openup"
|
||
|
|
||
|
# signify(1) public key
|
||
|
PKG_PUBKEY_URL="https://stable.mtier.org/mtier-$(uname -r | tr -d '.')-pkg.pub"
|
||
|
|
||
|
# PKG_PATH for currently running OpenBSD release
|
||
|
PKG_PATH_MAIN="https://ftp.fr.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(arch -s)"
|
||
|
|
||
|
# ERRATA_PATH
|
||
|
ERRATA_PATH="https://ftp.fr.openbsd.org/pub/OpenBSD/patches/$(uname -r)/common"
|
||
|
|
||
|
# PKG_PATH for the corresponding release stable service
|
||
|
PKG_PATH_UPDATE="https://stable.mtier.org/updates/$(uname -r)/$(arch -s)"
|
||
|
|
||
|
# PKG_PATH addition for the corresponding LTS release stable service
|
||
|
#PKG_PATH_UPDATE_LTS="https://user%domain.tld:password@stable.mtier.org/updates-lts/$(uname -r)/$(arch -s)"
|
||
|
|
||
|
# URL to the latest vuxml (vulnerabilities database)
|
||
|
VUXML_URL="https://stable.mtier.org/vuxml/$(uname -r | tr -d '.').xml"
|
||
|
|
||
|
# fetch command (must behave like "ftp -o"); e.g. "wget -qO"
|
||
|
FETCH="ftp -MVo"
|
||
|
|
||
|
# exclusion list: pkg names without version/flavor, separated by space
|
||
|
EXCLUDE_PKG=""
|
||
|
|
||
|
########################################################################
|
||
|
### End of user defined variables ###
|
||
|
########################################################################
|
||
|
|
||
|
usage() {
|
||
|
echo
|
||
|
echo "Usage: ${0##*/} [-K][-Se|c]" >&2
|
||
|
echo
|
||
|
echo "Options:"
|
||
|
echo " -K do not check for kernel binpatches (when running non GENERIC)"
|
||
|
echo " -N do not check for syspatches"
|
||
|
echo " -S ignore binpatch/package signatures"
|
||
|
echo " -c check/cron mode, report only (cannot be used with -S)"
|
||
|
echo " -e echo the PKG_PATH that ${0##*/} would use"
|
||
|
echo
|
||
|
exit 1
|
||
|
}
|
||
|
|
||
|
pr_err() {
|
||
|
echo "!!! ${@}"
|
||
|
}
|
||
|
|
||
|
bye_bye() {
|
||
|
rm -rf ${_TMPDIR} ${_PID}
|
||
|
exit 1
|
||
|
}
|
||
|
|
||
|
pr() {
|
||
|
if [ -z "${checkrun}" ]; then
|
||
|
echo "===> ${@}"
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
get_key() {
|
||
|
[ -r /etc/signify/mtier-${_REL_INT}-pkg.pub ] && return
|
||
|
|
||
|
pr "Downloading and installing public key"
|
||
|
${FETCH} ${_TMPKEY} ${PKG_PUBKEY_URL} || bye_bye
|
||
|
install -m0644 ${_TMPKEY} /etc/signify/mtier-${_REL_INT}-pkg.pub || bye_bye
|
||
|
}
|
||
|
|
||
|
show_env() {
|
||
|
echo PKG_PATH=${PKG_PATH_UPDATE_LTS}:${PKG_PATH_UPDATE}:${PKG_PATH_MAIN}
|
||
|
exit 0
|
||
|
}
|
||
|
|
||
|
check_openupd() {
|
||
|
local _U
|
||
|
|
||
|
pr "Checking for openup update"
|
||
|
_U="${FETCH} - ${OPENUP_URL} | awk -F '=' '/^_OPENUP_VERSION/ { print \$2 }'"
|
||
|
_U=$(eval $_U)
|
||
|
if [ -z "${_U}" ]; then
|
||
|
pr_err "Cannot retrieve ${OPENUP_URL}"
|
||
|
pr_err "Please verify your Internet connection, proxy settings and firewall."
|
||
|
bye_bye
|
||
|
fi
|
||
|
|
||
|
if [ "${_OPENUP_VERSION}" -lt "${_U}" ]; then
|
||
|
pr_err "New openup release (version ${_U}) available; please update with:"
|
||
|
pr_err "${FETCH} $(readlink -f $0) ${OPENUP_URL}"
|
||
|
bye_bye
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
# check that we have no installed binpatches from a previous release and
|
||
|
# if so remove the entries manually (we don't want pkg_delete to
|
||
|
# modify nor error out on installed files from newer release/binpatch)
|
||
|
rm_old_bp() {
|
||
|
local _bp
|
||
|
local _BPDB=$(ls -d /var/db/binpatch/{binpatch-,}[0-9]* 2>/dev/null |grep -v ${_REL})
|
||
|
local _BPPKG=$(ls -d /var/db/pkg/binpatch* 2>/dev/null |grep -v binpatch${_REL_INT})
|
||
|
if [ -n "${_BPPKG}" -o -n "${_BPDB}" ]; then
|
||
|
pr "Removing old release binpatch entries"
|
||
|
fi
|
||
|
for _bp in ${_BPPKG} ${_BPDB}; do
|
||
|
rm -rf ${_bp}
|
||
|
done
|
||
|
}
|
||
|
|
||
|
update_syspatches() {
|
||
|
pr "Installing/updating syspatches"
|
||
|
syspatch
|
||
|
if [ $? -gt 0 ]; then
|
||
|
pr_err "syspatch failed; please run syspatch manually"
|
||
|
bye_bye
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
update_binpatches() {
|
||
|
local _BP _b _e
|
||
|
|
||
|
# binpatches can only be found in PKG_PATH_UPDATE{,_LTS) and we
|
||
|
# want to make sure we search in all paths and don't stop at the
|
||
|
# first match we find
|
||
|
for i in ${PKG_PATH_UPDATE_LTS} ${PKG_PATH_UPDATE}; do
|
||
|
_BP="$(pkg_info -Q binpatch${_REL_INT}-${_ARCH} | sed 's/.[^-]*$//' | sort -u)${_BP:+ ${_BP}}"
|
||
|
done
|
||
|
|
||
|
if [ -n "${_BP}" ]; then
|
||
|
for _e in ${EXCLUDE_PKG}; do
|
||
|
set -A _BP -- ${_BP}
|
||
|
_BP="$(for _b in ${_BP[@]}; do echo ${_b} | grep -v "^${_e}$"; done)"
|
||
|
done
|
||
|
_BP=$(echo "${_BP}" | tr '\n' ' ')
|
||
|
|
||
|
pr "Installing/updating binpatch(es)"
|
||
|
pkg_add ${pkgopt} ${_BP} || bye_bye
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
update_pkg() {
|
||
|
local _PKG _e _p
|
||
|
|
||
|
_PKG=$(pkg_info -q | grep -v binpatch${_REL_INT}-${_ARCH})
|
||
|
|
||
|
if [ -n "${_PKG}" ]; then
|
||
|
for _e in ${EXCLUDE_PKG}; do
|
||
|
set -A _PKG -- ${_PKG}
|
||
|
_PKG="$(for _p in ${_PKG[@]}; do echo ${_p} | grep -v "^${_e}-.*"; done)"
|
||
|
done
|
||
|
_PKG=$(echo "${_PKG}" | tr '\n' ' ')
|
||
|
|
||
|
pr "Updating package(s)"
|
||
|
pkg_add -quz ${pkgopt} ${_PKG} || bye_bye
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
# this only outputs the missing syspatches on the system
|
||
|
check_syspatches() {
|
||
|
_SYSPATCHES=$(syspatch -c)
|
||
|
for _p in ${_SYSPATCHES}; do
|
||
|
${FETCH} ${_TMPERRATA} ${ERRATA_PATH}/${_p}.patch.sig
|
||
|
[ -e ${_TMPERRATA} ] || continue
|
||
|
echo "--- ${_p} ---"
|
||
|
echo -n "Available errata: "
|
||
|
awk '/OpenBSD/{f=1;next} /Apply/{f=0;next} f' ${_TMPERRATA} | grep -ve '^$'
|
||
|
done
|
||
|
}
|
||
|
|
||
|
# this only outputs the most recent vulnerability for each matching pkg
|
||
|
check_vuxml() {
|
||
|
local _BP_MATCH _OUTDATED _PKG_MATCH _b _e _p
|
||
|
|
||
|
${FETCH} ${_TMPVUXML} ${VUXML_URL} || bye_bye
|
||
|
perl -pi -e 's,\$ARCH,'"${_ARCH}"',g' ${_TMPVUXML}
|
||
|
|
||
|
if [ "${_REL_INT}" -lt 61 ]; then
|
||
|
_BP_MATCH="$(grep binpatch ${_TMPVUXML} | sed -e 's,<name>,,g;s,</name>,,g;s,\$ARCH,'"${_ARCH}"',g' | sort -u)"
|
||
|
for _e in ${EXCLUDE_PKG}; do
|
||
|
set -A _BP_MATCH -- ${_BP_MATCH}
|
||
|
_BP_MATCH="$(for _b in ${_BP_MATCH[@]}; do echo ${_b} | grep -v "^${_e}$"; done)"
|
||
|
done
|
||
|
fi
|
||
|
|
||
|
_PKG_MATCH=$(pkg_info -q | grep -v binpatch${_REL_INT}-${_ARCH})
|
||
|
|
||
|
for _e in ${EXCLUDE_PKG}; do
|
||
|
set -A _PKG_MATCH -- ${_PKG_MATCH}
|
||
|
_PKG_MATCH="$(for _p in ${_PKG_MATCH[@]}; do echo ${_p} | grep -v "^${_e}-.*"; done)"
|
||
|
done
|
||
|
|
||
|
if [ "${_REL_INT}" -lt 61 ]; then
|
||
|
# set to "quirks" if empty to prevent running pkg_add against an empty pkg list
|
||
|
_OUTDATED=$((pkg_add -Iqn -Dnosig -Dunsigned ${_BP_MATCH:=quirks}; pkg_add -Iqnuz -Dnosig -Dunsigned ${_PKG_MATCH:=quirks}) 2>&1 | \
|
||
|
grep '^NOT CHECKING DIGITAL SIGNATURE FOR ' | \
|
||
|
sed -e 's,^NOT CHECKING DIGITAL SIGNATURE FOR ,,g' | \
|
||
|
grep -v '^quirks-' | \
|
||
|
perl -ne '/^(.*)-(\d[^-]*)[-]?(\w*)(.*)$/ && print "$1\n"' | \
|
||
|
sort -u)
|
||
|
else
|
||
|
# set to "quirks" if empty to prevent running pkg_add against an empty pkg list
|
||
|
_OUTDATED=$((pkg_add -Inuvz -Dnosig -Dunsigned ${_PKG_MATCH:=quirks}) 2>&1 | \
|
||
|
grep '^Adding.*(pretending)' | sort -u | sed -e 's,Adding ,,;s,(pretending),,;s,->.*,,' | \
|
||
|
grep -v '^quirks-' | \
|
||
|
perl -ne '/^(.*)-(\d[^-]*)[-]?(\w*)(.*)$/ && print "$1\n"' | \
|
||
|
sort -u)
|
||
|
fi
|
||
|
|
||
|
for p in ${_OUTDATED}
|
||
|
do
|
||
|
echo "--- ${p} ---\n"
|
||
|
echo "Available update(s): "
|
||
|
# XXX how do we print only the 1st matching range in awk?
|
||
|
awk "/<name>${p}<\/name>/,/<\/vuln>/" ${_TMPVUXML} | \
|
||
|
sed '/<\/vuln>/,$d' | \
|
||
|
sed -n -e 's/.*<range><lt>\(.*\)<\/lt><\/range>.*/\1/p' \
|
||
|
-e 's/.*<p>\(.*\)<\/p>.*/\1/p' | uniq | \
|
||
|
while read l; do echo -n "${l} "; done
|
||
|
echo "\n"
|
||
|
done | fmt | sed '/^$/d'
|
||
|
}
|
||
|
|
||
|
do_i_need_to_reboot() {
|
||
|
# XXX hardcoded PKG_DBDIR
|
||
|
local osversion=$(sysctl -n kern.osversion)
|
||
|
local kern_version=$(sysctl -n kern.version | head -1)
|
||
|
local booted_version=$(what -s /bsd | tail -1 | tr -d '\t')
|
||
|
local booted_time=$(sysctl -n kern.boottime)
|
||
|
local kern_time=$(stat -qf "%Um" /bsd)
|
||
|
local warn=0
|
||
|
|
||
|
# Check /bsd.booted first if available due to kernel relinking
|
||
|
if [ -e /bsd.booted ]; then
|
||
|
[ X"${kern_version}" != X"${booted_version}" ] && warn=1
|
||
|
else
|
||
|
[ "${booted_time}" -lt "${kern_time}" ] && warn=1
|
||
|
fi
|
||
|
|
||
|
if [ ${warn} -gt 0 ]; then
|
||
|
pr_err
|
||
|
pr_err "System must be rebooted after the last kernel update"
|
||
|
pr_err
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
patch_syspatch() {
|
||
|
pr_err
|
||
|
pr_err "Patching syspatch(8) to use syspatches signed by MTier."
|
||
|
pr_err
|
||
|
cp /usr/sbin/syspatch /usr/sbin/syspatch.pre-mtier
|
||
|
sed -i \
|
||
|
"s,openbsd-\${_OSrev}-syspatch.pub,mtier-\${_OSrev}-pkg.pub,g; \
|
||
|
s,/etc/installurl,/etc/installurl-mtier,g" \
|
||
|
/usr/sbin/syspatch
|
||
|
[ -e /etc/installurl-mtier ] || echo https://stable.mtier.org > /etc/installurl-mtier
|
||
|
}
|
||
|
|
||
|
trap "bye_bye" 1 2 3 13 15
|
||
|
|
||
|
if [ -f /etc/openup.conf ]; then
|
||
|
if [ $(stat -f "%SMp%SLp" /etc/openup.conf) != "------" ]; then
|
||
|
pr_err "Unsecure permissions on /etc/openup.conf; please run:"
|
||
|
pr_err "chmod 0600 /etc/openup.conf"
|
||
|
exit 1
|
||
|
fi
|
||
|
. /etc/openup.conf
|
||
|
fi
|
||
|
|
||
|
# regex taken from fw_update(1)
|
||
|
set -A _REL -- $(sysctl -n kern.version | sed 's/^OpenBSD \([0-9]\.[0-9]\)\([^ ]*\).*/\1 \2/;q')
|
||
|
_REL_INT="$(echo ${_REL[0]} | tr -d '.')"
|
||
|
_OPENUP_MINREL=60
|
||
|
_OPENUP_VERSION=33
|
||
|
if [ -n "${_REL[1]}" -a "${_REL[1]}" != "-stable" ]; then _badrel=1; fi
|
||
|
if [ "${_REL_INT}" -lt "${_OPENUP_MINREL}" ]; then _badrel=1; fi
|
||
|
if [ -n "${_badrel}" ]; then
|
||
|
pr_err "${_REL[0]}${_REL[1]} is not a supported release"
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
while getopts 'KNSce' arg; do
|
||
|
case ${arg} in
|
||
|
K) if [ "${_REL_INT}" -lt 61 ]; then nokrn=1; fi ;;
|
||
|
N) nosyspatch=1 ;;
|
||
|
S) nosig=1; pkgopt="${pkgopt} -Dnosig -Dunsigned" ;;
|
||
|
c) checkrun=1 ;;
|
||
|
e) showenv=1 ;;
|
||
|
*) usage ;;
|
||
|
esac
|
||
|
done
|
||
|
[ $# = $(($OPTIND-1)) ] || usage
|
||
|
|
||
|
[ -n "${showenv}" ] && show_env
|
||
|
|
||
|
if [ "$(id -u)" -ne 0 ]; then
|
||
|
pr_err "Need root privileges to run this script"
|
||
|
usage
|
||
|
fi
|
||
|
|
||
|
[ -n "${checkrun}" -a -n "${nosig}" -a -n "${showenv}" ] && usage
|
||
|
|
||
|
_ARCH=$(arch -s)
|
||
|
_PID="/var/run/${0##*/}.pid"
|
||
|
_TMP="${TMPDIR:=/tmp}"
|
||
|
_TMPDIR=$(mktemp -dp ${_TMP} .openup-XXXXXXXXXX) || exit 1
|
||
|
_TMPKEY="${_TMPDIR}/key"
|
||
|
_TMPVUXML="${_TMPDIR}/vuxml"
|
||
|
_TMPERRATA="${_TMPDIR}/errata"
|
||
|
|
||
|
export PKG_PATH=${PKG_PATH_UPDATE_LTS}:${PKG_PATH_UPDATE}:${PKG_PATH_MAIN}
|
||
|
|
||
|
if [ -f ${_PID} ]; then
|
||
|
pr_err "openup is already running ($(cat ${_PID})):"
|
||
|
pr_err "${_PID}"
|
||
|
exit 1
|
||
|
fi
|
||
|
echo $$ >${_PID}
|
||
|
|
||
|
if [ -n "${nokrn}" ]; then
|
||
|
EXCLUDE_PKG="binpatch${_REL_INT}-${_ARCH}-kernel ${EXCLUDE_PKG}"
|
||
|
fi
|
||
|
if [ -n "${EXCLUDE_PKG}" ]; then
|
||
|
pr "Excluded package(s)/binpatch(es): ${EXCLUDE_PKG}"
|
||
|
fi
|
||
|
|
||
|
check_openupd
|
||
|
|
||
|
if [ -z "${nosyspatch}" -a -e /usr/sbin/syspatch ]; then
|
||
|
_sum=$(sha256 -q /usr/sbin/syspatch)
|
||
|
case "${_sum}"
|
||
|
in
|
||
|
# 6.1 syspatch
|
||
|
b8b9c4bec128884498b5c3e77a350f42079f7987ef862a1ec452f489403dfbe6)
|
||
|
patch_syspatch
|
||
|
;;
|
||
|
esac
|
||
|
fi
|
||
|
|
||
|
if [ "${checkrun}" ]; then
|
||
|
if [ "${_REL_INT}" -ge 61 -a -z "${nosyspatch}" ]; then
|
||
|
check_syspatches
|
||
|
fi
|
||
|
check_vuxml
|
||
|
else
|
||
|
[ -z "${nosig}" ] && get_key
|
||
|
rm_old_bp
|
||
|
if [ "${_REL_INT}" -lt 61 -a -z "${nosyspatch}" ]; then
|
||
|
update_binpatches
|
||
|
else
|
||
|
[ -z "${nosyspatch}" ] && update_syspatches
|
||
|
fi
|
||
|
update_pkg
|
||
|
fi
|
||
|
|
||
|
do_i_need_to_reboot
|
||
|
|
||
|
rm -rf ${_TMPDIR}
|
||
|
rm ${_PID}
|