Index: stable/11/etc/mtree/BSD.usr.dist =================================================================== --- stable/11/etc/mtree/BSD.usr.dist (revision 357081) +++ stable/11/etc/mtree/BSD.usr.dist (revision 357082) @@ -1,1502 +1,1508 @@ # $FreeBSD$ # # Please see the file src/etc/mtree/README before making changes to this file. # /set type=dir uname=root gname=wheel mode=0755 . bin .. include private bsdstat .. ucl .. .. .. lib aout .. clang 8.0.1 include sanitizer .. .. lib freebsd .. .. .. .. compat aout .. .. dtrace .. engines .. i18n .. libxo encoder .. .. .. libdata gcc .. ldscripts .. lint .. pkgconfig .. .. libexec bsdconfig 020.docsinstall include .. .. 030.packages include .. .. 040.password include .. .. 050.diskmgmt include .. .. 070.usermgmt include .. .. 080.console include .. .. 090.timezone include .. .. 110.mouse include .. .. 120.networking include .. .. 130.security include .. .. 140.startup include .. .. 150.ttys include .. .. dot include .. .. include .. includes include .. .. .. bsdinstall .. dwatch .. hyperv .. lpr ru .. .. sendmail .. sm.bin .. .. local .. obj nochange .. sbin .. share atf .. bsdconfig media .. networking .. packages .. password .. startup .. timezone .. usermgmt .. .. calendar de_AT.ISO_8859-15 .. de_DE.ISO8859-1 .. fr_FR.ISO8859-1 .. hr_HR.ISO8859-2 .. hu_HU.ISO8859-2 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. uk_UA.KOI8-U .. .. + certs + blacklisted + .. + trusted + .. + .. dict .. doc IPv6 .. atf .. atm .. legal .. llvm clang .. .. ncurses .. ntp drivers icons .. scripts .. .. hints .. icons .. pic .. scripts .. .. papers .. pjdfstest .. psd 01.cacm .. 02.implement .. 03.iosys .. 04.uprog .. 05.sysman .. 06.Clang .. 12.make .. 13.rcs .. 15.yacc .. 16.lex .. 17.m4 .. 18.gprof .. 20.ipctut .. 21.ipc .. 22.rpcgen .. 23.rpc .. 24.xdr .. 25.xdrrfc .. 26.rpcrfc .. 27.nfsrfc .. .. smm 01.setup .. 02.config .. 03.fsck .. 04.quotas .. 05.fastfs .. 06.nfs .. 07.lpd .. 08.sendmailop .. 11.timedop .. 12.timed .. 18.net .. .. usd 04.csh .. 05.dc .. 06.bc .. 07.mail .. 10.exref .. 11.edit .. 12.vi .. 13.viref .. 18.msdiffs .. 19.memacros .. 20.meref .. 21.troff .. 22.trofftut .. .. .. dtrace .. examples BSD_daemon .. FreeBSD_version .. IPv6 .. bhyve .. bootforth .. bsdconfig .. csh .. diskless .. dma .. drivers .. dwatch .. etc defaults .. .. find_interface .. hast .. hostapd .. ibcs2 .. indent .. ipfilter .. ipfw .. jails .. kld cdev module .. test .. .. dyn_sysctl .. firmware fwconsumer .. fwimage .. .. khelp .. syscall module .. test .. .. .. libusb20 .. libvgl .. mdoc .. netgraph .. pc-sysinstall .. perfmon .. pf .. ppi .. ppp .. printing .. scsi_target .. ses getencstat .. sesd .. setencstat .. setobjstat .. srcs .. .. smbfs print .. .. sunrpc dir .. msg .. sort .. .. tcsh .. uefisign .. ypldap .. .. firmware .. games fortune .. .. i18n csmapper APPLE .. AST .. BIG5 .. CNS .. CP .. EBCDIC .. GB .. GEORGIAN .. ISO-8859 .. ISO646 .. JIS .. KAZAKH .. KOI .. KS .. MISC .. TCVN .. .. esdb APPLE .. AST .. BIG5 .. CP .. DEC .. EBCDIC .. EUC .. GB .. GEORGIAN .. ISO-2022 .. ISO-8859 .. ISO646 .. KAZAKH .. KOI .. MISC .. TCVN .. UTF .. .. .. keys pkg revoked .. trusted .. .. .. locale af_ZA.ISO8859-1 .. af_ZA.ISO8859-15 .. af_ZA.UTF-8 .. ar_AE.UTF-8 .. ar_EG.UTF-8 .. ar_JO.UTF-8 .. ar_MA.UTF-8 .. ar_QA.UTF-8 .. ar_SA.UTF-8 .. am_ET.UTF-8 .. be_BY.CP1131 .. be_BY.CP1251 .. be_BY.ISO8859-5 .. be_BY.UTF-8 .. bg_BG.CP1251 .. bg_BG.UTF-8 .. ca_AD.ISO8859-1 .. ca_AD.ISO8859-15 .. ca_ES.ISO8859-1 .. ca_ES.ISO8859-15 .. ca_FR.ISO8859-1 .. ca_FR.ISO8859-15 .. ca_IT.ISO8859-1 .. ca_IT.ISO8859-15 .. ca_AD.UTF-8 .. ca_ES.UTF-8 .. ca_FR.UTF-8 .. ca_IT.UTF-8 .. cs_CZ.ISO8859-2 .. cs_CZ.UTF-8 .. da_DK.ISO8859-1 .. da_DK.ISO8859-15 .. da_DK.UTF-8 .. de_AT.ISO8859-1 .. de_AT.ISO8859-15 .. de_AT.UTF-8 .. de_CH.ISO8859-1 .. de_CH.ISO8859-15 .. de_CH.UTF-8 .. de_DE.ISO8859-1 .. de_DE.ISO8859-15 .. de_DE.UTF-8 .. el_GR.ISO8859-7 .. el_GR.UTF-8 .. en_AU.ISO8859-1 .. en_AU.ISO8859-15 .. en_AU.US-ASCII .. en_AU.UTF-8 .. en_CA.ISO8859-1 .. en_CA.ISO8859-15 .. en_CA.US-ASCII .. en_CA.UTF-8 .. en_GB.ISO8859-1 .. en_GB.ISO8859-15 .. en_GB.US-ASCII .. en_GB.UTF-8 .. en_HK.ISO8859-1 .. en_HK.UTF-8 .. en_IE.ISO8859-1 .. en_IE.ISO8859-15 .. en_IE.UTF-8 .. en_NZ.ISO8859-1 .. en_NZ.ISO8859-15 .. en_NZ.US-ASCII .. en_NZ.UTF-8 .. en_PH.UTF-8 .. en_SG.ISO8859-1 .. en_SG.UTF-8 .. en_US.ISO8859-1 .. en_US.ISO8859-15 .. en_US.US-ASCII .. en_US.UTF-8 .. en_ZA.ISO8859-1 .. en_ZA.ISO8859-15 .. en_ZA.US-ASCII .. en_ZA.UTF-8 .. es_AR.ISO8859-1 .. es_AR.UTF-8 .. es_CR.UTF-8 .. es_ES.ISO8859-1 .. es_ES.ISO8859-15 .. es_ES.UTF-8 .. es_MX.ISO8859-1 .. es_MX.UTF-8 .. et_EE.ISO8859-1 .. et_EE.ISO8859-15 .. et_EE.UTF-8 .. eu_ES.ISO8859-1 .. eu_ES.ISO8859-15 .. eu_ES.UTF-8 .. fi_FI.ISO8859-1 .. fi_FI.ISO8859-15 .. fi_FI.UTF-8 .. fr_BE.ISO8859-1 .. fr_BE.ISO8859-15 .. fr_BE.UTF-8 .. fr_CA.ISO8859-1 .. fr_CA.ISO8859-15 .. fr_CA.UTF-8 .. fr_CH.ISO8859-1 .. fr_CH.ISO8859-15 .. fr_CH.UTF-8 .. fr_FR.ISO8859-1 .. fr_FR.ISO8859-15 .. fr_FR.UTF-8 .. he_IL.UTF-8 .. hi_IN.ISCII-DEV .. hi_IN.UTF-8 .. hr_HR.ISO8859-2 .. hr_HR.UTF-8 .. hu_HU.ISO8859-2 .. hu_HU.UTF-8 .. hy_AM.ARMSCII-8 .. hy_AM.UTF-8 .. is_IS.ISO8859-1 .. is_IS.ISO8859-15 .. is_IS.UTF-8 .. it_CH.ISO8859-1 .. it_CH.ISO8859-15 .. it_CH.UTF-8 .. it_IT.ISO8859-1 .. it_IT.ISO8859-15 .. it_IT.UTF-8 .. ja_JP.SJIS .. ja_JP.UTF-8 .. ja_JP.eucJP .. kk_KZ.UTF-8 .. ko_KR.CP949 .. ko_KR.UTF-8 .. ko_KR.eucKR .. lt_LT.ISO8859-13 .. lt_LT.UTF-8 .. lv_LV.ISO8859-13 .. lv_LV.UTF-8 .. mn_MN.UTF-8 .. nb_NO.ISO8859-1 .. nb_NO.ISO8859-15 .. nb_NO.UTF-8 .. nl_BE.ISO8859-1 .. nl_BE.ISO8859-15 .. nl_BE.UTF-8 .. nl_NL.ISO8859-1 .. nl_NL.ISO8859-15 .. nl_NL.UTF-8 .. nn_NO.ISO8859-1 .. nn_NO.ISO8859-15 .. nn_NO.UTF-8 .. pl_PL.ISO8859-2 .. pl_PL.UTF-8 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. pt_PT.ISO8859-1 .. pt_PT.ISO8859-15 .. pt_PT.UTF-8 .. ro_RO.ISO8859-2 .. ro_RO.UTF-8 .. ru_RU.CP1251 .. ru_RU.CP866 .. ru_RU.ISO8859-5 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. se_FI.UTF-8 .. se_NO.UTF-8 .. sk_SK.ISO8859-2 .. sk_SK.UTF-8 .. sl_SI.ISO8859-2 .. sl_SI.UTF-8 .. sr_RS.ISO8859-5 .. sr_RS.UTF-8 .. sr_RS.ISO8859-2 .. sr_RS.UTF-8@latin .. sv_FI.ISO8859-1 .. sv_FI.ISO8859-15 .. sv_FI.UTF-8 .. sv_SE.ISO8859-1 .. sv_SE.ISO8859-15 .. sv_SE.UTF-8 .. tr_TR.ISO8859-9 .. tr_TR.UTF-8 .. uk_UA.CP1251 .. uk_UA.ISO8859-5 .. uk_UA.KOI8-U .. uk_UA.UTF-8 .. zh_CN.GB18030 .. zh_CN.GB2312 .. zh_CN.GBK .. zh_CN.eucCN .. zh_CN.UTF-8 .. zh_HK.UTF-8 .. zh_TW.Big5 .. zh_TW.UTF-8 .. .. man /set uname=man cat1 .. cat2 .. cat3 .. cat4 amd64 .. arm .. i386 .. powerpc .. sparc64 .. .. cat5 .. cat6 .. cat7 .. cat8 amd64 .. i386 .. powerpc .. sparc64 .. .. cat9 .. en.ISO8859-1 uname=root cat1 .. cat2 .. cat3 .. cat4 amd64 .. arm .. i386 .. powerpc .. sparc64 .. .. cat5 .. cat6 .. cat7 .. cat8 amd64 .. i386 .. powerpc .. sparc64 .. .. cat9 .. .. en.UTF-8 uname=root cat1 .. cat2 .. cat3 .. cat4 amd64 .. arm .. i386 .. powerpc .. sparc64 .. .. cat5 .. cat6 .. cat7 .. cat8 amd64 .. i386 .. powerpc .. sparc64 .. .. cat9 .. .. ja uname=root cat1 .. cat2 .. cat3 .. cat4 .. cat5 .. cat6 .. cat7 .. cat8 .. cat9 .. /set uname=root man1 .. man2 .. man3 .. man4 .. man5 .. man6 .. man7 .. man8 .. man9 .. .. man1 .. man2 .. man3 .. man4 amd64 .. arm .. i386 .. powerpc .. sparc64 .. .. man5 .. man6 .. man7 .. man8 amd64 .. i386 .. powerpc .. sparc64 .. .. man9 .. .. misc fonts .. .. mk .. nls C .. af_ZA.ISO8859-1 .. af_ZA.ISO8859-15 .. af_ZA.UTF-8 .. am_ET.UTF-8 .. be_BY.CP1131 .. be_BY.CP1251 .. be_BY.ISO8859-5 .. be_BY.UTF-8 .. bg_BG.CP1251 .. bg_BG.UTF-8 .. ca_ES.ISO8859-1 .. ca_ES.ISO8859-15 .. ca_ES.UTF-8 .. cs_CZ.ISO8859-2 .. cs_CZ.UTF-8 .. da_DK.ISO8859-1 .. da_DK.ISO8859-15 .. da_DK.UTF-8 .. de_AT.ISO8859-1 .. de_AT.ISO8859-15 .. de_AT.UTF-8 .. de_CH.ISO8859-1 .. de_CH.ISO8859-15 .. de_CH.UTF-8 .. de_DE.ISO8859-1 .. de_DE.ISO8859-15 .. de_DE.UTF-8 .. el_GR.ISO8859-7 .. el_GR.UTF-8 .. en_AU.ISO8859-1 .. en_AU.ISO8859-15 .. en_AU.US-ASCII .. en_AU.UTF-8 .. en_CA.ISO8859-1 .. en_CA.ISO8859-15 .. en_CA.US-ASCII .. en_CA.UTF-8 .. en_GB.ISO8859-1 .. en_GB.ISO8859-15 .. en_GB.US-ASCII .. en_GB.UTF-8 .. en_IE.UTF-8 .. en_NZ.ISO8859-1 .. en_NZ.ISO8859-15 .. en_NZ.US-ASCII .. en_NZ.UTF-8 .. en_US.ISO8859-1 .. en_US.ISO8859-15 .. en_US.UTF-8 .. es_ES.ISO8859-1 .. es_ES.ISO8859-15 .. es_ES.UTF-8 .. et_EE.ISO8859-15 .. et_EE.UTF-8 .. fi_FI.ISO8859-1 .. fi_FI.ISO8859-15 .. fi_FI.UTF-8 .. fr_BE.ISO8859-1 .. fr_BE.ISO8859-15 .. fr_BE.UTF-8 .. fr_CA.ISO8859-1 .. fr_CA.ISO8859-15 .. fr_CA.UTF-8 .. fr_CH.ISO8859-1 .. fr_CH.ISO8859-15 .. fr_CH.UTF-8 .. fr_FR.ISO8859-1 .. fr_FR.ISO8859-15 .. fr_FR.UTF-8 .. gl_ES.ISO8859-1 .. he_IL.UTF-8 .. hi_IN.ISCII-DEV .. hr_HR.ISO8859-2 .. hr_HR.UTF-8 .. hu_HU.ISO8859-2 .. hu_HU.UTF-8 .. hy_AM.ARMSCII-8 .. hy_AM.UTF-8 .. is_IS.ISO8859-1 .. is_IS.ISO8859-15 .. is_IS.UTF-8 .. it_CH.ISO8859-1 .. it_CH.ISO8859-15 .. it_CH.UTF-8 .. it_IT.ISO8859-1 .. it_IT.ISO8859-15 .. it_IT.UTF-8 .. ja_JP.SJIS .. ja_JP.UTF-8 .. ja_JP.eucJP .. kk_KZ.PT154 .. kk_KZ.UTF-8 .. ko_KR.CP949 .. ko_KR.UTF-8 .. ko_KR.eucKR .. lt_LT.ISO8859-13 .. lt_LT.UTF-8 .. lv_LV.ISO8859-13 .. lv_LV.UTF-8 .. mn_MN.UTF-8 .. nl_BE.ISO8859-1 .. nl_BE.ISO8859-15 .. nl_BE.UTF-8 .. nl_NL.ISO8859-1 .. nl_NL.ISO8859-15 .. nl_NL.UTF-8 .. no_NO.ISO8859-1 .. no_NO.ISO8859-15 .. no_NO.UTF-8 .. pl_PL.ISO8859-2 .. pl_PL.UTF-8 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. pt_PT.ISO8859-1 .. pt_PT.ISO8859-15 .. pt_PT.UTF-8 .. ro_RO.ISO8859-2 .. ro_RO.UTF-8 .. ru_RU.CP1251 .. ru_RU.CP866 .. ru_RU.ISO8859-5 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. sk_SK.ISO8859-2 .. sk_SK.UTF-8 .. sl_SI.ISO8859-2 .. sl_SI.UTF-8 .. sr_YU.ISO8859-2 .. sr_YU.ISO8859-5 .. sr_YU.UTF-8 .. sv_SE.ISO8859-1 .. sv_SE.ISO8859-15 .. sv_SE.UTF-8 .. tr_TR.ISO8859-9 .. tr_TR.UTF-8 .. uk_UA.ISO8859-5 .. uk_UA.KOI8-U .. uk_UA.UTF-8 .. zh_CN.GB18030 .. zh_CN.GB2312 .. zh_CN.GBK .. zh_CN.UTF-8 .. zh_CN.eucCN .. zh_HK.Big5HKSCS .. zh_HK.UTF-8 .. zh_TW.Big5 .. zh_TW.UTF-8 .. .. openssl man /set uname=man cat1 .. cat3 .. en.ISO8859-1 uname=root cat1 .. cat3 .. .. /set uname=root man1 .. man3 .. .. .. pc-sysinstall backend .. backend-partmanager .. backend-query .. conf license .. .. doc .. .. security .. sendmail .. skel .. snmp defs .. mibs .. .. syscons fonts .. keymaps .. scrnmaps .. .. tabset .. vi catalog .. .. vt fonts .. keymaps .. .. zoneinfo Africa .. America Argentina .. Indiana .. Kentucky .. North_Dakota .. .. Antarctica .. Arctic .. Asia .. Atlantic .. Australia .. Etc .. Europe .. Indian .. Pacific .. SystemV .. .. .. src nochange .. .. Index: stable/11/secure/Makefile =================================================================== --- stable/11/secure/Makefile (revision 357081) +++ stable/11/secure/Makefile (revision 357082) @@ -1,41 +1,43 @@ # $FreeBSD$ .include SUBDIR= lib .WAIT \ libexec ${_tests} usr.bin usr.sbin SUBDIR_PARALLEL= .if ${MK_TESTS} != "no" _tests= tests .endif +SUBDIR.${MK_CAROOT}+= caroot + # These are the programs which depend on crypto, but not Kerberos. SPROGS= lib/libfetch lib/libpam lib/libradius lib/libtelnet \ bin/ed libexec/telnetd usr.bin/fetch usr.bin/telnet \ usr.sbin/pkg_install usr.sbin/ppp usr.sbin/tcpdump/tcpdump .if ${MK_SENDMAIL} != "no" SPROGS+=usr.sbin/sendmail .endif # This target is used to rebuild these programs with crypto. secure: .MAKE .PHONY .for entry in ${SPROGS} cd ${.CURDIR:H}/${entry}; \ ${MAKE} cleandir; \ ${MAKE} obj; \ ${MAKE} all; \ ${MAKE} install .endfor # This target is used to rebuild these programs without crypto. insecure: .MAKE .PHONY .for entry in ${SPROGS} cd ${.CURDIR:H}/${entry}; \ ${MAKE} MK_CRYPT=no cleandir; \ ${MAKE} MK_CRYPT=no obj; \ ${MAKE} MK_CRYPT=no all; \ ${MAKE} MK_CRYPT=no install .endfor .include Index: stable/11/secure/caroot/MAca-bundle.pl =================================================================== --- stable/11/secure/caroot/MAca-bundle.pl (nonexistent) +++ stable/11/secure/caroot/MAca-bundle.pl (revision 357082) @@ -0,0 +1,277 @@ +#!/usr/bin/env perl +## +## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt +## +## Rewritten in September 2011 by Matthias Andree to heed untrust +## + +## Copyright (c) 2011, 2013 Matthias Andree +## All rights reserved. +## Copyright (c) 2018, Allan Jude +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted provided that the following conditions are +## met: +## +## * Redistributions of source code must retain the above copyright +## notice, this list of conditions and the following disclaimer. +## +## * Redistributions in binary form must reproduce the above copyright +## notice, this list of conditions and the following disclaimer in the +## documentation and/or other materials provided with the distribution. +## +## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +## POSSIBILITY OF SUCH DAMAGE. + +use strict; +use Carp; +use MIME::Base64; +use Getopt::Long; + +my $VERSION = '$FreeBSD$'; +my $generated = '@' . 'generated'; +my $inputfh = *STDIN; +my $debug = 0; +my $infile; +my $outputdir; +my %labels; +my %certs; +my %trusts; + +$debug++ + if defined $ENV{'WITH_DEBUG'} + and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/; + +GetOptions ( + "debug+" => \$debug, + "infile:s" => \$infile, + "outputdir:s" => \$outputdir) + or die("Error in command line arguments\n$0 [-d] [-i input-file] [-o output-dir]\n"); + +if ($infile) { + open($inputfh, "<", $infile) or die "Failed to open $infile"; +} + +sub print_header($$) +{ + my $dstfile = shift; + my $label = shift; + + if ($outputdir) { + print $dstfile <) { + last if /^END/; + my (undef,@oct) = split /\\/; + my @bin = map(chr(oct), @oct); + $data .= join('', @bin); + } + + return $data; +} + + +sub grabcert($) +{ + my $ifh = shift; + my $certdata; + my $cka_label; + my $serial; + + while (<$ifh>) { + chomp; + last if ($_ eq ''); + + if (/^CKA_LABEL UTF8 "([^"]+)"/) { + $cka_label = $1; + } + + if (/^CKA_VALUE MULTILINE_OCTAL/) { + $certdata = graboct($ifh); + } + + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } + } + return ($serial, $cka_label, $certdata); +} + +sub grabtrust($) { + my $ifh = shift; + my $cka_label; + my $serial; + my $maytrust = 0; + my $distrust = 0; + + while (<$ifh>) { + chomp; + last if ($_ eq ''); + + if (/^CKA_LABEL UTF8 "([^"]+)"/) { + $cka_label = $1; + } + + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } + + if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/) + { + if ($2 eq 'CKT_NSS_NOT_TRUSTED') { + $distrust = 1; + } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') { + $maytrust = 1; + } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') { + confess "Unknown trust setting on line $.:\n" + . "$_\n" + . "Script must be updated:"; + } + } + } + + if (!$maytrust && !$distrust && $debug) { + print STDERR "line $.: no explicit trust/distrust found for $cka_label\n"; + } + + my $trust = ($maytrust and not $distrust); + return ($serial, $cka_label, $trust); +} + +if (!$outputdir) { + print_header(*STDOUT, ""); +} + +while (<$inputfh>) { + if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { + my ($serial, $label, $certdata) = grabcert($inputfh); + if (defined $certs{$label."\0".$serial}) { + warn "Certificate $label duplicated!\n"; + } + $certs{$label."\0".$serial} = $certdata; + # We store the label in a separate hash because truncating the key + # with \0 was causing garbage data after the end of the text. + $labels{$label."\0".$serial} = $label; + } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { + my ($serial, $label, $trust) = grabtrust($inputfh); + if (defined $trusts{$label."\0".$serial}) { + warn "Trust for $label duplicated!\n"; + } + $trusts{$label."\0".$serial} = $trust; + $labels{$label."\0".$serial} = $label; + } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) { + print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n"; + } +} + +sub label_to_filename(@) { + my @res = @_; + map { s/\0.*//; s/[^[:alnum:]\-]/_/g; $_ = "$_.pem"; } @res; + return wantarray ? @res : $res[0]; +} + +# weed out untrusted certificates +my $untrusted = 0; +foreach my $it (keys %trusts) { + if (!$trusts{$it}) { + if (!exists($certs{$it})) { + warn "Found trust for nonexistent certificate $labels{$it}\n" if $debug; + } else { + delete $certs{$it}; + warn "Skipping untrusted $labels{$it}\n" if $debug; + $untrusted++; + } + } +} + +if (!$outputdir) { + print "## Untrusted certificates omitted from this bundle: $untrusted\n\n"; +} +print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n"; + +my $certcount = 0; +foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { + my $fh = *STDOUT; + my $filename; + if (!exists($trusts{$it})) { + die "Found certificate without trust block,\naborting"; + } + if ($outputdir) { + $filename = label_to_filename($labels{$it}); + open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $filename"; + print_header($fh, $labels{$it}); + } + printcert($fh, $labels{$it}, $certs{$it}); + if ($outputdir) { + close($fh) or die "Unable to close: $filename"; + } else { + print $fh "\n\n\n"; + } + $certcount++; + print STDERR "Trusting $certcount: $labels{$it}\n" if $debug; +} + +if ($certcount < 25) { + die "Certificate count of $certcount is implausibly low.\nAbort"; +} + +if (!$outputdir) { + print "## Number of certificates: $certcount\n"; + print "## End of file.\n"; +} +print STDERR "## Number of certificates: $certcount\n"; Property changes on: stable/11/secure/caroot/MAca-bundle.pl ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/11/secure/caroot/Makefile =================================================================== --- stable/11/secure/caroot/Makefile (nonexistent) +++ stable/11/secure/caroot/Makefile (revision 357082) @@ -0,0 +1,21 @@ +# $FreeBSD$ + +PACKAGE= caroot + +CLEANFILES+= certdata.txt + +SUBDIR+= trusted +SUBDIR+= blacklisted + +.include + +# To be used by secteam@ to update the trusted certificates + +fetchcerts: .PHONY + fetch --no-sslv3 --no-tlsv1 -o certdata.txt 'https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt' + +cleancerts: .PHONY + @${MAKE} -C ${.CURDIR}/trusted ${.TARGET} + +updatecerts: .PHONY cleancerts fetchcerts + perl ${.CURDIR}/MAca-bundle.pl -i certdata.txt -o ${.CURDIR}/trusted Property changes on: stable/11/secure/caroot/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/11/secure/caroot/README =================================================================== --- stable/11/secure/caroot/README (nonexistent) +++ stable/11/secure/caroot/README (revision 357082) @@ -0,0 +1,34 @@ +# $FreeBSD$ + +This directory contains the scripts to update the TLS CA Root Certificates +that comprise the 'root trust store'. + +The 'updatecerts' make target should be run periodically by secteam@ +specifically when there is an important change to the list of trusted root +certificates included by Mozilla. + +It will: + 1) Remove the old trusted certificates (cleancerts) + 2) Download the latest certdata.txt from Mozilla (fetchcerts) + 3) Split certdata.txt into the individual .pem files (updatecerts) + +Then the results should manually be inspected (svn status) + 1) Any no-longer-trusted certificates should be moved to the + blacklisted directory (svn mv) + 2) any newly added certificates will need to be added (svn add) + + +The following make targets exist: + +cleancerts: + Delete the old certificates, run as a dependency of updatecerts. + +fetchcerts: + Download the latest certdata.txt from the Mozilla NSS hg repo + See the changelog here: + https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt + +updatecerts: + Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt + to generate the individual certificate files (.pem) and store them + in the trusted/ directory. Property changes on: stable/11/secure/caroot/README ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Index: stable/11/secure/caroot/blacklisted/Makefile =================================================================== --- stable/11/secure/caroot/blacklisted/Makefile (nonexistent) +++ stable/11/secure/caroot/blacklisted/Makefile (revision 357082) @@ -0,0 +1,7 @@ +# $FreeBSD$ + +BINDIR= /usr/share/certs/blacklisted + +FILES= + +.include Property changes on: stable/11/secure/caroot/blacklisted/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/11/secure/caroot/trusted/Makefile =================================================================== --- stable/11/secure/caroot/trusted/Makefile (nonexistent) +++ stable/11/secure/caroot/trusted/Makefile (revision 357082) @@ -0,0 +1,12 @@ +# $FreeBSD$ + +BINDIR= /usr/share/certs/trusted + +TRUSTED_CERTS!= ls ${.CURDIR}/*.pem 2> /dev/null || true + +FILES+= ${TRUSTED_CERTS} + +cleancerts: + @[ -z "${TRUSTED_CERTS}" ] || rm ${TRUSTED_CERTS} + +.include Property changes on: stable/11/secure/caroot/trusted/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/11/share/mk/src.opts.mk =================================================================== --- stable/11/share/mk/src.opts.mk (revision 357081) +++ stable/11/share/mk/src.opts.mk (revision 357082) @@ -1,546 +1,547 @@ # $FreeBSD$ # # Option file for FreeBSD /usr/src builds. # # Users define WITH_FOO and WITHOUT_FOO on the command line or in /etc/src.conf # and /etc/make.conf files. These translate in the build system to MK_FOO={yes,no} # with sensible (usually) defaults. # # Makefiles must include bsd.opts.mk after defining specific MK_FOO options that # are applicable for that Makefile (typically there are none, but sometimes there # are exceptions). Recursive makes usually add MK_FOO=no for options that they wish # to omit from that make. # # Makefiles must include bsd.mkopt.mk before they test the value of any MK_FOO # variable. # # Makefiles may also assume that this file is included by src.opts.mk should it # need variables defined there prior to the end of the Makefile where # bsd.{subdir,lib.bin}.mk is traditionally included. # # The old-style YES_FOO and NO_FOO are being phased out. No new instances of them # should be added. Old instances should be removed since they were just to # bridge the gap between FreeBSD 4 and FreeBSD 5. # # Makefiles should never test WITH_FOO or WITHOUT_FOO directly (although an # exception is made for _WITHOUT_SRCONF which turns off this mechanism # completely inside bsd.*.mk files). # .if !target(____) ____: .include # # Define MK_* variables (which are either "yes" or "no") for users # to set via WITH_*/WITHOUT_* in /etc/src.conf and override in the # make(1) environment. # These should be tested with `== "no"' or `!= "no"' in makefiles. # The NO_* variables should only be set by makefiles for variables # that haven't been converted over. # # These options are used by src the builds __DEFAULT_YES_OPTIONS = \ ACCT \ ACPI \ AMD \ APM \ AT \ ATM \ AUDIT \ AUTHPF \ AUTOFS \ BHYVE \ BINUTILS \ BINUTILS_BOOTSTRAP \ BLACKLIST \ BLUETOOTH \ BOOT \ BOOTPARAMD \ BOOTPD \ BSD_CPIO \ BSD_GREP_FASTMATCH \ BSDINSTALL \ BSNMP \ BZIP2 \ CALENDAR \ CAPSICUM \ + CAROOT \ CASPER \ CCD \ CDDL \ CPP \ CROSS_COMPILER \ CRYPT \ CTM \ CUSE \ CXX \ DIALOG \ DICT \ DMAGENT \ DYNAMICROOT \ ED_CRYPTO \ EE \ ELFCOPY_AS_OBJCOPY \ EFI \ ELFTOOLCHAIN_BOOTSTRAP \ EXAMPLES \ FDT \ FILE \ FINGER \ FLOPPY \ FMTREE \ FORTH \ FP_LIBC \ FREEBSD_UPDATE \ FTP \ GAMES \ GCOV \ GDB \ GNU \ GNU_DIFF \ GNU_GREP \ GNU_GREP_COMPAT \ GPIO \ GPL_DTC \ GROFF \ HAST \ HTML \ HYPERV \ ICONV \ INET \ INET6 \ INETD \ IPFILTER \ IPFW \ ISCSI \ JAIL \ KDUMP \ KVM \ LDNS \ LDNS_UTILS \ LEGACY_CONSOLE \ LIB32 \ LIBPTHREAD \ LIBTHR \ LLVM_COV \ LOADER_GELI \ LOADER_LUA \ LOADER_OFW \ LOADER_UBOOT \ LOCALES \ LOCATE \ LPR \ LS_COLORS \ LZMA_SUPPORT \ MAIL \ MAILWRAPPER \ MAKE \ MANDOCDB \ NDIS \ NETCAT \ NETGRAPH \ NLS_CATALOGS \ NS_CACHING \ NTP \ OPENSSL \ PAM \ PC_SYSINSTALL \ PF \ PKGBOOTSTRAP \ PMC \ PORTSNAP \ PPP \ QUOTAS \ RADIUS_SUPPORT \ RCMDS \ RBOOTD \ RCS \ RESCUE \ ROUTED \ SENDMAIL \ SETUID_LOGIN \ SHAREDOCS \ SOURCELESS \ SOURCELESS_HOST \ SOURCELESS_UCODE \ SVNLITE \ SYSCONS \ SYSTEM_COMPILER \ TALK \ TCP_WRAPPERS \ TCSH \ TELNET \ TESTS \ TEXTPROC \ TFTP \ TIMED \ UNBOUND \ USB \ UTMPX \ VI \ VT \ WIRELESS \ WPA_SUPPLICANT_EAPOL \ ZFS \ LOADER_ZFS \ ZONEINFO __DEFAULT_NO_OPTIONS = \ BSD_GREP \ CLANG_EXTRAS \ DTRACE_TESTS \ EISA \ HESIOD \ LIBSOFT \ LINT \ LOADER_FIREWIRE \ LOADER_FORCE_LE \ LOADER_VERBOSE \ NAND \ OFED_EXTRA \ OPENLDAP \ REPRODUCIBLE_BUILD \ RPCBIND_WARMSTART_SUPPORT \ SHARED_TOOLCHAIN \ SORT_THREADS \ SVN \ ZONEINFO_LEAPSECONDS_SUPPORT \ ZONEINFO_OLD_TIMEZONES_SUPPORT \ # # Default behaviour of some options depends on the architecture. Unfortunately # this means that we have to test TARGET_ARCH (the buildworld case) as well # as MACHINE_ARCH (the non-buildworld case). Normally TARGET_ARCH is not # used at all in bsd.*.mk, but we have to make an exception here if we want # to allow defaults for some things like clang to vary by target architecture. # Additional, per-target behavior should be rarely added only after much # gnashing of teeth and grinding of gears. # .if defined(TARGET_ARCH) __T=${TARGET_ARCH} .else __T=${MACHINE_ARCH} .endif .if defined(TARGET) __TT=${TARGET} .else __TT=${MACHINE} .endif __DEFAULT_NO_OPTIONS+=LLVM_TARGET_BPF __DEFAULT_NO_OPTIONS+=LLVM_TARGET_RISCV .include # If the compiler is not C++11 capable, disable Clang and use GCC instead. # This means that architectures that have GCC 4.2 as default can not # build Clang without using an external compiler. .if ${COMPILER_FEATURES:Mc++11} && (${__T} == "aarch64" || \ ${__T} == "amd64" || ${__TT} == "arm" || ${__T} == "i386") # Clang is enabled, and will be installed as the default /usr/bin/cc. __DEFAULT_YES_OPTIONS+=CLANG CLANG_BOOTSTRAP CLANG_FULL CLANG_IS_CC LLD __DEFAULT_YES_OPTIONS+=LLVM_TARGET_AARCH64 LLVM_TARGET_ARM LLVM_TARGET_MIPS __DEFAULT_YES_OPTIONS+=LLVM_TARGET_POWERPC LLVM_TARGET_SPARC LLVM_TARGET_X86 __DEFAULT_NO_OPTIONS+=GCC GCC_BOOTSTRAP GNUCXX .elif ${COMPILER_FEATURES:Mc++11} && ${__T} != "riscv64" && ${__T} != "sparc64" # If an external compiler that supports C++11 is used as ${CC} and Clang # supports the target, then Clang is enabled but GCC is installed as the # default /usr/bin/cc. __DEFAULT_YES_OPTIONS+=CLANG CLANG_FULL GCC GCC_BOOTSTRAP GNUCXX __DEFAULT_YES_OPTIONS+=LLVM_TARGET_AARCH64 LLVM_TARGET_ARM LLVM_TARGET_MIPS __DEFAULT_YES_OPTIONS+=LLVM_TARGET_POWERPC LLVM_TARGET_SPARC LLVM_TARGET_X86 __DEFAULT_NO_OPTIONS+=CLANG_BOOTSTRAP CLANG_IS_CC LLD .else # Everything else disables Clang, and uses GCC instead. __DEFAULT_YES_OPTIONS+=GCC GCC_BOOTSTRAP GNUCXX __DEFAULT_NO_OPTIONS+=CLANG CLANG_BOOTSTRAP CLANG_FULL CLANG_IS_CC LLD __DEFAULT_NO_OPTIONS+=LLVM_TARGET_AARCH64 LLVM_TARGET_ARM LLVM_TARGET_MIPS __DEFAULT_NO_OPTIONS+=LLVM_TARGET_POWERPC LLVM_TARGET_SPARC LLVM_TARGET_X86 .endif __DEFAULT_NO_OPTIONS+=LLVM_TARGET_BPF # In-tree binutils/gcc are older versions without modern architecture support. .if ${__T} == "aarch64" || ${__T} == "riscv64" BROKEN_OPTIONS+=BINUTILS BINUTILS_BOOTSTRAP GCC GCC_BOOTSTRAP GDB .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" || \ ${__T:Mriscv*} != "" || ${__TT} == "mips" __DEFAULT_YES_OPTIONS+=LLVM_LIBUNWIND .else __DEFAULT_NO_OPTIONS+=LLVM_LIBUNWIND .endif .if ${__T} == "riscv64" BROKEN_OPTIONS+=PROFILE # "sorry, unimplemented: profiler support for RISC-V" BROKEN_OPTIONS+=TESTS # "undefined reference to `_Unwind_Resume'" BROKEN_OPTIONS+=CXX # "libcxxrt.so: undefined reference to `_Unwind_Resume_or_Rethrow'" .endif .if ${__T} == "aarch64" __DEFAULT_YES_OPTIONS+=LLD_BOOTSTRAP LLD_IS_LD .else __DEFAULT_NO_OPTIONS+=LLD_BOOTSTRAP LLD_IS_LD .endif .if ${__T} == "aarch64" || ${__T} == "amd64" __DEFAULT_YES_OPTIONS+=LLDB .else __DEFAULT_NO_OPTIONS+=LLDB .endif # LLVM lacks support for FreeBSD 64-bit atomic operations for ARMv4/ARMv5 .if ${__T} == "arm" || ${__T} == "armeb" BROKEN_OPTIONS+=LLDB .endif # Only doing soft float API stuff on armv6 .if ${__T} != "armv6" BROKEN_OPTIONS+=LIBSOFT .endif # EFI doesn't exist on mips, pc98, powerpc, sparc or riscv. .if ${__T:Mmips*} || ${__TT:Mpc98*} || ${__T:Mpowerpc*} || ${__T:Msparc64} || \ ${__T:Mriscv*} BROKEN_OPTIONS+=EFI .endif # OFW is only for powerpc and sparc64, exclude others .if ${__T:Mpowerpc*} == "" && ${__T:Msparc64} == "" BROKEN_OPTIONS+=LOADER_OFW .endif # UBOOT is only for arm, mips and powerpc, exclude others .if ${__T:Marm*} == "" && ${__T:Mmips*} == "" && ${__T:Mpowerpc*} == "" BROKEN_OPTIONS+=LOADER_UBOOT .endif # GELI and Lua in loader currently cause boot failures on sparc64 and powerpc. # Further debugging is required -- probably they are just broken on big # endian systems generically (they jump to null pointers or try to read # crazy high addresses, which is typical of endianness problems). .if ${__T} == "sparc64" || ${__T:Mpowerpc*} BROKEN_OPTIONS+=LOADER_GELI LOADER_LUA .endif # Both features are untested on pc98, so we'll mark them as disabled just to # be safe and make sure we keep pc98 stable. .if ${__TT:Mpc98*} BROKEN_OPTIONS+=LOADER_GELI LOADER_LUA .endif .if ${__T:Mmips64*} # profiling won't work on MIPS64 because there is only assembly for o32 BROKEN_OPTIONS+=PROFILE .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" || \ ${__T} == "powerpc64" || ${__T} == "sparc64" __DEFAULT_YES_OPTIONS+=CXGBETOOL __DEFAULT_YES_OPTIONS+=MLX5TOOL .else __DEFAULT_NO_OPTIONS+=CXGBETOOL __DEFAULT_NO_OPTIONS+=MLX5TOOL .endif .if ${__T} == "amd64" __DEFAULT_YES_OPTIONS+=OFED .else __DEFAULT_NO_OPTIONS+=OFED .endif .if ${COMPILER_FEATURES:Mc++11} && (${__T} == "amd64" || ${__T} == "i386") __DEFAULT_YES_OPTIONS+=OPENMP .else __DEFAULT_NO_OPTIONS+=OPENMP .endif .include # # MK_* options that default to "yes" if the compiler is a C++11 compiler. # .for var in \ LIBCPLUSPLUS .if !defined(MK_${var}) .if ${COMPILER_FEATURES:Mc++11} .if defined(WITHOUT_${var}) MK_${var}:= no .else MK_${var}:= yes .endif .else .if defined(WITH_${var}) MK_${var}:= yes .else MK_${var}:= no .endif .endif .endif .endfor # # Force some options off if their dependencies are off. # Order is somewhat important. # .if !${COMPILER_FEATURES:Mc++11} MK_LLVM_LIBUNWIND:= no .endif .if ${MK_CAPSICUM} == "no" MK_CASPER:= no .endif .if ${MK_LIBPTHREAD} == "no" MK_LIBTHR:= no .endif .if ${MK_LDNS} == "no" MK_LDNS_UTILS:= no MK_UNBOUND:= no .endif .if ${MK_SOURCELESS} == "no" MK_SOURCELESS_HOST:= no MK_SOURCELESS_UCODE:= no .endif .if ${MK_CDDL} == "no" MK_ZFS:= no MK_LOADER_ZFS:= no MK_CTF:= no .endif .if ${MK_CRYPT} == "no" MK_OPENSSL:= no MK_OPENSSH:= no MK_KERBEROS:= no .endif .if ${MK_CXX} == "no" MK_CLANG:= no MK_GROFF:= no MK_GNUCXX:= no .endif .if ${MK_DIALOG} == "no" MK_BSDINSTALL:= no .endif .if ${MK_MAIL} == "no" MK_MAILWRAPPER:= no MK_SENDMAIL:= no MK_DMAGENT:= no .endif .if ${MK_NETGRAPH} == "no" MK_ATM:= no MK_BLUETOOTH:= no .endif .if ${MK_NLS} == "no" MK_NLS_CATALOGS:= no .endif .if ${MK_OPENSSL} == "no" MK_OPENSSH:= no MK_KERBEROS:= no .endif .if ${MK_OFED} == "no" MK_OFED_EXTRA:= no .endif .if ${MK_PF} == "no" MK_AUTHPF:= no .endif .if ${MK_TESTS} == "no" MK_DTRACE_TESTS:= no .endif .if ${MK_TEXTPROC} == "no" MK_GROFF:= no .endif .if ${MK_ZONEINFO} == "no" MK_ZONEINFO_LEAPSECONDS_SUPPORT:= no MK_ZONEINFO_OLD_TIMEZONES_SUPPORT:= no .endif .if ${MK_CROSS_COMPILER} == "no" MK_BINUTILS_BOOTSTRAP:= no MK_CLANG_BOOTSTRAP:= no MK_ELFTOOLCHAIN_BOOTSTRAP:= no MK_GCC_BOOTSTRAP:= no MK_LLD_BOOTSTRAP:= no .endif .if ${MK_META_MODE} == "yes" MK_SYSTEM_COMPILER:= no .endif .if ${MK_TOOLCHAIN} == "no" MK_BINUTILS:= no MK_CLANG:= no MK_GCC:= no MK_GDB:= no MK_INCLUDES:= no MK_LLD:= no MK_LLDB:= no .endif .if ${MK_CLANG} == "no" MK_CLANG_EXTRAS:= no MK_CLANG_FULL:= no MK_LLVM_COV:= no .endif # # MK_* options whose default value depends on another option. # .for vv in \ GSSAPI/KERBEROS \ MAN_UTILS/MAN .if defined(WITH_${vv:H}) MK_${vv:H}:= yes .elif defined(WITHOUT_${vv:H}) MK_${vv:H}:= no .else MK_${vv:H}:= ${MK_${vv:T}} .endif .endfor # # Set defaults for the MK_*_SUPPORT variables. # # # MK_*_SUPPORT options which default to "yes" unless their corresponding # MK_* variable is set to "no". # .for var in \ BLACKLIST \ BZIP2 \ GNU \ INET \ INET6 \ KERBEROS \ KVM \ NETGRAPH \ PAM \ TESTS \ WIRELESS .if defined(WITHOUT_${var}_SUPPORT) || ${MK_${var}} == "no" MK_${var}_SUPPORT:= no .else MK_${var}_SUPPORT:= yes .endif .endfor .if !${COMPILER_FEATURES:Mc++11} MK_LLDB:= no .endif # gcc 4.8 and newer supports libc++, so suppress gnuc++ in that case. # while in theory we could build it with that, we don't want to do # that since it creates too much confusion for too little gain. # XXX: This is incomplete and needs X_COMPILER_TYPE/VERSION checks too # to prevent Makefile.inc1 from bootstrapping unneeded dependencies # and to support 'make delete-old' when supplying an external toolchain. .if ${COMPILER_TYPE} == "gcc" && ${COMPILER_VERSION} >= 40800 MK_GNUCXX:=no MK_GCC:=no .endif .endif # !target(____) Index: stable/11/usr.sbin/Makefile =================================================================== --- stable/11/usr.sbin/Makefile (revision 357081) +++ stable/11/usr.sbin/Makefile (revision 357082) @@ -1,225 +1,228 @@ # From: @(#)Makefile 5.20 (Berkeley) 6/12/93 # $FreeBSD$ .include SUBDIR= adduser \ arp \ binmiscctl \ camdd \ cdcontrol \ chkgrp \ chown \ chroot \ ckdist \ clear_locks \ crashinfo \ cron \ ctladm \ ctld \ daemon \ dconschat \ devctl \ devinfo \ digictl \ diskinfo \ dumpcis \ etcupdate \ extattr \ extattrctl \ fifolog \ fstyp \ fwcontrol \ getfmac \ getpmac \ gstat \ i2c \ ifmcstat \ iostat \ iovctl \ kldxref \ mailwrapper \ makefs \ memcontrol \ mergemaster \ mfiutil \ mixer \ mlxcontrol \ mountd \ mount_smbfs \ mpsutil \ mptutil \ mtest \ newsyslog \ nfscbd \ nfsd \ nfsdumpstate \ nfsrevoke \ nfsuserd \ nmtree \ nologin \ pciconf \ periodic \ powerd \ procctl \ pstat \ pw \ pwd_mkdb \ quot \ rarpd \ rmt \ rpcbind \ rpc.lockd \ rpc.statd \ rpc.umntall \ rtprio \ rwhod \ service \ services_mkdb \ sesutil \ setfib \ setfmac \ setpmac \ smbmsg \ snapinfo \ spi \ spray \ syslogd \ sysrc \ tcpdrop \ tcpdump \ traceroute \ trim \ trpt \ tzsetup \ uefisign \ ugidfw \ vigr \ vipw \ wake \ watch \ watchdogd \ zic \ zonectl # NB: keep these sorted by MK_* knobs SUBDIR.${MK_ACCT}+= accton SUBDIR.${MK_ACCT}+= sa SUBDIR.${MK_AMD}+= amd SUBDIR.${MK_AUDIT}+= audit SUBDIR.${MK_AUDIT}+= auditd .if ${MK_OPENSSL} != "no" SUBDIR.${MK_AUDIT}+= auditdistd .endif SUBDIR.${MK_AUDIT}+= auditreduce SUBDIR.${MK_AUDIT}+= praudit SUBDIR.${MK_AUTHPF}+= authpf SUBDIR.${MK_AUTOFS}+= autofs .if ${MK_BLACKLIST} != "no" SUBDIR.${MK_BLACKLIST}+= blacklistctl SUBDIR.${MK_BLACKLIST}+= blacklistd .endif SUBDIR.${MK_BLUETOOTH}+= bluetooth SUBDIR.${MK_BOOTPARAMD}+= bootparamd SUBDIR.${MK_BSDINSTALL}+= bsdinstall SUBDIR.${MK_BSNMP}+= bsnmpd +.if ${MK_CAROOT} != "no" +SUBDIR.${MK_OPENSSL}+= certctl +.endif SUBDIR.${MK_CTM}+= ctm SUBDIR.${MK_CXGBETOOL}+= cxgbetool SUBDIR.${MK_MLX5TOOL}+= mlx5tool SUBDIR.${MK_DIALOG}+= bsdconfig SUBDIR.${MK_EFI}+= efivar efidp efibootmgr SUBDIR.${MK_FLOPPY}+= fdcontrol SUBDIR.${MK_FLOPPY}+= fdformat SUBDIR.${MK_FLOPPY}+= fdread SUBDIR.${MK_FLOPPY}+= fdwrite SUBDIR.${MK_FMTREE}+= fmtree SUBDIR.${MK_FREEBSD_UPDATE}+= freebsd-update SUBDIR.${MK_GSSAPI}+= gssd SUBDIR.${MK_GPIO}+= gpioctl SUBDIR.${MK_INET6}+= ip6addrctl SUBDIR.${MK_INET6}+= mld6query SUBDIR.${MK_INET6}+= ndp SUBDIR.${MK_INET6}+= rip6query SUBDIR.${MK_INET6}+= route6d SUBDIR.${MK_INET6}+= rrenumd SUBDIR.${MK_INET6}+= rtadvctl SUBDIR.${MK_INET6}+= rtadvd SUBDIR.${MK_INET6}+= rtsold SUBDIR.${MK_INET6}+= traceroute6 SUBDIR.${MK_INETD}+= inetd SUBDIR.${MK_IPFW}+= ipfwpcap SUBDIR.${MK_ISCSI}+= iscsid SUBDIR.${MK_JAIL}+= jail SUBDIR.${MK_JAIL}+= jexec SUBDIR.${MK_JAIL}+= jls # XXX MK_SYSCONS SUBDIR.${MK_LEGACY_CONSOLE}+= kbdcontrol SUBDIR.${MK_LEGACY_CONSOLE}+= kbdmap SUBDIR.${MK_LEGACY_CONSOLE}+= moused SUBDIR.${MK_LEGACY_CONSOLE}+= vidcontrol .if ${MK_LIBTHR} != "no" || ${MK_LIBPTHREAD} != "no" SUBDIR.${MK_PPP}+= pppctl SUBDIR.${MK_NS_CACHING}+= nscd .endif SUBDIR.${MK_LPR}+= lpr SUBDIR.${MK_MAN_UTILS}+= manctl SUBDIR.${MK_NAND}+= nandsim SUBDIR.${MK_NAND}+= nandtool SUBDIR.${MK_NETGRAPH}+= flowctl SUBDIR.${MK_NETGRAPH}+= lmcconfig SUBDIR.${MK_NETGRAPH}+= ngctl SUBDIR.${MK_NETGRAPH}+= nghook SUBDIR.${MK_NIS}+= rpc.yppasswdd SUBDIR.${MK_NIS}+= rpc.ypupdated SUBDIR.${MK_NIS}+= rpc.ypxfrd SUBDIR.${MK_NIS}+= ypbind SUBDIR.${MK_NIS}+= ypldap SUBDIR.${MK_NIS}+= yp_mkdb SUBDIR.${MK_NIS}+= yppoll SUBDIR.${MK_NIS}+= yppush SUBDIR.${MK_NIS}+= ypserv SUBDIR.${MK_NIS}+= ypset SUBDIR.${MK_NTP}+= ntp SUBDIR.${MK_OPENSSL}+= keyserv SUBDIR.${MK_PC_SYSINSTALL}+= pc-sysinstall SUBDIR.${MK_PF}+= ftp-proxy SUBDIR.${MK_PKGBOOTSTRAP}+= pkg SUBDIR.${MK_PMC}+= pmcannotate SUBDIR.${MK_PMC}+= pmccontrol SUBDIR.${MK_PMC}+= pmcstat SUBDIR.${MK_PMC}+= pmcstudy SUBDIR.${MK_PORTSNAP}+= portsnap SUBDIR.${MK_PPP}+= ppp SUBDIR.${MK_QUOTAS}+= edquota SUBDIR.${MK_QUOTAS}+= quotaon SUBDIR.${MK_QUOTAS}+= repquota SUBDIR.${MK_SENDMAIL}+= editmap SUBDIR.${MK_SENDMAIL}+= mailstats SUBDIR.${MK_SENDMAIL}+= makemap SUBDIR.${MK_SENDMAIL}+= praliases SUBDIR.${MK_SENDMAIL}+= sendmail SUBDIR.${MK_TCP_WRAPPERS}+= tcpdchk SUBDIR.${MK_TCP_WRAPPERS}+= tcpdmatch SUBDIR.${MK_TIMED}+= timed SUBDIR.${MK_TOOLCHAIN}+= config SUBDIR.${MK_TOOLCHAIN}+= crunch SUBDIR.${MK_UNBOUND}+= unbound SUBDIR.${MK_USB}+= uathload SUBDIR.${MK_USB}+= uhsoctl SUBDIR.${MK_USB}+= usbconfig SUBDIR.${MK_USB}+= usbdump SUBDIR.${MK_UTMPX}+= ac SUBDIR.${MK_UTMPX}+= lastlogin SUBDIR.${MK_UTMPX}+= utx SUBDIR.${MK_WIRELESS}+= ancontrol SUBDIR.${MK_WIRELESS}+= wlandebug SUBDIR.${MK_WIRELESS}+= wpa SUBDIR.${MK_TESTS}+= tests .include SUBDIR_PARALLEL= .include Index: stable/11/usr.sbin/certctl/certctl.sh =================================================================== --- stable/11/usr.sbin/certctl/certctl.sh (nonexistent) +++ stable/11/usr.sbin/certctl/certctl.sh (revision 357082) @@ -0,0 +1,240 @@ +#!/bin/sh +#- +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright 2018 Allan Jude +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted providing that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# +# $FreeBSD$ + +############################################################ CONFIGURATION + +: ${DESTDIR:=} +: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs} +: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} +: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} +: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} +: ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} +: ${VERBOSE:=0} + +############################################################ GLOBALS + +SCRIPTNAME="${0##*/}" +ERRORS=0 +NOOP=0 + +############################################################ FUNCTIONS + +do_hash() +{ + local hash + + if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then + echo "$hash" + return 0 + else + echo "Error: $1" >&2 + ERRORS=$(( $ERRORS + 1 )) + return 1 + fi +} + +create_trusted_link() +{ + local hash + + hash=$( do_hash "$1" ) || return + if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then + echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" + return 1 + fi + [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" + [ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$CERTDESTDIR/$hash.0" +} + +create_blacklisted() +{ + local hash srcfile filename + + # If it exists as a file, we'll try that; otherwise, we'll scan + if [ -e "$1" ]; then + hash=$( do_hash "$1" ) || return + srcfile=$(realpath "$1") + filename="$hash.0" + elif [ -e "${CERTDESTDIR}/$1" ]; then + srcfile=$(realpath "${CERTDESTDIR}/$1") + filename="$1" + else + return + fi + [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" + [ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename" +} + +do_scan() +{ + local CFUNC CSEARCH CPATH CFILE + local oldIFS="$IFS" + CFUNC="$1" + CSEARCH="$2" + + IFS=: + set -- $CSEARCH + IFS="$oldIFS" + for CPATH in "$@"; do + [ -d "$CPATH" ] || continue + echo "Scanning $CPATH for certificates..." + cd "$CPATH" + for CFILE in $EXTENSIONS; do + [ -e "$CFILE" ] || continue + [ $VERBOSE -gt 0 ] && echo "Reading $CFILE" + "$CFUNC" "$CPATH/$CFILE" + done + cd - + done +} + +do_list() +{ + local CFILE subject + + if [ -e "$1" ]; then + cd "$1" + for CFILE in *.0; do + if [ ! -s "$CFILE" ]; then + echo "Unable to read $CFILE" >&2 + ERRORS=$(( $ERRORS + 1 )) + continue + fi + subject= + if [ $VERBOSE -eq 0 ]; then + subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | + sed -n '/commonName/s/.*= //p' ) + fi + [ "$subject" ] || + subject=$( openssl x509 -noout -subject -in "$CFILE" ) + printf "%s\t%s\n" "$CFILE" "$subject" + done + cd - + fi +} + +cmd_rehash() +{ + + [ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR" + [ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR" + [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + + do_scan create_blacklisted "$BLACKLISTPATH" + do_scan create_trusted_link "$TRUSTPATH" +} + +cmd_list() +{ + echo "Listing Trusted Certificates:" + do_list "$CERTDESTDIR" +} + +cmd_blacklist() +{ + local BPATH + + shift # verb + [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + for BFILE in "$@"; do + echo "Adding $BFILE to blacklist" + create_blacklisted "$BFILE" + done +} + +cmd_unblacklist() +{ + local BFILE hash + + shift # verb + for BFILE in "$@"; do + if [ -s "$BFILE" ]; then + hash=$( do_hash "$BFILE" ) + echo "Removing $hash.0 from blacklist" + [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0" + elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then + echo "Removing $BFILE from blacklist" + [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" + else + echo "Cannot find $BFILE" >&2 + ERRORS=$(( $ERRORS + 1 )) + fi + done +} + +cmd_blacklisted() +{ + echo "Listing Blacklisted Certificates:" + do_list "$BLACKLISTDESTDIR" +} + +usage() +{ + exec >&2 + echo "Manage the TLS trusted certificates on the system" + echo " $SCRIPTNAME [-v] list" + echo " List trusted certificates" + echo " $SCRIPTNAME [-v] blacklisted" + echo " List blacklisted certificates" + echo " $SCRIPTNAME [-nv] rehash" + echo " Generate hash links for all certificates" + echo " $SCRIPTNAME [-nv] blacklist " + echo " Add to the list of blacklisted certificates" + echo " $SCRIPTNAME [-nv] unblacklist " + echo " Remove from the list of blacklisted certificates" + exit 64 +} + +############################################################ MAIN + +while getopts nv flag; do + case "$flag" in + n) NOOP=1 ;; + v) VERBOSE=$(( $VERBOSE + 1 )) ;; + esac +done +shift $(( $OPTIND - 1 )) + +[ $# -gt 0 ] || usage +case "$1" in +list) cmd_list ;; +rehash) cmd_rehash ;; +blacklist) cmd_blacklist "$@" ;; +unblacklist) cmd_unblacklist "$@" ;; +blacklisted) cmd_blacklisted ;; +*) usage # NOTREACHED +esac + +retval=$? +[ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2 +exit $retval + +################################################################################ +# END +################################################################################ Property changes on: stable/11/usr.sbin/certctl/certctl.sh ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/11/usr.sbin/certctl/Makefile =================================================================== --- stable/11/usr.sbin/certctl/Makefile (nonexistent) +++ stable/11/usr.sbin/certctl/Makefile (revision 357082) @@ -0,0 +1,6 @@ +# $FreeBSD$ + +SCRIPTS=certctl.sh +MAN= certctl.8 + +.include Property changes on: stable/11/usr.sbin/certctl/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/11/usr.sbin/certctl/certctl.8 =================================================================== --- stable/11/usr.sbin/certctl/certctl.8 (nonexistent) +++ stable/11/usr.sbin/certctl/certctl.8 (revision 357082) @@ -0,0 +1,119 @@ +.\" +.\" SPDX-License-Identifier: BSD-2-Clause-FreeBSD +.\" +.\" Copyright 2018 Allan Jude +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted providing that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd February 19, 2019 +.Dt CERTCTL 8 +.Os +.Sh NAME +.Nm certctl +.Nd "tool for managing trusted and blacklist TLS certificates" +.Sh SYNOPSIS +.Nm +.Op Fl v +.Ic list +.Nm +.Op Fl v +.Ic blacklisted +.Nm +.Op Fl nv +.Ic rehash +.Nm +.Op Fl nv +.Ic blacklist Ar file +.Nm +.Op Fl nv +.Ic unblacklist Ar file +.Sh DESCRIPTION +The +.Nm +utility manages the list of TLS Certificate Authorities that are trusted by +applications that use OpenSSL. +.Pp +Flags: +.Bl -tag -width 4n +.It Fl n +No-Op mode, do not actually perform any actions. +.It Fl v +be verbose, print details about actions before performing them. +.El +.Pp +Primary command functions: +.Bl -tag -width blacklisted +.It Ic list +List all currently trusted certificate authorities. +.It Ic blacklisted +List all currently blacklisted certificates. +.It Ic rehash +Rebuild the list of trusted certificate authorities by scanning all directories +in +.Ev TRUSTPATH +and all blacklisted certificates in +.Ev BLACKLISTPATH . +A symbolic link to each trusted certificate is placed in +.Ev CERTDESTDIR +and each blacklisted certificate in +.Ev BLACKLISTDESTDIR . +.It Ic blacklist +Add the specified file to the blacklist. +.It Ic unblacklist +Remove the specified file from the blacklist. +.El +.Sh ENVIRONMENT +.Bl -tag -width BLACKLISTDESTDIR +.It Ev DESTDIR +Alternate destination directory to operate on. +.It Ev TRUSTPATH +List of paths to search for trusted certificates. +Default: +.Pa /usr/share/certs/trusted +.Pa /usr/local/share/certs /usr/local/etc/ssl/certs +.It Ev BLACKLISTPATH +List of paths to search for blacklisted certificates. +Default: +.Pa /usr/share/certs/blacklisted +.Pa /usr/local/etc/ssl/blacklisted +.It Ev CERTDESTDIR +Destination directory for symbolic links to trusted certificates. +Default: +.Pa /etc/ssl/certs +.It Ev BLACKLISTDESTDIR +Destination directory for symbolic links to blacklisted certificates. +Default: +.Pa /etc/ssl/blacklisted +.It Ev EXTENSIONS +List of file extensions to read as certificate files. +Default: *.pem *.crt *.cer *.crl *.0 +.El +.Sh SEE ALSO +.Xr openssl 1 +.Sh HISTORY +.Nm +first appeared in +.Fx 12.0 +.Sh AUTHORS +.An Allan Jude Aq Mt allanjude@freebsd.org Property changes on: stable/11/usr.sbin/certctl/certctl.8 ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/11/usr.sbin/etcupdate/etcupdate.sh =================================================================== --- stable/11/usr.sbin/etcupdate/etcupdate.sh (revision 357081) +++ stable/11/usr.sbin/etcupdate/etcupdate.sh (revision 357082) @@ -1,1801 +1,1807 @@ #!/bin/sh # # SPDX-License-Identifier: BSD-2-Clause-FreeBSD # # Copyright (c) 2010-2013 Hudson River Trading LLC # Written by: John H. Baldwin # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # This is a tool to manage updating files that are not updated as part # of 'make installworld' such as files in /etc. Unlike other tools, # this one is specifically tailored to assisting with mass upgrades. # To that end it does not require user intervention while running. # # Theory of operation: # # The most reliable way to update changes to files that have local # modifications is to perform a three-way merge between the original # unmodified file, the new version of the file, and the modified file. # This requires having all three versions of the file available when # performing an update. # # To that end, etcupdate uses a strategy where the current unmodified # tree is kept in WORKDIR/current and the previous unmodified tree is # kept in WORKDIR/old. When performing a merge, a new tree is built # if needed and then the changes are merged into DESTDIR. Any files # with unresolved conflicts after the merge are left in a tree rooted # at WORKDIR/conflicts. # # To provide extra flexibility, etcupdate can also build tarballs of # root trees that can later be used. It can also use a tarball as the # source of a new tree instead of building it from /usr/src. # Global settings. These can be adjusted by config files and in some # cases by command line options. # TODO: # - automatable conflict resolution # - a 'revert' command to make a file "stock" usage() { cat < etcupdate diff [-d workdir] [-D destdir] [-I patterns] [-L logfile] etcupdate extract [-B] [-d workdir] [-s source | -t tarball] [-L logfile] [-M options] etcupdate resolve [-p] [-d workdir] [-D destdir] [-L logfile] etcupdate status [-d workdir] [-D destdir] EOF exit 1 } # Used to write a message prepended with '>>>' to the logfile. log() { echo ">>>" "$@" >&3 } # Used for assertion conditions that should never happen. panic() { echo "PANIC:" "$@" exit 10 } # Used to write a warning message. These are saved to the WARNINGS # file with " " prepended. warn() { echo -n " " >> $WARNINGS echo "$@" >> $WARNINGS } # Output a horizontal rule using the passed-in character. Matches the # length used for Index lines in CVS and SVN diffs. # # $1 - character rule() { jot -b "$1" -s "" 67 } # Output a text description of a specified file's type. # # $1 - file pathname. file_type() { stat -f "%HT" $1 | tr "[:upper:]" "[:lower:]" } # Returns true (0) if a file exists # # $1 - file pathname. exists() { [ -e $1 -o -L $1 ] } # Returns true (0) if a file should be ignored, false otherwise. # # $1 - file pathname ignore() { local pattern - set -o noglob for pattern in $IGNORE_FILES; do set +o noglob case $1 in $pattern) return 0 ;; esac set -o noglob done # Ignore /.cshrc and /.profile if they are hardlinked to the # same file in /root. This ensures we only compare those # files once in that case. case $1 in /.cshrc|/.profile) if [ ${DESTDIR}$1 -ef ${DESTDIR}/root$1 ]; then return 0 fi ;; *) ;; esac return 1 } # Returns true (0) if the new version of a file should always be # installed rather than attempting to do a merge. # # $1 - file pathname always_install() { local pattern - set -o noglob for pattern in $ALWAYS_INSTALL; do set +o noglob case $1 in $pattern) return 0 ;; esac set -o noglob done return 1 } # Build a new tree # # $1 - directory to store new tree in build_tree() { local destdir dir file make make="make $MAKE_OPTIONS -DNO_FILEMON" log "Building tree at $1 with $make" mkdir -p $1/usr/obj >&3 2>&1 destdir=`realpath $1` if [ -n "$preworld" ]; then # Build a limited tree that only contains files that are # crucial to installworld. for file in $PREWORLD_FILES; do dir=`dirname /$file` mkdir -p $1/$dir >&3 2>&1 || return 1 cp -p $SRCDIR/$file $1/$file || return 1 done elif ! [ -n "$nobuild" ]; then (cd $SRCDIR; $make DESTDIR=$destdir distrib-dirs && MAKEOBJDIRPREFIX=$destdir/usr/obj $make _obj SUBDIR_OVERRIDE=etc && MAKEOBJDIRPREFIX=$destdir/usr/obj $make everything SUBDIR_OVERRIDE=etc && MAKEOBJDIRPREFIX=$destdir/usr/obj $make DESTDIR=$destdir distribution) \ >&3 2>&1 || return 1 else (cd $SRCDIR; $make DESTDIR=$destdir distrib-dirs && $make DESTDIR=$destdir distribution) >&3 2>&1 || return 1 fi chflags -R noschg $1 >&3 2>&1 || return 1 rm -rf $1/usr/obj >&3 2>&1 || return 1 # Purge auto-generated files. Only the source files need to # be updated after which these files are regenerated. rm -f $1/etc/*.db $1/etc/passwd $1/var/db/services.db >&3 2>&1 || \ return 1 # Remove empty files. These just clutter the output of 'diff'. find $1 -type f -size 0 -delete >&3 2>&1 || return 1 # Trim empty directories. find -d $1 -type d -empty -delete >&3 2>&1 || return 1 return 0 } # Generate a new NEWTREE tree. If tarball is set, then the tree is # extracted from the tarball. Otherwise the tree is built from a # source tree. extract_tree() { local files # If we have a tarball, extract that into the new directory. if [ -n "$tarball" ]; then files= if [ -n "$preworld" ]; then files="$PREWORLD_FILES" fi if ! (mkdir -p $NEWTREE && tar xf $tarball -C $NEWTREE $files) \ >&3 2>&1; then echo "Failed to extract new tree." remove_tree $NEWTREE exit 1 fi else if ! build_tree $NEWTREE; then echo "Failed to build new tree." remove_tree $NEWTREE exit 1 fi fi } # Forcefully remove a tree. Returns true (0) if the operation succeeds. # # $1 - path to tree remove_tree() { rm -rf $1 >&3 2>&1 if [ -e $1 ]; then chflags -R noschg $1 >&3 2>&1 rm -rf $1 >&3 2>&1 fi [ ! -e $1 ] } # Return values for compare() COMPARE_EQUAL=0 COMPARE_ONLYFIRST=1 COMPARE_ONLYSECOND=2 COMPARE_DIFFTYPE=3 COMPARE_DIFFLINKS=4 COMPARE_DIFFFILES=5 # Compare two files/directories/symlinks. Note that this does not # recurse into subdirectories. Instead, if two nodes are both # directories, they are assumed to be equivalent. # # Returns true (0) if the nodes are identical. If only one of the two # nodes are present, return one of the COMPARE_ONLY* constants. If # the nodes are different, return one of the COMPARE_DIFF* constants # to indicate the type of difference. # # $1 - first node # $2 - second node compare() { local first second # If the first node doesn't exist, then check for the second # node. Note that -e will fail for a symbolic link that # points to a missing target. if ! exists $1; then if exists $2; then return $COMPARE_ONLYSECOND else return $COMPARE_EQUAL fi elif ! exists $2; then return $COMPARE_ONLYFIRST fi # If the two nodes are different file types fail. first=`stat -f "%Hp" $1` second=`stat -f "%Hp" $2` if [ "$first" != "$second" ]; then return $COMPARE_DIFFTYPE fi # If both are symlinks, compare the link values. if [ -L $1 ]; then first=`readlink $1` second=`readlink $2` if [ "$first" = "$second" ]; then return $COMPARE_EQUAL else return $COMPARE_DIFFLINKS fi fi # If both are files, compare the file contents. if [ -f $1 ]; then if cmp -s $1 $2; then return $COMPARE_EQUAL else return $COMPARE_DIFFFILES fi fi # As long as the two nodes are the same type of file, consider # them equivalent. return $COMPARE_EQUAL } # Returns true (0) if the only difference between two regular files is a # change in the FreeBSD ID string. # # $1 - path of first file # $2 - path of second file fbsdid_only() { diff -qI '\$FreeBSD.*\$' $1 $2 >/dev/null 2>&1 } # This is a wrapper around compare that will return COMPARE_EQUAL if # the only difference between two regular files is a change in the # FreeBSD ID string. It only makes this adjustment if the -F flag has # been specified. # # $1 - first node # $2 - second node compare_fbsdid() { local cmp compare $1 $2 cmp=$? if [ -n "$FREEBSD_ID" -a "$cmp" -eq $COMPARE_DIFFFILES ] && \ fbsdid_only $1 $2; then return $COMPARE_EQUAL fi return $cmp } # Returns true (0) if a directory is empty. # # $1 - pathname of the directory to check empty_dir() { local contents contents=`ls -A $1` [ -z "$contents" ] } # Returns true (0) if one directories contents are a subset of the # other. This will recurse to handle subdirectories and compares # individual files in the trees. Its purpose is to quiet spurious # directory warnings for dryrun invocations. # # $1 - first directory (sub) # $2 - second directory (super) dir_subset() { local contents file if ! [ -d $1 -a -d $2 ]; then return 1 fi # Ignore files that are present in the second directory but not # in the first. contents=`ls -A $1` for file in $contents; do if ! compare $1/$file $2/$file; then return 1 fi if [ -d $1/$file ]; then if ! dir_subset $1/$file $2/$file; then return 1 fi fi done return 0 } # Returns true (0) if a directory in the destination tree is empty. # If this is a dryrun, then this returns true as long as the contents # of the directory are a subset of the contents in the old tree # (meaning that the directory would be empty in a non-dryrun when this # was invoked) to quiet spurious warnings. # # $1 - pathname of the directory to check relative to DESTDIR. empty_destdir() { if [ -n "$dryrun" ]; then dir_subset $DESTDIR/$1 $OLDTREE/$1 return fi empty_dir $DESTDIR/$1 } # Output a diff of two directory entries with the same relative name # in different trees. Note that as with compare(), this does not # recurse into subdirectories. If the nodes are identical, nothing is # output. # # $1 - first tree # $2 - second tree # $3 - node name # $4 - label for first tree # $5 - label for second tree diffnode() { local first second file old new diffargs if [ -n "$FREEBSD_ID" ]; then diffargs="-I \\\$FreeBSD.*\\\$" else diffargs="" fi compare_fbsdid $1/$3 $2/$3 case $? in $COMPARE_EQUAL) ;; $COMPARE_ONLYFIRST) echo echo "Removed: $3" echo ;; $COMPARE_ONLYSECOND) echo echo "Added: $3" echo ;; $COMPARE_DIFFTYPE) first=`file_type $1/$3` second=`file_type $2/$3` echo echo "Node changed from a $first to a $second: $3" echo ;; $COMPARE_DIFFLINKS) first=`readlink $1/$file` second=`readlink $2/$file` echo echo "Link changed: $file" rule "=" echo "-$first" echo "+$second" echo ;; $COMPARE_DIFFFILES) echo "Index: $3" rule "=" diff -u $diffargs -L "$3 ($4)" $1/$3 -L "$3 ($5)" $2/$3 ;; esac } # Run one-off commands after an update has completed. These commands # are not tied to a specific file, so they cannot be handled by # post_install_file(). post_update() { local args # None of these commands should be run for a pre-world update. if [ -n "$preworld" ]; then return fi # If /etc/localtime exists and is not a symlink and /var/db/zoneinfo # exists, run tzsetup -r to refresh /etc/localtime. if [ -f ${DESTDIR}/etc/localtime -a \ ! -L ${DESTDIR}/etc/localtime ]; then if [ -f ${DESTDIR}/var/db/zoneinfo ]; then if [ -n "${DESTDIR}" ]; then args="-C ${DESTDIR}" else args="" fi log "tzsetup -r ${args}" if [ -z "$dryrun" ]; then tzsetup -r ${args} >&3 2>&1 fi else warn "Needs update: /etc/localtime (required" \ "manual update via tzsetup(8))" fi fi } # Create missing parent directories of a node in a target tree # preserving the owner, group, and permissions from a specified # template tree. # # $1 - template tree # $2 - target tree # $3 - pathname of the node (relative to both trees) install_dirs() { local args dir dir=`dirname $3` # Nothing to do if the parent directory exists. This also # catches the degenerate cases when the path is just a simple # filename. if [ -d ${2}$dir ]; then return 0 fi # If non-directory file exists with the desired directory # name, then fail. if exists ${2}$dir; then # If this is a dryrun and we are installing the # directory in the DESTDIR and the file in the DESTDIR # matches the file in the old tree, then fake success # to quiet spurious warnings. if [ -n "$dryrun" -a "$2" = "$DESTDIR" ]; then if compare $OLDTREE/$dir $DESTDIR/$dir; then return 0 fi fi args=`file_type ${2}$dir` warn "Directory mismatch: ${2}$dir ($args)" return 1 fi # Ensure the parent directory of the directory is present # first. if ! install_dirs $1 "$2" $dir; then return 1 fi # Format attributes from template directory as install(1) # arguments. args=`stat -f "-o %Su -g %Sg -m %0Mp%0Lp" $1/$dir` log "install -d $args ${2}$dir" if [ -z "$dryrun" ]; then install -d $args ${2}$dir >&3 2>&1 fi return 0 } # Perform post-install fixups for a file. This largely consists of # regenerating any files that depend on the newly installed file. # # $1 - pathname of the updated file (relative to DESTDIR) post_install_file() { case $1 in /etc/mail/aliases) # Grr, newaliases only works for an empty DESTDIR. if [ -z "$DESTDIR" ]; then log "newaliases" if [ -z "$dryrun" ]; then newaliases >&3 2>&1 fi else NEWALIAS_WARN=yes fi ;; + /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + log "certctl rehash" + if [ -z "$dryrun" ]; then + env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1 + fi + ;; /etc/login.conf) log "cap_mkdb ${DESTDIR}$1" if [ -z "$dryrun" ]; then cap_mkdb ${DESTDIR}$1 >&3 2>&1 fi ;; /etc/master.passwd) log "pwd_mkdb -p -d $DESTDIR/etc ${DESTDIR}$1" if [ -z "$dryrun" ]; then pwd_mkdb -p -d $DESTDIR/etc ${DESTDIR}$1 \ >&3 2>&1 fi ;; /etc/motd) # /etc/rc.d/motd hardcodes the /etc/motd path. # Don't warn about non-empty DESTDIR's since this # change is only cosmetic anyway. if [ -z "$DESTDIR" ]; then log "sh /etc/rc.d/motd start" if [ -z "$dryrun" ]; then sh /etc/rc.d/motd start >&3 2>&1 fi fi ;; /etc/services) log "services_mkdb -q -o $DESTDIR/var/db/services.db" \ "${DESTDIR}$1" if [ -z "$dryrun" ]; then services_mkdb -q -o $DESTDIR/var/db/services.db \ ${DESTDIR}$1 >&3 2>&1 fi ;; esac } # Install the "new" version of a file. Returns true if it succeeds # and false otherwise. # # $1 - pathname of the file to install (relative to DESTDIR) install_new() { if ! install_dirs $NEWTREE "$DESTDIR" $1; then return 1 fi log "cp -Rp ${NEWTREE}$1 ${DESTDIR}$1" if [ -z "$dryrun" ]; then cp -Rp ${NEWTREE}$1 ${DESTDIR}$1 >&3 2>&1 fi post_install_file $1 return 0 } # Install the "resolved" version of a file. Returns true if it succeeds # and false otherwise. # # $1 - pathname of the file to install (relative to DESTDIR) install_resolved() { # This should always be present since the file is already # there (it caused a conflict). However, it doesn't hurt to # just be safe. if ! install_dirs $NEWTREE "$DESTDIR" $1; then return 1 fi log "cp -Rp ${CONFLICTS}$1 ${DESTDIR}$1" cp -Rp ${CONFLICTS}$1 ${DESTDIR}$1 >&3 2>&1 post_install_file $1 return 0 } # Generate a conflict file when a "new" file conflicts with an # existing file in DESTDIR. # # $1 - pathname of the file that conflicts (relative to DESTDIR) new_conflict() { if [ -n "$dryrun" ]; then return fi install_dirs $NEWTREE $CONFLICTS $1 diff --changed-group-format='<<<<<<< (local) %<======= %>>>>>>>> (stock) ' $DESTDIR/$1 $NEWTREE/$1 > $CONFLICTS/$1 } # Remove the "old" version of a file. # # $1 - pathname of the old file to remove (relative to DESTDIR) remove_old() { log "rm -f ${DESTDIR}$1" if [ -z "$dryrun" ]; then rm -f ${DESTDIR}$1 >&3 2>&1 fi echo " D $1" } # Update a file that has no local modifications. # # $1 - pathname of the file to update (relative to DESTDIR) update_unmodified() { local new old # If the old file is a directory, then remove it with rmdir # (this should only happen if the file has changed its type # from a directory to a non-directory). If the directory # isn't empty, then fail. This will be reported as a warning # later. if [ -d $DESTDIR/$1 ]; then if empty_destdir $1; then log "rmdir ${DESTDIR}$1" if [ -z "$dryrun" ]; then rmdir ${DESTDIR}$1 >&3 2>&1 fi else return 1 fi # If both the old and new files are regular files, leave the # existing file. This avoids breaking hard links for /.cshrc # and /.profile. Otherwise, explicitly remove the old file. elif ! [ -f ${DESTDIR}$1 -a -f ${NEWTREE}$1 ]; then log "rm -f ${DESTDIR}$1" if [ -z "$dryrun" ]; then rm -f ${DESTDIR}$1 >&3 2>&1 fi fi # If the new file is a directory, note that the old file has # been removed, but don't do anything else for now. The # directory will be installed if needed when new files within # that directory are installed. if [ -d $NEWTREE/$1 ]; then if empty_dir $NEWTREE/$1; then echo " D $file" else echo " U $file" fi elif install_new $1; then echo " U $file" fi return 0 } # Update the FreeBSD ID string in a locally modified file to match the # FreeBSD ID string from the "new" version of the file. # # $1 - pathname of the file to update (relative to DESTDIR) update_freebsdid() { local new dest file # If the FreeBSD ID string is removed from the local file, # there is nothing to do. In this case, treat the file as # updated. Otherwise, if either file has more than one # FreeBSD ID string, just punt and let the user handle the # conflict manually. new=`grep -c '\$FreeBSD.*\$' ${NEWTREE}$1` dest=`grep -c '\$FreeBSD.*\$' ${DESTDIR}$1` if [ "$dest" -eq 0 ]; then return 0 fi if [ "$dest" -ne 1 -o "$dest" -ne 1 ]; then return 1 fi # If the FreeBSD ID string in the new file matches the FreeBSD ID # string in the local file, there is nothing to do. new=`grep '\$FreeBSD.*\$' ${NEWTREE}$1` dest=`grep '\$FreeBSD.*\$' ${DESTDIR}$1` if [ "$new" = "$dest" ]; then return 0 fi # Build the new file in three passes. First, copy all the # lines preceding the FreeBSD ID string from the local version # of the file. Second, append the FreeBSD ID string line from # the new version. Finally, append all the lines after the # FreeBSD ID string from the local version of the file. file=`mktemp $WORKDIR/etcupdate-XXXXXXX` awk '/\$FreeBSD.*\$/ { exit } { print }' ${DESTDIR}$1 >> $file awk '/\$FreeBSD.*\$/ { print }' ${NEWTREE}$1 >> $file awk '/\$FreeBSD.*\$/ { ok = 1; next } { if (ok) print }' \ ${DESTDIR}$1 >> $file # As an extra sanity check, fail the attempt if the updated # version of the file has any differences aside from the # FreeBSD ID string. if ! fbsdid_only ${DESTDIR}$1 $file; then rm -f $file return 1 fi log "cp $file ${DESTDIR}$1" if [ -z "$dryrun" ]; then cp $file ${DESTDIR}$1 >&3 2>&1 fi rm -f $file post_install_file $1 echo " M $1" return 0 } # Attempt to update a file that has local modifications. This routine # only handles regular files. If the 3-way merge succeeds without # conflicts, the updated file is installed. If the merge fails, the # merged version with conflict markers is left in the CONFLICTS tree. # # $1 - pathname of the file to merge (relative to DESTDIR) merge_file() { local res # Try the merge to see if there is a conflict. diff3 -E -m ${DESTDIR}$1 ${OLDTREE}$1 ${NEWTREE}$1 > /dev/null 2>&3 res=$? case $res in 0) # No conflicts, so just redo the merge to the # real file. log "diff3 -E -m ${DESTDIR}$1 ${OLDTREE}$1 ${NEWTREE}$1" if [ -z "$dryrun" ]; then temp=$(mktemp -t etcupdate) diff3 -E -m ${DESTDIR}$1 ${OLDTREE}$1 ${NEWTREE}$1 > ${temp} # Use "cat >" to preserve metadata. cat ${temp} > ${DESTDIR}$1 rm -f ${temp} fi post_install_file $1 echo " M $1" ;; 1) # Conflicts, save a version with conflict markers in # the conflicts directory. if [ -z "$dryrun" ]; then install_dirs $NEWTREE $CONFLICTS $1 log "diff3 -m -A ${DESTDIR}$1 ${CONFLICTS}$1" diff3 -m -A -L "yours" -L "original" -L "new" \ ${DESTDIR}$1 ${OLDTREE}$1 ${NEWTREE}$1 > \ ${CONFLICTS}$1 fi echo " C $1" ;; *) panic "merge failed with status $res" ;; esac } # Returns true if a file contains conflict markers from a merge conflict. # # $1 - pathname of the file to resolve (relative to DESTDIR) has_conflicts() { egrep -q '^(<{7}|\|{7}|={7}|>{7}) ' $CONFLICTS/$1 } # Attempt to resolve a conflict. The user is prompted to choose an # action for each conflict. If the user edits the file, they are # prompted again for an action. The process is very similar to # resolving conflicts after an update or merge with Perforce or # Subversion. The prompts are modelled on a subset of the available # commands for resolving conflicts with Subversion. # # $1 - pathname of the file to resolve (relative to DESTDIR) resolve_conflict() { local command junk echo "Resolving conflict in '$1':" edit= while true; do # Only display the resolved command if the file # doesn't contain any conflicts. echo -n "Select: (p) postpone, (df) diff-full, (e) edit," if ! has_conflicts $1; then echo -n " (r) resolved," fi echo echo -n " (h) help for more options: " read command case $command in df) diff -u ${DESTDIR}$1 ${CONFLICTS}$1 ;; e) $EDITOR ${CONFLICTS}$1 ;; h) cat </dev/null 2>&1 fi echo " D $dir" else warn "Non-empty directory remains: $dir" fi fi } # Handle a file that exists in both the old and new trees. If the # file has not changed in the old and new trees, there is nothing to # do. If the file in the destination directory matches the new file, # there is nothing to do. If the file in the destination directory # matches the old file, then the new file should be installed. # Everything else becomes some sort of conflict with more detailed # handling. # # $1 - pathname of the file (relative to DESTDIR) handle_modified_file() { local cmp dest file new newdestcmp old file=$1 if ignore $file; then log "IGNORE: modified file $file" return fi compare $OLDTREE/$file $NEWTREE/$file cmp=$? if [ $cmp -eq $COMPARE_EQUAL ]; then return fi if [ $cmp -eq $COMPARE_ONLYFIRST -o $cmp -eq $COMPARE_ONLYSECOND ]; then panic "Changed file now missing" fi compare $NEWTREE/$file $DESTDIR/$file newdestcmp=$? if [ $newdestcmp -eq $COMPARE_EQUAL ]; then return fi # If the only change in the new file versus the destination # file is a change in the FreeBSD ID string and -F is # specified, just install the new file. if [ -n "$FREEBSD_ID" -a $newdestcmp -eq $COMPARE_DIFFFILES ] && \ fbsdid_only $NEWTREE/$file $DESTDIR/$file; then if update_unmodified $file; then return else panic "Updating FreeBSD ID string failed" fi fi # If the local file is the same as the old file, install the # new file. If -F is specified and the only local change is # in the FreeBSD ID string, then install the new file as well. if compare_fbsdid $OLDTREE/$file $DESTDIR/$file; then if update_unmodified $file; then return fi fi # If the file was removed from the dest tree, just whine. if [ $newdestcmp -eq $COMPARE_ONLYFIRST ]; then # If the removed file matches an ALWAYS_INSTALL glob, # then just install the new version of the file. if always_install $file; then log "ALWAYS: adding $file" if ! [ -d $NEWTREE/$file ]; then if install_new $file; then echo " A $file" fi fi return fi # If the only change in the new file versus the old # file is a change in the FreeBSD ID string and -F is # specified, don't warn. if [ -n "$FREEBSD_ID" -a $cmp -eq $COMPARE_DIFFFILES ] && \ fbsdid_only $OLDTREE/$file $NEWTREE/$file; then return fi case $cmp in $COMPARE_DIFFTYPE) old=`file_type $OLDTREE/$file` new=`file_type $NEWTREE/$file` warn "Remove mismatch: $file ($old became $new)" ;; $COMPARE_DIFFLINKS) old=`readlink $OLDTREE/$file` new=`readlink $NEWTREE/$file` warn \ "Removed link changed: $file (\"$old\" became \"$new\")" ;; $COMPARE_DIFFFILES) warn "Removed file changed: $file" ;; esac return fi # Treat the file as unmodified and force install of the new # file if it matches an ALWAYS_INSTALL glob. If the update # attempt fails, then fall through to the normal case so a # warning is generated. if always_install $file; then log "ALWAYS: updating $file" if update_unmodified $file; then return fi fi # If the only change in the new file versus the old file is a # change in the FreeBSD ID string and -F is specified, just # update the FreeBSD ID string in the local file. if [ -n "$FREEBSD_ID" -a $cmp -eq $COMPARE_DIFFFILES ] && \ fbsdid_only $OLDTREE/$file $NEWTREE/$file; then if update_freebsdid $file; then continue fi fi # If the file changed types between the old and new trees but # the files in the new and dest tree are both of the same # type, treat it like an added file just comparing the new and # dest files. if [ $cmp -eq $COMPARE_DIFFTYPE ]; then case $newdestcmp in $COMPARE_DIFFLINKS) new=`readlink $NEWTREE/$file` dest=`readlink $DESTDIR/$file` warn \ "New link conflict: $file (\"$new\" vs \"$dest\")" return ;; $COMPARE_DIFFFILES) new_conflict $file echo " C $file" return ;; esac else # If the file has not changed types between the old # and new trees, but it is a different type in # DESTDIR, then just warn. if [ $newdestcmp -eq $COMPARE_DIFFTYPE ]; then new=`file_type $NEWTREE/$file` dest=`file_type $DESTDIR/$file` warn "Modified mismatch: $file ($new vs $dest)" return fi fi case $cmp in $COMPARE_DIFFTYPE) old=`file_type $OLDTREE/$file` new=`file_type $NEWTREE/$file` dest=`file_type $DESTDIR/$file` warn "Modified $dest changed: $file ($old became $new)" ;; $COMPARE_DIFFLINKS) old=`readlink $OLDTREE/$file` new=`readlink $NEWTREE/$file` warn \ "Modified link changed: $file (\"$old\" became \"$new\")" ;; $COMPARE_DIFFFILES) merge_file $file ;; esac } # Handle a file that has been added in the new tree. If the file does # not exist in DESTDIR, simply copy the file into DESTDIR. If the # file exists in the DESTDIR and is identical to the new version, do # nothing. Otherwise, generate a diff of the two versions of the file # and mark it as a conflict. # # $1 - pathname of the file (relative to DESTDIR) handle_added_file() { local cmp dest file new file=$1 if ignore $file; then log "IGNORE: added file $file" return fi compare $DESTDIR/$file $NEWTREE/$file cmp=$? case $cmp in $COMPARE_EQUAL) return ;; $COMPARE_ONLYFIRST) panic "Added file now missing" ;; $COMPARE_ONLYSECOND) # Ignore new directories. They will be # created as needed when non-directory nodes # are installed. if ! [ -d $NEWTREE/$file ]; then if install_new $file; then echo " A $file" fi fi return ;; esac # Treat the file as unmodified and force install of the new # file if it matches an ALWAYS_INSTALL glob. If the update # attempt fails, then fall through to the normal case so a # warning is generated. if always_install $file; then log "ALWAYS: updating $file" if update_unmodified $file; then return fi fi case $cmp in $COMPARE_DIFFTYPE) new=`file_type $NEWTREE/$file` dest=`file_type $DESTDIR/$file` warn "New file mismatch: $file ($new vs $dest)" ;; $COMPARE_DIFFLINKS) new=`readlink $NEWTREE/$file` dest=`readlink $DESTDIR/$file` warn "New link conflict: $file (\"$new\" vs \"$dest\")" ;; $COMPARE_DIFFFILES) # If the only change in the new file versus # the destination file is a change in the # FreeBSD ID string and -F is specified, just # install the new file. if [ -n "$FREEBSD_ID" ] && \ fbsdid_only $NEWTREE/$file $DESTDIR/$file; then if update_unmodified $file; then return else panic \ "Updating FreeBSD ID string failed" fi fi new_conflict $file echo " C $file" ;; esac } # Main routines for each command # Build a new tree and save it in a tarball. build_cmd() { local dir if [ $# -ne 1 ]; then echo "Missing required tarball." echo usage fi log "build command: $1" # Create a temporary directory to hold the tree dir=`mktemp -d $WORKDIR/etcupdate-XXXXXXX` if [ $? -ne 0 ]; then echo "Unable to create temporary directory." exit 1 fi if ! build_tree $dir; then echo "Failed to build tree." remove_tree $dir exit 1 fi if ! tar cfj $1 -C $dir . >&3 2>&1; then echo "Failed to create tarball." remove_tree $dir exit 1 fi remove_tree $dir } # Output a diff comparing the tree at DESTDIR to the current # unmodified tree. Note that this diff does not include files that # are present in DESTDIR but not in the unmodified tree. diff_cmd() { local file if [ $# -ne 0 ]; then usage fi # Requires an unmodified tree to diff against. if ! [ -d $NEWTREE ]; then echo "Reference tree to diff against unavailable." exit 1 fi # Unfortunately, diff alone does not quite provide the right # level of options that we want, so improvise. for file in `(cd $NEWTREE; find .) | sed -e 's/^\.//'`; do if ignore $file; then continue fi diffnode $NEWTREE "$DESTDIR" $file "stock" "local" done } # Just extract a new tree into NEWTREE either by building a tree or # extracting a tarball. This can be used to bootstrap updates by # initializing the current "stock" tree to match the currently # installed system. # # Unlike 'update', this command does not rotate or preserve an # existing NEWTREE, it just replaces any existing tree. extract_cmd() { if [ $# -ne 0 ]; then usage fi log "extract command: tarball=$tarball" if [ -d $NEWTREE ]; then if ! remove_tree $NEWTREE; then echo "Unable to remove current tree." exit 1 fi fi extract_tree } # Resolve conflicts left from an earlier merge. resolve_cmd() { local conflicts if [ $# -ne 0 ]; then usage fi if ! [ -d $CONFLICTS ]; then return fi if ! [ -d $NEWTREE ]; then echo "The current tree is not present to resolve conflicts." exit 1 fi conflicts=`(cd $CONFLICTS; find . ! -type d) | sed -e 's/^\.//'` for file in $conflicts; do resolve_conflict $file done if [ -n "$NEWALIAS_WARN" ]; then warn "Needs update: /etc/mail/aliases.db" \ "(requires manual update via newaliases(1))" echo echo "Warnings:" echo " Needs update: /etc/mail/aliases.db" \ "(requires manual update via newaliases(1))" fi } # Report a summary of the previous merge. Specifically, list any # remaining conflicts followed by any warnings from the previous # update. status_cmd() { if [ $# -ne 0 ]; then usage fi if [ -d $CONFLICTS ]; then (cd $CONFLICTS; find . ! -type d) | sed -e 's/^\./ C /' fi if [ -s $WARNINGS ]; then echo "Warnings:" cat $WARNINGS fi } # Perform an actual merge. The new tree can either already exist (if # rerunning a merge), be extracted from a tarball, or generated from a # source tree. update_cmd() { local dir if [ $# -ne 0 ]; then usage fi log "update command: rerun=$rerun tarball=$tarball preworld=$preworld" if [ `id -u` -ne 0 ]; then echo "Must be root to update a tree." exit 1 fi # Enforce a sane umask umask 022 # XXX: Should existing conflicts be ignored and removed during # a rerun? # Trim the conflicts tree. Whine if there is anything left. if [ -e $CONFLICTS ]; then find -d $CONFLICTS -type d -empty -delete >&3 2>&1 rmdir $CONFLICTS >&3 2>&1 fi if [ -d $CONFLICTS ]; then echo "Conflicts remain from previous update, aborting." exit 1 fi if [ -z "$rerun" ]; then # For a dryrun that is not a rerun, do not rotate the existing # stock tree. Instead, extract a tree to a temporary directory # and use that for the comparison. if [ -n "$dryrun" ]; then dir=`mktemp -d $WORKDIR/etcupdate-XXXXXXX` if [ $? -ne 0 ]; then echo "Unable to create temporary directory." exit 1 fi # A pre-world dryrun has already set OLDTREE to # point to the current stock tree. if [ -z "$preworld" ]; then OLDTREE=$NEWTREE fi NEWTREE=$dir # For a pre-world update, blow away any pre-existing # NEWTREE. elif [ -n "$preworld" ]; then if ! remove_tree $NEWTREE; then echo "Unable to remove pre-world tree." exit 1 fi # Rotate the existing stock tree to the old tree. elif [ -d $NEWTREE ]; then # First, delete the previous old tree if it exists. if ! remove_tree $OLDTREE; then echo "Unable to remove old tree." exit 1 fi # Move the current stock tree. if ! mv $NEWTREE $OLDTREE >&3 2>&1; then echo "Unable to rename current stock tree." exit 1 fi fi if ! [ -d $OLDTREE ]; then cat < $WORKDIR/old.files (cd $NEWTREE; find .) | sed -e 's/^\.//' | sort > $WORKDIR/new.files # Split the files up into three groups using comm. comm -23 $WORKDIR/old.files $WORKDIR/new.files > $WORKDIR/removed.files comm -13 $WORKDIR/old.files $WORKDIR/new.files > $WORKDIR/added.files comm -12 $WORKDIR/old.files $WORKDIR/new.files > $WORKDIR/both.files # Initialize conflicts and warnings handling. rm -f $WARNINGS mkdir -p $CONFLICTS # Ignore removed files for the pre-world case. A pre-world # update uses a stripped-down tree. if [ -n "$preworld" ]; then > $WORKDIR/removed.files fi # The order for the following sections is important. In the # odd case that a directory is converted into a file, the # existing subfiles need to be removed if possible before the # file is converted. Similarly, in the case that a file is # converted into a directory, the file needs to be converted # into a directory if possible before the new files are added. # First, handle removed files. for file in `cat $WORKDIR/removed.files`; do handle_removed_file $file done # For the directory pass, reverse sort the list to effect a # depth-first traversal. This is needed to ensure that if a # directory with subdirectories is removed, the entire # directory is removed if there are no local modifications. for file in `sort -r $WORKDIR/removed.files`; do handle_removed_directory $file done # Second, handle files that exist in both the old and new # trees. for file in `cat $WORKDIR/both.files`; do handle_modified_file $file done # Finally, handle newly added files. for file in `cat $WORKDIR/added.files`; do handle_added_file $file done if [ -n "$NEWALIAS_WARN" ]; then warn "Needs update: /etc/mail/aliases.db" \ "(requires manual update via newaliases(1))" fi # Run any special one-off commands after an update has completed. post_update if [ -s $WARNINGS ]; then echo "Warnings:" cat $WARNINGS fi if [ -n "$dir" ]; then if [ -z "$dryrun" -o -n "$rerun" ]; then panic "Should not have a temporary directory" fi remove_tree $dir fi } # Determine which command we are executing. A command may be # specified as the first word. If one is not specified then 'update' # is assumed as the default command. command="update" if [ $# -gt 0 ]; then case "$1" in build|diff|extract|status|resolve) command="$1" shift ;; -*) # If first arg is an option, assume the # default command. ;; *) usage ;; esac fi # Set default variable values. # The path to the source tree used to build trees. SRCDIR=/usr/src # The destination directory where the modified files live. DESTDIR= # Ignore changes in the FreeBSD ID string. FREEBSD_ID= # Files that should always have the new version of the file installed. ALWAYS_INSTALL= # Files to ignore and never update during a merge. IGNORE_FILES= # Flags to pass to 'make' when building a tree. MAKE_OPTIONS= # Include a config file if it exists. Note that command line options # override any settings in the config file. More details are in the # manual, but in general the following variables can be set: # - ALWAYS_INSTALL # - DESTDIR # - EDITOR # - FREEBSD_ID # - IGNORE_FILES # - LOGFILE # - MAKE_OPTIONS # - SRCDIR # - WORKDIR if [ -r /etc/etcupdate.conf ]; then . /etc/etcupdate.conf fi # Parse command line options tarball= rerun= always= dryrun= ignore= nobuild= preworld= while getopts "d:nprs:t:A:BD:FI:L:M:" option; do case "$option" in d) WORKDIR=$OPTARG ;; n) dryrun=YES ;; p) preworld=YES ;; r) rerun=YES ;; s) SRCDIR=$OPTARG ;; t) tarball=$OPTARG ;; A) # To allow this option to be specified # multiple times, accumulate command-line # specified patterns in an 'always' variable # and use that to overwrite ALWAYS_INSTALL # after parsing all options. Need to be # careful here with globbing expansion. set -o noglob always="$always $OPTARG" set +o noglob ;; B) nobuild=YES ;; D) DESTDIR=$OPTARG ;; F) FREEBSD_ID=YES ;; I) # To allow this option to be specified # multiple times, accumulate command-line # specified patterns in an 'ignore' variable # and use that to overwrite IGNORE_FILES after # parsing all options. Need to be careful # here with globbing expansion. set -o noglob ignore="$ignore $OPTARG" set +o noglob ;; L) LOGFILE=$OPTARG ;; M) MAKE_OPTIONS="$OPTARG" ;; *) echo usage ;; esac done shift $((OPTIND - 1)) # Allow -A command line options to override ALWAYS_INSTALL set from # the config file. set -o noglob if [ -n "$always" ]; then ALWAYS_INSTALL="$always" fi # Allow -I command line options to override IGNORE_FILES set from the # config file. if [ -n "$ignore" ]; then IGNORE_FILES="$ignore" fi set +o noglob # Where the "old" and "new" trees are stored. WORKDIR=${WORKDIR:-$DESTDIR/var/db/etcupdate} # Log file for verbose output from program that are run. The log file # is opened on fd '3'. LOGFILE=${LOGFILE:-$WORKDIR/log} # The path of the "old" tree OLDTREE=$WORKDIR/old # The path of the "new" tree NEWTREE=$WORKDIR/current # The path of the "conflicts" tree where files with merge conflicts are saved. CONFLICTS=$WORKDIR/conflicts # The path of the "warnings" file that accumulates warning notes from an update. WARNINGS=$WORKDIR/warnings # Use $EDITOR for resolving conflicts. If it is not set, default to vi. EDITOR=${EDITOR:-/usr/bin/vi} # Files that need to be updated before installworld. PREWORLD_FILES="etc/master.passwd etc/group" # Handle command-specific argument processing such as complaining # about unsupported options. Since the configuration file is always # included, do not complain about extra command line arguments that # may have been set via the config file rather than the command line. case $command in update) if [ -n "$rerun" -a -n "$tarball" ]; then echo "Only one of -r or -t can be specified." echo usage fi if [ -n "$rerun" -a -n "$preworld" ]; then echo "Only one of -p or -r can be specified." echo usage fi ;; build|diff|status) if [ -n "$dryrun" -o -n "$rerun" -o -n "$tarball" -o \ -n "$preworld" ]; then usage fi ;; resolve) if [ -n "$dryrun" -o -n "$rerun" -o -n "$tarball" ]; then usage fi ;; extract) if [ -n "$dryrun" -o -n "$rerun" -o -n "$preworld" ]; then usage fi ;; esac # Pre-world mode uses a different set of trees. It leaves the current # tree as-is so it is still present for a full etcupdate run after the # world install is complete. Instead, it installs a few critical files # into a separate tree. if [ -n "$preworld" ]; then OLDTREE=$NEWTREE NEWTREE=$WORKDIR/preworld fi # Open the log file. Don't truncate it if doing a minor operation so # that a minor operation doesn't lose log info from a major operation. if ! mkdir -p $WORKDIR 2>/dev/null; then echo "Failed to create work directory $WORKDIR" fi case $command in diff|resolve|status) exec 3>>$LOGFILE ;; *) exec 3>$LOGFILE ;; esac ${command}_cmd "$@" Index: stable/11/usr.sbin/mergemaster/mergemaster.sh =================================================================== --- stable/11/usr.sbin/mergemaster/mergemaster.sh (revision 357081) +++ stable/11/usr.sbin/mergemaster/mergemaster.sh (revision 357082) @@ -1,1415 +1,1435 @@ #!/bin/sh # mergemaster # Compare files created by /usr/src/etc/Makefile (or the directory # the user specifies) with the currently installed copies. # Copyright (c) 1998-2012 Douglas Barton, All rights reserved # Please see detailed copyright below # $FreeBSD$ PATH=/bin:/usr/bin:/usr/sbin display_usage () { VERSION_NUMBER=`grep "[$]FreeBSD:" $0 | cut -d ' ' -f 4` echo "mergemaster version ${VERSION_NUMBER}" echo 'Usage: mergemaster [-scrvhpCP] [-a|[-iFU]] [--run-updates=always|never]' echo ' [-m /path] [-t /path] [-d] [-u N] [-w N] [-A arch] [-D /path]' echo "Options:" echo " -s Strict comparison (diff every pair of files)" echo " -c Use context diff instead of unified diff" echo " -r Re-run on a previously cleaned directory (skip temproot creation)" echo " -v Be more verbose about the process, include additional checks" echo " -a Leave all files that differ to merge by hand" echo " -h Display more complete help" echo ' -i Automatically install files that do not exist in destination directory' echo ' -p Pre-buildworld mode, only compares crucial files' echo ' -F Install files that differ only by revision control Id ($FreeBSD)' echo ' -C Compare local rc.conf variables to the defaults' echo ' -P Preserve files that are overwritten' echo " -U Attempt to auto upgrade files that have not been user modified" echo ' ***DANGEROUS***' echo ' --run-updates= Specify always or never to run newalises, pwd_mkdb, etc.' echo '' echo " -m /path/directory Specify location of source to do the make in" echo " -t /path/directory Specify temp root directory" echo " -d Add date and time to directory name (e.g., /var/tmp/temproot.`date +%m%d.%H.%M`)" echo " -u N Specify a numeric umask" echo " -w N Specify a screen width in columns to sdiff" echo " -A architecture Alternative architecture name to pass to make" echo ' -D /path/directory Specify the destination directory to install files to' echo '' } display_help () { echo "* To specify a directory other than /var/tmp/temproot for the" echo " temporary root environment, use -t /path/to/temp/root" echo "* The -w option takes a number as an argument for the column width" echo " of the screen. The default is 80." echo '* The -a option causes mergemaster to run without prompting.' } # Loop allowing the user to use sdiff to merge files and display the merged # file. merge_loop () { case "${VERBOSE}" in '') ;; *) echo " *** Type h at the sdiff prompt (%) to get usage help" ;; esac echo '' MERGE_AGAIN=yes while [ "${MERGE_AGAIN}" = "yes" ]; do # Prime file.merged so we don't blat the owner/group id's cp -p "${COMPFILE}" "${COMPFILE}.merged" sdiff -o "${COMPFILE}.merged" --text --suppress-common-lines \ --width=${SCREEN_WIDTH:-80} "${DESTDIR}${COMPFILE#.}" "${COMPFILE}" INSTALL_MERGED=V while [ "${INSTALL_MERGED}" = "v" -o "${INSTALL_MERGED}" = "V" ]; do echo '' echo " Use 'i' to install merged file" echo " Use 'r' to re-do the merge" echo " Use 'v' to view the merged file" echo " Default is to leave the temporary file to deal with by hand" echo '' echo -n " *** How should I deal with the merged file? [Leave it for later] " read INSTALL_MERGED case "${INSTALL_MERGED}" in [iI]) mv "${COMPFILE}.merged" "${COMPFILE}" echo '' if mm_install "${COMPFILE}"; then echo " *** Merged version of ${COMPFILE} installed successfully" else echo " *** Problem installing ${COMPFILE}, it will remain to merge by hand later" fi unset MERGE_AGAIN ;; [rR]) rm "${COMPFILE}.merged" ;; [vV]) ${PAGER} "${COMPFILE}.merged" ;; '') echo " *** ${COMPFILE} will remain for your consideration" unset MERGE_AGAIN ;; *) echo "invalid choice: ${INSTALL_MERGED}" INSTALL_MERGED=V ;; esac done done } # Loop showing user differences between files, allow merge, skip or install # options diff_loop () { HANDLE_COMPFILE=v while [ "${HANDLE_COMPFILE}" = "v" -o "${HANDLE_COMPFILE}" = "V" -o \ "${HANDLE_COMPFILE}" = "NOT V" ]; do if [ -f "${DESTDIR}${COMPFILE#.}" -a -f "${COMPFILE}" ]; then if [ -n "${AUTO_UPGRADE}" -a -n "${CHANGED}" ]; then case "${CHANGED}" in *:${DESTDIR}${COMPFILE#.}:*) ;; # File has been modified *) echo '' echo " *** ${COMPFILE} has not been user modified." echo '' if mm_install "${COMPFILE}"; then echo " *** ${COMPFILE} upgraded successfully" echo '' # Make the list print one file per line AUTO_UPGRADED_FILES="${AUTO_UPGRADED_FILES} ${DESTDIR}${COMPFILE#.} " else echo " *** Problem upgrading ${COMPFILE}, it will remain to merge by hand" fi return ;; esac fi if [ "${HANDLE_COMPFILE}" = "v" -o "${HANDLE_COMPFILE}" = "V" ]; then echo '' echo ' ====================================================================== ' echo '' ( echo " *** Displaying differences between ${COMPFILE} and installed version:" echo '' diff ${DIFF_FLAG} ${DIFF_OPTIONS} "${DESTDIR}${COMPFILE#.}" "${COMPFILE}" ) | ${PAGER} echo '' fi else echo '' echo " *** There is no installed version of ${COMPFILE}" echo '' case "${AUTO_INSTALL}" in [Yy][Ee][Ss]) echo '' if mm_install "${COMPFILE}"; then echo " *** ${COMPFILE} installed successfully" echo '' # Make the list print one file per line AUTO_INSTALLED_FILES="${AUTO_INSTALLED_FILES} ${DESTDIR}${COMPFILE#.} " else echo " *** Problem installing ${COMPFILE}, it will remain to merge by hand" fi return ;; *) NO_INSTALLED=yes ;; esac fi echo " Use 'd' to delete the temporary ${COMPFILE}" echo " Use 'i' to install the temporary ${COMPFILE}" case "${NO_INSTALLED}" in '') echo " Use 'm' to merge the temporary and installed versions" echo " Use 'v' to view the diff results again" ;; esac echo '' echo " Default is to leave the temporary file to deal with by hand" echo '' echo -n "How should I deal with this? [Leave it for later] " read HANDLE_COMPFILE case "${HANDLE_COMPFILE}" in [dD]) rm "${COMPFILE}" echo '' echo " *** Deleting ${COMPFILE}" ;; [iI]) echo '' if mm_install "${COMPFILE}"; then echo " *** ${COMPFILE} installed successfully" else echo " *** Problem installing ${COMPFILE}, it will remain to merge by hand" fi ;; [mM]) case "${NO_INSTALLED}" in '') # interact with user to merge files merge_loop ;; *) echo '' echo " *** There is no installed version of ${COMPFILE}" echo '' HANDLE_COMPFILE="NOT V" ;; esac # End of "No installed version of file but user selected merge" test ;; [vV]) continue ;; '') echo '' echo " *** ${COMPFILE} will remain for your consideration" ;; *) # invalid choice, show menu again. echo "invalid choice: ${HANDLE_COMPFILE}" echo '' HANDLE_COMPFILE="NOT V" continue ;; esac # End of "How to handle files that are different" done unset NO_INSTALLED echo '' case "${VERBOSE}" in '') ;; *) sleep 3 ;; esac } press_to_continue () { local DISCARD echo -n ' *** Press the [Enter] or [Return] key to continue ' read DISCARD } # Set the default path for the temporary root environment # TEMPROOT='/var/tmp/temproot' # Read /etc/mergemaster.rc first so the one in $HOME can override # if [ -r /etc/mergemaster.rc ]; then . /etc/mergemaster.rc fi # Read .mergemasterrc before command line so CLI can override # if [ -r "$HOME/.mergemasterrc" ]; then . "$HOME/.mergemasterrc" fi for var in "$@" ; do case "$var" in --run-updates*) RUN_UPDATES=`echo ${var#--run-updates=} | tr [:upper:] [:lower:]` ;; *) newopts="$newopts $var" ;; esac done set -- $newopts unset var newopts # Check the command line options # while getopts ":ascrvhipCPm:t:du:w:D:A:FU" COMMAND_LINE_ARGUMENT ; do case "${COMMAND_LINE_ARGUMENT}" in A) ARCHSTRING='TARGET_ARCH='${OPTARG} ;; F) FREEBSD_ID=yes ;; U) AUTO_UPGRADE=yes ;; s) STRICT=yes unset DIFF_OPTIONS ;; c) DIFF_FLAG='-c' ;; r) RERUN=yes ;; v) case "${AUTO_RUN}" in '') VERBOSE=yes ;; esac ;; a) AUTO_RUN=yes unset VERBOSE ;; h) display_usage display_help exit 0 ;; i) AUTO_INSTALL=yes ;; C) COMP_CONFS=yes ;; P) PRESERVE_FILES=yes ;; p) PRE_WORLD=yes unset COMP_CONFS unset AUTO_RUN ;; m) SOURCEDIR=${OPTARG} ;; t) TEMPROOT=${OPTARG} ;; d) TEMPROOT=${TEMPROOT}.`date +%m%d.%H.%M` ;; u) NEW_UMASK=${OPTARG} ;; w) SCREEN_WIDTH=${OPTARG} ;; D) DESTDIR=${OPTARG} ;; *) display_usage exit 1 ;; esac done if [ -n "$AUTO_RUN" ]; then if [ -n "$FREEBSD_ID" -o -n "$AUTO_UPGRADE" -o -n "$AUTO_INSTALL" ]; then echo '' echo "*** You have included the -a option along with one or more options" echo ' that indicate that you wish mergemaster to actually make updates' echo ' (-F, -U, or -i), however these options are not compatible.' echo ' Please read mergemaster(8) for more information.' echo '' exit 1 fi fi # Assign the location of the mtree database # MTREEDB=${MTREEDB:-${DESTDIR}/var/db} MTREEFILE="${MTREEDB}/mergemaster.mtree" # Don't force the user to set this in the mergemaster rc file if [ -n "${PRESERVE_FILES}" -a -z "${PRESERVE_FILES_DIR}" ]; then PRESERVE_FILES_DIR=/var/tmp/mergemaster/preserved-files-`date +%y%m%d-%H%M%S` mkdir -p ${PRESERVE_FILES_DIR} fi # Check for the mtree database in DESTDIR case "${AUTO_UPGRADE}" in '') ;; # If the option is not set no need to run the test or warn the user *) if [ ! -s "${MTREEFILE}" ]; then echo '' echo "*** Unable to find mtree database (${MTREEFILE})." echo " Skipping auto-upgrade on this run." echo " It will be created for the next run when this one is complete." echo '' case "${AUTO_RUN}" in '') press_to_continue ;; esac unset AUTO_UPGRADE fi ;; esac if [ -e "${DESTDIR}/etc/fstab" ]; then if grep -q nodev ${DESTDIR}/etc/fstab; then echo '' echo "*** You have the deprecated 'nodev' option in ${DESTDIR}/etc/fstab." echo " This can prevent the filesystem from being mounted on reboot." echo " Please update your fstab before continuing." echo " See fstab(5) for more information." echo '' exit 1 fi fi echo '' # If the user has a pager defined, make sure we can run it # case "${DONT_CHECK_PAGER}" in '') check_pager () { while ! type "${PAGER%% *}" >/dev/null; do echo " *** Your PAGER environment variable specifies '${PAGER}', but" echo " due to the limited PATH that I use for security reasons," echo " I cannot execute it. So, what would you like to do?" echo '' echo " Use 'e' to exit mergemaster and fix your PAGER variable" echo " Use 'l' to set PAGER to 'less' for this run" echo " Use 'm' to use plain old 'more' as your PAGER for this run" echo '' echo " or you may type an absolute path to PAGER for this run" echo '' echo " Default is to use plain old 'more' " echo '' echo -n "What should I do? [Use 'more'] " read FIXPAGER case "${FIXPAGER}" in [eE]) exit 0 ;; [lL]) PAGER=less ;; [mM]|'') PAGER=more ;; /*) PAGER="$FIXPAGER" ;; *) echo '' echo "invalid choice: ${FIXPAGER}" esac echo '' done } if [ -n "${PAGER}" ]; then check_pager fi ;; esac # If user has a pager defined, or got assigned one above, use it. # If not, use more. # PAGER=${PAGER:-more} if [ -n "${VERBOSE}" -a ! "${PAGER}" = "more" ]; then echo " *** You have ${PAGER} defined as your pager so we will use that" echo '' sleep 3 fi # Assign the diff flag once so we will not have to keep testing it # DIFF_FLAG=${DIFF_FLAG:--u} # Assign the source directory # SOURCEDIR=${SOURCEDIR:-/usr/src} if [ ! -f ${SOURCEDIR}/Makefile.inc1 -a \ -f ${SOURCEDIR}/../Makefile.inc1 ]; then echo " *** The source directory you specified (${SOURCEDIR})" echo " will be reset to ${SOURCEDIR}/.." echo '' sleep 3 SOURCEDIR=${SOURCEDIR}/.. fi SOURCEDIR=$(realpath "$SOURCEDIR") # Setup make to use system files from SOURCEDIR MM_MAKE="make ${ARCHSTRING} -m ${SOURCEDIR}/share/mk -DNO_FILEMON" MM_MAKE="${MM_MAKE} -j$(/sbin/sysctl -n hw.ncpu)" # Check DESTDIR against the mergemaster mtree database to see what # files the user changed from the reference files. # if [ -n "${AUTO_UPGRADE}" -a -s "${MTREEFILE}" ]; then # Force FreeBSD 9 compatible output when available. if mtree -F freebsd9 -c -p /var/empty/ > /dev/null 2>&1; then MTREE_FLAVOR="-F freebsd9" else MTREE_FLAVOR= fi CHANGED=: for file in `mtree -eqL ${MTREE_FLAVOR} -f ${MTREEFILE} -p ${DESTDIR}/ \ 2>/dev/null | awk '($2 == "changed") {print $1}'`; do if [ -f "${DESTDIR}/$file" ]; then CHANGED="${CHANGED}${DESTDIR}/${file}:" fi done [ "$CHANGED" = ':' ] && unset CHANGED fi # Check the width of the user's terminal # if [ -t 0 ]; then w=`tput columns` case "${w}" in 0|'') ;; # No-op, since the input is not valid *) case "${SCREEN_WIDTH}" in '') SCREEN_WIDTH="${w}" ;; "${w}") ;; # No-op, since they are the same *) echo -n "*** You entered ${SCREEN_WIDTH} as your screen width, but stty " echo "thinks it is ${w}." echo '' echo -n "What would you like to use? [${w}] " read SCREEN_WIDTH case "${SCREEN_WIDTH}" in '') SCREEN_WIDTH="${w}" ;; esac ;; esac esac fi # Define what $Id tag to look for to aid portability. # ID_TAG=FreeBSD delete_temproot () { rm -rf "${TEMPROOT}" 2>/dev/null chflags -R 0 "${TEMPROOT}" 2>/dev/null rm -rf "${TEMPROOT}" || { echo "*** Unable to delete ${TEMPROOT}"; exit 1; } } case "${RERUN}" in '') # Set up the loop to test for the existence of the # temp root directory. # TEST_TEMP_ROOT=yes while [ "${TEST_TEMP_ROOT}" = "yes" ]; do if [ -d "${TEMPROOT}" ]; then echo "*** The directory specified for the temporary root environment," echo " ${TEMPROOT}, exists. This can be a security risk if untrusted" echo " users have access to the system." echo '' case "${AUTO_RUN}" in '') echo " Use 'd' to delete the old ${TEMPROOT} and continue" echo " Use 't' to select a new temporary root directory" echo " Use 'e' to exit mergemaster" echo '' echo " Default is to use ${TEMPROOT} as is" echo '' echo -n "How should I deal with this? [Use the existing ${TEMPROOT}] " read DELORNOT case "${DELORNOT}" in [dD]) echo '' echo " *** Deleting the old ${TEMPROOT}" echo '' delete_temproot unset TEST_TEMP_ROOT ;; [tT]) echo " *** Enter new directory name for temporary root environment" read TEMPROOT ;; [eE]) exit 0 ;; '') echo '' echo " *** Leaving ${TEMPROOT} intact" echo '' unset TEST_TEMP_ROOT ;; *) echo '' echo "invalid choice: ${DELORNOT}" echo '' ;; esac ;; *) # If this is an auto-run, try a hopefully safe alternative then # re-test anyway. TEMPROOT=/var/tmp/temproot.`date +%m%d.%H.%M.%S` ;; esac else unset TEST_TEMP_ROOT fi done echo "*** Creating the temporary root environment in ${TEMPROOT}" if mkdir -p "${TEMPROOT}"; then echo " *** ${TEMPROOT} ready for use" fi if [ ! -d "${TEMPROOT}" ]; then echo '' echo " *** FATAL ERROR: Cannot create ${TEMPROOT}" echo '' exit 1 fi echo " *** Creating and populating directory structure in ${TEMPROOT}" echo '' case "${VERBOSE}" in '') ;; *) press_to_continue ;; esac case "${PRE_WORLD}" in '') { cd ${SOURCEDIR} && case "${DESTDIR}" in '') ;; *) ${MM_MAKE} DESTDIR=${DESTDIR} distrib-dirs >/dev/null ;; esac ${MM_MAKE} DESTDIR=${TEMPROOT} distrib-dirs >/dev/null && ${MM_MAKE} _obj SUBDIR_OVERRIDE=etc >/dev/null && ${MM_MAKE} everything SUBDIR_OVERRIDE=etc >/dev/null && ${MM_MAKE} DESTDIR=${TEMPROOT} distribution >/dev/null;} || { echo ''; echo " *** FATAL ERROR: Cannot 'cd' to ${SOURCEDIR} and install files to"; echo " the temproot environment"; echo ''; exit 1;} ;; *) # Only set up files that are crucial to {build|install}world { mkdir -p ${TEMPROOT}/etc && cp -p ${SOURCEDIR}/etc/master.passwd ${TEMPROOT}/etc && install -p -o root -g wheel -m 0644 ${SOURCEDIR}/etc/group ${TEMPROOT}/etc;} || { echo ''; echo ' *** FATAL ERROR: Cannot copy files to the temproot environment'; echo ''; exit 1;} ;; esac # Doing the inventory and removing files that we don't want to compare only # makes sense if we are not doing a rerun, since we have no way of knowing # what happened to the files during previous incarnations. case "${VERBOSE}" in '') ;; *) echo '' echo ' *** The following files exist only in the installed version of' echo " ${DESTDIR}/etc. In the vast majority of cases these files" echo ' are necessary parts of the system and should not be deleted.' echo ' However because these files are not updated by this process you' echo ' might want to verify their status before rebooting your system.' echo '' press_to_continue diff -qr ${DESTDIR}/etc ${TEMPROOT}/etc | grep "^Only in ${DESTDIR}/etc" | ${PAGER} echo '' press_to_continue ;; esac case "${IGNORE_MOTD}" in '') ;; *) echo '' echo "*** You have the IGNORE_MOTD option set in your mergemaster rc file." echo " This option is deprecated in favor of the IGNORE_FILES option." echo " Please update your rc file accordingly." echo '' exit 1 ;; esac # Avoid comparing the following user specified files for file in ${IGNORE_FILES}; do test -e ${TEMPROOT}/${file} && unlink ${TEMPROOT}/${file} done # We really don't want to have to deal with files like login.conf.db, pwd.db, # or spwd.db. Instead, we want to compare the text versions, and run *_mkdb. # Prompt the user to do so below, as needed. # rm -f ${TEMPROOT}/etc/*.db ${TEMPROOT}/etc/passwd \ ${TEMPROOT}/var/db/services.db # We only need to compare things like freebsd.cf once find ${TEMPROOT}/usr/obj -type f -delete 2>/dev/null # Delete stuff we do not need to keep the mtree database small, # and to make the actual comparison faster. find ${TEMPROOT}/usr -type l -delete 2>/dev/null find ${TEMPROOT} -type f -size 0 -delete 2>/dev/null find -d ${TEMPROOT} -type d -empty -mindepth 1 -delete 2>/dev/null # Build the mtree database in a temporary location. case "${PRE_WORLD}" in '') MTREENEW=`mktemp -t mergemaster.mtree` mtree -nci -p ${TEMPROOT} -k size,md5digest > ${MTREENEW} 2>/dev/null ;; *) # We don't want to mess with the mtree database on a pre-world run or # when re-scanning a previously-built tree. ;; esac ;; # End of the "RERUN" test esac # Get ready to start comparing files # Check umask if not specified on the command line, # and we are not doing an autorun # if [ -z "${NEW_UMASK}" -a -z "${AUTO_RUN}" ]; then USER_UMASK=`umask` case "${USER_UMASK}" in 0022|022) ;; *) echo '' echo " *** Your umask is currently set to ${USER_UMASK}. By default, this script" echo " installs all files with the same user, group and modes that" echo " they are created with by ${SOURCEDIR}/etc/Makefile, compared to" echo " a umask of 022. This umask allows world read permission when" echo " the file's default permissions have it." echo '' echo " No world permissions can sometimes cause problems. A umask of" echo " 022 will restore the default behavior, but is not mandatory." echo " /etc/master.passwd is a special case. Its file permissions" echo " will be 600 (rw-------) if installed." echo '' echo -n "What umask should I use? [${USER_UMASK}] " read NEW_UMASK NEW_UMASK="${NEW_UMASK:-$USER_UMASK}" ;; esac echo '' fi CONFIRMED_UMASK=${NEW_UMASK:-0022} # # Warn users who still have old rc files # for file in atm devfs diskless1 diskless2 network network6 pccard \ serial syscons sysctl alpha amd64 i386 sparc64; do if [ -f "${DESTDIR}/etc/rc.${file}" ]; then OLD_RC_PRESENT=1 break fi done case "${OLD_RC_PRESENT}" in 1) echo '' echo " *** There are elements of the old rc system in ${DESTDIR}/etc/." echo '' echo ' While these scripts will not hurt anything, they are not' echo ' functional on an up to date system, and can be removed.' echo '' case "${AUTO_RUN}" in '') echo -n 'Move these files to /var/tmp/mergemaster/old_rc? [yes] ' read MOVE_OLD_RC case "${MOVE_OLD_RC}" in [nN]*) ;; *) mkdir -p /var/tmp/mergemaster/old_rc for file in atm devfs diskless1 diskless2 network network6 pccard \ serial syscons sysctl alpha amd64 i386 sparc64; do if [ -f "${DESTDIR}/etc/rc.${file}" ]; then mv ${DESTDIR}/etc/rc.${file} /var/tmp/mergemaster/old_rc/ fi done echo ' The files have been moved' press_to_continue ;; esac ;; *) ;; esac esac # Use the umask/mode information to install the files # Create directories as needed # install_error () { echo "*** FATAL ERROR: Unable to install ${1} to ${2}" echo '' exit 1 } do_install_and_rm () { case "${PRESERVE_FILES}" in [Yy][Ee][Ss]) if [ -f "${3}/${2##*/}" ]; then mkdir -p ${PRESERVE_FILES_DIR}/${2%/*} cp ${3}/${2##*/} ${PRESERVE_FILES_DIR}/${2%/*} fi ;; esac if [ ! -d "${3}/${2##*/}" ]; then if install -m ${1} ${2} ${3}; then unlink ${2} else install_error ${2} ${3} fi else install_error ${2} ${3} fi } # 4095 = "obase=10;ibase=8;07777" | bc find_mode () { local OCTAL OCTAL=$(( ~$(echo "obase=10; ibase=8; ${CONFIRMED_UMASK}" | bc) & 4095 & $(echo "obase=10; ibase=8; $(stat -f "%OMp%OLp" ${1})" | bc) )) printf "%04o\n" ${OCTAL} } mm_install () { local INSTALL_DIR INSTALL_DIR=${1#.} INSTALL_DIR=${INSTALL_DIR%/*} case "${INSTALL_DIR}" in '') INSTALL_DIR=/ ;; esac if [ -n "${DESTDIR}${INSTALL_DIR}" -a ! -d "${DESTDIR}${INSTALL_DIR}" ]; then DIR_MODE=`find_mode "${TEMPROOT}/${INSTALL_DIR}"` install -d -o root -g wheel -m "${DIR_MODE}" "${DESTDIR}${INSTALL_DIR}" || install_error $1 ${DESTDIR}${INSTALL_DIR} fi FILE_MODE=`find_mode "${1}"` if [ ! -x "${1}" ]; then case "${1#.}" in /etc/mail/aliases) NEED_NEWALIASES=yes ;; + /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + NEED_CERTCTL=yes + ;; /etc/login.conf) NEED_CAP_MKDB=yes ;; /etc/services) NEED_SERVICES_MKDB=yes ;; /etc/master.passwd) do_install_and_rm 600 "${1}" "${DESTDIR}${INSTALL_DIR}" NEED_PWD_MKDB=yes DONT_INSTALL=yes ;; /.cshrc | /.profile) local st_nlink # install will unlink the file before it installs the new one, # so we have to restore/create the link afterwards. # st_nlink=0 # In case the file does not yet exist eval $(stat -s ${DESTDIR}${COMPFILE#.} 2>/dev/null) do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}" if [ -n "${AUTO_INSTALL}" -a $st_nlink -gt 1 ]; then HANDLE_LINK=l else case "${LINK_EXPLAINED}" in '') echo " *** Historically BSD derived systems have had a" echo " hard link from /.cshrc and /.profile to" echo " their namesakes in /root. Please indicate" echo " your preference below for bringing your" echo " installed files up to date." echo '' LINK_EXPLAINED=yes ;; esac echo " Use 'd' to delete the temporary ${COMPFILE}" echo " Use 'l' to delete the existing ${DESTDIR}/root/${COMPFILE##*/} and create the link" echo '' echo " Default is to leave the temporary file to deal with by hand" echo '' echo -n " How should I handle ${COMPFILE}? [Leave it to install later] " read HANDLE_LINK fi case "${HANDLE_LINK}" in [dD]*) rm "${COMPFILE}" echo '' echo " *** Deleting ${COMPFILE}" ;; [lL]*) echo '' unlink ${DESTDIR}/root/${COMPFILE##*/} if ln ${DESTDIR}${COMPFILE#.} ${DESTDIR}/root/${COMPFILE##*/}; then echo " *** Link from ${DESTDIR}${COMPFILE#.} to ${DESTDIR}/root/${COMPFILE##*/} installed successfully" else echo " *** Error linking ${DESTDIR}${COMPFILE#.} to ${DESTDIR}/root/${COMPFILE##*/}" echo " *** ${COMPFILE} will remain for your consideration" fi ;; *) echo " *** ${COMPFILE} will remain for your consideration" ;; esac return ;; esac case "${DONT_INSTALL}" in '') do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}" ;; *) unset DONT_INSTALL ;; esac else # File matched -x do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}" fi return $? } if [ ! -d "${TEMPROOT}" ]; then echo "*** FATAL ERROR: The temproot directory (${TEMPROOT})" echo ' has disappeared!' echo '' exit 1 fi echo '' echo "*** Beginning comparison" echo '' # Pre-world does not populate /etc/rc.d. # It is very possible that a previous run would have deleted files in # ${TEMPROOT}/etc/rc.d, thus creating a lot of false positives. if [ -z "${PRE_WORLD}" -a -z "${RERUN}" ]; then echo " *** Checking ${DESTDIR}/etc/rc.d for stale files" echo '' cd "${DESTDIR}/etc/rc.d" && for file in *; do if [ ! -e "${TEMPROOT}/etc/rc.d/${file}" ]; then STALE_RC_FILES="${STALE_RC_FILES} ${file}" fi done case "${STALE_RC_FILES}" in ''|' *') echo ' *** No stale files found' ;; *) echo " *** The following files exist in ${DESTDIR}/etc/rc.d but not in" echo " ${TEMPROOT}/etc/rc.d/:" echo '' echo "${STALE_RC_FILES}" echo '' echo ' The presence of stale files in this directory can cause the' echo ' dreaded unpredictable results, and therefore it is highly' echo ' recommended that you delete them.' case "${AUTO_RUN}" in '') echo '' echo -n ' *** Delete them now? [n] ' read DELETE_STALE_RC_FILES case "${DELETE_STALE_RC_FILES}" in [yY]) echo ' *** Deleting ... ' rm ${STALE_RC_FILES} echo ' done.' ;; *) echo ' *** Files will not be deleted' ;; esac sleep 2 ;; *) if [ -n "${DELETE_STALE_RC_FILES}" ]; then echo ' *** Deleting ... ' rm ${STALE_RC_FILES} echo ' done.' fi esac ;; esac echo '' fi cd "${TEMPROOT}" if [ -r "${MM_PRE_COMPARE_SCRIPT}" ]; then . "${MM_PRE_COMPARE_SCRIPT}" fi # Things that were files/directories/links in one version can sometimes # change to something else in a newer version. So we need to explicitly # test for this, and warn the user if what we find does not match. # for COMPFILE in `find . | sort` ; do if [ -e "${DESTDIR}${COMPFILE#.}" ]; then INSTALLED_TYPE=`stat -f '%HT' ${DESTDIR}${COMPFILE#.}` else continue fi TEMPROOT_TYPE=`stat -f '%HT' $COMPFILE` if [ ! "$TEMPROOT_TYPE" = "$INSTALLED_TYPE" ]; then [ "$COMPFILE" = '.' ] && continue TEMPROOT_TYPE=`echo $TEMPROOT_TYPE | tr [:upper:] [:lower:]` INSTALLED_TYPE=`echo $INSTALLED_TYPE | tr [:upper:] [:lower:]` echo "*** The installed file ${DESTDIR}${COMPFILE#.} has the type \"$INSTALLED_TYPE\"" echo " but the new version has the type \"$TEMPROOT_TYPE\"" echo '' echo " How would you like to handle this?" echo '' echo " Use 'r' to remove ${DESTDIR}${COMPFILE#.}" case "$TEMPROOT_TYPE" in 'symbolic link') TARGET=`readlink $COMPFILE` echo " and create a link to $TARGET in its place" ;; *) echo " You will be able to install it as a \"$TEMPROOT_TYPE\"" ;; esac echo '' echo " Use 'i' to ignore this" echo '' echo -n " How to proceed? [i] " read ANSWER case "$ANSWER" in [rR]) case "${PRESERVE_FILES}" in [Yy][Ee][Ss]) mv ${DESTDIR}${COMPFILE#.} ${PRESERVE_FILES_DIR}/ || exit 1 ;; *) rm -rf ${DESTDIR}${COMPFILE#.} ;; esac case "$TEMPROOT_TYPE" in 'symbolic link') ln -sf $TARGET ${DESTDIR}${COMPFILE#.} ;; esac ;; *) echo '' echo "*** See the man page about adding ${COMPFILE#.} to the list of IGNORE_FILES" press_to_continue ;; esac echo '' fi done for COMPFILE in `find . -type f | sort`; do # First, check to see if the file exists in DESTDIR. If not, the # diff_loop function knows how to handle it. # if [ ! -e "${DESTDIR}${COMPFILE#.}" ]; then case "${AUTO_RUN}" in '') diff_loop ;; *) case "${AUTO_INSTALL}" in '') # If this is an auto run, make it official echo " *** ${COMPFILE} will remain for your consideration" ;; *) diff_loop ;; esac ;; esac # Auto run test continue fi case "${STRICT}" in '' | [Nn][Oo]) # Compare $Id's first so if the file hasn't been modified # local changes will be ignored. # If the files have the same $Id, delete the one in temproot so the # user will have less to wade through if files are left to merge by hand. # ID1=`grep "[$]${ID_TAG}:" ${DESTDIR}${COMPFILE#.} 2>/dev/null` ID2=`grep "[$]${ID_TAG}:" ${COMPFILE} 2>/dev/null` || ID2=none case "${ID2}" in "${ID1}") echo " *** Temp ${COMPFILE} and installed have the same Id, deleting" rm "${COMPFILE}" ;; esac ;; esac # If the file is still here either because the $Ids are different, the # file doesn't have an $Id, or we're using STRICT mode; look at the diff. # if [ -f "${COMPFILE}" ]; then # Do an absolute diff first to see if the files are actually different. # If they're not different, delete the one in temproot. # if diff -q ${DIFF_OPTIONS} "${DESTDIR}${COMPFILE#.}" "${COMPFILE}" > \ /dev/null 2>&1; then echo " *** Temp ${COMPFILE} and installed are the same, deleting" rm "${COMPFILE}" else # Ok, the files are different, so show the user where they differ. # Use user's choice of diff methods; and user's pager if they have one. # Use more if not. # Use unified diffs by default. Context diffs give me a headache. :) # # If the user chose the -F option, test for that before proceeding # if [ -n "$FREEBSD_ID" ]; then if diff -q -I'[$]FreeBSD.*[$]' "${DESTDIR}${COMPFILE#.}" "${COMPFILE}" > \ /dev/null 2>&1; then if mm_install "${COMPFILE}"; then echo "*** Updated revision control Id for ${DESTDIR}${COMPFILE#.}" else echo "*** Problem installing ${COMPFILE}, it will remain to merge by hand later" fi continue fi fi case "${AUTO_RUN}" in '') # prompt user to install/delete/merge changes diff_loop ;; *) # If this is an auto run, make it official echo " *** ${COMPFILE} will remain for your consideration" ;; esac # Auto run test fi # Yes, the files are different fi # Yes, the file still remains to be checked done # This is for the for way up there at the beginning of the comparison echo '' echo "*** Comparison complete" if [ -s "${MTREENEW}" ]; then echo "*** Saving mtree database for future upgrades" test -e "${MTREEFILE}" && unlink ${MTREEFILE} mv ${MTREENEW} ${MTREEFILE} fi echo '' TEST_FOR_FILES=`find ${TEMPROOT} -type f -size +0 2>/dev/null` if [ -n "${TEST_FOR_FILES}" ]; then echo "*** Files that remain for you to merge by hand:" find "${TEMPROOT}" -type f -size +0 | sort echo '' case "${AUTO_RUN}" in '') echo -n "Do you wish to delete what is left of ${TEMPROOT}? [no] " read DEL_TEMPROOT case "${DEL_TEMPROOT}" in [yY]*) delete_temproot ;; *) echo " *** ${TEMPROOT} will remain" ;; esac ;; *) ;; esac else echo "*** ${TEMPROOT} is empty, deleting" delete_temproot fi case "${AUTO_INSTALLED_FILES}" in '') ;; *) case "${AUTO_RUN}" in '') ( echo '' echo '*** You chose the automatic install option for files that did not' echo ' exist on your system. The following were installed for you:' echo "${AUTO_INSTALLED_FILES}" ) | ${PAGER} ;; *) echo '' echo '*** You chose the automatic install option for files that did not' echo ' exist on your system. The following were installed for you:' echo "${AUTO_INSTALLED_FILES}" ;; esac ;; esac case "${AUTO_UPGRADED_FILES}" in '') ;; *) case "${AUTO_RUN}" in '') ( echo '' echo '*** You chose the automatic upgrade option for files that you did' echo ' not alter on your system. The following were upgraded for you:' echo "${AUTO_UPGRADED_FILES}" ) | ${PAGER} ;; *) echo '' echo '*** You chose the automatic upgrade option for files that you did' echo ' not alter on your system. The following were upgraded for you:' echo "${AUTO_UPGRADED_FILES}" ;; esac ;; esac run_it_now () { [ -n "$AUTO_RUN" ] && return local answer echo '' while : ; do if [ "$RUN_UPDATES" = always ]; then answer=y elif [ "$RUN_UPDATES" = never ]; then answer=n else echo -n ' Would you like to run it now? y or n [n] ' read answer fi case "$answer" in y) echo " Running ${1}" echo '' eval "${1}" return ;; ''|n) if [ ! "$RUN_UPDATES" = never ]; then echo '' echo " *** Cancelled" echo '' fi echo " Make sure to run ${1} yourself" return ;; *) echo '' echo " *** Sorry, I do not understand your answer (${answer})" echo '' esac done } case "${NEED_NEWALIASES}" in '') ;; *) echo '' if [ -n "${DESTDIR}" ]; then echo "*** You installed a new aliases file into ${DESTDIR}/etc/mail, but" echo " the newaliases command is limited to the directories configured" echo " in sendmail.cf. Make sure to create your aliases database by" echo " hand when your sendmail configuration is done." else echo "*** You installed a new aliases file, so make sure that you run" echo " '/usr/bin/newaliases' to rebuild your aliases database" run_it_now '/usr/bin/newaliases' fi ;; esac case "${NEED_CAP_MKDB}" in '') ;; *) echo '' echo "*** You installed a login.conf file, so make sure that you run" echo " '/usr/bin/cap_mkdb ${DESTDIR}/etc/login.conf'" echo " to rebuild your login.conf database" run_it_now "/usr/bin/cap_mkdb ${DESTDIR}/etc/login.conf" ;; esac case "${NEED_SERVICES_MKDB}" in '') ;; *) echo '' echo "*** You installed a services file, so make sure that you run" echo " '/usr/sbin/services_mkdb -q -o ${DESTDIR}/var/db/services.db ${DESTDIR}/etc/services'" echo " to rebuild your services database" run_it_now "/usr/sbin/services_mkdb -q -o ${DESTDIR}/var/db/services.db ${DESTDIR}/etc/services" ;; esac case "${NEED_PWD_MKDB}" in '') ;; *) echo '' echo "*** You installed a new master.passwd file, so make sure that you run" if [ -n "${DESTDIR}" ]; then echo " '/usr/sbin/pwd_mkdb -d ${DESTDIR}/etc -p ${DESTDIR}/etc/master.passwd'" echo " to rebuild your password files" run_it_now "/usr/sbin/pwd_mkdb -d ${DESTDIR}/etc -p ${DESTDIR}/etc/master.passwd" else echo " '/usr/sbin/pwd_mkdb -p /etc/master.passwd'" echo " to rebuild your password files" run_it_now '/usr/sbin/pwd_mkdb -p /etc/master.passwd' + fi + ;; +esac + +case "${NEED_CERTCTL}" in +'') ;; +*) + echo '' + echo "*** You installed files in /etc/ssl/certs, so make sure that you run" + if [ -n "${DESTDIR}" ]; then + echo " 'env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash" + else + echo " '/usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "/usr/sbin/certctl rehash" fi ;; esac if [ -e "${DESTDIR}/etc/localtime" -a ! -L "${DESTDIR}/etc/localtime" -a -z "${PRE_WORLD}" ]; then # Ignore if TZ == UTC echo '' [ -n "${DESTDIR}" ] && tzs_args="-C ${DESTDIR}" if [ -f "${DESTDIR}/var/db/zoneinfo" ]; then echo "*** Reinstalling `cat ${DESTDIR}/var/db/zoneinfo` as ${DESTDIR}/etc/localtime" tzsetup $tzs_args -r else echo "*** There is no ${DESTDIR}/var/db/zoneinfo file to update ${DESTDIR}/etc/localtime." echo ' You should run tzsetup' run_it_now "tzsetup $tzs_args" fi fi echo '' if [ -r "${MM_EXIT_SCRIPT}" ]; then . "${MM_EXIT_SCRIPT}" fi case "${COMP_CONFS}" in '') ;; *) . ${DESTDIR}/etc/defaults/rc.conf (echo '' echo "*** Comparing conf files: ${rc_conf_files}" for CONF_FILE in ${rc_conf_files}; do if [ -r "${DESTDIR}${CONF_FILE}" ]; then echo '' echo "*** From ${DESTDIR}${CONF_FILE}" echo "*** From ${DESTDIR}/etc/defaults/rc.conf" for RC_CONF_VAR in `grep -i ^[a-z] ${DESTDIR}${CONF_FILE} | cut -d '=' -f 1`; do echo '' grep -w ^${RC_CONF_VAR} ${DESTDIR}${CONF_FILE} grep -w ^${RC_CONF_VAR} ${DESTDIR}/etc/defaults/rc.conf || echo ' * No default variable with this name' done fi done) | ${PAGER} echo '' ;; esac if [ -n "${PRESERVE_FILES}" ]; then find -d $PRESERVE_FILES_DIR -type d -empty -delete 2>/dev/null rmdir $PRESERVE_FILES_DIR 2>/dev/null fi exit 0 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Copyright (c) 1998-2012 Douglas Barton # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. Index: stable/11 =================================================================== --- stable/11 (revision 357081) +++ stable/11 (revision 357082) Property changes on: stable/11 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r352948-352951,353002,353066,353070 Index: stable/12/etc/mtree/BSD.usr.dist =================================================================== --- stable/12/etc/mtree/BSD.usr.dist (revision 357081) +++ stable/12/etc/mtree/BSD.usr.dist (revision 357082) @@ -1,1260 +1,1266 @@ # $FreeBSD$ # # Please see the file src/etc/mtree/README before making changes to this file. # /set type=dir uname=root gname=wheel mode=0755 . bin .. include private bsdstat .. event .. gmock internal custom .. .. .. gtest internal custom .. .. .. sqlite3 .. ucl .. zstd .. .. .. lib aout .. clang 9.0.1 include cuda_wrappers .. openmp_wrappers .. ppc_wrappers .. sanitizer .. .. lib freebsd .. .. .. .. compat aout .. .. dtrace .. engines .. i18n .. libxo encoder .. .. .. libdata gcc .. ldscripts .. pkgconfig .. .. libexec bsdconfig 020.docsinstall include .. .. 030.packages include .. .. 040.password include .. .. 050.diskmgmt include .. .. 070.usermgmt include .. .. 080.console include .. .. 090.timezone include .. .. 110.mouse include .. .. 120.networking include .. .. 130.security include .. .. 140.startup include .. .. 150.ttys include .. .. dot include .. .. include .. includes include .. .. .. bsdinstall .. dwatch .. hyperv .. lpr ru .. .. sendmail .. sm.bin .. .. local .. obj nochange .. sbin .. share atf .. bsdconfig media .. networking .. packages .. password .. startup .. timezone .. usermgmt .. .. calendar de_AT.ISO_8859-15 .. de_DE.ISO8859-1 .. fr_FR.ISO8859-1 .. hr_HR.ISO8859-2 .. hu_HU.ISO8859-2 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. uk_UA.KOI8-U .. .. + certs + blacklisted + .. + trusted + .. + .. dict .. doc IPv6 .. atf .. legal .. llvm clang .. .. ncurses .. ntp drivers icons .. scripts .. .. hints .. icons .. pic .. scripts .. .. pjdfstest .. .. dtrace .. examples BSD_daemon .. FreeBSD_version .. IPv6 .. bhyve .. bootforth .. bsdconfig .. csh .. diskless .. dma .. drivers .. dwatch .. etc defaults .. .. find_interface .. hast .. hostapd .. ibcs2 .. indent .. ipfilter .. ipfw .. jails .. kld cdev module .. test .. .. dyn_sysctl .. firmware fwconsumer .. fwimage .. .. khelp .. syscall module .. test .. .. .. libusb20 .. libvgl .. mdoc .. netgraph .. pc-sysinstall .. perfmon .. pf .. ppi .. ppp .. printing .. scsi_target .. ses getencstat .. sesd .. setencstat .. setobjstat .. srcs .. .. smbfs print .. .. sunrpc dir .. msg .. sort .. .. tcsh .. uefisign .. ypldap .. .. firmware .. games fortune .. .. i18n csmapper APPLE .. AST .. BIG5 .. CNS .. CP .. EBCDIC .. GB .. GEORGIAN .. ISO-8859 .. ISO646 .. JIS .. KAZAKH .. KOI .. KS .. MISC .. TCVN .. .. esdb APPLE .. AST .. BIG5 .. CP .. DEC .. EBCDIC .. EUC .. GB .. GEORGIAN .. ISO-2022 .. ISO-8859 .. ISO646 .. KAZAKH .. KOI .. MISC .. TCVN .. UTF .. .. .. keys pkg revoked .. trusted .. .. .. locale af_ZA.ISO8859-1 .. af_ZA.ISO8859-15 .. af_ZA.UTF-8 .. ar_AE.UTF-8 .. ar_EG.UTF-8 .. ar_JO.UTF-8 .. ar_MA.UTF-8 .. ar_QA.UTF-8 .. ar_SA.UTF-8 .. am_ET.UTF-8 .. be_BY.CP1131 .. be_BY.CP1251 .. be_BY.ISO8859-5 .. be_BY.UTF-8 .. bg_BG.CP1251 .. bg_BG.UTF-8 .. ca_AD.ISO8859-1 .. ca_AD.ISO8859-15 .. ca_ES.ISO8859-1 .. ca_ES.ISO8859-15 .. ca_FR.ISO8859-1 .. ca_FR.ISO8859-15 .. ca_IT.ISO8859-1 .. ca_IT.ISO8859-15 .. ca_AD.UTF-8 .. ca_ES.UTF-8 .. ca_FR.UTF-8 .. ca_IT.UTF-8 .. cs_CZ.ISO8859-2 .. cs_CZ.UTF-8 .. da_DK.ISO8859-1 .. da_DK.ISO8859-15 .. da_DK.UTF-8 .. de_AT.ISO8859-1 .. de_AT.ISO8859-15 .. de_AT.UTF-8 .. de_CH.ISO8859-1 .. de_CH.ISO8859-15 .. de_CH.UTF-8 .. de_DE.ISO8859-1 .. de_DE.ISO8859-15 .. de_DE.UTF-8 .. el_GR.ISO8859-7 .. el_GR.UTF-8 .. en_AU.ISO8859-1 .. en_AU.ISO8859-15 .. en_AU.US-ASCII .. en_AU.UTF-8 .. en_CA.ISO8859-1 .. en_CA.ISO8859-15 .. en_CA.US-ASCII .. en_CA.UTF-8 .. en_GB.ISO8859-1 .. en_GB.ISO8859-15 .. en_GB.US-ASCII .. en_GB.UTF-8 .. en_HK.ISO8859-1 .. en_HK.UTF-8 .. en_IE.ISO8859-1 .. en_IE.ISO8859-15 .. en_IE.UTF-8 .. en_NZ.ISO8859-1 .. en_NZ.ISO8859-15 .. en_NZ.US-ASCII .. en_NZ.UTF-8 .. en_PH.UTF-8 .. en_SG.ISO8859-1 .. en_SG.UTF-8 .. en_US.ISO8859-1 .. en_US.ISO8859-15 .. en_US.US-ASCII .. en_US.UTF-8 .. en_ZA.ISO8859-1 .. en_ZA.ISO8859-15 .. en_ZA.US-ASCII .. en_ZA.UTF-8 .. es_AR.ISO8859-1 .. es_AR.UTF-8 .. es_CR.UTF-8 .. es_ES.ISO8859-1 .. es_ES.ISO8859-15 .. es_ES.UTF-8 .. es_MX.ISO8859-1 .. es_MX.UTF-8 .. et_EE.ISO8859-1 .. et_EE.ISO8859-15 .. et_EE.UTF-8 .. eu_ES.ISO8859-1 .. eu_ES.ISO8859-15 .. eu_ES.UTF-8 .. fi_FI.ISO8859-1 .. fi_FI.ISO8859-15 .. fi_FI.UTF-8 .. fr_BE.ISO8859-1 .. fr_BE.ISO8859-15 .. fr_BE.UTF-8 .. fr_CA.ISO8859-1 .. fr_CA.ISO8859-15 .. fr_CA.UTF-8 .. fr_CH.ISO8859-1 .. fr_CH.ISO8859-15 .. fr_CH.UTF-8 .. fr_FR.ISO8859-1 .. fr_FR.ISO8859-15 .. fr_FR.UTF-8 .. he_IL.UTF-8 .. hi_IN.ISCII-DEV .. hi_IN.UTF-8 .. hr_HR.ISO8859-2 .. hr_HR.UTF-8 .. hu_HU.ISO8859-2 .. hu_HU.UTF-8 .. hy_AM.ARMSCII-8 .. hy_AM.UTF-8 .. is_IS.ISO8859-1 .. is_IS.ISO8859-15 .. is_IS.UTF-8 .. it_CH.ISO8859-1 .. it_CH.ISO8859-15 .. it_CH.UTF-8 .. it_IT.ISO8859-1 .. it_IT.ISO8859-15 .. it_IT.UTF-8 .. ja_JP.SJIS .. ja_JP.UTF-8 .. ja_JP.eucJP .. kk_KZ.UTF-8 .. ko_KR.CP949 .. ko_KR.UTF-8 .. ko_KR.eucKR .. lt_LT.ISO8859-13 .. lt_LT.UTF-8 .. lv_LV.ISO8859-13 .. lv_LV.UTF-8 .. mn_MN.UTF-8 .. nb_NO.ISO8859-1 .. nb_NO.ISO8859-15 .. nb_NO.UTF-8 .. nl_BE.ISO8859-1 .. nl_BE.ISO8859-15 .. nl_BE.UTF-8 .. nl_NL.ISO8859-1 .. nl_NL.ISO8859-15 .. nl_NL.UTF-8 .. nn_NO.ISO8859-1 .. nn_NO.ISO8859-15 .. nn_NO.UTF-8 .. pl_PL.ISO8859-2 .. pl_PL.UTF-8 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. pt_PT.ISO8859-1 .. pt_PT.ISO8859-15 .. pt_PT.UTF-8 .. ro_RO.ISO8859-2 .. ro_RO.UTF-8 .. ru_RU.CP1251 .. ru_RU.CP866 .. ru_RU.ISO8859-5 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. se_FI.UTF-8 .. se_NO.UTF-8 .. sk_SK.ISO8859-2 .. sk_SK.UTF-8 .. sl_SI.ISO8859-2 .. sl_SI.UTF-8 .. sr_RS.ISO8859-5 .. sr_RS.UTF-8 .. sr_RS.ISO8859-2 .. sr_RS.UTF-8@latin .. sv_FI.ISO8859-1 .. sv_FI.ISO8859-15 .. sv_FI.UTF-8 .. sv_SE.ISO8859-1 .. sv_SE.ISO8859-15 .. sv_SE.UTF-8 .. tr_TR.ISO8859-9 .. tr_TR.UTF-8 .. uk_UA.CP1251 .. uk_UA.ISO8859-5 .. uk_UA.KOI8-U .. uk_UA.UTF-8 .. zh_CN.GB18030 .. zh_CN.GB2312 .. zh_CN.GBK .. zh_CN.eucCN .. zh_CN.UTF-8 .. zh_HK.UTF-8 .. zh_TW.Big5 .. zh_TW.UTF-8 .. .. man man1 .. man2 .. man3 .. man4 aarch64 .. amd64 .. arm .. i386 .. powerpc .. sparc64 .. .. man5 .. man6 .. man7 .. man8 amd64 .. i386 .. powerpc .. sparc64 .. .. man9 .. .. misc fonts .. .. mk .. nls C .. af_ZA.ISO8859-1 .. af_ZA.ISO8859-15 .. af_ZA.UTF-8 .. am_ET.UTF-8 .. be_BY.CP1131 .. be_BY.CP1251 .. be_BY.ISO8859-5 .. be_BY.UTF-8 .. bg_BG.CP1251 .. bg_BG.UTF-8 .. ca_ES.ISO8859-1 .. ca_ES.ISO8859-15 .. ca_ES.UTF-8 .. cs_CZ.ISO8859-2 .. cs_CZ.UTF-8 .. da_DK.ISO8859-1 .. da_DK.ISO8859-15 .. da_DK.UTF-8 .. de_AT.ISO8859-1 .. de_AT.ISO8859-15 .. de_AT.UTF-8 .. de_CH.ISO8859-1 .. de_CH.ISO8859-15 .. de_CH.UTF-8 .. de_DE.ISO8859-1 .. de_DE.ISO8859-15 .. de_DE.UTF-8 .. el_GR.ISO8859-7 .. el_GR.UTF-8 .. en_AU.ISO8859-1 .. en_AU.ISO8859-15 .. en_AU.US-ASCII .. en_AU.UTF-8 .. en_CA.ISO8859-1 .. en_CA.ISO8859-15 .. en_CA.US-ASCII .. en_CA.UTF-8 .. en_GB.ISO8859-1 .. en_GB.ISO8859-15 .. en_GB.US-ASCII .. en_GB.UTF-8 .. en_IE.UTF-8 .. en_NZ.ISO8859-1 .. en_NZ.ISO8859-15 .. en_NZ.US-ASCII .. en_NZ.UTF-8 .. en_US.ISO8859-1 .. en_US.ISO8859-15 .. en_US.UTF-8 .. es_ES.ISO8859-1 .. es_ES.ISO8859-15 .. es_ES.UTF-8 .. et_EE.ISO8859-15 .. et_EE.UTF-8 .. fi_FI.ISO8859-1 .. fi_FI.ISO8859-15 .. fi_FI.UTF-8 .. fr_BE.ISO8859-1 .. fr_BE.ISO8859-15 .. fr_BE.UTF-8 .. fr_CA.ISO8859-1 .. fr_CA.ISO8859-15 .. fr_CA.UTF-8 .. fr_CH.ISO8859-1 .. fr_CH.ISO8859-15 .. fr_CH.UTF-8 .. fr_FR.ISO8859-1 .. fr_FR.ISO8859-15 .. fr_FR.UTF-8 .. gl_ES.ISO8859-1 .. he_IL.UTF-8 .. hi_IN.ISCII-DEV .. hr_HR.ISO8859-2 .. hr_HR.UTF-8 .. hu_HU.ISO8859-2 .. hu_HU.UTF-8 .. hy_AM.ARMSCII-8 .. hy_AM.UTF-8 .. is_IS.ISO8859-1 .. is_IS.ISO8859-15 .. is_IS.UTF-8 .. it_CH.ISO8859-1 .. it_CH.ISO8859-15 .. it_CH.UTF-8 .. it_IT.ISO8859-1 .. it_IT.ISO8859-15 .. it_IT.UTF-8 .. ja_JP.SJIS .. ja_JP.UTF-8 .. ja_JP.eucJP .. kk_KZ.PT154 .. kk_KZ.UTF-8 .. ko_KR.CP949 .. ko_KR.UTF-8 .. ko_KR.eucKR .. lt_LT.ISO8859-13 .. lt_LT.UTF-8 .. lv_LV.ISO8859-13 .. lv_LV.UTF-8 .. mn_MN.UTF-8 .. nl_BE.ISO8859-1 .. nl_BE.ISO8859-15 .. nl_BE.UTF-8 .. nl_NL.ISO8859-1 .. nl_NL.ISO8859-15 .. nl_NL.UTF-8 .. no_NO.ISO8859-1 .. no_NO.ISO8859-15 .. no_NO.UTF-8 .. pl_PL.ISO8859-2 .. pl_PL.UTF-8 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. pt_PT.ISO8859-1 .. pt_PT.ISO8859-15 .. pt_PT.UTF-8 .. ro_RO.ISO8859-2 .. ro_RO.UTF-8 .. ru_RU.CP1251 .. ru_RU.CP866 .. ru_RU.ISO8859-5 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. sk_SK.ISO8859-2 .. sk_SK.UTF-8 .. sl_SI.ISO8859-2 .. sl_SI.UTF-8 .. sr_YU.ISO8859-2 .. sr_YU.ISO8859-5 .. sr_YU.UTF-8 .. sv_SE.ISO8859-1 .. sv_SE.ISO8859-15 .. sv_SE.UTF-8 .. tr_TR.ISO8859-9 .. tr_TR.UTF-8 .. uk_UA.ISO8859-5 .. uk_UA.KOI8-U .. uk_UA.UTF-8 .. zh_CN.GB18030 .. zh_CN.GB2312 .. zh_CN.GBK .. zh_CN.UTF-8 .. zh_CN.eucCN .. zh_HK.UTF-8 .. zh_TW.UTF-8 .. .. openssl man man1 .. man3 .. .. .. pc-sysinstall backend .. backend-partmanager .. backend-query .. conf license .. .. doc .. .. security .. sendmail .. skel .. snmp defs .. mibs .. .. syscons fonts .. keymaps .. scrnmaps .. .. tabset .. vi catalog .. .. vt fonts .. keymaps .. .. zoneinfo Africa .. America Argentina .. Indiana .. Kentucky .. North_Dakota .. .. Antarctica .. Arctic .. Asia .. Atlantic .. Australia .. Etc .. Europe .. Indian .. Pacific .. SystemV .. .. .. src nochange .. .. Index: stable/12/secure/Makefile =================================================================== --- stable/12/secure/Makefile (revision 357081) +++ stable/12/secure/Makefile (revision 357082) @@ -1,39 +1,41 @@ # $FreeBSD$ .include SUBDIR= lib .WAIT \ libexec usr.bin usr.sbin SUBDIR_PARALLEL= SUBDIR.${MK_TESTS}+= tests +SUBDIR.${MK_CAROOT}+= caroot + # These are the programs which depend on crypto, but not Kerberos. SPROGS= lib/libfetch lib/libpam lib/libradius lib/libtelnet \ bin/ed libexec/telnetd usr.bin/fetch usr.bin/telnet \ usr.sbin/ppp usr.sbin/tcpdump/tcpdump .if ${MK_SENDMAIL} != "no" SPROGS+=usr.sbin/sendmail .endif # This target is used to rebuild these programs with crypto. secure: .MAKE .PHONY .for entry in ${SPROGS} cd ${.CURDIR:H}/${entry}; \ ${MAKE} cleandir; \ ${MAKE} obj; \ ${MAKE} all; \ ${MAKE} install .endfor # This target is used to rebuild these programs without crypto. insecure: .MAKE .PHONY .for entry in ${SPROGS} cd ${.CURDIR:H}/${entry}; \ ${MAKE} MK_CRYPT=no cleandir; \ ${MAKE} MK_CRYPT=no obj; \ ${MAKE} MK_CRYPT=no all; \ ${MAKE} MK_CRYPT=no install .endfor .include Index: stable/12/secure/caroot/MAca-bundle.pl =================================================================== --- stable/12/secure/caroot/MAca-bundle.pl (nonexistent) +++ stable/12/secure/caroot/MAca-bundle.pl (revision 357082) @@ -0,0 +1,277 @@ +#!/usr/bin/env perl +## +## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt +## +## Rewritten in September 2011 by Matthias Andree to heed untrust +## + +## Copyright (c) 2011, 2013 Matthias Andree +## All rights reserved. +## Copyright (c) 2018, Allan Jude +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted provided that the following conditions are +## met: +## +## * Redistributions of source code must retain the above copyright +## notice, this list of conditions and the following disclaimer. +## +## * Redistributions in binary form must reproduce the above copyright +## notice, this list of conditions and the following disclaimer in the +## documentation and/or other materials provided with the distribution. +## +## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +## POSSIBILITY OF SUCH DAMAGE. + +use strict; +use Carp; +use MIME::Base64; +use Getopt::Long; + +my $VERSION = '$FreeBSD$'; +my $generated = '@' . 'generated'; +my $inputfh = *STDIN; +my $debug = 0; +my $infile; +my $outputdir; +my %labels; +my %certs; +my %trusts; + +$debug++ + if defined $ENV{'WITH_DEBUG'} + and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/; + +GetOptions ( + "debug+" => \$debug, + "infile:s" => \$infile, + "outputdir:s" => \$outputdir) + or die("Error in command line arguments\n$0 [-d] [-i input-file] [-o output-dir]\n"); + +if ($infile) { + open($inputfh, "<", $infile) or die "Failed to open $infile"; +} + +sub print_header($$) +{ + my $dstfile = shift; + my $label = shift; + + if ($outputdir) { + print $dstfile <) { + last if /^END/; + my (undef,@oct) = split /\\/; + my @bin = map(chr(oct), @oct); + $data .= join('', @bin); + } + + return $data; +} + + +sub grabcert($) +{ + my $ifh = shift; + my $certdata; + my $cka_label; + my $serial; + + while (<$ifh>) { + chomp; + last if ($_ eq ''); + + if (/^CKA_LABEL UTF8 "([^"]+)"/) { + $cka_label = $1; + } + + if (/^CKA_VALUE MULTILINE_OCTAL/) { + $certdata = graboct($ifh); + } + + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } + } + return ($serial, $cka_label, $certdata); +} + +sub grabtrust($) { + my $ifh = shift; + my $cka_label; + my $serial; + my $maytrust = 0; + my $distrust = 0; + + while (<$ifh>) { + chomp; + last if ($_ eq ''); + + if (/^CKA_LABEL UTF8 "([^"]+)"/) { + $cka_label = $1; + } + + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } + + if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/) + { + if ($2 eq 'CKT_NSS_NOT_TRUSTED') { + $distrust = 1; + } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') { + $maytrust = 1; + } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') { + confess "Unknown trust setting on line $.:\n" + . "$_\n" + . "Script must be updated:"; + } + } + } + + if (!$maytrust && !$distrust && $debug) { + print STDERR "line $.: no explicit trust/distrust found for $cka_label\n"; + } + + my $trust = ($maytrust and not $distrust); + return ($serial, $cka_label, $trust); +} + +if (!$outputdir) { + print_header(*STDOUT, ""); +} + +while (<$inputfh>) { + if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { + my ($serial, $label, $certdata) = grabcert($inputfh); + if (defined $certs{$label."\0".$serial}) { + warn "Certificate $label duplicated!\n"; + } + $certs{$label."\0".$serial} = $certdata; + # We store the label in a separate hash because truncating the key + # with \0 was causing garbage data after the end of the text. + $labels{$label."\0".$serial} = $label; + } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { + my ($serial, $label, $trust) = grabtrust($inputfh); + if (defined $trusts{$label."\0".$serial}) { + warn "Trust for $label duplicated!\n"; + } + $trusts{$label."\0".$serial} = $trust; + $labels{$label."\0".$serial} = $label; + } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) { + print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n"; + } +} + +sub label_to_filename(@) { + my @res = @_; + map { s/\0.*//; s/[^[:alnum:]\-]/_/g; $_ = "$_.pem"; } @res; + return wantarray ? @res : $res[0]; +} + +# weed out untrusted certificates +my $untrusted = 0; +foreach my $it (keys %trusts) { + if (!$trusts{$it}) { + if (!exists($certs{$it})) { + warn "Found trust for nonexistent certificate $labels{$it}\n" if $debug; + } else { + delete $certs{$it}; + warn "Skipping untrusted $labels{$it}\n" if $debug; + $untrusted++; + } + } +} + +if (!$outputdir) { + print "## Untrusted certificates omitted from this bundle: $untrusted\n\n"; +} +print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n"; + +my $certcount = 0; +foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { + my $fh = *STDOUT; + my $filename; + if (!exists($trusts{$it})) { + die "Found certificate without trust block,\naborting"; + } + if ($outputdir) { + $filename = label_to_filename($labels{$it}); + open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $filename"; + print_header($fh, $labels{$it}); + } + printcert($fh, $labels{$it}, $certs{$it}); + if ($outputdir) { + close($fh) or die "Unable to close: $filename"; + } else { + print $fh "\n\n\n"; + } + $certcount++; + print STDERR "Trusting $certcount: $labels{$it}\n" if $debug; +} + +if ($certcount < 25) { + die "Certificate count of $certcount is implausibly low.\nAbort"; +} + +if (!$outputdir) { + print "## Number of certificates: $certcount\n"; + print "## End of file.\n"; +} +print STDERR "## Number of certificates: $certcount\n"; Property changes on: stable/12/secure/caroot/MAca-bundle.pl ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/12/secure/caroot/Makefile =================================================================== --- stable/12/secure/caroot/Makefile (nonexistent) +++ stable/12/secure/caroot/Makefile (revision 357082) @@ -0,0 +1,21 @@ +# $FreeBSD$ + +PACKAGE= caroot + +CLEANFILES+= certdata.txt + +SUBDIR+= trusted +SUBDIR+= blacklisted + +.include + +# To be used by secteam@ to update the trusted certificates + +fetchcerts: .PHONY + fetch --no-sslv3 --no-tlsv1 -o certdata.txt 'https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt' + +cleancerts: .PHONY + @${MAKE} -C ${.CURDIR}/trusted ${.TARGET} + +updatecerts: .PHONY cleancerts fetchcerts + perl ${.CURDIR}/MAca-bundle.pl -i certdata.txt -o ${.CURDIR}/trusted Property changes on: stable/12/secure/caroot/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/12/secure/caroot/README =================================================================== --- stable/12/secure/caroot/README (nonexistent) +++ stable/12/secure/caroot/README (revision 357082) @@ -0,0 +1,34 @@ +# $FreeBSD$ + +This directory contains the scripts to update the TLS CA Root Certificates +that comprise the 'root trust store'. + +The 'updatecerts' make target should be run periodically by secteam@ +specifically when there is an important change to the list of trusted root +certificates included by Mozilla. + +It will: + 1) Remove the old trusted certificates (cleancerts) + 2) Download the latest certdata.txt from Mozilla (fetchcerts) + 3) Split certdata.txt into the individual .pem files (updatecerts) + +Then the results should manually be inspected (svn status) + 1) Any no-longer-trusted certificates should be moved to the + blacklisted directory (svn mv) + 2) any newly added certificates will need to be added (svn add) + + +The following make targets exist: + +cleancerts: + Delete the old certificates, run as a dependency of updatecerts. + +fetchcerts: + Download the latest certdata.txt from the Mozilla NSS hg repo + See the changelog here: + https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt + +updatecerts: + Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt + to generate the individual certificate files (.pem) and store them + in the trusted/ directory. Property changes on: stable/12/secure/caroot/README ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Index: stable/12/secure/caroot/blacklisted/Makefile =================================================================== --- stable/12/secure/caroot/blacklisted/Makefile (nonexistent) +++ stable/12/secure/caroot/blacklisted/Makefile (revision 357082) @@ -0,0 +1,7 @@ +# $FreeBSD$ + +BINDIR= /usr/share/certs/blacklisted + +FILES= + +.include Property changes on: stable/12/secure/caroot/blacklisted/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/12/secure/caroot/trusted/Makefile =================================================================== --- stable/12/secure/caroot/trusted/Makefile (nonexistent) +++ stable/12/secure/caroot/trusted/Makefile (revision 357082) @@ -0,0 +1,12 @@ +# $FreeBSD$ + +BINDIR= /usr/share/certs/trusted + +TRUSTED_CERTS!= ls ${.CURDIR}/*.pem 2> /dev/null || true + +FILES+= ${TRUSTED_CERTS} + +cleancerts: + @[ -z "${TRUSTED_CERTS}" ] || rm ${TRUSTED_CERTS} + +.include Property changes on: stable/12/secure/caroot/trusted/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/12/share/mk/src.opts.mk =================================================================== --- stable/12/share/mk/src.opts.mk (revision 357081) +++ stable/12/share/mk/src.opts.mk (revision 357082) @@ -1,599 +1,600 @@ # $FreeBSD$ # # Option file for FreeBSD /usr/src builds. # # Users define WITH_FOO and WITHOUT_FOO on the command line or in /etc/src.conf # and /etc/make.conf files. These translate in the build system to MK_FOO={yes,no} # with sensible (usually) defaults. # # Makefiles must include bsd.opts.mk after defining specific MK_FOO options that # are applicable for that Makefile (typically there are none, but sometimes there # are exceptions). Recursive makes usually add MK_FOO=no for options that they wish # to omit from that make. # # Makefiles must include bsd.mkopt.mk before they test the value of any MK_FOO # variable. # # Makefiles may also assume that this file is included by src.opts.mk should it # need variables defined there prior to the end of the Makefile where # bsd.{subdir,lib.bin}.mk is traditionally included. # # The old-style YES_FOO and NO_FOO are being phased out. No new instances of them # should be added. Old instances should be removed since they were just to # bridge the gap between FreeBSD 4 and FreeBSD 5. # # Makefiles should never test WITH_FOO or WITHOUT_FOO directly (although an # exception is made for _WITHOUT_SRCONF which turns off this mechanism # completely inside bsd.*.mk files). # .if !target(____) ____: .include # # Define MK_* variables (which are either "yes" or "no") for users # to set via WITH_*/WITHOUT_* in /etc/src.conf and override in the # make(1) environment. # These should be tested with `== "no"' or `!= "no"' in makefiles. # The NO_* variables should only be set by makefiles for variables # that haven't been converted over. # # These options are used by the src builds. Those listed in # __DEFAULT_YES_OPTIONS default to 'yes' and will build unless turned # off. __DEFAULT_NO_OPTIONS will default to 'no' and won't build # unless turned on. Any options listed in 'BROKEN_OPTIONS' will be # hard-wired to 'no'. "Broken" here means not working or # not-appropriate and/or not supported. It doesn't imply something is # wrong with the code. There's not a single good word for this, so # BROKEN was selected as the least imperfect one considered at the # time. Options are added to BROKEN_OPTIONS list on a per-arch basis. # At this time, there's no provision for mutually incompatible options. __DEFAULT_YES_OPTIONS = \ ACCT \ ACPI \ AMD \ APM \ AT \ ATM \ AUDIT \ AUTHPF \ AUTOFS \ BHYVE \ BINUTILS \ BINUTILS_BOOTSTRAP \ BLACKLIST \ BLUETOOTH \ BOOT \ BOOTPARAMD \ BOOTPD \ BSD_CPIO \ BSDINSTALL \ BSNMP \ BZIP2 \ CALENDAR \ CAPSICUM \ + CAROOT \ CASPER \ CCD \ CDDL \ CPP \ CROSS_COMPILER \ CRYPT \ CTM \ CUSE \ CXX \ DIALOG \ DICT \ DMAGENT \ DYNAMICROOT \ ED_CRYPTO \ EE \ EFI \ ELFTOOLCHAIN_BOOTSTRAP \ EXAMPLES \ FDT \ FILE \ FINGER \ FLOPPY \ FMTREE \ FORTH \ FP_LIBC \ FREEBSD_UPDATE \ FTP \ GAMES \ GCOV \ GDB \ GNU_DIFF \ GNU_GREP \ GOOGLETEST \ GPIO \ HAST \ HTML \ ICONV \ INET \ INET6 \ INETD \ IPFILTER \ IPFW \ ISCSI \ JAIL \ KDUMP \ KVM \ LDNS \ LDNS_UTILS \ LEGACY_CONSOLE \ LIB32 \ LIBPTHREAD \ LIBTHR \ LLVM_COV \ LLVM_TARGET_ALL \ LOADER_GELI \ LOADER_LUA \ LOADER_OFW \ LOADER_UBOOT \ LOCALES \ LOCATE \ LPR \ LS_COLORS \ LZMA_SUPPORT \ MAIL \ MAILWRAPPER \ MAKE \ NDIS \ NETCAT \ NETGRAPH \ NLS_CATALOGS \ NS_CACHING \ NTP \ OFED \ OPENSSL \ PAM \ PC_SYSINSTALL \ PF \ PKGBOOTSTRAP \ PMC \ PORTSNAP \ PPP \ QUOTAS \ RADIUS_SUPPORT \ RBOOTD \ REPRODUCIBLE_BUILD \ RESCUE \ ROUTED \ SENDMAIL \ SERVICESDB \ SETUID_LOGIN \ SHAREDOCS \ SOURCELESS \ SOURCELESS_HOST \ SOURCELESS_UCODE \ SVNLITE \ SYSCONS \ SYSTEM_COMPILER \ SYSTEM_LINKER \ TALK \ TCP_WRAPPERS \ TCSH \ TELNET \ TEXTPROC \ TFTP \ TIMED \ UNBOUND \ USB \ UTMPX \ VI \ VT \ WIRELESS \ WPA_SUPPLICANT_EAPOL \ ZFS \ LOADER_ZFS \ ZONEINFO __DEFAULT_NO_OPTIONS = \ BEARSSL \ BSD_CRTBEGIN \ BSD_GREP \ CLANG_EXTRAS \ DTRACE_TESTS \ GNU_GREP_COMPAT \ HESIOD \ LIBSOFT \ LOADER_FIREWIRE \ LOADER_FORCE_LE \ LOADER_VERIEXEC_PASS_MANIFEST \ NAND \ OFED_EXTRA \ OPENLDAP \ RPCBIND_WARMSTART_SUPPORT \ SHARED_TOOLCHAIN \ SORT_THREADS \ SVN \ ZONEINFO_LEAPSECONDS_SUPPORT \ ZONEINFO_OLD_TIMEZONES_SUPPORT \ # LEFT/RIGHT. Left options which default to "yes" unless their corresponding # RIGHT option is disabled. __DEFAULT_DEPENDENT_OPTIONS= \ CLANG_FULL/CLANG \ LOADER_VERIEXEC/BEARSSL \ LOADER_EFI_SECUREBOOT/LOADER_VERIEXEC \ VERIEXEC/BEARSSL \ # MK_*_SUPPORT options which default to "yes" unless their corresponding # MK_* variable is set to "no". # .for var in \ BLACKLIST \ BZIP2 \ INET \ INET6 \ KERBEROS \ KVM \ NETGRAPH \ PAM \ TESTS \ WIRELESS __DEFAULT_DEPENDENT_OPTIONS+= ${var}_SUPPORT/${var} .endfor # # Default behaviour of some options depends on the architecture. Unfortunately # this means that we have to test TARGET_ARCH (the buildworld case) as well # as MACHINE_ARCH (the non-buildworld case). Normally TARGET_ARCH is not # used at all in bsd.*.mk, but we have to make an exception here if we want # to allow defaults for some things like clang to vary by target architecture. # Additional, per-target behavior should be rarely added only after much # gnashing of teeth and grinding of gears. # .if defined(TARGET_ARCH) __T=${TARGET_ARCH} .else __T=${MACHINE_ARCH} .endif .if defined(TARGET) __TT=${TARGET} .else __TT=${MACHINE} .endif # All supported backends for LLVM_TARGET_XXX __LLVM_TARGETS= \ aarch64 \ arm \ mips \ powerpc \ sparc \ x86 __LLVM_TARGET_FILT= C/(amd64|i386)/x86/:S/sparc64/sparc/:S/arm64/aarch64/ .for __llt in ${__LLVM_TARGETS} # Default enable the given TARGET's LLVM_TARGET support .if ${__TT:${__LLVM_TARGET_FILT}} == ${__llt} __DEFAULT_YES_OPTIONS+= LLVM_TARGET_${__llt:${__LLVM_TARGET_FILT}:tu} # Disable other targets for arm and armv6, to work around "relocation truncated # to fit" errors with BFD ld, since libllvm.a will get too large to link. .elif ${__T} == "arm" || ${__T} == "armv6" __DEFAULT_NO_OPTIONS+=LLVM_TARGET_${__llt:tu} # aarch64 needs arm for -m32 support. .elif ${__TT} == "arm64" && ${__llt} == "arm" __DEFAULT_DEPENDENT_OPTIONS+= LLVM_TARGET_ARM/LLVM_TARGET_AARCH64 # Default the rest of the LLVM_TARGETs to the value of MK_LLVM_TARGET_ALL. .else __DEFAULT_DEPENDENT_OPTIONS+= LLVM_TARGET_${__llt:${__LLVM_TARGET_FILT}:tu}/LLVM_TARGET_ALL .endif .endfor __DEFAULT_NO_OPTIONS+=LLVM_TARGET_BPF __DEFAULT_NO_OPTIONS+=LLVM_TARGET_RISCV .include # If the compiler is not C++11 capable, disable Clang and use GCC instead. # This means that architectures that have GCC 4.2 as default can not # build Clang without using an external compiler. .if ${COMPILER_FEATURES:Mc++11} && (${__T} == "aarch64" || \ ${__T} == "amd64" || ${__TT} == "arm" || ${__T} == "i386") # Clang is enabled, and will be installed as the default /usr/bin/cc. __DEFAULT_YES_OPTIONS+=CLANG CLANG_BOOTSTRAP CLANG_IS_CC LLD __DEFAULT_NO_OPTIONS+=GCC GCC_BOOTSTRAP GNUCXX GPL_DTC .elif ${COMPILER_FEATURES:Mc++11} && ${__T:Mriscv*} == "" && ${__T} != "sparc64" # If an external compiler that supports C++11 is used as ${CC} and Clang # supports the target, then Clang is enabled but GCC is installed as the # default /usr/bin/cc. __DEFAULT_YES_OPTIONS+=CLANG GCC GCC_BOOTSTRAP GNUCXX GPL_DTC LLD __DEFAULT_NO_OPTIONS+=CLANG_BOOTSTRAP CLANG_IS_CC .else # Everything else disables Clang, and uses GCC instead. __DEFAULT_YES_OPTIONS+=GCC GCC_BOOTSTRAP GNUCXX GPL_DTC __DEFAULT_NO_OPTIONS+=CLANG CLANG_BOOTSTRAP CLANG_IS_CC LLD .endif # In-tree binutils/gcc are older versions without modern architecture support. .if ${__T} == "aarch64" || ${__T:Mriscv*} != "" BROKEN_OPTIONS+=BINUTILS BINUTILS_BOOTSTRAP GCC GCC_BOOTSTRAP GDB .endif .if ${__T:Mriscv*} != "" BROKEN_OPTIONS+=OFED .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" || \ ${__T:Mriscv*} != "" || ${__TT} == "mips" __DEFAULT_YES_OPTIONS+=LLVM_LIBUNWIND .else __DEFAULT_NO_OPTIONS+=LLVM_LIBUNWIND .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "armv7" || \ ${__T} == "i386" __DEFAULT_YES_OPTIONS+=LLD_BOOTSTRAP LLD_IS_LD .else __DEFAULT_NO_OPTIONS+=LLD_BOOTSTRAP LLD_IS_LD .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" __DEFAULT_YES_OPTIONS+=LLDB .else __DEFAULT_NO_OPTIONS+=LLDB .endif # LLVM lacks support for FreeBSD 64-bit atomic operations for ARMv4/ARMv5 .if ${__T} == "arm" BROKEN_OPTIONS+=LLDB .endif # GDB in base is generally less functional than GDB in ports. Ports GDB # sparc64 kernel support has not been tested. .if ${__T} == "sparc64" __DEFAULT_NO_OPTIONS+=GDB_LIBEXEC .else __DEFAULT_YES_OPTIONS+=GDB_LIBEXEC .endif # Only doing soft float API stuff on armv6 and armv7 .if ${__T} != "armv6" && ${__T} != "armv7" BROKEN_OPTIONS+=LIBSOFT .endif .if ${__T:Mmips*} BROKEN_OPTIONS+=SSP .endif # EFI doesn't exist on mips, powerpc, sparc or riscv. .if ${__T:Mmips*} || ${__T:Mpowerpc*} || ${__T:Msparc64} || ${__T:Mriscv*} BROKEN_OPTIONS+=EFI .endif # OFW is only for powerpc and sparc64, exclude others .if ${__T:Mpowerpc*} == "" && ${__T:Msparc64} == "" BROKEN_OPTIONS+=LOADER_OFW .endif # UBOOT is only for arm, mips and powerpc, exclude others .if ${__T:Marm*} == "" && ${__T:Mmips*} == "" && ${__T:Mpowerpc*} == "" BROKEN_OPTIONS+=LOADER_UBOOT .endif # GELI and Lua in loader currently cause boot failures on sparc64 and powerpc. # Further debugging is required -- probably they are just broken on big # endian systems generically (they jump to null pointers or try to read # crazy high addresses, which is typical of endianness problems). .if ${__T} == "sparc64" || ${__T:Mpowerpc*} BROKEN_OPTIONS+=LOADER_GELI LOADER_LUA .endif .if ${__T:Mmips64*} # profiling won't work on MIPS64 because there is only assembly for o32 BROKEN_OPTIONS+=PROFILE .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" || \ ${__T} == "powerpc64" || ${__T} == "sparc64" __DEFAULT_YES_OPTIONS+=CXGBETOOL __DEFAULT_YES_OPTIONS+=MLX5TOOL .else __DEFAULT_NO_OPTIONS+=CXGBETOOL __DEFAULT_NO_OPTIONS+=MLX5TOOL .endif # HyperV is currently x86-only .if ${__T} == "amd64" || ${__T} == "i386" __DEFAULT_YES_OPTIONS+=HYPERV .else __DEFAULT_NO_OPTIONS+=HYPERV .endif # NVME is only x86 and powerpc64 .if ${__T} == "amd64" || ${__T} == "i386" || ${__T} == "powerpc64" __DEFAULT_YES_OPTIONS+=NVME .else __DEFAULT_NO_OPTIONS+=NVME .endif # Sparc64 need extra crt*.o files .if ${__T:Msparc64} BROKEN_OPTIONS+=BSD_CRTBEGIN .endif .if ${COMPILER_FEATURES:Mc++11} && \ (${__T} == "amd64" || ${__T} == "i386" || ${__T} == "powerpc64") __DEFAULT_YES_OPTIONS+=OPENMP .else __DEFAULT_NO_OPTIONS+=OPENMP .endif .include # # MK_* options that default to "yes" if the compiler is a C++11 compiler. # .for var in \ LIBCPLUSPLUS .if !defined(MK_${var}) .if ${COMPILER_FEATURES:Mc++11} .if defined(WITHOUT_${var}) MK_${var}:= no .else MK_${var}:= yes .endif .else .if defined(WITH_${var}) MK_${var}:= yes .else MK_${var}:= no .endif .endif .endif .endfor # # Force some options off if their dependencies are off. # Order is somewhat important. # .if !${COMPILER_FEATURES:Mc++11} MK_GOOGLETEST:= no MK_LLVM_LIBUNWIND:= no .endif .if ${MK_BINUTILS} == "no" MK_GDB:= no .endif .if ${MK_CAPSICUM} == "no" MK_CASPER:= no .endif .if ${MK_LIBPTHREAD} == "no" MK_LIBTHR:= no .endif .if ${MK_LDNS} == "no" MK_LDNS_UTILS:= no MK_UNBOUND:= no .endif .if ${MK_SOURCELESS} == "no" MK_SOURCELESS_HOST:= no MK_SOURCELESS_UCODE:= no .endif .if ${MK_CDDL} == "no" MK_ZFS:= no MK_LOADER_ZFS:= no MK_CTF:= no .endif .if ${MK_CRYPT} == "no" MK_OPENSSL:= no MK_OPENSSH:= no MK_KERBEROS:= no .endif .if ${MK_CXX} == "no" MK_CLANG:= no MK_GNUCXX:= no MK_TESTS:= no .endif .if ${MK_DIALOG} == "no" MK_BSDINSTALL:= no .endif .if ${MK_MAIL} == "no" MK_MAILWRAPPER:= no MK_SENDMAIL:= no MK_DMAGENT:= no .endif .if ${MK_NETGRAPH} == "no" MK_ATM:= no MK_BLUETOOTH:= no .endif .if ${MK_NLS} == "no" MK_NLS_CATALOGS:= no .endif .if ${MK_OPENSSL} == "no" MK_DMAGENT:= no MK_OPENSSH:= no MK_KERBEROS:= no .endif .if ${MK_PF} == "no" MK_AUTHPF:= no .endif .if ${MK_OFED} == "no" MK_OFED_EXTRA:= no .endif .if ${MK_PORTSNAP} == "no" # freebsd-update depends on phttpget from portsnap MK_FREEBSD_UPDATE:= no .endif .if ${MK_TESTS} == "no" MK_DTRACE_TESTS:= no .endif .if ${MK_TESTS_SUPPORT} == "no" MK_GOOGLETEST:= no .endif .if ${MK_ZONEINFO} == "no" MK_ZONEINFO_LEAPSECONDS_SUPPORT:= no MK_ZONEINFO_OLD_TIMEZONES_SUPPORT:= no .endif .if ${MK_CROSS_COMPILER} == "no" MK_BINUTILS_BOOTSTRAP:= no MK_CLANG_BOOTSTRAP:= no MK_ELFTOOLCHAIN_BOOTSTRAP:= no MK_GCC_BOOTSTRAP:= no MK_LLD_BOOTSTRAP:= no .endif .if ${MK_TOOLCHAIN} == "no" MK_BINUTILS:= no MK_CLANG:= no MK_GCC:= no MK_GDB:= no MK_INCLUDES:= no MK_LLD:= no MK_LLDB:= no .endif .if ${MK_CLANG} == "no" MK_CLANG_EXTRAS:= no MK_CLANG_FULL:= no MK_LLVM_COV:= no .endif .if ${MK_LOADER_VERIEXEC} == "no" MK_LOADER_VERIEXEC_PASS_MANIFEST := no .endif # # MK_* options whose default value depends on another option. # .for vv in \ GSSAPI/KERBEROS \ MAN_UTILS/MAN .if defined(WITH_${vv:H}) MK_${vv:H}:= yes .elif defined(WITHOUT_${vv:H}) MK_${vv:H}:= no .else MK_${vv:H}:= ${MK_${vv:T}} .endif .endfor # # Set defaults for the MK_*_SUPPORT variables. # .if !${COMPILER_FEATURES:Mc++11} MK_LLDB:= no .endif # gcc 4.8 and newer supports libc++, so suppress gnuc++ in that case. # while in theory we could build it with that, we don't want to do # that since it creates too much confusion for too little gain. # XXX: This is incomplete and needs X_COMPILER_TYPE/VERSION checks too # to prevent Makefile.inc1 from bootstrapping unneeded dependencies # and to support 'make delete-old' when supplying an external toolchain. .if ${COMPILER_TYPE} == "gcc" && ${COMPILER_VERSION} >= 40800 MK_GNUCXX:=no MK_GCC:=no .endif .endif # !target(____) Index: stable/12/usr.sbin/Makefile =================================================================== --- stable/12/usr.sbin/Makefile (revision 357081) +++ stable/12/usr.sbin/Makefile (revision 357082) @@ -1,228 +1,231 @@ # From: @(#)Makefile 5.20 (Berkeley) 6/12/93 # $FreeBSD$ .include SUBDIR= adduser \ arp \ binmiscctl \ camdd \ cdcontrol \ chkgrp \ chown \ chroot \ ckdist \ clear_locks \ crashinfo \ cron \ ctladm \ ctld \ daemon \ dconschat \ devctl \ devinfo \ diskinfo \ dumpcis \ etcupdate \ extattr \ extattrctl \ fifolog \ fstyp \ fwcontrol \ getfmac \ getpmac \ gstat \ i2c \ ifmcstat \ iostat \ iovctl \ kldxref \ mailwrapper \ makefs \ memcontrol \ mergemaster \ mfiutil \ mixer \ mlxcontrol \ mountd \ mount_smbfs \ mpsutil \ mptutil \ mtest \ newsyslog \ nfscbd \ nfsd \ nfsdumpstate \ nfsrevoke \ nfsuserd \ nmtree \ nologin \ pciconf \ periodic \ pnfsdscopymr \ pnfsdsfile \ pnfsdskill \ powerd \ prometheus_sysctl_exporter \ pstat \ pw \ pwd_mkdb \ pwm \ quot \ rarpd \ rmt \ rpcbind \ rpc.lockd \ rpc.statd \ rpc.umntall \ rtprio \ rwhod \ service \ services_mkdb \ sesutil \ setfib \ setfmac \ setpmac \ smbmsg \ snapinfo \ spi \ spray \ syslogd \ sysrc \ tcpdrop \ tcpdump \ traceroute \ trim \ trpt \ tzsetup \ ugidfw \ valectl \ vigr \ vipw \ wake \ watch \ watchdogd \ zic \ zonectl # NB: keep these sorted by MK_* knobs SUBDIR.${MK_ACCT}+= accton SUBDIR.${MK_ACCT}+= sa SUBDIR.${MK_AMD}+= amd SUBDIR.${MK_AUDIT}+= audit SUBDIR.${MK_AUDIT}+= auditd .if ${MK_OPENSSL} != "no" SUBDIR.${MK_AUDIT}+= auditdistd .endif SUBDIR.${MK_AUDIT}+= auditreduce SUBDIR.${MK_AUDIT}+= praudit SUBDIR.${MK_AUTHPF}+= authpf SUBDIR.${MK_AUTOFS}+= autofs SUBDIR.${MK_BLACKLIST}+= blacklistctl SUBDIR.${MK_BLACKLIST}+= blacklistd SUBDIR.${MK_BLUETOOTH}+= bluetooth SUBDIR.${MK_BOOTPARAMD}+= bootparamd SUBDIR.${MK_BSDINSTALL}+= bsdinstall SUBDIR.${MK_BSNMP}+= bsnmpd +.if ${MK_CAROOT} != "no" +SUBDIR.${MK_OPENSSL}+= certctl +.endif SUBDIR.${MK_CTM}+= ctm SUBDIR.${MK_CXGBETOOL}+= cxgbetool SUBDIR.${MK_DIALOG}+= bsdconfig SUBDIR.${MK_EFI}+= efivar efidp efibootmgr .if ${MK_OPENSSL} != "no" SUBDIR.${MK_EFI}+= uefisign .endif SUBDIR.${MK_FLOPPY}+= fdcontrol SUBDIR.${MK_FLOPPY}+= fdformat SUBDIR.${MK_FLOPPY}+= fdread SUBDIR.${MK_FLOPPY}+= fdwrite SUBDIR.${MK_FMTREE}+= fmtree SUBDIR.${MK_FREEBSD_UPDATE}+= freebsd-update SUBDIR.${MK_GSSAPI}+= gssd SUBDIR.${MK_GPIO}+= gpioctl SUBDIR.${MK_INET6}+= ip6addrctl SUBDIR.${MK_INET6}+= mld6query SUBDIR.${MK_INET6}+= ndp SUBDIR.${MK_INET6}+= rip6query SUBDIR.${MK_INET6}+= route6d SUBDIR.${MK_INET6}+= rrenumd SUBDIR.${MK_INET6}+= rtadvctl SUBDIR.${MK_INET6}+= rtadvd SUBDIR.${MK_INET6}+= rtsold SUBDIR.${MK_INET6}+= traceroute6 SUBDIR.${MK_INETD}+= inetd SUBDIR.${MK_IPFW}+= ipfwpcap SUBDIR.${MK_ISCSI}+= iscsid SUBDIR.${MK_JAIL}+= jail SUBDIR.${MK_JAIL}+= jexec SUBDIR.${MK_JAIL}+= jls # XXX MK_SYSCONS SUBDIR.${MK_LEGACY_CONSOLE}+= kbdcontrol SUBDIR.${MK_LEGACY_CONSOLE}+= kbdmap SUBDIR.${MK_LEGACY_CONSOLE}+= moused SUBDIR.${MK_LEGACY_CONSOLE}+= vidcontrol .if ${MK_LIBTHR} != "no" || ${MK_LIBPTHREAD} != "no" SUBDIR.${MK_PPP}+= pppctl SUBDIR.${MK_NS_CACHING}+= nscd .endif SUBDIR.${MK_LPR}+= lpr SUBDIR.${MK_MAN_UTILS}+= manctl SUBDIR.${MK_MLX5TOOL}+= mlx5tool SUBDIR.${MK_NAND}+= nandsim SUBDIR.${MK_NAND}+= nandtool SUBDIR.${MK_NETGRAPH}+= flowctl SUBDIR.${MK_NETGRAPH}+= ngctl SUBDIR.${MK_NETGRAPH}+= nghook SUBDIR.${MK_NIS}+= rpc.yppasswdd SUBDIR.${MK_NIS}+= rpc.ypupdated SUBDIR.${MK_NIS}+= rpc.ypxfrd SUBDIR.${MK_NIS}+= ypbind SUBDIR.${MK_NIS}+= ypldap SUBDIR.${MK_NIS}+= yp_mkdb SUBDIR.${MK_NIS}+= yppoll SUBDIR.${MK_NIS}+= yppush SUBDIR.${MK_NIS}+= ypserv SUBDIR.${MK_NIS}+= ypset SUBDIR.${MK_NTP}+= ntp SUBDIR.${MK_OPENSSL}+= keyserv SUBDIR.${MK_PC_SYSINSTALL}+= pc-sysinstall SUBDIR.${MK_PF}+= ftp-proxy SUBDIR.${MK_PKGBOOTSTRAP}+= pkg .if ${COMPILER_FEATURES:Mc++11} SUBDIR.${MK_PMC}+= pmc .endif SUBDIR.${MK_PMC}+= pmcannotate pmccontrol pmcstat pmcstudy SUBDIR.${MK_PORTSNAP}+= portsnap SUBDIR.${MK_PPP}+= ppp SUBDIR.${MK_QUOTAS}+= edquota SUBDIR.${MK_QUOTAS}+= quotaon SUBDIR.${MK_QUOTAS}+= repquota SUBDIR.${MK_SENDMAIL}+= editmap SUBDIR.${MK_SENDMAIL}+= mailstats SUBDIR.${MK_SENDMAIL}+= makemap SUBDIR.${MK_SENDMAIL}+= praliases SUBDIR.${MK_SENDMAIL}+= sendmail SUBDIR.${MK_TCP_WRAPPERS}+= tcpdchk SUBDIR.${MK_TCP_WRAPPERS}+= tcpdmatch SUBDIR.${MK_TIMED}+= timed SUBDIR.${MK_TOOLCHAIN}+= config SUBDIR.${MK_TOOLCHAIN}+= crunch SUBDIR.${MK_UNBOUND}+= unbound SUBDIR.${MK_USB}+= uathload SUBDIR.${MK_USB}+= uhsoctl SUBDIR.${MK_USB}+= usbconfig SUBDIR.${MK_USB}+= usbdump SUBDIR.${MK_UTMPX}+= ac SUBDIR.${MK_UTMPX}+= lastlogin SUBDIR.${MK_UTMPX}+= utx SUBDIR.${MK_WIRELESS}+= ancontrol SUBDIR.${MK_WIRELESS}+= wlandebug SUBDIR.${MK_WIRELESS}+= wpa SUBDIR.${MK_TESTS}+= tests .include SUBDIR_PARALLEL= .include Index: stable/12/usr.sbin/certctl/certctl.sh =================================================================== --- stable/12/usr.sbin/certctl/certctl.sh (nonexistent) +++ stable/12/usr.sbin/certctl/certctl.sh (revision 357082) @@ -0,0 +1,240 @@ +#!/bin/sh +#- +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright 2018 Allan Jude +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted providing that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# +# $FreeBSD$ + +############################################################ CONFIGURATION + +: ${DESTDIR:=} +: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs} +: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} +: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} +: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} +: ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} +: ${VERBOSE:=0} + +############################################################ GLOBALS + +SCRIPTNAME="${0##*/}" +ERRORS=0 +NOOP=0 + +############################################################ FUNCTIONS + +do_hash() +{ + local hash + + if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then + echo "$hash" + return 0 + else + echo "Error: $1" >&2 + ERRORS=$(( $ERRORS + 1 )) + return 1 + fi +} + +create_trusted_link() +{ + local hash + + hash=$( do_hash "$1" ) || return + if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then + echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" + return 1 + fi + [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" + [ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$CERTDESTDIR/$hash.0" +} + +create_blacklisted() +{ + local hash srcfile filename + + # If it exists as a file, we'll try that; otherwise, we'll scan + if [ -e "$1" ]; then + hash=$( do_hash "$1" ) || return + srcfile=$(realpath "$1") + filename="$hash.0" + elif [ -e "${CERTDESTDIR}/$1" ]; then + srcfile=$(realpath "${CERTDESTDIR}/$1") + filename="$1" + else + return + fi + [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" + [ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename" +} + +do_scan() +{ + local CFUNC CSEARCH CPATH CFILE + local oldIFS="$IFS" + CFUNC="$1" + CSEARCH="$2" + + IFS=: + set -- $CSEARCH + IFS="$oldIFS" + for CPATH in "$@"; do + [ -d "$CPATH" ] || continue + echo "Scanning $CPATH for certificates..." + cd "$CPATH" + for CFILE in $EXTENSIONS; do + [ -e "$CFILE" ] || continue + [ $VERBOSE -gt 0 ] && echo "Reading $CFILE" + "$CFUNC" "$CPATH/$CFILE" + done + cd - + done +} + +do_list() +{ + local CFILE subject + + if [ -e "$1" ]; then + cd "$1" + for CFILE in *.0; do + if [ ! -s "$CFILE" ]; then + echo "Unable to read $CFILE" >&2 + ERRORS=$(( $ERRORS + 1 )) + continue + fi + subject= + if [ $VERBOSE -eq 0 ]; then + subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | + sed -n '/commonName/s/.*= //p' ) + fi + [ "$subject" ] || + subject=$( openssl x509 -noout -subject -in "$CFILE" ) + printf "%s\t%s\n" "$CFILE" "$subject" + done + cd - + fi +} + +cmd_rehash() +{ + + [ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR" + [ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR" + [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + + do_scan create_blacklisted "$BLACKLISTPATH" + do_scan create_trusted_link "$TRUSTPATH" +} + +cmd_list() +{ + echo "Listing Trusted Certificates:" + do_list "$CERTDESTDIR" +} + +cmd_blacklist() +{ + local BPATH + + shift # verb + [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + for BFILE in "$@"; do + echo "Adding $BFILE to blacklist" + create_blacklisted "$BFILE" + done +} + +cmd_unblacklist() +{ + local BFILE hash + + shift # verb + for BFILE in "$@"; do + if [ -s "$BFILE" ]; then + hash=$( do_hash "$BFILE" ) + echo "Removing $hash.0 from blacklist" + [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0" + elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then + echo "Removing $BFILE from blacklist" + [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" + else + echo "Cannot find $BFILE" >&2 + ERRORS=$(( $ERRORS + 1 )) + fi + done +} + +cmd_blacklisted() +{ + echo "Listing Blacklisted Certificates:" + do_list "$BLACKLISTDESTDIR" +} + +usage() +{ + exec >&2 + echo "Manage the TLS trusted certificates on the system" + echo " $SCRIPTNAME [-v] list" + echo " List trusted certificates" + echo " $SCRIPTNAME [-v] blacklisted" + echo " List blacklisted certificates" + echo " $SCRIPTNAME [-nv] rehash" + echo " Generate hash links for all certificates" + echo " $SCRIPTNAME [-nv] blacklist " + echo " Add to the list of blacklisted certificates" + echo " $SCRIPTNAME [-nv] unblacklist " + echo " Remove from the list of blacklisted certificates" + exit 64 +} + +############################################################ MAIN + +while getopts nv flag; do + case "$flag" in + n) NOOP=1 ;; + v) VERBOSE=$(( $VERBOSE + 1 )) ;; + esac +done +shift $(( $OPTIND - 1 )) + +[ $# -gt 0 ] || usage +case "$1" in +list) cmd_list ;; +rehash) cmd_rehash ;; +blacklist) cmd_blacklist "$@" ;; +unblacklist) cmd_unblacklist "$@" ;; +blacklisted) cmd_blacklisted ;; +*) usage # NOTREACHED +esac + +retval=$? +[ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2 +exit $retval + +################################################################################ +# END +################################################################################ Property changes on: stable/12/usr.sbin/certctl/certctl.sh ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/12/usr.sbin/certctl/Makefile =================================================================== --- stable/12/usr.sbin/certctl/Makefile (nonexistent) +++ stable/12/usr.sbin/certctl/Makefile (revision 357082) @@ -0,0 +1,6 @@ +# $FreeBSD$ + +SCRIPTS=certctl.sh +MAN= certctl.8 + +.include Property changes on: stable/12/usr.sbin/certctl/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/12/usr.sbin/certctl/certctl.8 =================================================================== --- stable/12/usr.sbin/certctl/certctl.8 (nonexistent) +++ stable/12/usr.sbin/certctl/certctl.8 (revision 357082) @@ -0,0 +1,119 @@ +.\" +.\" SPDX-License-Identifier: BSD-2-Clause-FreeBSD +.\" +.\" Copyright 2018 Allan Jude +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted providing that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd February 19, 2019 +.Dt CERTCTL 8 +.Os +.Sh NAME +.Nm certctl +.Nd "tool for managing trusted and blacklist TLS certificates" +.Sh SYNOPSIS +.Nm +.Op Fl v +.Ic list +.Nm +.Op Fl v +.Ic blacklisted +.Nm +.Op Fl nv +.Ic rehash +.Nm +.Op Fl nv +.Ic blacklist Ar file +.Nm +.Op Fl nv +.Ic unblacklist Ar file +.Sh DESCRIPTION +The +.Nm +utility manages the list of TLS Certificate Authorities that are trusted by +applications that use OpenSSL. +.Pp +Flags: +.Bl -tag -width 4n +.It Fl n +No-Op mode, do not actually perform any actions. +.It Fl v +be verbose, print details about actions before performing them. +.El +.Pp +Primary command functions: +.Bl -tag -width blacklisted +.It Ic list +List all currently trusted certificate authorities. +.It Ic blacklisted +List all currently blacklisted certificates. +.It Ic rehash +Rebuild the list of trusted certificate authorities by scanning all directories +in +.Ev TRUSTPATH +and all blacklisted certificates in +.Ev BLACKLISTPATH . +A symbolic link to each trusted certificate is placed in +.Ev CERTDESTDIR +and each blacklisted certificate in +.Ev BLACKLISTDESTDIR . +.It Ic blacklist +Add the specified file to the blacklist. +.It Ic unblacklist +Remove the specified file from the blacklist. +.El +.Sh ENVIRONMENT +.Bl -tag -width BLACKLISTDESTDIR +.It Ev DESTDIR +Alternate destination directory to operate on. +.It Ev TRUSTPATH +List of paths to search for trusted certificates. +Default: +.Pa /usr/share/certs/trusted +.Pa /usr/local/share/certs /usr/local/etc/ssl/certs +.It Ev BLACKLISTPATH +List of paths to search for blacklisted certificates. +Default: +.Pa /usr/share/certs/blacklisted +.Pa /usr/local/etc/ssl/blacklisted +.It Ev CERTDESTDIR +Destination directory for symbolic links to trusted certificates. +Default: +.Pa /etc/ssl/certs +.It Ev BLACKLISTDESTDIR +Destination directory for symbolic links to blacklisted certificates. +Default: +.Pa /etc/ssl/blacklisted +.It Ev EXTENSIONS +List of file extensions to read as certificate files. +Default: *.pem *.crt *.cer *.crl *.0 +.El +.Sh SEE ALSO +.Xr openssl 1 +.Sh HISTORY +.Nm +first appeared in +.Fx 12.0 +.Sh AUTHORS +.An Allan Jude Aq Mt allanjude@freebsd.org Property changes on: stable/12/usr.sbin/certctl/certctl.8 ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: stable/12/usr.sbin/etcupdate/etcupdate.sh =================================================================== --- stable/12/usr.sbin/etcupdate/etcupdate.sh (revision 357081) +++ stable/12/usr.sbin/etcupdate/etcupdate.sh (revision 357082) @@ -1,1801 +1,1807 @@ #!/bin/sh # # SPDX-License-Identifier: BSD-2-Clause-FreeBSD # # Copyright (c) 2010-2013 Hudson River Trading LLC # Written by: John H. Baldwin # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # This is a tool to manage updating files that are not updated as part # of 'make installworld' such as files in /etc. Unlike other tools, # this one is specifically tailored to assisting with mass upgrades. # To that end it does not require user intervention while running. # # Theory of operation: # # The most reliable way to update changes to files that have local # modifications is to perform a three-way merge between the original # unmodified file, the new version of the file, and the modified file. # This requires having all three versions of the file available when # performing an update. # # To that end, etcupdate uses a strategy where the current unmodified # tree is kept in WORKDIR/current and the previous unmodified tree is # kept in WORKDIR/old. When performing a merge, a new tree is built # if needed and then the changes are merged into DESTDIR. Any files # with unresolved conflicts after the merge are left in a tree rooted # at WORKDIR/conflicts. # # To provide extra flexibility, etcupdate can also build tarballs of # root trees that can later be used. It can also use a tarball as the # source of a new tree instead of building it from /usr/src. # Global settings. These can be adjusted by config files and in some # cases by command line options. # TODO: # - automatable conflict resolution # - a 'revert' command to make a file "stock" usage() { cat < etcupdate diff [-d workdir] [-D destdir] [-I patterns] [-L logfile] etcupdate extract [-B] [-d workdir] [-s source | -t tarball] [-L logfile] [-M options] etcupdate resolve [-p] [-d workdir] [-D destdir] [-L logfile] etcupdate status [-d workdir] [-D destdir] EOF exit 1 } # Used to write a message prepended with '>>>' to the logfile. log() { echo ">>>" "$@" >&3 } # Used for assertion conditions that should never happen. panic() { echo "PANIC:" "$@" exit 10 } # Used to write a warning message. These are saved to the WARNINGS # file with " " prepended. warn() { echo -n " " >> $WARNINGS echo "$@" >> $WARNINGS } # Output a horizontal rule using the passed-in character. Matches the # length used for Index lines in CVS and SVN diffs. # # $1 - character rule() { jot -b "$1" -s "" 67 } # Output a text description of a specified file's type. # # $1 - file pathname. file_type() { stat -f "%HT" $1 | tr "[:upper:]" "[:lower:]" } # Returns true (0) if a file exists # # $1 - file pathname. exists() { [ -e $1 -o -L $1 ] } # Returns true (0) if a file should be ignored, false otherwise. # # $1 - file pathname ignore() { local pattern - set -o noglob for pattern in $IGNORE_FILES; do set +o noglob case $1 in $pattern) return 0 ;; esac set -o noglob done # Ignore /.cshrc and /.profile if they are hardlinked to the # same file in /root. This ensures we only compare those # files once in that case. case $1 in /.cshrc|/.profile) if [ ${DESTDIR}$1 -ef ${DESTDIR}/root$1 ]; then return 0 fi ;; *) ;; esac return 1 } # Returns true (0) if the new version of a file should always be # installed rather than attempting to do a merge. # # $1 - file pathname always_install() { local pattern - set -o noglob for pattern in $ALWAYS_INSTALL; do set +o noglob case $1 in $pattern) return 0 ;; esac set -o noglob done return 1 } # Build a new tree # # $1 - directory to store new tree in build_tree() { local destdir dir file make make="make $MAKE_OPTIONS -DNO_FILEMON" log "Building tree at $1 with $make" mkdir -p $1/usr/obj >&3 2>&1 destdir=`realpath $1` if [ -n "$preworld" ]; then # Build a limited tree that only contains files that are # crucial to installworld. for file in $PREWORLD_FILES; do dir=`dirname /$file` mkdir -p $1/$dir >&3 2>&1 || return 1 cp -p $SRCDIR/$file $1/$file || return 1 done elif ! [ -n "$nobuild" ]; then (cd $SRCDIR; $make DESTDIR=$destdir distrib-dirs && MAKEOBJDIRPREFIX=$destdir/usr/obj $make _obj SUBDIR_OVERRIDE=etc && MAKEOBJDIRPREFIX=$destdir/usr/obj $make everything SUBDIR_OVERRIDE=etc && MAKEOBJDIRPREFIX=$destdir/usr/obj $make DESTDIR=$destdir distribution) \ >&3 2>&1 || return 1 else (cd $SRCDIR; $make DESTDIR=$destdir distrib-dirs && $make DESTDIR=$destdir distribution) >&3 2>&1 || return 1 fi chflags -R noschg $1 >&3 2>&1 || return 1 rm -rf $1/usr/obj >&3 2>&1 || return 1 # Purge auto-generated files. Only the source files need to # be updated after which these files are regenerated. rm -f $1/etc/*.db $1/etc/passwd $1/var/db/services.db >&3 2>&1 || \ return 1 # Remove empty files. These just clutter the output of 'diff'. find $1 -type f -size 0 -delete >&3 2>&1 || return 1 # Trim empty directories. find -d $1 -type d -empty -delete >&3 2>&1 || return 1 return 0 } # Generate a new NEWTREE tree. If tarball is set, then the tree is # extracted from the tarball. Otherwise the tree is built from a # source tree. extract_tree() { local files # If we have a tarball, extract that into the new directory. if [ -n "$tarball" ]; then files= if [ -n "$preworld" ]; then files="$PREWORLD_FILES" fi if ! (mkdir -p $NEWTREE && tar xf $tarball -C $NEWTREE $files) \ >&3 2>&1; then echo "Failed to extract new tree." remove_tree $NEWTREE exit 1 fi else if ! build_tree $NEWTREE; then echo "Failed to build new tree." remove_tree $NEWTREE exit 1 fi fi } # Forcefully remove a tree. Returns true (0) if the operation succeeds. # # $1 - path to tree remove_tree() { rm -rf $1 >&3 2>&1 if [ -e $1 ]; then chflags -R noschg $1 >&3 2>&1 rm -rf $1 >&3 2>&1 fi [ ! -e $1 ] } # Return values for compare() COMPARE_EQUAL=0 COMPARE_ONLYFIRST=1 COMPARE_ONLYSECOND=2 COMPARE_DIFFTYPE=3 COMPARE_DIFFLINKS=4 COMPARE_DIFFFILES=5 # Compare two files/directories/symlinks. Note that this does not # recurse into subdirectories. Instead, if two nodes are both # directories, they are assumed to be equivalent. # # Returns true (0) if the nodes are identical. If only one of the two # nodes are present, return one of the COMPARE_ONLY* constants. If # the nodes are different, return one of the COMPARE_DIFF* constants # to indicate the type of difference. # # $1 - first node # $2 - second node compare() { local first second # If the first node doesn't exist, then check for the second # node. Note that -e will fail for a symbolic link that # points to a missing target. if ! exists $1; then if exists $2; then return $COMPARE_ONLYSECOND else return $COMPARE_EQUAL fi elif ! exists $2; then return $COMPARE_ONLYFIRST fi # If the two nodes are different file types fail. first=`stat -f "%Hp" $1` second=`stat -f "%Hp" $2` if [ "$first" != "$second" ]; then return $COMPARE_DIFFTYPE fi # If both are symlinks, compare the link values. if [ -L $1 ]; then first=`readlink $1` second=`readlink $2` if [ "$first" = "$second" ]; then return $COMPARE_EQUAL else return $COMPARE_DIFFLINKS fi fi # If both are files, compare the file contents. if [ -f $1 ]; then if cmp -s $1 $2; then return $COMPARE_EQUAL else return $COMPARE_DIFFFILES fi fi # As long as the two nodes are the same type of file, consider # them equivalent. return $COMPARE_EQUAL } # Returns true (0) if the only difference between two regular files is a # change in the FreeBSD ID string. # # $1 - path of first file # $2 - path of second file fbsdid_only() { diff -qI '\$FreeBSD.*\$' $1 $2 >/dev/null 2>&1 } # This is a wrapper around compare that will return COMPARE_EQUAL if # the only difference between two regular files is a change in the # FreeBSD ID string. It only makes this adjustment if the -F flag has # been specified. # # $1 - first node # $2 - second node compare_fbsdid() { local cmp compare $1 $2 cmp=$? if [ -n "$FREEBSD_ID" -a "$cmp" -eq $COMPARE_DIFFFILES ] && \ fbsdid_only $1 $2; then return $COMPARE_EQUAL fi return $cmp } # Returns true (0) if a directory is empty. # # $1 - pathname of the directory to check empty_dir() { local contents contents=`ls -A $1` [ -z "$contents" ] } # Returns true (0) if one directories contents are a subset of the # other. This will recurse to handle subdirectories and compares # individual files in the trees. Its purpose is to quiet spurious # directory warnings for dryrun invocations. # # $1 - first directory (sub) # $2 - second directory (super) dir_subset() { local contents file if ! [ -d $1 -a -d $2 ]; then return 1 fi # Ignore files that are present in the second directory but not # in the first. contents=`ls -A $1` for file in $contents; do if ! compare $1/$file $2/$file; then return 1 fi if [ -d $1/$file ]; then if ! dir_subset $1/$file $2/$file; then return 1 fi fi done return 0 } # Returns true (0) if a directory in the destination tree is empty. # If this is a dryrun, then this returns true as long as the contents # of the directory are a subset of the contents in the old tree # (meaning that the directory would be empty in a non-dryrun when this # was invoked) to quiet spurious warnings. # # $1 - pathname of the directory to check relative to DESTDIR. empty_destdir() { if [ -n "$dryrun" ]; then dir_subset $DESTDIR/$1 $OLDTREE/$1 return fi empty_dir $DESTDIR/$1 } # Output a diff of two directory entries with the same relative name # in different trees. Note that as with compare(), this does not # recurse into subdirectories. If the nodes are identical, nothing is # output. # # $1 - first tree # $2 - second tree # $3 - node name # $4 - label for first tree # $5 - label for second tree diffnode() { local first second file old new diffargs if [ -n "$FREEBSD_ID" ]; then diffargs="-I \\\$FreeBSD.*\\\$" else diffargs="" fi compare_fbsdid $1/$3 $2/$3 case $? in $COMPARE_EQUAL) ;; $COMPARE_ONLYFIRST) echo echo "Removed: $3" echo ;; $COMPARE_ONLYSECOND) echo echo "Added: $3" echo ;; $COMPARE_DIFFTYPE) first=`file_type $1/$3` second=`file_type $2/$3` echo echo "Node changed from a $first to a $second: $3" echo ;; $COMPARE_DIFFLINKS) first=`readlink $1/$file` second=`readlink $2/$file` echo echo "Link changed: $file" rule "=" echo "-$first" echo "+$second" echo ;; $COMPARE_DIFFFILES) echo "Index: $3" rule "=" diff -u $diffargs -L "$3 ($4)" $1/$3 -L "$3 ($5)" $2/$3 ;; esac } # Run one-off commands after an update has completed. These commands # are not tied to a specific file, so they cannot be handled by # post_install_file(). post_update() { local args # None of these commands should be run for a pre-world update. if [ -n "$preworld" ]; then return fi # If /etc/localtime exists and is not a symlink and /var/db/zoneinfo # exists, run tzsetup -r to refresh /etc/localtime. if [ -f ${DESTDIR}/etc/localtime -a \ ! -L ${DESTDIR}/etc/localtime ]; then if [ -f ${DESTDIR}/var/db/zoneinfo ]; then if [ -n "${DESTDIR}" ]; then args="-C ${DESTDIR}" else args="" fi log "tzsetup -r ${args}" if [ -z "$dryrun" ]; then tzsetup -r ${args} >&3 2>&1 fi else warn "Needs update: /etc/localtime (required" \ "manual update via tzsetup(8))" fi fi } # Create missing parent directories of a node in a target tree # preserving the owner, group, and permissions from a specified # template tree. # # $1 - template tree # $2 - target tree # $3 - pathname of the node (relative to both trees) install_dirs() { local args dir dir=`dirname $3` # Nothing to do if the parent directory exists. This also # catches the degenerate cases when the path is just a simple # filename. if [ -d ${2}$dir ]; then return 0 fi # If non-directory file exists with the desired directory # name, then fail. if exists ${2}$dir; then # If this is a dryrun and we are installing the # directory in the DESTDIR and the file in the DESTDIR # matches the file in the old tree, then fake success # to quiet spurious warnings. if [ -n "$dryrun" -a "$2" = "$DESTDIR" ]; then if compare $OLDTREE/$dir $DESTDIR/$dir; then return 0 fi fi args=`file_type ${2}$dir` warn "Directory mismatch: ${2}$dir ($args)" return 1 fi # Ensure the parent directory of the directory is present # first. if ! install_dirs $1 "$2" $dir; then return 1 fi # Format attributes from template directory as install(1) # arguments. args=`stat -f "-o %Su -g %Sg -m %0Mp%0Lp" $1/$dir` log "install -d $args ${2}$dir" if [ -z "$dryrun" ]; then install -d $args ${2}$dir >&3 2>&1 fi return 0 } # Perform post-install fixups for a file. This largely consists of # regenerating any files that depend on the newly installed file. # # $1 - pathname of the updated file (relative to DESTDIR) post_install_file() { case $1 in /etc/mail/aliases) # Grr, newaliases only works for an empty DESTDIR. if [ -z "$DESTDIR" ]; then log "newaliases" if [ -z "$dryrun" ]; then newaliases >&3 2>&1 fi else NEWALIAS_WARN=yes fi ;; + /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + log "certctl rehash" + if [ -z "$dryrun" ]; then + env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1 + fi + ;; /etc/login.conf) log "cap_mkdb ${DESTDIR}$1" if [ -z "$dryrun" ]; then cap_mkdb ${DESTDIR}$1 >&3 2>&1 fi ;; /etc/master.passwd) log "pwd_mkdb -p -d $DESTDIR/etc ${DESTDIR}$1" if [ -z "$dryrun" ]; then pwd_mkdb -p -d $DESTDIR/etc ${DESTDIR}$1 \ >&3 2>&1 fi ;; /etc/motd) # /etc/rc.d/motd hardcodes the /etc/motd path. # Don't warn about non-empty DESTDIR's since this # change is only cosmetic anyway. if [ -z "$DESTDIR" ]; then log "sh /etc/rc.d/motd start" if [ -z "$dryrun" ]; then sh /etc/rc.d/motd start >&3 2>&1 fi fi ;; /etc/services) log "services_mkdb -q -o $DESTDIR/var/db/services.db" \ "${DESTDIR}$1" if [ -z "$dryrun" ]; then services_mkdb -q -o $DESTDIR/var/db/services.db \ ${DESTDIR}$1 >&3 2>&1 fi ;; esac } # Install the "new" version of a file. Returns true if it succeeds # and false otherwise. # # $1 - pathname of the file to install (relative to DESTDIR) install_new() { if ! install_dirs $NEWTREE "$DESTDIR" $1; then return 1 fi log "cp -Rp ${NEWTREE}$1 ${DESTDIR}$1" if [ -z "$dryrun" ]; then cp -Rp ${NEWTREE}$1 ${DESTDIR}$1 >&3 2>&1 fi post_install_file $1 return 0 } # Install the "resolved" version of a file. Returns true if it succeeds # and false otherwise. # # $1 - pathname of the file to install (relative to DESTDIR) install_resolved() { # This should always be present since the file is already # there (it caused a conflict). However, it doesn't hurt to # just be safe. if ! install_dirs $NEWTREE "$DESTDIR" $1; then return 1 fi log "cp -Rp ${CONFLICTS}$1 ${DESTDIR}$1" cp -Rp ${CONFLICTS}$1 ${DESTDIR}$1 >&3 2>&1 post_install_file $1 return 0 } # Generate a conflict file when a "new" file conflicts with an # existing file in DESTDIR. # # $1 - pathname of the file that conflicts (relative to DESTDIR) new_conflict() { if [ -n "$dryrun" ]; then return fi install_dirs $NEWTREE $CONFLICTS $1 diff --changed-group-format='<<<<<<< (local) %<======= %>>>>>>>> (stock) ' $DESTDIR/$1 $NEWTREE/$1 > $CONFLICTS/$1 } # Remove the "old" version of a file. # # $1 - pathname of the old file to remove (relative to DESTDIR) remove_old() { log "rm -f ${DESTDIR}$1" if [ -z "$dryrun" ]; then rm -f ${DESTDIR}$1 >&3 2>&1 fi echo " D $1" } # Update a file that has no local modifications. # # $1 - pathname of the file to update (relative to DESTDIR) update_unmodified() { local new old # If the old file is a directory, then remove it with rmdir # (this should only happen if the file has changed its type # from a directory to a non-directory). If the directory # isn't empty, then fail. This will be reported as a warning # later. if [ -d $DESTDIR/$1 ]; then if empty_destdir $1; then log "rmdir ${DESTDIR}$1" if [ -z "$dryrun" ]; then rmdir ${DESTDIR}$1 >&3 2>&1 fi else return 1 fi # If both the old and new files are regular files, leave the # existing file. This avoids breaking hard links for /.cshrc # and /.profile. Otherwise, explicitly remove the old file. elif ! [ -f ${DESTDIR}$1 -a -f ${NEWTREE}$1 ]; then log "rm -f ${DESTDIR}$1" if [ -z "$dryrun" ]; then rm -f ${DESTDIR}$1 >&3 2>&1 fi fi # If the new file is a directory, note that the old file has # been removed, but don't do anything else for now. The # directory will be installed if needed when new files within # that directory are installed. if [ -d $NEWTREE/$1 ]; then if empty_dir $NEWTREE/$1; then echo " D $file" else echo " U $file" fi elif install_new $1; then echo " U $file" fi return 0 } # Update the FreeBSD ID string in a locally modified file to match the # FreeBSD ID string from the "new" version of the file. # # $1 - pathname of the file to update (relative to DESTDIR) update_freebsdid() { local new dest file # If the FreeBSD ID string is removed from the local file, # there is nothing to do. In this case, treat the file as # updated. Otherwise, if either file has more than one # FreeBSD ID string, just punt and let the user handle the # conflict manually. new=`grep -c '\$FreeBSD.*\$' ${NEWTREE}$1` dest=`grep -c '\$FreeBSD.*\$' ${DESTDIR}$1` if [ "$dest" -eq 0 ]; then return 0 fi if [ "$dest" -ne 1 -o "$dest" -ne 1 ]; then return 1 fi # If the FreeBSD ID string in the new file matches the FreeBSD ID # string in the local file, there is nothing to do. new=`grep '\$FreeBSD.*\$' ${NEWTREE}$1` dest=`grep '\$FreeBSD.*\$' ${DESTDIR}$1` if [ "$new" = "$dest" ]; then return 0 fi # Build the new file in three passes. First, copy all the # lines preceding the FreeBSD ID string from the local version # of the file. Second, append the FreeBSD ID string line from # the new version. Finally, append all the lines after the # FreeBSD ID string from the local version of the file. file=`mktemp $WORKDIR/etcupdate-XXXXXXX` awk '/\$FreeBSD.*\$/ { exit } { print }' ${DESTDIR}$1 >> $file awk '/\$FreeBSD.*\$/ { print }' ${NEWTREE}$1 >> $file awk '/\$FreeBSD.*\$/ { ok = 1; next } { if (ok) print }' \ ${DESTDIR}$1 >> $file # As an extra sanity check, fail the attempt if the updated # version of the file has any differences aside from the # FreeBSD ID string. if ! fbsdid_only ${DESTDIR}$1 $file; then rm -f $file return 1 fi log "cp $file ${DESTDIR}$1" if [ -z "$dryrun" ]; then cp $file ${DESTDIR}$1 >&3 2>&1 fi rm -f $file post_install_file $1 echo " M $1" return 0 } # Attempt to update a file that has local modifications. This routine # only handles regular files. If the 3-way merge succeeds without # conflicts, the updated file is installed. If the merge fails, the # merged version with conflict markers is left in the CONFLICTS tree. # # $1 - pathname of the file to merge (relative to DESTDIR) merge_file() { local res # Try the merge to see if there is a conflict. diff3 -E -m ${DESTDIR}$1 ${OLDTREE}$1 ${NEWTREE}$1 > /dev/null 2>&3 res=$? case $res in 0) # No conflicts, so just redo the merge to the # real file. log "diff3 -E -m ${DESTDIR}$1 ${OLDTREE}$1 ${NEWTREE}$1" if [ -z "$dryrun" ]; then temp=$(mktemp -t etcupdate) diff3 -E -m ${DESTDIR}$1 ${OLDTREE}$1 ${NEWTREE}$1 > ${temp} # Use "cat >" to preserve metadata. cat ${temp} > ${DESTDIR}$1 rm -f ${temp} fi post_install_file $1 echo " M $1" ;; 1) # Conflicts, save a version with conflict markers in # the conflicts directory. if [ -z "$dryrun" ]; then install_dirs $NEWTREE $CONFLICTS $1 log "diff3 -m -A ${DESTDIR}$1 ${CONFLICTS}$1" diff3 -m -A -L "yours" -L "original" -L "new" \ ${DESTDIR}$1 ${OLDTREE}$1 ${NEWTREE}$1 > \ ${CONFLICTS}$1 fi echo " C $1" ;; *) panic "merge failed with status $res" ;; esac } # Returns true if a file contains conflict markers from a merge conflict. # # $1 - pathname of the file to resolve (relative to DESTDIR) has_conflicts() { egrep -q '^(<{7}|\|{7}|={7}|>{7}) ' $CONFLICTS/$1 } # Attempt to resolve a conflict. The user is prompted to choose an # action for each conflict. If the user edits the file, they are # prompted again for an action. The process is very similar to # resolving conflicts after an update or merge with Perforce or # Subversion. The prompts are modelled on a subset of the available # commands for resolving conflicts with Subversion. # # $1 - pathname of the file to resolve (relative to DESTDIR) resolve_conflict() { local command junk echo "Resolving conflict in '$1':" edit= while true; do # Only display the resolved command if the file # doesn't contain any conflicts. echo -n "Select: (p) postpone, (df) diff-full, (e) edit," if ! has_conflicts $1; then echo -n " (r) resolved," fi echo echo -n " (h) help for more options: " read command case $command in df) diff -u ${DESTDIR}$1 ${CONFLICTS}$1 ;; e) $EDITOR ${CONFLICTS}$1 ;; h) cat </dev/null 2>&1 fi echo " D $dir" else warn "Non-empty directory remains: $dir" fi fi } # Handle a file that exists in both the old and new trees. If the # file has not changed in the old and new trees, there is nothing to # do. If the file in the destination directory matches the new file, # there is nothing to do. If the file in the destination directory # matches the old file, then the new file should be installed. # Everything else becomes some sort of conflict with more detailed # handling. # # $1 - pathname of the file (relative to DESTDIR) handle_modified_file() { local cmp dest file new newdestcmp old file=$1 if ignore $file; then log "IGNORE: modified file $file" return fi compare $OLDTREE/$file $NEWTREE/$file cmp=$? if [ $cmp -eq $COMPARE_EQUAL ]; then return fi if [ $cmp -eq $COMPARE_ONLYFIRST -o $cmp -eq $COMPARE_ONLYSECOND ]; then panic "Changed file now missing" fi compare $NEWTREE/$file $DESTDIR/$file newdestcmp=$? if [ $newdestcmp -eq $COMPARE_EQUAL ]; then return fi # If the only change in the new file versus the destination # file is a change in the FreeBSD ID string and -F is # specified, just install the new file. if [ -n "$FREEBSD_ID" -a $newdestcmp -eq $COMPARE_DIFFFILES ] && \ fbsdid_only $NEWTREE/$file $DESTDIR/$file; then if update_unmodified $file; then return else panic "Updating FreeBSD ID string failed" fi fi # If the local file is the same as the old file, install the # new file. If -F is specified and the only local change is # in the FreeBSD ID string, then install the new file as well. if compare_fbsdid $OLDTREE/$file $DESTDIR/$file; then if update_unmodified $file; then return fi fi # If the file was removed from the dest tree, just whine. if [ $newdestcmp -eq $COMPARE_ONLYFIRST ]; then # If the removed file matches an ALWAYS_INSTALL glob, # then just install the new version of the file. if always_install $file; then log "ALWAYS: adding $file" if ! [ -d $NEWTREE/$file ]; then if install_new $file; then echo " A $file" fi fi return fi # If the only change in the new file versus the old # file is a change in the FreeBSD ID string and -F is # specified, don't warn. if [ -n "$FREEBSD_ID" -a $cmp -eq $COMPARE_DIFFFILES ] && \ fbsdid_only $OLDTREE/$file $NEWTREE/$file; then return fi case $cmp in $COMPARE_DIFFTYPE) old=`file_type $OLDTREE/$file` new=`file_type $NEWTREE/$file` warn "Remove mismatch: $file ($old became $new)" ;; $COMPARE_DIFFLINKS) old=`readlink $OLDTREE/$file` new=`readlink $NEWTREE/$file` warn \ "Removed link changed: $file (\"$old\" became \"$new\")" ;; $COMPARE_DIFFFILES) warn "Removed file changed: $file" ;; esac return fi # Treat the file as unmodified and force install of the new # file if it matches an ALWAYS_INSTALL glob. If the update # attempt fails, then fall through to the normal case so a # warning is generated. if always_install $file; then log "ALWAYS: updating $file" if update_unmodified $file; then return fi fi # If the only change in the new file versus the old file is a # change in the FreeBSD ID string and -F is specified, just # update the FreeBSD ID string in the local file. if [ -n "$FREEBSD_ID" -a $cmp -eq $COMPARE_DIFFFILES ] && \ fbsdid_only $OLDTREE/$file $NEWTREE/$file; then if update_freebsdid $file; then continue fi fi # If the file changed types between the old and new trees but # the files in the new and dest tree are both of the same # type, treat it like an added file just comparing the new and # dest files. if [ $cmp -eq $COMPARE_DIFFTYPE ]; then case $newdestcmp in $COMPARE_DIFFLINKS) new=`readlink $NEWTREE/$file` dest=`readlink $DESTDIR/$file` warn \ "New link conflict: $file (\"$new\" vs \"$dest\")" return ;; $COMPARE_DIFFFILES) new_conflict $file echo " C $file" return ;; esac else # If the file has not changed types between the old # and new trees, but it is a different type in # DESTDIR, then just warn. if [ $newdestcmp -eq $COMPARE_DIFFTYPE ]; then new=`file_type $NEWTREE/$file` dest=`file_type $DESTDIR/$file` warn "Modified mismatch: $file ($new vs $dest)" return fi fi case $cmp in $COMPARE_DIFFTYPE) old=`file_type $OLDTREE/$file` new=`file_type $NEWTREE/$file` dest=`file_type $DESTDIR/$file` warn "Modified $dest changed: $file ($old became $new)" ;; $COMPARE_DIFFLINKS) old=`readlink $OLDTREE/$file` new=`readlink $NEWTREE/$file` warn \ "Modified link changed: $file (\"$old\" became \"$new\")" ;; $COMPARE_DIFFFILES) merge_file $file ;; esac } # Handle a file that has been added in the new tree. If the file does # not exist in DESTDIR, simply copy the file into DESTDIR. If the # file exists in the DESTDIR and is identical to the new version, do # nothing. Otherwise, generate a diff of the two versions of the file # and mark it as a conflict. # # $1 - pathname of the file (relative to DESTDIR) handle_added_file() { local cmp dest file new file=$1 if ignore $file; then log "IGNORE: added file $file" return fi compare $DESTDIR/$file $NEWTREE/$file cmp=$? case $cmp in $COMPARE_EQUAL) return ;; $COMPARE_ONLYFIRST) panic "Added file now missing" ;; $COMPARE_ONLYSECOND) # Ignore new directories. They will be # created as needed when non-directory nodes # are installed. if ! [ -d $NEWTREE/$file ]; then if install_new $file; then echo " A $file" fi fi return ;; esac # Treat the file as unmodified and force install of the new # file if it matches an ALWAYS_INSTALL glob. If the update # attempt fails, then fall through to the normal case so a # warning is generated. if always_install $file; then log "ALWAYS: updating $file" if update_unmodified $file; then return fi fi case $cmp in $COMPARE_DIFFTYPE) new=`file_type $NEWTREE/$file` dest=`file_type $DESTDIR/$file` warn "New file mismatch: $file ($new vs $dest)" ;; $COMPARE_DIFFLINKS) new=`readlink $NEWTREE/$file` dest=`readlink $DESTDIR/$file` warn "New link conflict: $file (\"$new\" vs \"$dest\")" ;; $COMPARE_DIFFFILES) # If the only change in the new file versus # the destination file is a change in the # FreeBSD ID string and -F is specified, just # install the new file. if [ -n "$FREEBSD_ID" ] && \ fbsdid_only $NEWTREE/$file $DESTDIR/$file; then if update_unmodified $file; then return else panic \ "Updating FreeBSD ID string failed" fi fi new_conflict $file echo " C $file" ;; esac } # Main routines for each command # Build a new tree and save it in a tarball. build_cmd() { local dir if [ $# -ne 1 ]; then echo "Missing required tarball." echo usage fi log "build command: $1" # Create a temporary directory to hold the tree dir=`mktemp -d $WORKDIR/etcupdate-XXXXXXX` if [ $? -ne 0 ]; then echo "Unable to create temporary directory." exit 1 fi if ! build_tree $dir; then echo "Failed to build tree." remove_tree $dir exit 1 fi if ! tar cfj $1 -C $dir . >&3 2>&1; then echo "Failed to create tarball." remove_tree $dir exit 1 fi remove_tree $dir } # Output a diff comparing the tree at DESTDIR to the current # unmodified tree. Note that this diff does not include files that # are present in DESTDIR but not in the unmodified tree. diff_cmd() { local file if [ $# -ne 0 ]; then usage fi # Requires an unmodified tree to diff against. if ! [ -d $NEWTREE ]; then echo "Reference tree to diff against unavailable." exit 1 fi # Unfortunately, diff alone does not quite provide the right # level of options that we want, so improvise. for file in `(cd $NEWTREE; find .) | sed -e 's/^\.//'`; do if ignore $file; then continue fi diffnode $NEWTREE "$DESTDIR" $file "stock" "local" done } # Just extract a new tree into NEWTREE either by building a tree or # extracting a tarball. This can be used to bootstrap updates by # initializing the current "stock" tree to match the currently # installed system. # # Unlike 'update', this command does not rotate or preserve an # existing NEWTREE, it just replaces any existing tree. extract_cmd() { if [ $# -ne 0 ]; then usage fi log "extract command: tarball=$tarball" if [ -d $NEWTREE ]; then if ! remove_tree $NEWTREE; then echo "Unable to remove current tree." exit 1 fi fi extract_tree } # Resolve conflicts left from an earlier merge. resolve_cmd() { local conflicts if [ $# -ne 0 ]; then usage fi if ! [ -d $CONFLICTS ]; then return fi if ! [ -d $NEWTREE ]; then echo "The current tree is not present to resolve conflicts." exit 1 fi conflicts=`(cd $CONFLICTS; find . ! -type d) | sed -e 's/^\.//'` for file in $conflicts; do resolve_conflict $file done if [ -n "$NEWALIAS_WARN" ]; then warn "Needs update: /etc/mail/aliases.db" \ "(requires manual update via newaliases(1))" echo echo "Warnings:" echo " Needs update: /etc/mail/aliases.db" \ "(requires manual update via newaliases(1))" fi } # Report a summary of the previous merge. Specifically, list any # remaining conflicts followed by any warnings from the previous # update. status_cmd() { if [ $# -ne 0 ]; then usage fi if [ -d $CONFLICTS ]; then (cd $CONFLICTS; find . ! -type d) | sed -e 's/^\./ C /' fi if [ -s $WARNINGS ]; then echo "Warnings:" cat $WARNINGS fi } # Perform an actual merge. The new tree can either already exist (if # rerunning a merge), be extracted from a tarball, or generated from a # source tree. update_cmd() { local dir if [ $# -ne 0 ]; then usage fi log "update command: rerun=$rerun tarball=$tarball preworld=$preworld" if [ `id -u` -ne 0 ]; then echo "Must be root to update a tree." exit 1 fi # Enforce a sane umask umask 022 # XXX: Should existing conflicts be ignored and removed during # a rerun? # Trim the conflicts tree. Whine if there is anything left. if [ -e $CONFLICTS ]; then find -d $CONFLICTS -type d -empty -delete >&3 2>&1 rmdir $CONFLICTS >&3 2>&1 fi if [ -d $CONFLICTS ]; then echo "Conflicts remain from previous update, aborting." exit 1 fi if [ -z "$rerun" ]; then # For a dryrun that is not a rerun, do not rotate the existing # stock tree. Instead, extract a tree to a temporary directory # and use that for the comparison. if [ -n "$dryrun" ]; then dir=`mktemp -d $WORKDIR/etcupdate-XXXXXXX` if [ $? -ne 0 ]; then echo "Unable to create temporary directory." exit 1 fi # A pre-world dryrun has already set OLDTREE to # point to the current stock tree. if [ -z "$preworld" ]; then OLDTREE=$NEWTREE fi NEWTREE=$dir # For a pre-world update, blow away any pre-existing # NEWTREE. elif [ -n "$preworld" ]; then if ! remove_tree $NEWTREE; then echo "Unable to remove pre-world tree." exit 1 fi # Rotate the existing stock tree to the old tree. elif [ -d $NEWTREE ]; then # First, delete the previous old tree if it exists. if ! remove_tree $OLDTREE; then echo "Unable to remove old tree." exit 1 fi # Move the current stock tree. if ! mv $NEWTREE $OLDTREE >&3 2>&1; then echo "Unable to rename current stock tree." exit 1 fi fi if ! [ -d $OLDTREE ]; then cat < $WORKDIR/old.files (cd $NEWTREE; find .) | sed -e 's/^\.//' | sort > $WORKDIR/new.files # Split the files up into three groups using comm. comm -23 $WORKDIR/old.files $WORKDIR/new.files > $WORKDIR/removed.files comm -13 $WORKDIR/old.files $WORKDIR/new.files > $WORKDIR/added.files comm -12 $WORKDIR/old.files $WORKDIR/new.files > $WORKDIR/both.files # Initialize conflicts and warnings handling. rm -f $WARNINGS mkdir -p $CONFLICTS # Ignore removed files for the pre-world case. A pre-world # update uses a stripped-down tree. if [ -n "$preworld" ]; then > $WORKDIR/removed.files fi # The order for the following sections is important. In the # odd case that a directory is converted into a file, the # existing subfiles need to be removed if possible before the # file is converted. Similarly, in the case that a file is # converted into a directory, the file needs to be converted # into a directory if possible before the new files are added. # First, handle removed files. for file in `cat $WORKDIR/removed.files`; do handle_removed_file $file done # For the directory pass, reverse sort the list to effect a # depth-first traversal. This is needed to ensure that if a # directory with subdirectories is removed, the entire # directory is removed if there are no local modifications. for file in `sort -r $WORKDIR/removed.files`; do handle_removed_directory $file done # Second, handle files that exist in both the old and new # trees. for file in `cat $WORKDIR/both.files`; do handle_modified_file $file done # Finally, handle newly added files. for file in `cat $WORKDIR/added.files`; do handle_added_file $file done if [ -n "$NEWALIAS_WARN" ]; then warn "Needs update: /etc/mail/aliases.db" \ "(requires manual update via newaliases(1))" fi # Run any special one-off commands after an update has completed. post_update if [ -s $WARNINGS ]; then echo "Warnings:" cat $WARNINGS fi if [ -n "$dir" ]; then if [ -z "$dryrun" -o -n "$rerun" ]; then panic "Should not have a temporary directory" fi remove_tree $dir fi } # Determine which command we are executing. A command may be # specified as the first word. If one is not specified then 'update' # is assumed as the default command. command="update" if [ $# -gt 0 ]; then case "$1" in build|diff|extract|status|resolve) command="$1" shift ;; -*) # If first arg is an option, assume the # default command. ;; *) usage ;; esac fi # Set default variable values. # The path to the source tree used to build trees. SRCDIR=/usr/src # The destination directory where the modified files live. DESTDIR= # Ignore changes in the FreeBSD ID string. FREEBSD_ID= # Files that should always have the new version of the file installed. ALWAYS_INSTALL= # Files to ignore and never update during a merge. IGNORE_FILES= # Flags to pass to 'make' when building a tree. MAKE_OPTIONS= # Include a config file if it exists. Note that command line options # override any settings in the config file. More details are in the # manual, but in general the following variables can be set: # - ALWAYS_INSTALL # - DESTDIR # - EDITOR # - FREEBSD_ID # - IGNORE_FILES # - LOGFILE # - MAKE_OPTIONS # - SRCDIR # - WORKDIR if [ -r /etc/etcupdate.conf ]; then . /etc/etcupdate.conf fi # Parse command line options tarball= rerun= always= dryrun= ignore= nobuild= preworld= while getopts "d:nprs:t:A:BD:FI:L:M:" option; do case "$option" in d) WORKDIR=$OPTARG ;; n) dryrun=YES ;; p) preworld=YES ;; r) rerun=YES ;; s) SRCDIR=$OPTARG ;; t) tarball=$OPTARG ;; A) # To allow this option to be specified # multiple times, accumulate command-line # specified patterns in an 'always' variable # and use that to overwrite ALWAYS_INSTALL # after parsing all options. Need to be # careful here with globbing expansion. set -o noglob always="$always $OPTARG" set +o noglob ;; B) nobuild=YES ;; D) DESTDIR=$OPTARG ;; F) FREEBSD_ID=YES ;; I) # To allow this option to be specified # multiple times, accumulate command-line # specified patterns in an 'ignore' variable # and use that to overwrite IGNORE_FILES after # parsing all options. Need to be careful # here with globbing expansion. set -o noglob ignore="$ignore $OPTARG" set +o noglob ;; L) LOGFILE=$OPTARG ;; M) MAKE_OPTIONS="$OPTARG" ;; *) echo usage ;; esac done shift $((OPTIND - 1)) # Allow -A command line options to override ALWAYS_INSTALL set from # the config file. set -o noglob if [ -n "$always" ]; then ALWAYS_INSTALL="$always" fi # Allow -I command line options to override IGNORE_FILES set from the # config file. if [ -n "$ignore" ]; then IGNORE_FILES="$ignore" fi set +o noglob # Where the "old" and "new" trees are stored. WORKDIR=${WORKDIR:-$DESTDIR/var/db/etcupdate} # Log file for verbose output from program that are run. The log file # is opened on fd '3'. LOGFILE=${LOGFILE:-$WORKDIR/log} # The path of the "old" tree OLDTREE=$WORKDIR/old # The path of the "new" tree NEWTREE=$WORKDIR/current # The path of the "conflicts" tree where files with merge conflicts are saved. CONFLICTS=$WORKDIR/conflicts # The path of the "warnings" file that accumulates warning notes from an update. WARNINGS=$WORKDIR/warnings # Use $EDITOR for resolving conflicts. If it is not set, default to vi. EDITOR=${EDITOR:-/usr/bin/vi} # Files that need to be updated before installworld. PREWORLD_FILES="etc/master.passwd etc/group" # Handle command-specific argument processing such as complaining # about unsupported options. Since the configuration file is always # included, do not complain about extra command line arguments that # may have been set via the config file rather than the command line. case $command in update) if [ -n "$rerun" -a -n "$tarball" ]; then echo "Only one of -r or -t can be specified." echo usage fi if [ -n "$rerun" -a -n "$preworld" ]; then echo "Only one of -p or -r can be specified." echo usage fi ;; build|diff|status) if [ -n "$dryrun" -o -n "$rerun" -o -n "$tarball" -o \ -n "$preworld" ]; then usage fi ;; resolve) if [ -n "$dryrun" -o -n "$rerun" -o -n "$tarball" ]; then usage fi ;; extract) if [ -n "$dryrun" -o -n "$rerun" -o -n "$preworld" ]; then usage fi ;; esac # Pre-world mode uses a different set of trees. It leaves the current # tree as-is so it is still present for a full etcupdate run after the # world install is complete. Instead, it installs a few critical files # into a separate tree. if [ -n "$preworld" ]; then OLDTREE=$NEWTREE NEWTREE=$WORKDIR/preworld fi # Open the log file. Don't truncate it if doing a minor operation so # that a minor operation doesn't lose log info from a major operation. if ! mkdir -p $WORKDIR 2>/dev/null; then echo "Failed to create work directory $WORKDIR" fi case $command in diff|resolve|status) exec 3>>$LOGFILE ;; *) exec 3>$LOGFILE ;; esac ${command}_cmd "$@" Index: stable/12/usr.sbin/mergemaster/mergemaster.sh =================================================================== --- stable/12/usr.sbin/mergemaster/mergemaster.sh (revision 357081) +++ stable/12/usr.sbin/mergemaster/mergemaster.sh (revision 357082) @@ -1,1436 +1,1456 @@ #!/bin/sh # mergemaster # Compare files created by /usr/src/etc/Makefile (or the directory # the user specifies) with the currently installed copies. # Copyright (c) 1998-2012 Douglas Barton, All rights reserved # Please see detailed copyright below # $FreeBSD$ PATH=/bin:/usr/bin:/usr/sbin display_usage () { VERSION_NUMBER=`grep "[$]FreeBSD:" $0 | cut -d ' ' -f 4` echo "mergemaster version ${VERSION_NUMBER}" echo 'Usage: mergemaster [-scrvhpCP] [-a|[-iFU]] [--run-updates=always|never]' echo ' [-m /path] [-t /path] [-d] [-u N] [-w N] [-A arch] [-D /path]' echo "Options:" echo " -s Strict comparison (diff every pair of files)" echo " -c Use context diff instead of unified diff" echo " -r Re-run on a previously cleaned directory (skip temproot creation)" echo " -v Be more verbose about the process, include additional checks" echo " -a Leave all files that differ to merge by hand" echo " -h Display more complete help" echo ' -i Automatically install files that do not exist in destination directory' echo ' -p Pre-buildworld mode, only compares crucial files' echo ' -F Install files that differ only by revision control Id ($FreeBSD)' echo ' -C Compare local rc.conf variables to the defaults' echo ' -P Preserve files that are overwritten' echo " -U Attempt to auto upgrade files that have not been user modified" echo ' ***DANGEROUS***' echo ' --run-updates= Specify always or never to run newalises, pwd_mkdb, etc.' echo '' echo " -m /path/directory Specify location of source to do the make in" echo " -t /path/directory Specify temp root directory" echo " -d Add date and time to directory name (e.g., /var/tmp/temproot.`date +%m%d.%H.%M`)" echo " -u N Specify a numeric umask" echo " -w N Specify a screen width in columns to sdiff" echo " -A architecture Alternative architecture name to pass to make" echo ' -D /path/directory Specify the destination directory to install files to' echo '' } display_help () { echo "* To specify a directory other than /var/tmp/temproot for the" echo " temporary root environment, use -t /path/to/temp/root" echo "* The -w option takes a number as an argument for the column width" echo " of the screen. The default is 80." echo '* The -a option causes mergemaster to run without prompting.' } # Loop allowing the user to use sdiff to merge files and display the merged # file. merge_loop () { case "${VERBOSE}" in '') ;; *) echo " *** Type h at the sdiff prompt (%) to get usage help" ;; esac echo '' MERGE_AGAIN=yes while [ "${MERGE_AGAIN}" = "yes" ]; do # Prime file.merged so we don't blat the owner/group id's cp -p "${COMPFILE}" "${COMPFILE}.merged" sdiff -o "${COMPFILE}.merged" --text --suppress-common-lines \ --width=${SCREEN_WIDTH:-80} "${DESTDIR}${COMPFILE#.}" "${COMPFILE}" INSTALL_MERGED=V while [ "${INSTALL_MERGED}" = "v" -o "${INSTALL_MERGED}" = "V" ]; do echo '' echo " Use 'i' to install merged file" echo " Use 'r' to re-do the merge" echo " Use 'v' to view the merged file" echo " Default is to leave the temporary file to deal with by hand" echo '' echo -n " *** How should I deal with the merged file? [Leave it for later] " read INSTALL_MERGED case "${INSTALL_MERGED}" in [iI]) mv "${COMPFILE}.merged" "${COMPFILE}" echo '' if mm_install "${COMPFILE}"; then echo " *** Merged version of ${COMPFILE} installed successfully" else echo " *** Problem installing ${COMPFILE}, it will remain to merge by hand later" fi unset MERGE_AGAIN ;; [rR]) rm "${COMPFILE}.merged" ;; [vV]) ${PAGER} "${COMPFILE}.merged" ;; '') echo " *** ${COMPFILE} will remain for your consideration" unset MERGE_AGAIN ;; *) echo "invalid choice: ${INSTALL_MERGED}" INSTALL_MERGED=V ;; esac done done } # Loop showing user differences between files, allow merge, skip or install # options diff_loop () { HANDLE_COMPFILE=v while [ "${HANDLE_COMPFILE}" = "v" -o "${HANDLE_COMPFILE}" = "V" -o \ "${HANDLE_COMPFILE}" = "NOT V" ]; do if [ -f "${DESTDIR}${COMPFILE#.}" -a -f "${COMPFILE}" ]; then if [ -n "${AUTO_UPGRADE}" -a -n "${CHANGED}" ]; then case "${CHANGED}" in *:${DESTDIR}${COMPFILE#.}:*) ;; # File has been modified *) echo '' echo " *** ${COMPFILE} has not been user modified." echo '' if mm_install "${COMPFILE}"; then echo " *** ${COMPFILE} upgraded successfully" echo '' # Make the list print one file per line AUTO_UPGRADED_FILES="${AUTO_UPGRADED_FILES} ${DESTDIR}${COMPFILE#.} " else echo " *** Problem upgrading ${COMPFILE}, it will remain to merge by hand" fi return ;; esac fi if [ "${HANDLE_COMPFILE}" = "v" -o "${HANDLE_COMPFILE}" = "V" ]; then echo '' echo ' ====================================================================== ' echo '' ( echo " *** Displaying differences between ${COMPFILE} and installed version:" echo '' diff ${DIFF_FLAG} ${DIFF_OPTIONS} "${DESTDIR}${COMPFILE#.}" "${COMPFILE}" ) | ${PAGER} echo '' fi else echo '' echo " *** There is no installed version of ${COMPFILE}" echo '' case "${AUTO_INSTALL}" in [Yy][Ee][Ss]) echo '' if mm_install "${COMPFILE}"; then echo " *** ${COMPFILE} installed successfully" echo '' # Make the list print one file per line AUTO_INSTALLED_FILES="${AUTO_INSTALLED_FILES} ${DESTDIR}${COMPFILE#.} " else echo " *** Problem installing ${COMPFILE}, it will remain to merge by hand" fi return ;; *) NO_INSTALLED=yes ;; esac fi echo " Use 'd' to delete the temporary ${COMPFILE}" echo " Use 'i' to install the temporary ${COMPFILE}" case "${NO_INSTALLED}" in '') echo " Use 'm' to merge the temporary and installed versions" echo " Use 'v' to view the diff results again" ;; esac echo '' echo " Default is to leave the temporary file to deal with by hand" echo '' echo -n "How should I deal with this? [Leave it for later] " read HANDLE_COMPFILE case "${HANDLE_COMPFILE}" in [dD]) rm "${COMPFILE}" echo '' echo " *** Deleting ${COMPFILE}" ;; [iI]) echo '' if mm_install "${COMPFILE}"; then echo " *** ${COMPFILE} installed successfully" else echo " *** Problem installing ${COMPFILE}, it will remain to merge by hand" fi ;; [mM]) case "${NO_INSTALLED}" in '') # interact with user to merge files merge_loop ;; *) echo '' echo " *** There is no installed version of ${COMPFILE}" echo '' HANDLE_COMPFILE="NOT V" ;; esac # End of "No installed version of file but user selected merge" test ;; [vV]) continue ;; '') echo '' echo " *** ${COMPFILE} will remain for your consideration" ;; *) # invalid choice, show menu again. echo "invalid choice: ${HANDLE_COMPFILE}" echo '' HANDLE_COMPFILE="NOT V" continue ;; esac # End of "How to handle files that are different" done unset NO_INSTALLED echo '' case "${VERBOSE}" in '') ;; *) sleep 3 ;; esac } press_to_continue () { local DISCARD echo -n ' *** Press the [Enter] or [Return] key to continue ' read DISCARD } # Set the default path for the temporary root environment # TEMPROOT='/var/tmp/temproot' # Read /etc/mergemaster.rc first so the one in $HOME can override # if [ -r /etc/mergemaster.rc ]; then . /etc/mergemaster.rc fi # Read .mergemasterrc before command line so CLI can override # if [ -r "$HOME/.mergemasterrc" ]; then . "$HOME/.mergemasterrc" fi for var in "$@" ; do case "$var" in --run-updates*) RUN_UPDATES=`echo ${var#--run-updates=} | tr [:upper:] [:lower:]` ;; *) newopts="$newopts $var" ;; esac done set -- $newopts unset var newopts # Check the command line options # while getopts ":ascrvhipCPm:t:du:w:D:A:FU" COMMAND_LINE_ARGUMENT ; do case "${COMMAND_LINE_ARGUMENT}" in A) ARCHSTRING='TARGET_ARCH='${OPTARG} ;; F) FREEBSD_ID=yes ;; U) AUTO_UPGRADE=yes ;; s) STRICT=yes unset DIFF_OPTIONS ;; c) DIFF_FLAG='-c' ;; r) RERUN=yes ;; v) case "${AUTO_RUN}" in '') VERBOSE=yes ;; esac ;; a) AUTO_RUN=yes unset VERBOSE ;; h) display_usage display_help exit 0 ;; i) AUTO_INSTALL=yes ;; C) COMP_CONFS=yes ;; P) PRESERVE_FILES=yes ;; p) PRE_WORLD=yes unset COMP_CONFS unset AUTO_RUN ;; m) SOURCEDIR=${OPTARG} ;; t) TEMPROOT=${OPTARG} ;; d) TEMPROOT=${TEMPROOT}.`date +%m%d.%H.%M` ;; u) NEW_UMASK=${OPTARG} ;; w) SCREEN_WIDTH=${OPTARG} ;; D) DESTDIR=${OPTARG} ;; *) display_usage exit 1 ;; esac done if [ -n "$AUTO_RUN" ]; then if [ -n "$FREEBSD_ID" -o -n "$AUTO_UPGRADE" -o -n "$AUTO_INSTALL" ]; then echo '' echo "*** You have included the -a option along with one or more options" echo ' that indicate that you wish mergemaster to actually make updates' echo ' (-F, -U, or -i), however these options are not compatible.' echo ' Please read mergemaster(8) for more information.' echo '' exit 1 fi fi # Assign the location of the mtree database # MTREEDB=${MTREEDB:-${DESTDIR}/var/db} MTREEFILE="${MTREEDB}/mergemaster.mtree" # Don't force the user to set this in the mergemaster rc file if [ -n "${PRESERVE_FILES}" -a -z "${PRESERVE_FILES_DIR}" ]; then PRESERVE_FILES_DIR=/var/tmp/mergemaster/preserved-files-`date +%y%m%d-%H%M%S` mkdir -p ${PRESERVE_FILES_DIR} fi # Check for the mtree database in DESTDIR case "${AUTO_UPGRADE}" in '') ;; # If the option is not set no need to run the test or warn the user *) if [ ! -s "${MTREEFILE}" ]; then echo '' echo "*** Unable to find mtree database (${MTREEFILE})." echo " Skipping auto-upgrade on this run." echo " It will be created for the next run when this one is complete." echo '' case "${AUTO_RUN}" in '') press_to_continue ;; esac unset AUTO_UPGRADE fi ;; esac if [ -e "${DESTDIR}/etc/fstab" ]; then if grep -q nodev ${DESTDIR}/etc/fstab; then echo '' echo "*** You have the deprecated 'nodev' option in ${DESTDIR}/etc/fstab." echo " This can prevent the filesystem from being mounted on reboot." echo " Please update your fstab before continuing." echo " See fstab(5) for more information." echo '' exit 1 fi fi echo '' # If the user has a pager defined, make sure we can run it # case "${DONT_CHECK_PAGER}" in '') check_pager () { while ! type "${PAGER%% *}" >/dev/null; do echo " *** Your PAGER environment variable specifies '${PAGER}', but" echo " due to the limited PATH that I use for security reasons," echo " I cannot execute it. So, what would you like to do?" echo '' echo " Use 'e' to exit mergemaster and fix your PAGER variable" echo " Use 'l' to set PAGER to 'less' for this run" echo " Use 'm' to use plain old 'more' as your PAGER for this run" echo '' echo " or you may type an absolute path to PAGER for this run" echo '' echo " Default is to use 'less' " echo '' echo -n "What should I do? [Use 'less'] " read FIXPAGER case "${FIXPAGER}" in [eE]) exit 0 ;; [lL]|'') PAGER=less ;; [mM]) PAGER=more ;; /*) PAGER="$FIXPAGER" ;; *) echo '' echo "invalid choice: ${FIXPAGER}" esac echo '' done } if [ -n "${PAGER}" ]; then check_pager fi ;; esac # If user has a pager defined, or got assigned one above, use it. # If not, use less. # PAGER=${PAGER:-less} if [ -n "${VERBOSE}" -a ! "${PAGER}" = "less" ]; then echo " *** You have ${PAGER} defined as your pager so we will use that" echo '' sleep 3 fi # Assign the diff flag once so we will not have to keep testing it # DIFF_FLAG=${DIFF_FLAG:--u} # Assign the source directory # SOURCEDIR=${SOURCEDIR:-/usr/src} if [ ! -f ${SOURCEDIR}/Makefile.inc1 -a \ -f ${SOURCEDIR}/../Makefile.inc1 ]; then echo " *** The source directory you specified (${SOURCEDIR})" echo " will be reset to ${SOURCEDIR}/.." echo '' sleep 3 SOURCEDIR=${SOURCEDIR}/.. fi if [ ! -f ${SOURCEDIR}/Makefile.inc1 ]; then echo "*** ${SOURCEDIR} was not found." if [ -f ./Makefile.inc1 ]; then echo " Found Makefile.inc1 in the current directory." echo -n " Would you like to set SOURCEDIR to $(pwd)? [no and exit] " read SRCDOT case "${SRCDOT}" in [yY]*) echo " *** Setting SOURCEDIR to $(pwd)" SOURCEDIR=$(pwd) ;; *) echo " **** No suitable ${SOURCEDIR} found, exiting" exit 1 ;; esac else echo " **** No suitable ${SOURCEDIR} found, exiting" exit 1 fi fi SOURCEDIR=$(realpath "$SOURCEDIR") # Setup make to use system files from SOURCEDIR MM_MAKE="make ${ARCHSTRING} -m ${SOURCEDIR}/share/mk -DNO_FILEMON" MM_MAKE="${MM_MAKE} -j$(/sbin/sysctl -n hw.ncpu)" # Check DESTDIR against the mergemaster mtree database to see what # files the user changed from the reference files. # if [ -n "${AUTO_UPGRADE}" -a -s "${MTREEFILE}" ]; then # Force FreeBSD 9 compatible output when available. if mtree -F freebsd9 -c -p /var/empty/ > /dev/null 2>&1; then MTREE_FLAVOR="-F freebsd9" else MTREE_FLAVOR= fi CHANGED=: for file in `mtree -eqL ${MTREE_FLAVOR} -f ${MTREEFILE} -p ${DESTDIR}/ \ 2>/dev/null | awk '($2 == "changed") {print $1}'`; do if [ -f "${DESTDIR}/$file" ]; then CHANGED="${CHANGED}${DESTDIR}/${file}:" fi done [ "$CHANGED" = ':' ] && unset CHANGED fi # Check the width of the user's terminal # if [ -t 0 ]; then w=`tput columns` case "${w}" in 0|'') ;; # No-op, since the input is not valid *) case "${SCREEN_WIDTH}" in '') SCREEN_WIDTH="${w}" ;; "${w}") ;; # No-op, since they are the same *) echo -n "*** You entered ${SCREEN_WIDTH} as your screen width, but stty " echo "thinks it is ${w}." echo '' echo -n "What would you like to use? [${w}] " read SCREEN_WIDTH case "${SCREEN_WIDTH}" in '') SCREEN_WIDTH="${w}" ;; esac ;; esac esac fi # Define what $Id tag to look for to aid portability. # ID_TAG=FreeBSD delete_temproot () { rm -rf "${TEMPROOT}" 2>/dev/null chflags -R 0 "${TEMPROOT}" 2>/dev/null rm -rf "${TEMPROOT}" || { echo "*** Unable to delete ${TEMPROOT}"; exit 1; } } case "${RERUN}" in '') # Set up the loop to test for the existence of the # temp root directory. # TEST_TEMP_ROOT=yes while [ "${TEST_TEMP_ROOT}" = "yes" ]; do if [ -d "${TEMPROOT}" ]; then echo "*** The directory specified for the temporary root environment," echo " ${TEMPROOT}, exists. This can be a security risk if untrusted" echo " users have access to the system." echo '' case "${AUTO_RUN}" in '') echo " Use 'd' to delete the old ${TEMPROOT} and continue" echo " Use 't' to select a new temporary root directory" echo " Use 'e' to exit mergemaster" echo '' echo " Default is to use ${TEMPROOT} as is" echo '' echo -n "How should I deal with this? [Use the existing ${TEMPROOT}] " read DELORNOT case "${DELORNOT}" in [dD]) echo '' echo " *** Deleting the old ${TEMPROOT}" echo '' delete_temproot unset TEST_TEMP_ROOT ;; [tT]) echo " *** Enter new directory name for temporary root environment" read TEMPROOT ;; [eE]) exit 0 ;; '') echo '' echo " *** Leaving ${TEMPROOT} intact" echo '' unset TEST_TEMP_ROOT ;; *) echo '' echo "invalid choice: ${DELORNOT}" echo '' ;; esac ;; *) # If this is an auto-run, try a hopefully safe alternative then # re-test anyway. TEMPROOT=/var/tmp/temproot.`date +%m%d.%H.%M.%S` ;; esac else unset TEST_TEMP_ROOT fi done echo "*** Creating the temporary root environment in ${TEMPROOT}" if mkdir -p "${TEMPROOT}"; then echo " *** ${TEMPROOT} ready for use" fi if [ ! -d "${TEMPROOT}" ]; then echo '' echo " *** FATAL ERROR: Cannot create ${TEMPROOT}" echo '' exit 1 fi echo " *** Creating and populating directory structure in ${TEMPROOT}" echo '' case "${VERBOSE}" in '') ;; *) press_to_continue ;; esac case "${PRE_WORLD}" in '') { cd ${SOURCEDIR} && case "${DESTDIR}" in '') ;; *) ${MM_MAKE} DESTDIR=${DESTDIR} distrib-dirs >/dev/null ;; esac ${MM_MAKE} DESTDIR=${TEMPROOT} distrib-dirs >/dev/null && ${MM_MAKE} _obj SUBDIR_OVERRIDE=etc >/dev/null && ${MM_MAKE} everything SUBDIR_OVERRIDE=etc >/dev/null && ${MM_MAKE} DESTDIR=${TEMPROOT} distribution >/dev/null;} || { echo ''; echo " *** FATAL ERROR: Cannot 'cd' to ${SOURCEDIR} and install files to"; echo " the temproot environment"; echo ''; exit 1;} ;; *) # Only set up files that are crucial to {build|install}world { mkdir -p ${TEMPROOT}/etc && cp -p ${SOURCEDIR}/etc/master.passwd ${TEMPROOT}/etc && install -p -o root -g wheel -m 0644 ${SOURCEDIR}/etc/group ${TEMPROOT}/etc;} || { echo ''; echo ' *** FATAL ERROR: Cannot copy files to the temproot environment'; echo ''; exit 1;} ;; esac # Doing the inventory and removing files that we don't want to compare only # makes sense if we are not doing a rerun, since we have no way of knowing # what happened to the files during previous incarnations. case "${VERBOSE}" in '') ;; *) echo '' echo ' *** The following files exist only in the installed version of' echo " ${DESTDIR}/etc. In the vast majority of cases these files" echo ' are necessary parts of the system and should not be deleted.' echo ' However because these files are not updated by this process you' echo ' might want to verify their status before rebooting your system.' echo '' press_to_continue diff -qr ${DESTDIR}/etc ${TEMPROOT}/etc | grep "^Only in ${DESTDIR}/etc" | ${PAGER} echo '' press_to_continue ;; esac case "${IGNORE_MOTD}" in '') ;; *) echo '' echo "*** You have the IGNORE_MOTD option set in your mergemaster rc file." echo " This option is deprecated in favor of the IGNORE_FILES option." echo " Please update your rc file accordingly." echo '' exit 1 ;; esac # Avoid comparing the following user specified files for file in ${IGNORE_FILES}; do test -e ${TEMPROOT}/${file} && unlink ${TEMPROOT}/${file} done # We really don't want to have to deal with files like login.conf.db, pwd.db, # or spwd.db. Instead, we want to compare the text versions, and run *_mkdb. # Prompt the user to do so below, as needed. # rm -f ${TEMPROOT}/etc/*.db ${TEMPROOT}/etc/passwd \ ${TEMPROOT}/var/db/services.db # We only need to compare things like freebsd.cf once find ${TEMPROOT}/usr/obj -type f -delete 2>/dev/null # Delete stuff we do not need to keep the mtree database small, # and to make the actual comparison faster. find ${TEMPROOT}/usr -type l -delete 2>/dev/null find ${TEMPROOT} -type f -size 0 -delete 2>/dev/null find -d ${TEMPROOT} -type d -empty -mindepth 1 -delete 2>/dev/null # Build the mtree database in a temporary location. case "${PRE_WORLD}" in '') MTREENEW=`mktemp -t mergemaster.mtree` mtree -nci -p ${TEMPROOT} -k size,md5digest > ${MTREENEW} 2>/dev/null ;; *) # We don't want to mess with the mtree database on a pre-world run or # when re-scanning a previously-built tree. ;; esac ;; # End of the "RERUN" test esac # Get ready to start comparing files # Check umask if not specified on the command line, # and we are not doing an autorun # if [ -z "${NEW_UMASK}" -a -z "${AUTO_RUN}" ]; then USER_UMASK=`umask` case "${USER_UMASK}" in 0022|022) ;; *) echo '' echo " *** Your umask is currently set to ${USER_UMASK}. By default, this script" echo " installs all files with the same user, group and modes that" echo " they are created with by ${SOURCEDIR}/etc/Makefile, compared to" echo " a umask of 022. This umask allows world read permission when" echo " the file's default permissions have it." echo '' echo " No world permissions can sometimes cause problems. A umask of" echo " 022 will restore the default behavior, but is not mandatory." echo " /etc/master.passwd is a special case. Its file permissions" echo " will be 600 (rw-------) if installed." echo '' echo -n "What umask should I use? [${USER_UMASK}] " read NEW_UMASK NEW_UMASK="${NEW_UMASK:-$USER_UMASK}" ;; esac echo '' fi CONFIRMED_UMASK=${NEW_UMASK:-0022} # # Warn users who still have old rc files # for file in atm devfs diskless1 diskless2 network network6 pccard \ serial syscons sysctl alpha amd64 i386 sparc64; do if [ -f "${DESTDIR}/etc/rc.${file}" ]; then OLD_RC_PRESENT=1 break fi done case "${OLD_RC_PRESENT}" in 1) echo '' echo " *** There are elements of the old rc system in ${DESTDIR}/etc/." echo '' echo ' While these scripts will not hurt anything, they are not' echo ' functional on an up to date system, and can be removed.' echo '' case "${AUTO_RUN}" in '') echo -n 'Move these files to /var/tmp/mergemaster/old_rc? [yes] ' read MOVE_OLD_RC case "${MOVE_OLD_RC}" in [nN]*) ;; *) mkdir -p /var/tmp/mergemaster/old_rc for file in atm devfs diskless1 diskless2 network network6 pccard \ serial syscons sysctl alpha amd64 i386 sparc64; do if [ -f "${DESTDIR}/etc/rc.${file}" ]; then mv ${DESTDIR}/etc/rc.${file} /var/tmp/mergemaster/old_rc/ fi done echo ' The files have been moved' press_to_continue ;; esac ;; *) ;; esac esac # Use the umask/mode information to install the files # Create directories as needed # install_error () { echo "*** FATAL ERROR: Unable to install ${1} to ${2}" echo '' exit 1 } do_install_and_rm () { case "${PRESERVE_FILES}" in [Yy][Ee][Ss]) if [ -f "${3}/${2##*/}" ]; then mkdir -p ${PRESERVE_FILES_DIR}/${2%/*} cp ${3}/${2##*/} ${PRESERVE_FILES_DIR}/${2%/*} fi ;; esac if [ ! -d "${3}/${2##*/}" ]; then if install -m ${1} ${2} ${3}; then unlink ${2} else install_error ${2} ${3} fi else install_error ${2} ${3} fi } # 4095 = "obase=10;ibase=8;07777" | bc find_mode () { local OCTAL OCTAL=$(( ~$(echo "obase=10; ibase=8; ${CONFIRMED_UMASK}" | bc) & 4095 & $(echo "obase=10; ibase=8; $(stat -f "%OMp%OLp" ${1})" | bc) )) printf "%04o\n" ${OCTAL} } mm_install () { local INSTALL_DIR INSTALL_DIR=${1#.} INSTALL_DIR=${INSTALL_DIR%/*} case "${INSTALL_DIR}" in '') INSTALL_DIR=/ ;; esac if [ -n "${DESTDIR}${INSTALL_DIR}" -a ! -d "${DESTDIR}${INSTALL_DIR}" ]; then DIR_MODE=`find_mode "${TEMPROOT}/${INSTALL_DIR}"` install -d -o root -g wheel -m "${DIR_MODE}" "${DESTDIR}${INSTALL_DIR}" || install_error $1 ${DESTDIR}${INSTALL_DIR} fi FILE_MODE=`find_mode "${1}"` if [ ! -x "${1}" ]; then case "${1#.}" in /etc/mail/aliases) NEED_NEWALIASES=yes ;; + /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*) + NEED_CERTCTL=yes + ;; /etc/login.conf) NEED_CAP_MKDB=yes ;; /etc/services) NEED_SERVICES_MKDB=yes ;; /etc/master.passwd) do_install_and_rm 600 "${1}" "${DESTDIR}${INSTALL_DIR}" NEED_PWD_MKDB=yes DONT_INSTALL=yes ;; /.cshrc | /.profile) local st_nlink # install will unlink the file before it installs the new one, # so we have to restore/create the link afterwards. # st_nlink=0 # In case the file does not yet exist eval $(stat -s ${DESTDIR}${COMPFILE#.} 2>/dev/null) do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}" if [ -n "${AUTO_INSTALL}" -a $st_nlink -gt 1 ]; then HANDLE_LINK=l else case "${LINK_EXPLAINED}" in '') echo " *** Historically BSD derived systems have had a" echo " hard link from /.cshrc and /.profile to" echo " their namesakes in /root. Please indicate" echo " your preference below for bringing your" echo " installed files up to date." echo '' LINK_EXPLAINED=yes ;; esac echo " Use 'd' to delete the temporary ${COMPFILE}" echo " Use 'l' to delete the existing ${DESTDIR}/root/${COMPFILE##*/} and create the link" echo '' echo " Default is to leave the temporary file to deal with by hand" echo '' echo -n " How should I handle ${COMPFILE}? [Leave it to install later] " read HANDLE_LINK fi case "${HANDLE_LINK}" in [dD]*) rm "${COMPFILE}" echo '' echo " *** Deleting ${COMPFILE}" ;; [lL]*) echo '' unlink ${DESTDIR}/root/${COMPFILE##*/} if ln ${DESTDIR}${COMPFILE#.} ${DESTDIR}/root/${COMPFILE##*/}; then echo " *** Link from ${DESTDIR}${COMPFILE#.} to ${DESTDIR}/root/${COMPFILE##*/} installed successfully" else echo " *** Error linking ${DESTDIR}${COMPFILE#.} to ${DESTDIR}/root/${COMPFILE##*/}" echo " *** ${COMPFILE} will remain for your consideration" fi ;; *) echo " *** ${COMPFILE} will remain for your consideration" ;; esac return ;; esac case "${DONT_INSTALL}" in '') do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}" ;; *) unset DONT_INSTALL ;; esac else # File matched -x do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}" fi return $? } if [ ! -d "${TEMPROOT}" ]; then echo "*** FATAL ERROR: The temproot directory (${TEMPROOT})" echo ' has disappeared!' echo '' exit 1 fi echo '' echo "*** Beginning comparison" echo '' # Pre-world does not populate /etc/rc.d. # It is very possible that a previous run would have deleted files in # ${TEMPROOT}/etc/rc.d, thus creating a lot of false positives. if [ -z "${PRE_WORLD}" -a -z "${RERUN}" ]; then echo " *** Checking ${DESTDIR}/etc/rc.d for stale files" echo '' cd "${DESTDIR}/etc/rc.d" && for file in *; do if [ ! -e "${TEMPROOT}/etc/rc.d/${file}" ]; then STALE_RC_FILES="${STALE_RC_FILES} ${file}" fi done case "${STALE_RC_FILES}" in ''|' *') echo ' *** No stale files found' ;; *) echo " *** The following files exist in ${DESTDIR}/etc/rc.d but not in" echo " ${TEMPROOT}/etc/rc.d/:" echo '' echo "${STALE_RC_FILES}" echo '' echo ' The presence of stale files in this directory can cause the' echo ' dreaded unpredictable results, and therefore it is highly' echo ' recommended that you delete them.' case "${AUTO_RUN}" in '') echo '' echo -n ' *** Delete them now? [n] ' read DELETE_STALE_RC_FILES case "${DELETE_STALE_RC_FILES}" in [yY]) echo ' *** Deleting ... ' rm ${STALE_RC_FILES} echo ' done.' ;; *) echo ' *** Files will not be deleted' ;; esac sleep 2 ;; *) if [ -n "${DELETE_STALE_RC_FILES}" ]; then echo ' *** Deleting ... ' rm ${STALE_RC_FILES} echo ' done.' fi esac ;; esac echo '' fi cd "${TEMPROOT}" if [ -r "${MM_PRE_COMPARE_SCRIPT}" ]; then . "${MM_PRE_COMPARE_SCRIPT}" fi # Things that were files/directories/links in one version can sometimes # change to something else in a newer version. So we need to explicitly # test for this, and warn the user if what we find does not match. # for COMPFILE in `find . | sort` ; do if [ -e "${DESTDIR}${COMPFILE#.}" ]; then INSTALLED_TYPE=`stat -f '%HT' ${DESTDIR}${COMPFILE#.}` else continue fi TEMPROOT_TYPE=`stat -f '%HT' $COMPFILE` if [ ! "$TEMPROOT_TYPE" = "$INSTALLED_TYPE" ]; then [ "$COMPFILE" = '.' ] && continue TEMPROOT_TYPE=`echo $TEMPROOT_TYPE | tr [:upper:] [:lower:]` INSTALLED_TYPE=`echo $INSTALLED_TYPE | tr [:upper:] [:lower:]` echo "*** The installed file ${DESTDIR}${COMPFILE#.} has the type \"$INSTALLED_TYPE\"" echo " but the new version has the type \"$TEMPROOT_TYPE\"" echo '' echo " How would you like to handle this?" echo '' echo " Use 'r' to remove ${DESTDIR}${COMPFILE#.}" case "$TEMPROOT_TYPE" in 'symbolic link') TARGET=`readlink $COMPFILE` echo " and create a link to $TARGET in its place" ;; *) echo " You will be able to install it as a \"$TEMPROOT_TYPE\"" ;; esac echo '' echo " Use 'i' to ignore this" echo '' echo -n " How to proceed? [i] " read ANSWER case "$ANSWER" in [rR]) case "${PRESERVE_FILES}" in [Yy][Ee][Ss]) mv ${DESTDIR}${COMPFILE#.} ${PRESERVE_FILES_DIR}/ || exit 1 ;; *) rm -rf ${DESTDIR}${COMPFILE#.} ;; esac case "$TEMPROOT_TYPE" in 'symbolic link') ln -sf $TARGET ${DESTDIR}${COMPFILE#.} ;; esac ;; *) echo '' echo "*** See the man page about adding ${COMPFILE#.} to the list of IGNORE_FILES" press_to_continue ;; esac echo '' fi done for COMPFILE in `find . -type f | sort`; do # First, check to see if the file exists in DESTDIR. If not, the # diff_loop function knows how to handle it. # if [ ! -e "${DESTDIR}${COMPFILE#.}" ]; then case "${AUTO_RUN}" in '') diff_loop ;; *) case "${AUTO_INSTALL}" in '') # If this is an auto run, make it official echo " *** ${COMPFILE} will remain for your consideration" ;; *) diff_loop ;; esac ;; esac # Auto run test continue fi case "${STRICT}" in '' | [Nn][Oo]) # Compare $Id's first so if the file hasn't been modified # local changes will be ignored. # If the files have the same $Id, delete the one in temproot so the # user will have less to wade through if files are left to merge by hand. # ID1=`grep "[$]${ID_TAG}:" ${DESTDIR}${COMPFILE#.} 2>/dev/null` ID2=`grep "[$]${ID_TAG}:" ${COMPFILE} 2>/dev/null` || ID2=none case "${ID2}" in "${ID1}") echo " *** Temp ${COMPFILE} and installed have the same Id, deleting" rm "${COMPFILE}" ;; esac ;; esac # If the file is still here either because the $Ids are different, the # file doesn't have an $Id, or we're using STRICT mode; look at the diff. # if [ -f "${COMPFILE}" ]; then # Do an absolute diff first to see if the files are actually different. # If they're not different, delete the one in temproot. # if diff -q ${DIFF_OPTIONS} "${DESTDIR}${COMPFILE#.}" "${COMPFILE}" > \ /dev/null 2>&1; then echo " *** Temp ${COMPFILE} and installed are the same, deleting" rm "${COMPFILE}" else # Ok, the files are different, so show the user where they differ. # Use user's choice of diff methods; and user's pager if they have one. # Use less if not. # Use unified diffs by default. Context diffs give me a headache. :) # # If the user chose the -F option, test for that before proceeding # if [ -n "$FREEBSD_ID" ]; then if diff -q -I'[$]FreeBSD.*[$]' "${DESTDIR}${COMPFILE#.}" "${COMPFILE}" > \ /dev/null 2>&1; then if mm_install "${COMPFILE}"; then echo "*** Updated revision control Id for ${DESTDIR}${COMPFILE#.}" else echo "*** Problem installing ${COMPFILE}, it will remain to merge by hand later" fi continue fi fi case "${AUTO_RUN}" in '') # prompt user to install/delete/merge changes diff_loop ;; *) # If this is an auto run, make it official echo " *** ${COMPFILE} will remain for your consideration" ;; esac # Auto run test fi # Yes, the files are different fi # Yes, the file still remains to be checked done # This is for the for way up there at the beginning of the comparison echo '' echo "*** Comparison complete" if [ -s "${MTREENEW}" ]; then echo "*** Saving mtree database for future upgrades" test -e "${MTREEFILE}" && unlink ${MTREEFILE} mv ${MTREENEW} ${MTREEFILE} fi echo '' TEST_FOR_FILES=`find ${TEMPROOT} -type f -size +0 2>/dev/null` if [ -n "${TEST_FOR_FILES}" ]; then echo "*** Files that remain for you to merge by hand:" find "${TEMPROOT}" -type f -size +0 | sort echo '' case "${AUTO_RUN}" in '') echo -n "Do you wish to delete what is left of ${TEMPROOT}? [no] " read DEL_TEMPROOT case "${DEL_TEMPROOT}" in [yY]*) delete_temproot ;; *) echo " *** ${TEMPROOT} will remain" ;; esac ;; *) ;; esac else echo "*** ${TEMPROOT} is empty, deleting" delete_temproot fi case "${AUTO_INSTALLED_FILES}" in '') ;; *) case "${AUTO_RUN}" in '') ( echo '' echo '*** You chose the automatic install option for files that did not' echo ' exist on your system. The following were installed for you:' echo "${AUTO_INSTALLED_FILES}" ) | ${PAGER} ;; *) echo '' echo '*** You chose the automatic install option for files that did not' echo ' exist on your system. The following were installed for you:' echo "${AUTO_INSTALLED_FILES}" ;; esac ;; esac case "${AUTO_UPGRADED_FILES}" in '') ;; *) case "${AUTO_RUN}" in '') ( echo '' echo '*** You chose the automatic upgrade option for files that you did' echo ' not alter on your system. The following were upgraded for you:' echo "${AUTO_UPGRADED_FILES}" ) | ${PAGER} ;; *) echo '' echo '*** You chose the automatic upgrade option for files that you did' echo ' not alter on your system. The following were upgraded for you:' echo "${AUTO_UPGRADED_FILES}" ;; esac ;; esac run_it_now () { [ -n "$AUTO_RUN" ] && return local answer echo '' while : ; do if [ "$RUN_UPDATES" = always ]; then answer=y elif [ "$RUN_UPDATES" = never ]; then answer=n else echo -n ' Would you like to run it now? y or n [n] ' read answer fi case "$answer" in y) echo " Running ${1}" echo '' eval "${1}" return ;; ''|n) if [ ! "$RUN_UPDATES" = never ]; then echo '' echo " *** Cancelled" echo '' fi echo " Make sure to run ${1} yourself" return ;; *) echo '' echo " *** Sorry, I do not understand your answer (${answer})" echo '' esac done } case "${NEED_NEWALIASES}" in '') ;; *) echo '' if [ -n "${DESTDIR}" ]; then echo "*** You installed a new aliases file into ${DESTDIR}/etc/mail, but" echo " the newaliases command is limited to the directories configured" echo " in sendmail.cf. Make sure to create your aliases database by" echo " hand when your sendmail configuration is done." else echo "*** You installed a new aliases file, so make sure that you run" echo " '/usr/bin/newaliases' to rebuild your aliases database" run_it_now '/usr/bin/newaliases' fi ;; esac case "${NEED_CAP_MKDB}" in '') ;; *) echo '' echo "*** You installed a login.conf file, so make sure that you run" echo " '/usr/bin/cap_mkdb ${DESTDIR}/etc/login.conf'" echo " to rebuild your login.conf database" run_it_now "/usr/bin/cap_mkdb ${DESTDIR}/etc/login.conf" ;; esac case "${NEED_SERVICES_MKDB}" in '') ;; *) echo '' echo "*** You installed a services file, so make sure that you run" echo " '/usr/sbin/services_mkdb -q -o ${DESTDIR}/var/db/services.db ${DESTDIR}/etc/services'" echo " to rebuild your services database" run_it_now "/usr/sbin/services_mkdb -q -o ${DESTDIR}/var/db/services.db ${DESTDIR}/etc/services" ;; esac case "${NEED_PWD_MKDB}" in '') ;; *) echo '' echo "*** You installed a new master.passwd file, so make sure that you run" if [ -n "${DESTDIR}" ]; then echo " '/usr/sbin/pwd_mkdb -d ${DESTDIR}/etc -p ${DESTDIR}/etc/master.passwd'" echo " to rebuild your password files" run_it_now "/usr/sbin/pwd_mkdb -d ${DESTDIR}/etc -p ${DESTDIR}/etc/master.passwd" else echo " '/usr/sbin/pwd_mkdb -p /etc/master.passwd'" echo " to rebuild your password files" run_it_now '/usr/sbin/pwd_mkdb -p /etc/master.passwd' + fi + ;; +esac + +case "${NEED_CERTCTL}" in +'') ;; +*) + echo '' + echo "*** You installed files in /etc/ssl/certs, so make sure that you run" + if [ -n "${DESTDIR}" ]; then + echo " 'env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash" + else + echo " '/usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "/usr/sbin/certctl rehash" fi ;; esac if [ -e "${DESTDIR}/etc/localtime" -a ! -L "${DESTDIR}/etc/localtime" -a -z "${PRE_WORLD}" ]; then # Ignore if TZ == UTC echo '' [ -n "${DESTDIR}" ] && tzs_args="-C ${DESTDIR}" if [ -f "${DESTDIR}/var/db/zoneinfo" ]; then echo "*** Reinstalling `cat ${DESTDIR}/var/db/zoneinfo` as ${DESTDIR}/etc/localtime" tzsetup $tzs_args -r else echo "*** There is no ${DESTDIR}/var/db/zoneinfo file to update ${DESTDIR}/etc/localtime." echo ' You should run tzsetup' run_it_now "tzsetup $tzs_args" fi fi echo '' if [ -r "${MM_EXIT_SCRIPT}" ]; then . "${MM_EXIT_SCRIPT}" fi case "${COMP_CONFS}" in '') ;; *) . ${DESTDIR}/etc/defaults/rc.conf (echo '' echo "*** Comparing conf files: ${rc_conf_files}" for CONF_FILE in ${rc_conf_files}; do if [ -r "${DESTDIR}${CONF_FILE}" ]; then echo '' echo "*** From ${DESTDIR}${CONF_FILE}" echo "*** From ${DESTDIR}/etc/defaults/rc.conf" for RC_CONF_VAR in `grep -i ^[a-z] ${DESTDIR}${CONF_FILE} | cut -d '=' -f 1`; do echo '' grep -w ^${RC_CONF_VAR} ${DESTDIR}${CONF_FILE} grep -w ^${RC_CONF_VAR} ${DESTDIR}/etc/defaults/rc.conf || echo ' * No default variable with this name' done fi done) | ${PAGER} echo '' ;; esac if [ -n "${PRESERVE_FILES}" ]; then find -d $PRESERVE_FILES_DIR -type d -empty -delete 2>/dev/null rmdir $PRESERVE_FILES_DIR 2>/dev/null fi exit 0 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Copyright (c) 1998-2012 Douglas Barton # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. Index: stable/12 =================================================================== --- stable/12 (revision 357081) +++ stable/12 (revision 357082) Property changes on: stable/12 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r352948-352951,353002,353066,353070