
#1 2007-06-21 00:01:52

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Permissions issue with pacman 3.0.5-1

From the front page news:

Pacman 3.0.5-1 had a bit of an issue with permissions when installing packages that contained symlinks. A well-intentioned chmod call turned permissions on some files to 777 creating a security risk. This has been fixed in pacman 3.0.5-2.

More details:
http://bugs.archlinux.org/task/7461
http://archlinux.org/pipermail/pacman-d … 08579.html


#2 2007-06-21 07:15:20

[vEX]
Member
From: Sweden
Registered: 2006-11-23
Posts: 450

Re: Permissions issue with pacman 3.0.5-1

From pacman update notice:

It is recommended you reinstall any packages you have installed since upgrading to version 3.0.5-1. Use /var/log/pacman.log for this information.

Am I correct in assuming that just doing "pacman -S <packages>" and answering yes for the whole lot (the already up to date questions) will fix this?

Last edited by [vEX] (2007-06-21 07:16:19)


PC: Antec P182B | Asus P8Z77-V PRO | Intel i5 3570k | 16GB DDR3 | GeForce 450GTS | 4TB HDD | Pioneer BDR-207D | Asus Xonar DX | Altec Lansing CS21 | Eizo EV2736W-BK | Arch Linux x86_64
HTPC: Antec NSK2480 | ASUS M3A78-EM (AMD 780G) | AMD Athlon X3 425 | 8GB DDR2 | GeForce G210 | 2TB HDD | Arch Linux x86_64
Server: Raspberry Pi (model B) | 512MB RAM | 750GB HDD | Arch Linux ARM


#3 2007-06-21 08:19:07

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: Permissions issue with pacman 3.0.5-1

You can even use the --noconfirm flag to avoid answering yes - see man pacman.


#4 2007-06-21 08:49:59

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,390
Website

Re: Permissions issue with pacman 3.0.5-1

I installed the upgraded a lot after installing pacman - as in I installed Arch yesterday!  So my whole system minus the base packages needs reinstalled.

Can someone help me with a bash script to do the reinstall.  So far I have done:

pacman -Q | grep -v "pacman" > packages.txt

then trying a bash script like:

for i in packages.txt
do
pacman -S $i
done

but that fails.  Replacing the "pacman -S $i" with "cat $i" does print the package names as I expect.

Thanks


#5 2007-06-21 10:02:52

thujone
Member
From: Prague, Czech Republic
Registered: 2007-01-01
Posts: 18

Re: Permissions issue with pacman 3.0.5-1

Did this permission issue apply to upgraded packages too?

Allan wrote:

I installed the upgraded a lot after installing pacman - as in I installed Arch yesterday!  So my whole system minus the base packages needs reinstalled.

Can someone help me with a bash script to do the reinstall.  So far I have done:

pacman -Q | grep -v "pacman" > packages.txt

then trying a bash script like:

for i in packages.txt
do
pacman -S $i
done

but that fails.  Replacing the "pacman -S $i" with "cat $i" does print the package names as I expect.

Thanks

Your "for i in packages.txt" just loops over 'packages.txt' filename, so you obtain a single "pacman -S packages.txt" call; cat works fine cause it outputs the content of the given package (see "man cat"); something like

pacman -S `cat packages.txt`

would do the job in a single pacman call.

Last edited by thujone (2007-06-21 10:12:20)


#6 2007-06-21 10:53:00

klixon
Member
From: Nederland
Registered: 2007-01-17
Posts: 525

Re: Permissions issue with pacman 3.0.5-1

Allan wrote:

pacman -Q | grep -v "pacman" > packages.txt

replace that with

pacman -Q | grep -v pacman | cut -d' ' -f1 > packages.txt

this will remove the version numbers, so you're left with just the package names
then do what thujone suggested


Stand back, intruder, or i'll blast you out of space! I am Klixon and I don't want any dealings with you human lifeforms. I'm a cyborg!


#7 2007-06-21 11:21:18

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,390
Website

Re: Permissions issue with pacman 3.0.5-1

Thanks, that works perfectly. I obviously still suck at bash scripting and linux commands!

Last edited by Allan (2007-06-21 11:21:53)


#8 2007-06-21 11:54:38

Skwisgaar
Member
Registered: 2007-03-25
Posts: 3

Re: Permissions issue with pacman 3.0.5-1

Also, don't forget to reinstall pacman 3.0.5-2 itself.

After I reinstalled all the other packages I had upgraded in the last three days, I still had a file with 777 permission:

/usr/lib/libalpm.so.1.0.0

... which is owned by pacman.

Offline
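A check for leftovers like the one reported in post #8, as an added example that is not part of the original thread. The function names and the demo tree are constructed for illustration; `pacman -Qqo` is used only if pacman is present.

```shell
#!/bin/sh
# Added example: find files left at mode 777, the symptom described in this thread.

# find_777 ROOT -> one path per line, sorted
find_777() {
    # ! -type l  : symlinks always show lrwxrwxrwx and are not findings
    # -perm 0777 : exact match, so a sticky 1777 directory (like /tmp) is not flagged
    # -xdev      : do not cross into other filesystems
    find "$1" -xdev ! -type l -perm 0777 -print | LC_ALL=C sort
}

# report_777 ROOT -> "path<TAB>owning package", so you know what to reinstall
report_777() {
    find_777 "$1" | while IFS= read -r path; do
        if command -v pacman >/dev/null 2>&1; then
            owner=$(pacman -Qqo "$path" 2>/dev/null) || owner="(no owning package)"
        else
            owner="(pacman not available)"
        fi
        printf '%s\t%s\n' "$path" "$owner"
    done
}

# Constructed demo tree: one bad file, a symlink to it, a sane file, a sticky dir.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/lib" "$d/tmp"
    : > "$d/lib/libdemo.so.1.0.0"; chmod 0777 "$d/lib/libdemo.so.1.0.0"
    ln -s libdemo.so.1.0.0 "$d/lib/libdemo.so.1"
    : > "$d/lib/libok.so";         chmod 0755 "$d/lib/libok.so"
    chmod 0755 "$d/lib"
    chmod 1777 "$d/tmp"
    printf '%s\n' "$d"
}

# Usage: sh this_script.sh /usr
if [ $# -gt 0 ]; then
    report_777 "$1"
fi
```

Only the regular file at 0777 is reported; the symlink pointing at it and the 1777 directory are skipped.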

#9 2007-06-21 14:43:51

klixon
Member
From: Nederland
Registered: 2007-01-17
Posts: 525

Re: Permissions issue with pacman 3.0.5-1

here's a oneliner to do this:

 pacman -Sy pacman && pacman -S $( tail -n$(( \
                $( wc -l /var/log/pacman.log | cut -d' ' -f1 ) \
                - $( grep -n "upgraded pacman .* -> 3.0.5-1" /var/log/pacman.log | awk -F: '{print $1}' )\
        )) /var/log/pacman.log \
        | awk '/\] upgraded |\] installed/ { if ($4 != "pacman") print $4}' \
        | sort | uniq )

i broke it down a bit to make it more readable ;)

And i was too lazy to filter out everything that was installed after the upgrade to pacman-3.0.5-2 :cool:

Last edited by klixon (2007-06-21 14:48:06)



#10 2007-06-21 19:08:06

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Permissions issue with pacman 3.0.5-1

Apparently, the upgrade of libarchive caused new problems : http://archlinux.org/pipermail/arch/200 … 14931.html
http://bugs.archlinux.org/task/7484
I'm not sure how common that setup is (not too much I hope).

About the above script:
Why not use tail -n+ ? ;)
Also in case pacman 3.0.5-1 has been upgraded several times, I think grep should use the first time (first line number it gets).

echo  $( tail -n+$(grep -n "pacman .* -> 3.0.5-1" /var/log/pacman.log \
        | awk -F: '{print $1}' | head -n 1) /var/log/pacman.log \
        | awk '/\] upgraded |\] installed/ { if ($4 != "pacman") print $4}' \
        | sort | uniq )

Also, this doesn't work with localized pacman.
Since I don't know awk, I wasn't even able to fix the third line for the french version.
example output :

[2007-06-21 01:33] mplayer-plugin désinstallé (3.40-2)
[2007-06-21 11:47] libarchive mis à jour (2.2.3-2 -> 1.3.1-2)
[2007-06-21 11:47] pacman mis à jour (3.0.5-2 -> 3.0.5-1)
[2007-06-21 12:37] libarchive mis à jour (1.3.1-2 -> 2.2.3-2)
[2007-06-21 12:37] pacman mis à jour (3.0.5-1 -> 3.0.5-2)
[2007-06-21 12:37] filesystem mis à jour (0.8-7 -> 0.8-9)
[2007-06-21 14:22] transfig installé (3.2.4-2)

I could probably find another way of doing it, but I'm curious about how to adapt the awk way :)

Otherwise, this security problem with wrong permissions is a non-issue on all desktop single-user systems, right?
I see how it is a big problem on public and open systems that many users have access to, but not in other cases. Please enlighten me :)


pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))


#11 2007-06-21 20:03:46

klixon
Member
From: Nederland
Registered: 2007-01-17
Posts: 525

Re: Permissions issue with pacman 3.0.5-1

hmmm tail --help didn't show the "-n+" option and head --help did show the "-n-" so i assumed tail didn't have this (man-page would've told me i guess... :/)

echo  $( tail -n+$(grep -n "pacman .* -> 3.0.5-1" /var/log/pacman.log \
        | awk -F: '{print $1}' | head -n 1) /var/log/pacman.log \
        | awk '/ mis à jour \(| installé \(/ { if ($4 != "pacman") print $4}' \
        | sort | uniq )

should do the trick i think, but you might want to check  the output of

grep " mis à jour \(\| installé \(" /var/log/pacman.log

beforehand to see if you don't match too much or too little on the awk regexp



#12 2007-06-21 20:43:01

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: Permissions issue with pacman 3.0.5-1

klixon wrote:

hmmm tail --help didn't show the "-n+" option and head --help did show the "-n-" so i assumed tail didn't have this (man-page would've told me i guess... :/)

echo  $( tail -n+$(grep -n "pacman .* -> 3.0.5-1" /var/log/pacman.log \
        | awk -F: '{print $1}' | head -n 1) /var/log/pacman.log \
        | awk '/ mis à jour \(| installé \(/ { if ($4 != "pacman") print $4}' \
        | sort | uniq )

should do the trick i think

nearly, just had to replace the two $4 by $3 (since it isn't in the same order). great job :D

but you might want to check  the output of

grep " mis à jour \(\| installé \(" /var/log/pacman.log

beforehand to see if you don't match too much or too little on the awk regexp

I had to use this rather :

grep -E " mis à jour \(| installé \(" /var/log/pacman.log

It looks like this matches all packages correctly, thanks :)
I hope it'll be useful to others.



Offline
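The log extraction worked out in posts #9 to #12, combined into one function that handles both the English and the French log lines, as an added example that is not code from any poster. It starts at the first line where pacman moves to 3.0.5-1, as suggested in post #10. The function names and sample log are constructed; the English line format is assumed from the awk pattern in post #9, the French lines are modelled on the output quoted in post #10.

```shell
#!/bin/sh
# Added example: list packages installed or upgraded after pacman first
# became 3.0.5-1, from a pacman.log read on stdin.

# Constructed sample log mixing both locales.
sample_log() {
cat <<'EOF'
[2007-06-20 09:10] installed vim (7.1-1)
[2007-06-20 18:02] upgraded pacman (3.0.4-4 -> 3.0.5-1)
[2007-06-20 18:30] installed transfig (3.2.4-2)
[2007-06-20 19:00] removed mplayer-plugin (3.40-2)
[2007-06-21 11:47] libarchive mis à jour (2.2.3-2 -> 1.3.1-2)
[2007-06-21 11:47] pacman mis à jour (3.0.5-2 -> 3.0.5-1)
[2007-06-21 12:37] pacman mis à jour (3.0.5-1 -> 3.0.5-2)
[2007-06-21 12:37] filesystem mis à jour (0.8-7 -> 0.8-9)
[2007-06-21 14:22] transfig installé (3.2.4-2)
EOF
}

pkgs_to_reinstall() {
    LC_ALL=C awk '
        # Skip everything up to the FIRST transition of pacman to 3.0.5-1.
        !seen && / pacman / && /-> 3\.0\.5-1\)$/ { seen = 1; next }
        !seen { next }
        { name = "" }
        # English: verb in field 3, package name in field 4.
        $3 == "upgraded" || $3 == "installed" { name = $4 }
        # French: package name in field 3, verb after it. The leading
        # space keeps "désinstallé" (removed) from matching.
        / (mis à jour|installé) \(/ { name = $3 }
        name != "" && name != "pacman" { print name }
    ' | LC_ALL=C sort -u
}

# Demo on the constructed log; on a real system feed /var/log/pacman.log
# and pass the result to: pacman -S $(...)
sample_log | pkgs_to_reinstall
```

For another locale, add that locale's two verbs to the second pattern and check which field holds the package name.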

#13 2007-06-21 21:07:31

klixon
Member
From: Nederland
Registered: 2007-01-17
Posts: 525

Re: Permissions issue with pacman 3.0.5-1

shining wrote:

nearly, just had to replace the two $4 by $3 (since it isn't in the same order). great job :D

I was a bit in a hurry, sorry :D glad you figured it out

shining wrote:

It looks like this matches all packages correctly, thanks :)
I hope it'll be useful to others.

Thanks for your input. You made it a lot cleaner ;)



#14 2007-06-22 18:19:23

hybrid
Member
Registered: 2007-02-05
Posts: 261

Re: Permissions issue with pacman 3.0.5-1

shining wrote:

Apparently, the upgrade of libarchive caused new problems : http://archlinux.org/pipermail/arch/200 … 14931.html
http://bugs.archlinux.org/task/7484
I'm not sure how common that setup is (not too much I hope).

Well affects me too (I have /opt symlinked to /usr/opt), but it's not limited to /opt. If anyone ever linked a folder to a different place and reinstalled a package that is using that directory, it's messed up!
I don't think I personally did do that on anything else besides /opt but I honestly might not remember it anymore from when I set my system up a long time ago (my arch isn't that old yet (maybe 6 months), but think about all the people who set their system up years ago.. (for example my slackware system I set up more than 5 years ago... way to remember if during that period of time I symlinked something.....)
