1
0
mirror of https://github.com/moparisthebest/pacman synced 2024-12-22 15:58:50 -05:00

repo-add: ensure database and signature files are always viewed in whole

This addresses a short but sweet race condition currently existing in
repo-add and repo-remove. We do the smart thing and zip the database to
a location in a temporary directory and not over the original database
directly. However, we then proceed to move this file directly from the
temporary directory to our final location, which is more than likely a
cross-filesystem move (/tmp on tmpfs) and thus non-atomic.

Instead, zip the file to the same directory, prefixing the filename with
'.tmp.'. We then move the file into place. This move is guaranteed to be
atomic, so any reader of the database file will get either the old
version, the new version, or ENOENT.

We also perform a hardlink if possible instead of a move when shifting
the old database out of the way to '.old'; this ensures there is no
chance of a database file not existing during the whole process.

Only one small race condition should now be present- when the database
has been fully moved into place and the signature has not, you may see a
mismatch. There seems to be no good way to address this, and it existed
before this patch.

A final note- if someone had locked-down permissions on the directory
that the database files are in (e.g., could only write to foo.db.tar.gz,
foo.db, foo.db.tar.gz.old, foo.db.old, and the lock file), this would
break.

Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
Dan McGee 2011-11-15 22:16:42 -06:00
parent 6a9ed33055
commit 80868b0da6

View File

@ -640,37 +640,51 @@ if (( success )); then
msg "$(gettext "Creating updated database file '%s'")" "$REPO_DB_FILE"
TAR_OPT=$(verify_repo_extension "$REPO_DB_FILE")
# $LOCKFILE is already guaranteed to be absolute so this is safe
dirname=${LOCKFILE%/*}
filename=${REPO_DB_FILE##*/}
# this ensures we create it on the same filesystem, making moves atomic
tempname="$dirname/.tmp.$filename"
pushd "$tmpdir/tree" >/dev/null
if ( shopt -s nullglob; files=(*); (( ${#files[*]} )) ); then
bsdtar -c${TAR_OPT}f "$tmpdir/$filename" *
bsdtar -c${TAR_OPT}f "$tempname" *
else
# we have no packages remaining? zip up some emptyness
warning "$(gettext "No packages remain, creating empty database.")"
bsdtar -c${TAR_OPT}f "$tmpdir/$filename" -T /dev/null
bsdtar -c${TAR_OPT}f "$tempname" -T /dev/null
fi
popd >/dev/null
create_signature "$tmpdir/$filename"
create_signature "$tempname"
[[ -f $REPO_DB_FILE ]] && mv -f "$REPO_DB_FILE" "${REPO_DB_FILE}.old"
# hardlink or move the previous version of the database and signature to .old
# extension as a backup measure
if [[ -f $REPO_DB_FILE ]]; then
ln -f "$REPO_DB_FILE" "$REPO_DB_FILE.old" 2>/dev/null || \
mv -f "$REPO_DB_FILE" "$REPO_DB_FILE.old"
fi
if [[ -f $REPO_DB_FILE.sig ]]; then
mv -f "$REPO_DB_FILE.sig" "$REPO_DB_FILE.old.sig"
ln -f "$REPO_DB_FILE.sig" "$REPO_DB_FILE.old.sig" 2>/dev/null || \
mv -f "$REPO_DB_FILE.sig" "$REPO_DB_FILE.old.sig"
else
rm -f "$REPO_DB_FILE.old.sig"
fi
[[ -f $tmpdir/$filename ]] && mv "$tmpdir/$filename" "$REPO_DB_FILE"
[[ -f $tmpdir/$filename.sig ]] && mv "$tmpdir/$filename.sig" "$REPO_DB_FILE.sig"
# rotate the newly-created database and signature into place
mv "$tempname" "$REPO_DB_FILE"
if [[ -f $tempname.sig ]]; then
mv "$tempname.sig" "$REPO_DB_FILE.sig"
fi
dblink="${REPO_DB_FILE%.tar*}"
target=${REPO_DB_FILE##*/}
rm -f "$dblink" "$dblink.sig"
ln -s "$target" "$dblink" 2>/dev/null || \
ln "$target" "$dblink" 2>/dev/null || \
ln -s "$filename" "$dblink" 2>/dev/null || \
ln "$filename" "$dblink" 2>/dev/null || \
cp "$REPO_DB_FILE" "$dblink"
if [[ -f "$REPO_DB_FILE.sig" ]]; then
ln -s "$target.sig" "$dblink.sig" 2>/dev/null || \
ln "$target.sig" "$dblink.sig" 2>/dev/null || \
ln -s "$filename.sig" "$dblink.sig" 2>/dev/null || \
ln "$filename.sig" "$dblink.sig" 2>/dev/null || \
cp "$REPO_DB_FILE.sig" "$dblink.sig"
fi
else