>
>
> On Thu, Nov 01, 2007 at 02:25:31PM -0700, Clint Pachl wrote:
>
>> Markus Wernig wrote:
>>
>>> Dear list
>>>
>>> I have a couple of 4.1 firewalls that I would like to upgrade to 4.2.
>>> Before taking them online again I'd like to deploy the openssl patch
>>>
>> >from
>>
>>>
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/002_openssl.patch
>>>
>> I feel your pain. Others have dissed on you for not having compile tools
>> on your hosts and assume you're doing it for security reasons. I don't
>> know your reason, but I only have compile tools on my build system. I
>> create binary patches (see script below) and distribute across the
>> network. Who the hell wants 20 (# of servers in my network) builds
>> cranking on all your machines in the network? What a nightmare. What if
>> they all fail? Worse yet, what if one fails? Someone is going to say,
>> "script/automate it." Screw that. Now you need to figure out how to make
>> the sources available to all the hosts, initiate the build, make sure
>> the build didn't fail, etc.
>>
>> Another reason I don't have compile tools on some of my servers is
>> because they won't fit. Many of my dedicated systems use 256MB flash drives.
>>
>> The third reason to keep crap off your servers, including compiler
>> tools, is that potentially that extra stuff could be exploitable. If it
>> is, then you have to patch it too. Just extra work.
>>
>>
>>> Being perimeter firewalls, those systems don't have compile tools
>>> installed. I would thus need to pre-compile libssl on a 4.2 buildhost
>>> and deploy it onto the firewalls. I've been looking through the
>>> documentation but did not find a "good" way to do this, because
>>> openssl is not a package, but part of the base system.
>>>
>> OpenBSD makes if very easy to create binary patches. I wrote a script
>> below that automates most of the process. I have been using this script
>> for a while and it works pretty good. The good thing about this is that
>> it only creates a binary patch of executables and files that were
>> affected by the source patch. This also has the benefit of touching only
>> a small portion of the installed system, which can be helpful when you
>> are monitoring for trojan horses.
>>
>> The alternative, which someone else mentioned, is just make a release.
>> This is straightforward and officially supported. See release(8).
>>
>>
>>> Is there any way other than tar - scp - untar after compiling libssl?
>>>
>>> thx for any pointers
>>>
>>> /markus
>>>
>> I will apologize in advance for the screwed spacing/tabbing.
>>
>> #!/bin/sh
>> #
>> # Builds kernel and userland from the /usr/src tree. The script sets up the
>> # build environment then kicks the user to a shell to manually patch the
>> # source. When in userland build mode, the user is also asked to build and
>> # install using the instructions specified in the official OpenBSD
>> patch. After
>> # the user exits the work shell, this script will build the kernel or
>> create a
>> # binary userland patch depending on the operation mode.
>> #
>> # BUGS
>> # Does not build or make binary patches for the X system.
>> #
>>
>> usage()
>> {
>> cat <<- EOF
>> usage: $APP {-k | -u} [-h] [-p patch-name]
>>
>> -k : kernel build mode; makes GENERIC & GENERIC.MP kernels
>> -u : userland build mode; makes binary patches
>> -p : embedded in the newly built kernel/patch filenames
>> -h : help
>> EOF
>> exit
>> }
>>
>> APP=${0##*/}
>> REL=`uname -r`
>> ARCH=`uname -m`
>> Mode=0
>> PatchName=
>> KernCfgs='GENERIC GENERIC.MP'
>>
>> while getopts p:kuh i
>> do case $i in
>> k) Mode=1 ;;
>> u) Mode=2 ;;
>> p) PatchName=-$OPTARG ;;
>> h) usage 0 ;;
>> *) echo "$APP: cmdline parse error."
>> usage 1
>> esac
>> done
>>
>> [ $Mode -ne 0 ] || usage 1
>>
>> TDIR=`mktemp -d /var/tmp/${APP}.XXXXXXX` || exit 1
>> trap 'rm -rf $TDIR 2>/dev/null || sudo rm -rf $TDIR' EXIT
>>
>> if [ $Mode -eq 1 ]
>> then KDIR=`mktemp -d /var/tmp/kernels-XXXXXXX` || exit 1
>> cat <<- EOF
>>
>> === Kernel Build Rules ===
>> - Patch the kernel source.
>> - Type "exit" when complete.
>> - The kernels ($KernCfgs) will automatically build.
>>
>> === Command Sequence Hint ===
>> $ cd /usr/src
>> $ ftp -Vo -
>> ftp://ftp.openbsd.org/pub/OpenBSD/patches/$REL/$ARCH/<patch> | patch -p0
>> $ exit
>>
>> EOF
>>
>> $SHELL
>>
>> for k in $KernCfgs
>> do mkdir $TDIR/$k
>> cd $TDIR/$k
>> cp /sys/arch/$ARCH/conf/$k .
>> config -s /sys -b . $k
>> make clean && make depend && make || exit 1
>> mv bsd $KDIR/bsd.$k$PatchName
>> rm -rf $TDIR/$k &
>> done
>>
>> cat <<- EOF
>>
>> The kernels have been built and can be found in "$KDIR".
>>
>> Install your kernel safely:
>> # ln -f /bsd /bsd.old
>> # cp $KDIR/<new-kernel> /bsd.tmp
>> # mv /bsd.tmp /bsd
>>
>> EOF
>>
>> else export BSDOBJDIR=$TDIR/obj _DESTDIR=$TDIR/dest
>> readonly BSDOBJDIR _DESTDIR
>> mkdir $BSDOBJDIR $_DESTDIR
>>
>> cd /usr/src/etc
>> sudo env DESTDIR=$_DESTDIR make distrib-dirs >/dev/null
>> cd $_DESTDIR
>> sudo mtree -c -k type > ../dest.mtree
>>
>> cat <<- EOF
>>
>> === Userland Build Rules ===
>> - Manually patch and rebuild the affected sources according to
>> the patch instructions.
>> - Set "DESTDIR=$_DESTDIR" on the command line for ALL make
>> install targets!
>> - Type "exit" when complete.
>>
>> === Command Sequence Hint ===
>> $ cd /usr/src
>> $ ftp -Vo -
>> ftp://ftp.openbsd.org/pub/OpenBSD/patches/$REL/$ARCH/<patch> | patch -p0
>> $ cd <thing that needs building>
>> $ make obj && make cleandir && make depend && make && sudo make
>> DESTDIR=$_DESTDIR install
>> $ exit
>>
>> EOF
>>
>> $SHELL
>>
>> cd $_DESTDIR
>> sudo mtree -f ../dest.mtree > ../tmp.mtree
>> [ -s ../tmp.mtree ] || { echo "Nothing installed in
>> $_DESTDIR."; exit 1; }
>>
>> PATCH=`mktemp /var/tmp/patch$PatchName.tgz-XXXXXXX` || exit 1
>> echo -n "\nCreating binary patch '$PATCH'..."
>> sudo mtree -f ../dest.mtree | grep '^extra:' | cut -d' ' -f2 |
>> tar czf $PATCH -I - && echo OK || echo FAILED
>> fi
