diff --git a/UPDATING b/UPDATING index ef324a450a40..410624dca46f 100644 --- a/UPDATING +++ b/UPDATING @@ -1,4 +1,4 @@ -$NetBSD: UPDATING,v 1.342 2023/07/19 17:49:40 martin Exp $ +$NetBSD: UPDATING,v 1.343 2023/08/28 22:25:49 riastradh Exp $ This file (UPDATING) is intended to be a brief reference to recent changes that might cause problems in the build process, and a guide for @@ -19,6 +19,21 @@ See also: BUILDING, build.sh, Makefile. Recent changes: ^^^^^^^^^^^^^^^ +20230828: + If: + - you updated to current and ran postinstall between 20230826 + and 20230828 inclusive, and + - you are not using anything outside the base system to + populate /etc/openssl/certs (e.g., manually adding + certificates or using ca-certificates or mozilla-rootcerts or + mozilla-rootcerts-openssl from pkgsrc), + delete /etc/openssl/certs and rerun postinstall or just + `certctl rehash'. + + Otherwise, certctl(8) will think someone else has left + /etc/openssl/certs in the way and will avoid clobbering it on + upgrade from older NetBSD. + 20230718: build.sh will use mk.conf in the same directory as build.sh instead of /etc/mk.conf, unless MAKECONF is already defined in the environment. diff --git a/tests/usr.sbin/certctl/t_certctl.sh b/tests/usr.sbin/certctl/t_certctl.sh index 6c96d5beb79f..204defa9f7da 100644 --- a/tests/usr.sbin/certctl/t_certctl.sh +++ b/tests/usr.sbin/certctl/t_certctl.sh @@ -1,6 +1,6 @@ #!/bin/sh -# $NetBSD: t_certctl.sh,v 1.4 2023/08/28 22:25:41 riastradh Exp $ +# $NetBSD: t_certctl.sh,v 1.5 2023/08/28 22:25:49 riastradh Exp $ # # Copyright (c) 2023 The NetBSD Foundation, Inc. # All rights reserved. @@ -358,7 +358,6 @@ symlinkcertsdir_body() mkdir empty ln -sfn empty certs - atf_expect_fail "certctl clobbers symlink at /etc/openssl/certs" atf_check -s not-exit:0 -e match:symlink $CERTCTL -n rehash atf_check -s not-exit:0 -e match:symlink $CERTCTL rehash atf_check -s exit:0 rmdir empty @@ -375,7 +374,6 @@ regularfilecertsdir_body() rmdir certs echo 'hello world' >certs - atf_expect_fail "certctl clobbers file at /etc/openssl/certs" atf_check -s not-exit:0 -e match:directory $CERTCTL -n rehash atf_check -s not-exit:0 -e match:directory $CERTCTL rehash atf_check -s exit:0 rm certs @@ -393,7 +391,6 @@ prepopulatedcerts_body() setupconf certs1 ln -sfn "$(atf_get_srcdir)/certs2"/*.pem certs/ - atf_expect_fail "certctl clobbers prepopulated /etc/openssl/certs" atf_check -s not-exit:0 -e match:manual $CERTCTL -n rehash atf_check -s not-exit:0 -e match:manual $CERTCTL rehash for cert in "$(atf_get_srcdir)/certs2"/*.pem; do diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh index 5a639b008bac..961e414a9c1b 100755 --- a/usr.sbin/certctl/certctl.sh +++ b/usr.sbin/certctl/certctl.sh @@ -1,6 +1,6 @@ #!/bin/sh -# $NetBSD: certctl.sh,v 1.2 2023/08/28 22:25:32 riastradh Exp $ +# $NetBSD: certctl.sh,v 1.3 2023/08/28 22:25:50 riastradh Exp $ # # Copyright (c) 2023 The NetBSD Foundation, Inc. # All rights reserved. @@ -427,9 +427,40 @@ rehash() return fi - # Delete the active certificates symlink cache. - run rm -rf "$certsdir" + # Delete the active certificates symlink cache, if either it is + # empty or nonexistent, or it is tagged for use by certctl. + if [ -f "$certsdir/.certctl" ]; then + # Directory exists and is managed by certctl(8). + # Safe to delete it and everything in it. + run rm -rf "$certsdir" + elif [ -h "$certsdir" ]; then + # Paranoia: refuse to chase a symlink. (Caveat: this + # is not secure against an adversary who can recreate + # the symlink at any time. Just a helpful check for + # mistakes.) + error "certificates directory is a symlink" + return 1 + elif [ ! -e "$certsdir" ]; then + # Directory doesn't exist at all. Nothing to do! + elif [ ! -d "$certsdir" ]; then + error "certificates directory is not a directory" + return 1 + elif ! find "$certsdir" -maxdepth 0 -type d -empty -exit 1; then + # certsdir exists, is a directory, and is empty. Safe + # to delete it with rmdir and take it over. + run rmdir "$certsdir" + else + error "existing certificates; set manual or move them" + return 1 + fi run mkdir "$certsdir" + if $vflag; then + printf '# initialize %s\n' "$certsdir" + fi + if ! $nflag; then + printf 'This directory is managed by certctl(8).\n' \ + >$certsdir/.certctl + fi # Create a temporary file for the single-file bundle. This # will be automatically deleted on normal exit or