dpkg questions regarding installation in non-standard directories
Hi!
For a test system for a security-relevant setting, I'd like to split
/usr in a way that "dangerous" tools like gcc are stored on a second
disk that can be umounted and switched off, preventing attackers from
compling their tools because there is no compiler without physical
access to the box to switch that second disk on.
A possible solution would be to install these security relevant
programs into /usr/develdisk and to use stow to link /usr/develdisk to
/usr. That way, I would have /usr/develdisk/bin/gcc and a symlink
pointing from /usr/bin/gcc to /usr/develdisk/bin/gcc. If develdisk is
umounted, I'd have a dangling link and could either live with it or do
a stow -D prior to unmounting to clean up the symlinks.
Could that work?
I have written the following script to do so:
|#!/bin/bash
|
|# this script will aid in moving some files belonging to dpkg-packages
|# to different locations on the system. This is done by first learning
|# which files belong to a package, then passing all file names through
|# a sed script and executing appropriate mv commands.
|#
|# Example: Move all of gcc, stow and libreadlineg2 what is usually stored
|# in /usr to /usr/devel:
|# dpkg-move -v -s "s|/usr|/usr/devel|" gcc stow libreadlineg2
|
|while getopts "s:vn" opt; do
| case $opt in
| s ) sedscript=$OPTARG ;;
| v ) verbose=1 ;;
| n ) noop=1 ;;
| \? ) echo 'usage: $0 [-v] [-n] -s sedscript packages...'
| echo ' -v: verbose'
| echo ' -n: do not actually execute the move commands'
| exit 1
| esac
|done
|shift $(($OPTIND - 1))
|
|if [ -z $sedscript ]; then
| echo 'no script given'
| exit 1
|fi
|
|[ $verbose ] && echo "entering verbose mode."
|
|while [ "$1" != "" ]; do
| dpkg --listfiles $1 |
| while read filename; do
| if [ ! -d $filename ]; then
| newname=`echo $filename | sed $sedscript`
| if [ $filename != $newname ]; then
|
| # make sure that target directory exists
|
| dir=$newname
|
|
| [ $verbose ] && echo "mv $filename $newname"
| [ $noop ] || echo "execmv $filename $newname"
| else
| [ $verbose ] && echo "$filename: not touched by script, skipping."
| fi
| else
| [ $verbose ] && echo "$filename: directory, skipping."
| fi
| done
| shift
|done
I am not yet a wizard in shell scripting and would appreciate your
comments about possible bugs and coding style problems. This script
currently breaks when the package includes symlinks since mv can't
move symlinks across file systems. Is copying and deleting a possible
workaround? What am I to do in this situation?
However, I have two dpkg issues with this approach:
(1)
A package moved by this script and re-stowed to its original location
will certainly break during a distribution update. Is there anything I
can do to prevent this or would dpkg have to support this? Is there
any chance of getting support for this situation into a future version
of dpkg?
(2)
Should I make my script update dpkg databases?
I'd appreciate your comments, thanks in advance.
Am I probably better off in a different mailing list? Should I
crosspost to devel or user?
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
Reply to: