pkgsrc-bugs: pkg/34816: pkgtools/pkg_chk-1.82 uses /tmp unconditionally for scratch

Subject: pkg/34816: pkgtools/pkg_chk-1.82 uses /tmp unconditionally for scratch
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <jbernard@mines.edu>
List: pkgsrc-bugs
Date: 10/14/2006 19:20:02

>Number:         34816
>Category:       pkg
>Synopsis:       pkgtools/pkg_chk-1.82 uses /tmp unconditionally for scratch
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Oct 14 19:20:02 +0000 2006
>Originator:     Jim Bernard
>Release:        NetBSD 4.99.2
>Organization:
>Environment:
System: NetBSD 4.99.2 #0: Sat Sep 16 12:17:30 MDT 2006 i386
Architecture: i386
Machine: i386
>Description:
	The pkg_chk shell script unconditionally puts its scratch
	directory under /tmp and sets TMPDIR to the directory created.
	This can lead to filling of the file system containing /tmp
	when installing large package trees, and externally setting
	TMPDIR doesn't help.

	While I'm here: I noticed that pkg_chk executes pkg_add,
	pkg_delete, and pkg_info as arguments to /usr/bin/env, but
	/usr/bin/env is given no flags, nor any environment variables
	to set, and the programs are specified by full path names,
	such as "/usr/bin/env  /usr/sbin/pkg_add ...".  That would seem
	to make the use of /usr/bin/env superfluous.  Perhaps the intent
	was to execute the version of (e.g.) pkg_add in the location where
	the shell would find it in $PATH.  If so, then it's appropriate
	to use just (e.g.) "/usr/bin/env pkg_add ..." without the path
	prefix to pkg_add.

>How-To-Repeat:
	Run pkg_chk with TMPDIR set to, say, /var/tmp, and notice that
	the temporary directory it creates is in /tmp.  Or just read
	the script.

>Fix:
	Here's a candidate patch.

--- /usr/pkg/sbin/pkg_chk	2006-10-14 09:57:23.000000000 -0600
+++ ./pkg_chk	2006-10-14 12:50:20.000000000 -0600
@@ -86,12 +86,12 @@
     done
     }
 
 cleanup_and_exit()
     {
-    rm -f $TMPFILE
-    rmdir $TMPDIR
+    rm -f $PKG_CHK_TMPFILE
+    rmdir $PKG_TMPDIR
     exit "$@"
     }
 
 delete_pkgs()
     {
@@ -246,13 +246,13 @@
 	${PKG_INFO} -. -q -b $PACKAGES/$PKGNAME$PKG_SUFX | ${GREP} .
 	return
     fi
     # Unfortunately pkgsrc always outputs to a file, but it does helpfully
     # allows # us to specify the name
-    rm -f $TMPFILE
-    ${MAKE} _BUILD_VERSION_FILE=$TMPFILE $TMPFILE
-    cat $TMPFILE
+    rm -f $PKG_CHK_TMPFILE
+    ${MAKE} _BUILD_VERSION_FILE=$PKG_CHK_TMPFILE $PKG_CHK_TMPFILE
+    cat $PKG_CHK_TMPFILE
     }
 
 list_packages()
     {
     # DEPCHECKLIST contains packages for which binary packages are known to
@@ -666,12 +666,12 @@
 
 if [ $# != 0 ];then
     usage "Additional argument ($*) given"
 fi
 
-TMPDIR=`mktemp -d /tmp/${0##*/}.XXXXXX`
-TMPFILE=$TMPDIR/tmp
+export PKG_TMPDIR=`mktemp -d ${PKG_TMPDIR:-${TMPDIR:-/tmp}}/${0##*/}.XXXXXX`
+PKG_CHK_TMPFILE=$PKG_TMPDIR/tmp
 
 # Hide PKG_PATH to avoid breakage in 'make' calls
 saved_PKG_PATH=$PKG_PATH
 unset PKG_PATH || true