pkg check -s - why does it try to open the pkg DB in r/w mode?

From: Patrick M. Hausen <hausen_at_punkt.de>
Date: Tue, 21 May 2024 12:54:29 UTC
Hi all,

we have this jail based hosting environment and I began to debug some odd error message
of the daily security check output:

-----------
pkg: Insufficient privileges
-----------

The cause was quickly found with truss:

-----------
14199: openat(AT_FDCWD,"/var/db/pkg",O_RDONLY|O_DIRECTORY|O_CLOEXEC,00) = 5 (0x5)
14199: fstatat(5,".",{ mode=drwxr-xr-x ,inode=34,size=5,blksize=4096 },0x0) = 0 (0x0)
14199: faccessat(5,".",R_OK,AT_EACCESS) = 0 (0x0)
14199: fstatat(5,"local.sqlite",{ mode=-rw-r--r-- ,inode=2,size=109010944,blksize=131072 },0x0) = 0 (0x0)
14199: faccessat(5,"local.sqlite",R_OK,AT_EACCESS) = 0 (0x0)
14199: fstatat(5,".",{ mode=drwxr-xr-x ,inode=34,size=5,blksize=4096 },0x0) = 0 (0x0)
14199: faccessat(5,".",R_OK,AT_EACCESS) = 0 (0x0)
14199: fstatat(5,"local.sqlite",{ mode=-rw-r--r-- ,inode=2,size=109010944,blksize=131072 },0x0) = 0 (0x0)
14199: faccessat(5,"local.sqlite",W_OK,AT_EACCESS) ERR#30 'Read-only file system'
pkg: 14199: write(2,"pkg: ",5) = 5 (0x5)
Insufficient privileges14199: write(2,"Insufficient privileges",23) = 23 (0x17)
-----------

Yes, we mount lots of things into the jails r/o. The daily script runs `pkg -qsa` for a checksum check
of all installed packages.


Question: why does pkg need the database to be r/w for a -s/--checksum check?

Thanks and kind regards,
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Sophienstr. 187
76185 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de

AG Mannheim 108285
Geschäftsführer: Daniel Lienert, Fabian Stein