===================================================================
RCS file: /cvs/openbsd/fw_update/fw_install.sh,v
retrieving revision 1.42
retrieving revision 1.47
diff -u -r1.42 -r1.47
--- openbsd/fw_update/fw_install.sh	2021/12/01 03:11:43	1.42
+++ openbsd/fw_update/fw_install.sh	2021/12/02 03:48:13	1.47
@@ -1,5 +1,5 @@
 #!/bin/ksh
-#	$OpenBSD: fw_install.sh,v 1.42 2021/12/01 03:11:43 afresh1 Exp $
+#	$OpenBSD: fw_install.sh,v 1.47 2021/12/02 03:48:13 afresh1 Exp $
 set -e
 
 # Copyright (c) 2021 Andrew Hewus Fresh <afresh1@openbsd.org>
@@ -21,15 +21,26 @@
 	echo "${DESTDIR}/tmp"
 }
 
-# tmpdir, do_as, unpriv, and unpriv2 are from install.sub
+# tmpdir, do_as, and unpriv are from install.sub
+# modified to use su(1) when not in the installer.
+# modified to use mktemp(1) when not in the installer.
 
 # Create a temporary directory based on the supplied directory name prefix.
 tmpdir() {
 	local _i=1 _dir
+	if [[ -z $1 ]]; then
+		echo No tmpdir >&2
+		exit 1
+	fi
 
-	until _dir="${1?}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do
-		((++_i < 10000)) || return 1
-	done
+	if [[ -e /usr/bin/mktemp ]]; then
+		_dir=$( /usr/bin/mktemp -d $1 )
+		chown _sndio "$_dir"
+	else
+		until _dir="${1%-+(X)}.$_i.$RANDOM" && mkdir -- "$_dir" 2>/dev/null; do
+		    ((++_i < 10000)) || return 1
+		done
+	fi
 	echo "$_dir"
 }
 
@@ -78,10 +89,6 @@
 	do_as _sndio "$@"
 }
 
-unpriv2() {
-	do_as _file "$@"
-}
-
 VNAME=${VNAME:-$(sysctl -n kern.osrelease)}
 VERSION=${VERSION:-"${VNAME%.*}${VNAME#*.}"}
 FWDIR=${FWDIR:-$VNAME}
@@ -143,7 +150,7 @@
 		# Create a download directory for the firmware and
 		# check that the _sndio user can read files from
 		# it. Otherwise cleanup and skip the filesystem.
-		if _tmpsrc=$(tmpdir "$_tmpfs/firmware"); then
+		if _tmpsrc=$(tmpdir "$_tmpfs/firmware-XXXXXXXXX"); then
 			(
 			>$_tmpsrc/t &&
 			$_unpriv cat $_tmpsrc/t
@@ -164,8 +171,7 @@
 	    echo "Cannot fetch SHA256.sig" >&2 && return 1
 
 	# Verify signature file with public keys.
-	! $_unpriv -f "$_cfile" \
-	    signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" &&
+	! signify -Vep $FWPUB_KEY -x "$_cfile.sig" -m "$_cfile" &&
 	    echo "Signature check of SHA256.sig failed" >&2 && return 1
 
 	for _d in $_drivers; do
@@ -190,8 +196,8 @@
 		# sha256. Create a flag file in case ftp failed. Firmware
 		# from net is written to the prefetch area.
 		( $_unpriv ftp -D "$_t" -Vmo - "$_src/$_f" || >/tmp/fail ) |
-		( $_srclocal && unpriv2 sha256 -b >/tmp/h ||
-		    unpriv2 -f /tmp/h sha256 -bph /tmp/h >"$_tmpsrc/$_f" )
+		( $_srclocal && sha256 -b >/tmp/h ||
+		    sha256 -bph /tmp/h >"$_tmpsrc/$_f" )
 
 		# Handle failed transfer.
 		if [[ -f /tmp/fail ]]; then