svn commit: r367280 - head/lib/libc/gen

Stefan Esser se at freebsd.org
Mon Nov 2 21:41:40 UTC 2020 

Am 02.11.20 um 20:20 schrieb Oliver Pinter:> On Monday, November 2, 
2020, Stefan Eßer <se at freebsd.org
> <mailto:se at freebsd.org>> wrote:
> 
>     Author: se
>     Date: Mon Nov  2 18:48:06 2020
>     New Revision: 367280
>     URL: https://svnweb.freebsd.org/changeset/base/367280
>     <https://svnweb.freebsd.org/changeset/base/367280>
> 
>     Log:
>        Re-arrange some of the code to separate writable user tree
>     variables from
>        R/O variables.
> 
>        While here fix some nearby style. No functional change intended.
> 
>        MFC after:    1 month
> 
> 
> Is there any phabricator reference for this / these commit(s) + reviewer 
> lists?

The previous commit that has been refined in this one has been
discussed in D27009.

I had added the new R/W sysctl variable to a switch statement that
contained one R/O string value, and excluded the OID from causing
an error return when a new value had been passed.

This was functionally OK, but I have decided to move handling of
the new writable variable to before the check for a write attempt
and thus need to test specifically for its OID.

This sysctl variable is referenced in Scott Longs proposed
getlocalbase() function (D27022), but also in the change to make
it define defaults paths in /etc/defaults/rc.conf (D27014).

I do not support to make LOCALBASE dynamic for a broad range of
programs, since this could lead to severe security issues (e.g.
when a program is restricted by policy settings LOCALBASE/etc and
an user-defined LOCALBASE could be used to circumvent them.

There are already programs that respect a LOCALBASE environment
variable, e.g. the pkg program, to allow it to e.g. operate with
a DESTDIR prefix other than "/". This is a program that could
instead use getlocalbase(), IMHO.

But for security reasons all files that determine policies and
exist in LOCALBASE since they are not distributed as part of the
base system, should be located in a secure way, and that is by
referring to a compiled in trusted path, IMHO.

Even if the sysctl variable "user.localbase" can only be written to
by root, the use of getlocalbase() provided by a shared library could
allow to perform a LD_PRELOAD attack (provide a getlocalbase() that
leadsto a user provided policy file instead of the admin controlled
one).

Regards, STefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20201102/87eb55ba/attachment-0001.sig>

More information about the svn-src-all mailing list