svn commit: r367280 - head/lib/libc/gen
Emmanuel Vadot
manu at bidouilliste.com
Mon Nov 2 21:49:19 UTC 2020
On Mon, 2 Nov 2020 22:41:38 +0100
Stefan Esser <se at freebsd.org> wrote:
> Am 02.11.20 um 20:20 schrieb Oliver Pinter:> On Monday, November 2,
> 2020, Stefan Eßer <se at freebsd.org
> > <mailto:se at freebsd.org>> wrote:
> >
> > Author: se
> > Date: Mon Nov 2 18:48:06 2020
> > New Revision: 367280
> > URL: https://svnweb.freebsd.org/changeset/base/367280
> > <https://svnweb.freebsd.org/changeset/base/367280>
> >
> > Log:
> > Re-arrange some of the code to separate writable user tree
> > variables from
> > R/O variables.
> >
> > While here fix some nearby style. No functional change intended.
> >
> > MFC after: 1 month
> >
> >
> > Is there any phabricator reference for this / these commit(s) + reviewer
> > lists?
>
> The previous commit that has been refined in this one has been
> discussed in D27009.
>
> I had added the new R/W sysctl variable to a switch statement that
> contained one R/O string value, and excluded the OID from causing
> an error return when a new value had been passed.
>
> This was functionally OK, but I have decided to move handling of
> the new writable variable to before the check for a write attempt
> and thus need to test specifically for its OID.
>
> This sysctl variable is referenced in Scott Longs proposed
> getlocalbase() function (D27022), but also in the change to make
> it define defaults paths in /etc/defaults/rc.conf (D27014).
>
> I do not support to make LOCALBASE dynamic for a broad range of
> programs, since this could lead to severe security issues (e.g.
> when a program is restricted by policy settings LOCALBASE/etc and
> an user-defined LOCALBASE could be used to circumvent them.
>
> There are already programs that respect a LOCALBASE environment
> variable, e.g. the pkg program, to allow it to e.g. operate with
> a DESTDIR prefix other than "/". This is a program that could
> instead use getlocalbase(), IMHO.
>
> But for security reasons all files that determine policies and
> exist in LOCALBASE since they are not distributed as part of the
> base system, should be located in a secure way, and that is by
> referring to a compiled in trusted path, IMHO.
>
> Even if the sysctl variable "user.localbase" can only be written to
> by root, the use of getlocalbase() provided by a shared library could
> allow to perform a LD_PRELOAD attack (provide a getlocalbase() that
> leadsto a user provided policy file instead of the admin controlled
> one).
>
> Regards, STefan
I think that the first question we want to ask is : Do we want to
support LOCALBASE being different than /usr/local
I honestly don't see any advantages of making it !=/usr/local/ and
before we start putting a lot of new/useless(for I guess 99% of our
user base) in the tree we should here why people are using /usr/pkg or
whatever weird location.
If they have some good argument, then we should proceed further.
--
Emmanuel Vadot <manu at bidouilliste.com>
More information about the svn-src-head
mailing list