svn commit: r367280 - head/lib/libc/gen

Emmanuel Vadot manu at bidouilliste.com
Mon Nov 2 21:49:19 UTC 2020 

On Mon, 2 Nov 2020 22:41:38 +0100
Stefan Esser <se at freebsd.org> wrote:

> Am 02.11.20 um 20:20 schrieb Oliver Pinter:> On Monday, November 2, 
> 2020, Stefan Eßer <se at freebsd.org
> > <mailto:se at freebsd.org>> wrote:
> > 
> >     Author: se
> >     Date: Mon Nov  2 18:48:06 2020
> >     New Revision: 367280
> >     URL: https://svnweb.freebsd.org/changeset/base/367280
> >     <https://svnweb.freebsd.org/changeset/base/367280>
> > 
> >     Log:
> >        Re-arrange some of the code to separate writable user tree
> >     variables from
> >        R/O variables.
> > 
> >        While here fix some nearby style. No functional change intended.
> > 
> >        MFC after:    1 month
> > 
> > 
> > Is there any phabricator reference for this / these commit(s) + reviewer 
> > lists?
> 
> The previous commit that has been refined in this one has been
> discussed in D27009.
> 
> I had added the new R/W sysctl variable to a switch statement that
> contained one R/O string value, and excluded the OID from causing
> an error return when a new value had been passed.
> 
> This was functionally OK, but I have decided to move handling of
> the new writable variable to before the check for a write attempt
> and thus need to test specifically for its OID.
> 
> This sysctl variable is referenced in Scott Longs proposed
> getlocalbase() function (D27022), but also in the change to make
> it define defaults paths in /etc/defaults/rc.conf (D27014).
> 
> I do not support to make LOCALBASE dynamic for a broad range of
> programs, since this could lead to severe security issues (e.g.
> when a program is restricted by policy settings LOCALBASE/etc and
> an user-defined LOCALBASE could be used to circumvent them.
> 
> There are already programs that respect a LOCALBASE environment
> variable, e.g. the pkg program, to allow it to e.g. operate with
> a DESTDIR prefix other than "/". This is a program that could
> instead use getlocalbase(), IMHO.
> 
> But for security reasons all files that determine policies and
> exist in LOCALBASE since they are not distributed as part of the
> base system, should be located in a secure way, and that is by
> referring to a compiled in trusted path, IMHO.
> 
> Even if the sysctl variable "user.localbase" can only be written to
> by root, the use of getlocalbase() provided by a shared library could
> allow to perform a LD_PRELOAD attack (provide a getlocalbase() that
> leadsto a user provided policy file instead of the admin controlled
> one).
> 
> Regards, STefan

 I think that the first question we want to ask is : Do we want to
support LOCALBASE being different than /usr/local
 I honestly don't see any advantages of making it !=/usr/local/ and
before we start putting a lot of new/useless(for I guess 99% of our
user base) in the tree we should here why people are using /usr/pkg or
whatever weird location.
 If they have some good argument, then we should proceed further.

-- 
Emmanuel Vadot <manu at bidouilliste.com>

More information about the svn-src-head mailing list