This isn't a security bug as it requires root privilege to empty
/etc/rc.conf. If you have root privilege, you can do that already.

Also, changing the root shell is bad for many reasons and I'm not
surprised that something doesn't work.

That said, it certainly is less than desirable and should probably be
more robust in case of this failure. I would recommend opening a bug
for this and seeing if we can get someone to pick it up.

Thanks for the report!
Gordon
Hat: security-officer

On Sat, May 29, 2021 at 11:10 PM Fas Xmut via freebsd-security
<[email protected]> wrote:
>
> I don't know if it is a security bug or not. When I used sysrc today, the
> error operations emptied my /etc/rc.conf. That's a small disaster, because my
> /etc/rc.conf is updated day by day, but now it is empty.
>
> First, change your default root shell to sh/ksh or one of their derived
> shells. (I have tested; csh will not trigger that bug.)
>
> Second, back up /etc/rc.conf to any other place.
>
> Then do the following commands:
>
> ------------------------------------------------------------------------
> # sysrc something_enable="NO"
> # sysrc something_enable="YES
> > "
> awk: newline in string YES
> ... at source line 1
> something_enable: NO -> YES
> ------------------------------------------------------------------------
>
> Now see what is inside /etc/rc.conf. Everything is empty! Only one thing is
> in it:
>
> ------------------------------------------------------------------------
> something_enable="YES
> "
> ------------------------------------------------------------------------
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> _______________________________________________
> [email protected] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[email protected]"
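The reply above asks for this failure to be handled more robustly. The following is an added example, not sysrc's code and not from either poster: a fail-closed way to update one `KEY="VALUE"` line in an rc.conf-style file. It assumes the failure mode suggested by the transcript (awk aborts on the newline, yet the file is still replaced); `rc_set` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: rc_set FILE KEY VALUE (hypothetical helper, not part of sysrc).
# The original file is only replaced after every step has succeeded.
rc_set() {
    file=$1 key=$2 value=$3
    nl='
'
    # Refuse the input from the report (embedded newline) and stray quotes.
    case $value in
        *"$nl"*|*'"'*) echo "rc_set: invalid value" >&2; return 2 ;;
    esac
    case $key in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "rc_set: invalid key" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "rc_set: $file not found" >&2; return 1; }

    # Keep a copy, then build the new content beside the original so the
    # final mv is a rename on the same filesystem.
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1

    # Pass key and value through the environment, never inside the awk
    # program text, so awk does not parse them as source code.
    if ! RC_KEY="$key" RC_VAL="$value" awk '
        BEGIN { k = ENVIRON["RC_KEY"]; v = ENVIRON["RC_VAL"] }
        index($0, k "=") == 1 { print k "=\"" v "\""; done = 1; next }
        { print }
        END { if (!done) print k "=\"" v "\"" }
    ' "$file" > "$tmp"; then
        rm -f "$tmp"
        echo "rc_set: awk failed, $file left untouched" >&2
        return 1
    fi

    # A rewrite of one key must never shrink the file.
    old=$(($(wc -l < "$file")))
    new=$(($(wc -l < "$tmp")))
    if [ "$new" -lt "$old" ]; then
        rm -f "$tmp"
        echo "rc_set: result shorter than original, $file left untouched" >&2
        return 1
    fi

    # mktemp creates the file with mode 0600; restore the mode your system expects.
    mv "$tmp" "$file"
}
```
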