> I received this piece of code in a patch that turns on the FreeBSD http > filtering. I completely missed that it calls /sbin/sysctl directly > which means I'm slipping on my auditing. > [snip] > unless `/sbin/sysctl -nq net.inet.accf.http`.empty? [snip] > > I'd like to know the following from the FreeBSD crew: > > 1) Are there any potential malicious potentials to this? I don't assume > any intent, but would like to know if I need to rush out a fix if > there's a hackable problem with this (even theoretical).
Looks okay to me, and there's no arguments being passed in.. as long as it's not in a loop somewhere :) > 2) What would be the un-ghetto way to do this same check? This is probably the easiest, unless you wanted to write a C extension for accessing sysctl on freebsd. http://www.freebsd.org/cgi/man.cgi?query=sysctl&apropos=0&sektion=3&manpath=FreeBSD+6.1-RELEASE&format=html The only thing I'd keep in mind is this section at the end of the sysctl(1) man page: BUGS The sysctl utility presently exploits an undocumented interface to the kernel sysctl facility to traverse the sysctl tree and to retrieve format and name information. This correct interface is being thought about for the time being. http://www.freebsd.org/cgi/man.cgi?query=sysctl&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html But I've been using freebsd since 1998 and sysctl has always been there and for what I use it for (about the same as above) hasn't changed that I can recall... -philip _______________________________________________ Mongrel-users mailing list Mongrel-users@rubyforge.org http://rubyforge.org/mailman/listinfo/mongrel-users
