<mailto:s...@freebsd.org>> wrote:Author: se Date: Mon Nov 2 18:48:06 2020 New Revision: 367280 URL: https://svnweb.freebsd.org/changeset/base/367280 <https://svnweb.freebsd.org/changeset/base/367280> Log: Re-arrange some of the code to separate writable user tree variables from R/O variables. While here fix some nearby style. No functional change intended. MFC after: 1 monthIs there any phabricator reference for this / these commit(s) + reviewer lists?
The previous commit that has been refined in this one has been discussed in D27009. I had added the new R/W sysctl variable to a switch statement that contained one R/O string value, and excluded the OID from causing an error return when a new value had been passed. This was functionally OK, but I have decided to move handling of the new writable variable to before the check for a write attempt and thus need to test specifically for its OID. This sysctl variable is referenced in Scott Longs proposed getlocalbase() function (D27022), but also in the change to make it define defaults paths in /etc/defaults/rc.conf (D27014). I do not support to make LOCALBASE dynamic for a broad range of programs, since this could lead to severe security issues (e.g. when a program is restricted by policy settings LOCALBASE/etc and an user-defined LOCALBASE could be used to circumvent them. There are already programs that respect a LOCALBASE environment variable, e.g. the pkg program, to allow it to e.g. operate with a DESTDIR prefix other than "/". This is a program that could instead use getlocalbase(), IMHO. But for security reasons all files that determine policies and exist in LOCALBASE since they are not distributed as part of the base system, should be located in a secure way, and that is by referring to a compiled in trusted path, IMHO. Even if the sysctl variable "user.localbase" can only be written to by root, the use of getlocalbase() provided by a shared library could allow to perform a LD_PRELOAD attack (provide a getlocalbase() that leadsto a user provided policy file instead of the admin controlled one). Regards, STefan
OpenPGP_signature
Description: OpenPGP digital signature