On Mon, 2 Nov 2020 22:41:38 +0100 Stefan Esser <s...@freebsd.org> wrote:
> Am 02.11.20 um 20:20 schrieb Oliver Pinter:> On Monday, November 2, > 2020, Stefan Eßer <s...@freebsd.org > > <mailto:s...@freebsd.org>> wrote: > > > > Author: se > > Date: Mon Nov 2 18:48:06 2020 > > New Revision: 367280 > > URL: https://svnweb.freebsd.org/changeset/base/367280 > > <https://svnweb.freebsd.org/changeset/base/367280> > > > > Log: > > Re-arrange some of the code to separate writable user tree > > variables from > > R/O variables. > > > > While here fix some nearby style. No functional change intended. > > > > MFC after: 1 month > > > > > > Is there any phabricator reference for this / these commit(s) + reviewer > > lists? > > The previous commit that has been refined in this one has been > discussed in D27009. > > I had added the new R/W sysctl variable to a switch statement that > contained one R/O string value, and excluded the OID from causing > an error return when a new value had been passed. > > This was functionally OK, but I have decided to move handling of > the new writable variable to before the check for a write attempt > and thus need to test specifically for its OID. > > This sysctl variable is referenced in Scott Longs proposed > getlocalbase() function (D27022), but also in the change to make > it define defaults paths in /etc/defaults/rc.conf (D27014). > > I do not support to make LOCALBASE dynamic for a broad range of > programs, since this could lead to severe security issues (e.g. > when a program is restricted by policy settings LOCALBASE/etc and > an user-defined LOCALBASE could be used to circumvent them. > > There are already programs that respect a LOCALBASE environment > variable, e.g. the pkg program, to allow it to e.g. operate with > a DESTDIR prefix other than "/". This is a program that could > instead use getlocalbase(), IMHO. > > But for security reasons all files that determine policies and > exist in LOCALBASE since they are not distributed as part of the > base system, should be located in a secure way, and that is by > referring to a compiled in trusted path, IMHO. > > Even if the sysctl variable "user.localbase" can only be written to > by root, the use of getlocalbase() provided by a shared library could > allow to perform a LD_PRELOAD attack (provide a getlocalbase() that > leadsto a user provided policy file instead of the admin controlled > one). > > Regards, STefan I think that the first question we want to ask is : Do we want to support LOCALBASE being different than /usr/local I honestly don't see any advantages of making it !=/usr/local/ and before we start putting a lot of new/useless(for I guess 99% of our user base) in the tree we should here why people are using /usr/pkg or whatever weird location. If they have some good argument, then we should proceed further. -- Emmanuel Vadot <m...@bidouilliste.com> _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
