On 1/26/07, Zed A. Shaw <zedshaw at zedshaw.com> wrote:
> I'd like to know the following from the FreeBSD crew:
>
> 1) Are there any potential malicious potentials to this? I don't assume any intent, but would like to know if I need to rush out a fix if there's a hackable problem with this (even theoretical).

Only if there is some way to change the arguments to sysctl, and then only if you are root. As far as I know most of the kernel states are readable via sysctl by any user.

> 2) What would be the un-ghetto way to do this same check?

There probably isn't one, as several of the freebsd rc scripts do basically the same thing.

Chris

I received this piece of code in a patch that turns on the FreeBSD http filtering. I completely missed that it calls /sbin/sysctl directly which means I'm slipping on my auditing.

    def configure_socket_options
      case RUBY_PLATFORM
      when /linux/
        # 9 is currently TCP_DEFER_ACCEPT
        $tcp_defer_accept_opts = [Socket::SOL_TCP, 9, 1]
        $tcp_cork_opts = [Socket::SOL_TCP, 3, 1]
      when /freebsd/
        # Use the HTTP accept filter if available.
        # The struct made by pack() is defined in /usr/include/sys/socket.h as accept_filter_arg
        unless `/sbin/sysctl -nq net.inet.accf.http`.empty?
          $tcp_defer_accept_opts = [Socket::SOL_SOCKET, Socket::SO_ACCEPTFILTER, ['httpready', nil].pack('a16a240')]
        end
      end
    end

I'd like to know the following from the FreeBSD crew:

1) Are there any potential malicious potentials to this? I don't assume any intent, but would like to know if I need to rush out a fix if there's a hackable problem with this (even theoretical).

2) What would be the un-ghetto way to do this same check?

Thanks a bunch.

--
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://www.awprofessional.com/title/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.

> I received this piece of code in a patch that turns on the FreeBSD http
> filtering. I completely missed that it calls /sbin/sysctl directly
> which means I'm slipping on my auditing.
>
[snip]
> unless `/sbin/sysctl -nq net.inet.accf.http`.empty?
[snip]
>
> I'd like to know the following from the FreeBSD crew:
>
> 1) Are there any potential malicious potentials to this? I don't assume
> any intent, but would like to know if I need to rush out a fix if
> there's a hackable problem with this (even theoretical).

Looks okay to me, and there's no arguments being passed in.. as long as it's not in a loop somewhere :)

> 2) What would be the un-ghetto way to do this same check?

This is probably the easiest, unless you wanted to write a C extension for accessing sysctl on freebsd.

http://www.freebsd.org/cgi/man.cgi?query=sysctl&apropos=0&sektion=3&manpath=FreeBSD+6.1-RELEASE&format=html

The only thing I'd keep in mind is this section at the end of the sysctl(1) man page:

    BUGS
    The sysctl utility presently exploits an undocumented interface to the
    kernel sysctl facility to traverse the sysctl tree and to retrieve
    format and name information. This correct interface is being thought
    about for the time being.

http://www.freebsd.org/cgi/man.cgi?query=sysctl&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

But I've been using freebsd since 1998 and sysctl has always been there and for what I use it for (about the same as above) hasn't changed that I can recall...

-philip
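
Added example, not part of the thread and not Mongrel's code: one way to do the check from question 2 without running /sbin/sysctl at all is to try the option on the listening socket and treat a kernel error as "filter not available". The method name, the `optname` parameter and the assumption that setsockopt fails when the accf_http filter is not loaded are this example's own.

```ruby
require 'socket'

# struct accept_filter_arg from /usr/include/sys/socket.h:
#   char af_name[16]; char af_arg[240];
# An empty string is packed for af_arg, giving 240 NUL bytes.
HTTPREADY_ARG = ['httpready', ''].pack('a16a240')

# Probe the kernel directly instead of spawning a subprocess.
#
# listener: a socket that is already listening (TCPServer.new does this).
# optname:  hypothetical override so the probe can be exercised on
#           platforms where Ruby does not define Socket::SO_ACCEPTFILTER.
#
# Returns the [level, optname, optval] triple when the kernel accepted the
# filter, or nil when the platform has no accept filters or the call failed.
def http_accept_filter_opts(listener, optname = nil)
  optname ||= Socket::SO_ACCEPTFILTER if Socket.const_defined?(:SO_ACCEPTFILTER)
  return nil if optname.nil? # no accept filters on this platform

  opts = [Socket::SOL_SOCKET, optname, HTTPREADY_ARG]
  listener.setsockopt(*opts)
  opts
rescue SystemCallError
  # Assumption: the kernel rejects the option when accf_http is not loaded
  # (or the socket is not listening). Either way, run without the filter.
  nil
end

# Usage on a real listener:
#   server = TCPServer.new('127.0.0.1', 3000)
#   $tcp_defer_accept_opts = http_accept_filter_opts(server)
```

Because no external program is started, the check does not depend on the process environment or on what is installed at /sbin/sysctl, and a failed probe leaves the server running without the filter.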