[Mongrel] Attention FreeBSD Gurus

Zed A. Shaw zedshaw at zedshaw.com
Fri Jan 26 03:49:46 EST 2007

I received this piece of code in a patch that turns on the FreeBSD http filtering.  I completely missed that it calls /sbin/sysctl directly which means I'm slipping on my auditing.

    def configure_socket_options
      case RUBY_PLATFORM
      when /linux/
        # 9 is currently TCP_DEFER_ACCEPT
        $tcp_defer_accept_opts = [Socket::SOL_TCP, 9, 1]
        $tcp_cork_opts = [Socket::SOL_TCP, 3, 1]
      when /freebsd/
        # Use the HTTP accept filter if available.
        # The struct made by pack() is defined in /usr/include/sys/socket.h as accept_filter_arg
        unless `/sbin/sysctl -nq net.inet.accf.http`.empty?
          $tcp_defer_accept_opts = [Socket::SOL_SOCKET, Socket::SO_ACCEPTFILTER, ['httpready', nil].pack('a16a240')]

I'd like to know the following from the FreeBSD crew:

1) Are there any potential malicious potentials to this?  I don't assume any intent, but would like to know if I need to rush out a fix if there's a hackable problem with this (even theoretical).
2) What would be the un-ghetto way to do this same check?

Thanks a bunch.

Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.awprofessional.com/title/0321483502 -- The Mongrel Book
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.

More information about the Mongrel-users mailing list