[Mongrel] Attention FreeBSD Gurus

Zed A. Shaw zedshaw at zedshaw.com
Fri Jan 26 03:49:46 EST 2007


I received this piece of code in a patch that turns on the FreeBSD http filtering.  I completely missed that it calls /sbin/sysctl directly which means I'm slipping on my auditing.

    def configure_socket_options
      case RUBY_PLATFORM
      when /linux/
        # 9 is currently TCP_DEFER_ACCEPT
        $tcp_defer_accept_opts = [Socket::SOL_TCP, 9, 1]
        $tcp_cork_opts = [Socket::SOL_TCP, 3, 1]
      when /freebsd/
        # Use the HTTP accept filter if available.
        # The struct made by pack() is defined in /usr/include/sys/socket.h as accept_filter_arg
        unless `/sbin/sysctl -nq net.inet.accf.http`.empty?
          $tcp_defer_accept_opts = [Socket::SOL_SOCKET, Socket::SO_ACCEPTFILTER, ['httpready', nil].pack('a16a240')]
        end
      end
    end

I'd like to know the following from the FreeBSD crew:

1) Are there any potential malicious potentials to this?  I don't assume any intent, but would like to know if I need to rush out a fix if there's a hackable problem with this (even theoretical).
2) What would be the un-ghetto way to do this same check?

Thanks a bunch.

-- 
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://www.awprofessional.com/title/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.


More information about the Mongrel-users mailing list