[Mongrel] Attention FreeBSD Gurus

Philip Hallstrom mongrel at philip.pjkh.com
Fri Jan 26 14:38:10 EST 2007

> I received this piece of code in a patch that turns on the FreeBSD http 
> filtering.  I completely missed that it calls /sbin/sysctl directly 
> which means I'm slipping on my auditing.
>        unless `/sbin/sysctl -nq net.inet.accf.http`.empty?
> I'd like to know the following from the FreeBSD crew:
> 1) Are there any potential malicious potentials to this?  I don't assume 
> any intent, but would like to know if I need to rush out a fix if 
> there's a hackable problem with this (even theoretical).

Looks okay to me, and there are no arguments being passed in... as long as 
it's not in a loop somewhere :)

> 2) What would be the un-ghetto way to do this same check?

This is probably the easiest, unless you wanted to write a C extension for 
accessing sysctl on freebsd.


The only thing I'd keep in mind is this section at the end of the 
sysctl(1) man page:

    The sysctl utility presently exploits an undocumented interface to
    the kernel sysctl facility to traverse the sysctl tree and to retrieve
    format and name information.  This correct interface is being thought
    about for the time being.


But I've been using freebsd since 1998 and sysctl has always been there 
and for what I use it for (about the same as above) hasn't changed that I 
can recall...
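As an added example (mine, not code from this thread or from Mongrel), here is the same check done without a shell: the sysctl path and the OID are the ones from the quoted patch, but the arguments go to sysctl as an argv array through Open3.capture3 (so no shell parses the command line), the result is decided from the exit status and the output together, and a cached wrapper makes sure the fork happens once rather than on every call. The module name AccfHttpCheck and the caching are my own choices; on a box without net.inet.accf.http (Linux, say) query simply returns false.

```ruby
require 'open3'

module AccfHttpCheck
  # Path and OID taken from the patch quoted above.
  SYSCTL_BIN = '/sbin/sysctl'.freeze
  OID = 'net.inet.accf.http'.freeze

  # Decide from the raw result whether the accept filter is present: the
  # command must have exited 0 *and* printed a non-blank value. Testing only
  # for empty output (as the original one-liner does) treats a failed or
  # missing sysctl the same as "filter not loaded", which happens to be the
  # safe default, but checking both makes the intent explicit.
  def self.loaded?(stdout, exit_ok)
    exit_ok && !stdout.to_s.strip.empty?
  end

  # Run sysctl exactly once. Passing the argv as separate strings bypasses
  # /bin/sh entirely, so nothing in the arguments can be reinterpreted.
  def self.query(bin = SYSCTL_BIN)
    return false unless File.file?(bin) && File.executable?(bin)

    stdout, _stderr, status = Open3.capture3(bin, '-n', '-q', OID)
    loaded?(stdout, status.success?)
  rescue SystemCallError
    # exec failed (permissions, odd filesystem, etc.): treat as unavailable
    false
  end

  # Memoised wrapper: the answer cannot change while the process runs, so
  # callers in a hot path (per-connection setup, for example) never fork again.
  def self.available?
    return @available unless @available.nil?

    @available = query
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "accf_http available: #{AccfHttpCheck.available?}"
end
```

Call AccfHttpCheck.available? where the patch currently uses the backtick expression; loaded? is kept separate so the decision logic can be exercised without a FreeBSD kernel underneath.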

