
Re: Attention FreeBSD Gurus: msg#00201

lang.ruby.mongrel.general

Subject: Re: Attention FreeBSD Gurus

> I received this piece of code in a patch that turns on the FreeBSD http
> filtering. I completely missed that it calls /sbin/sysctl directly
> which means I'm slipping on my auditing.
>
[snip]
> unless `/sbin/sysctl -nq net.inet.accf.http`.empty?
[snip]
>
> I'd like to know the following from the FreeBSD crew:
>
> 1) Are there any potential malicious potentials to this? I don't assume
> any intent, but would like to know if I need to rush out a fix if
> there's a hackable problem with this (even theoretical).

Looks okay to me, and there are no arguments being passed in, as long as
it's not in a loop somewhere :)

> 2) What would be the un-ghetto way to do this same check?

This is probably the easiest, unless you wanted to write a C extension for
accessing sysctl on FreeBSD.

http://www.freebsd.org/cgi/man.cgi?query=sysctl&apropos=0&sektion=3&manpath=FreeBSD+6.1-RELEASE&format=html

The only thing I'd keep in mind is this section at the end of the
sysctl(1) man page:

BUGS
     The sysctl utility presently exploits an undocumented interface to
     the kernel sysctl facility to traverse the sysctl tree and to retrieve
     format and name information. This correct interface is being thought
     about for the time being.

http://www.freebsd.org/cgi/man.cgi?query=sysctl&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

But I've been using FreeBSD since 1998 and sysctl has always been there,
and for what I use it for (about the same as above) it hasn't changed that I
can recall...

-philip
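The check under discussion, written out as an added example that is not code from the original thread or from Mongrel itself. It keeps the same `/sbin/sysctl -n -q net.inet.accf.http` invocation the patch uses, but passes the arguments as an argv array (so nothing is handed to a shell), decides on the exit status as well as on whether stdout is empty, treats a missing `/sbin/sysctl` as "not available", and memoises the answer so it is not re-run per request. The helper names (`sysctl_argv`, `interpret_sysctl`, `accf_http_loaded?`, `accf_http_available`) are my own, not Mongrel's.

```ruby
require 'open3'

# Added example (not from the original thread): test whether the FreeBSD
# HTTP accept filter (accf_http) is loaded by reading the
# net.inet.accf.http sysctl node, without going through a shell.
SYSCTL_BIN = '/sbin/sysctl'.freeze
ACCF_HTTP_OID = 'net.inet.accf.http'.freeze

# The command as an argv array. Each element is passed to the process
# separately, so there is no /bin/sh parsing, quoting or PATH lookup to
# reason about; the binary is named by absolute path.
def sysctl_argv(oid)
  [SYSCTL_BIN, '-n', '-q', oid]
end

# Decide from the process result, not only from "stdout is empty".
# With -q the "unknown oid" warning is suppressed, so when the module is
# not loaded we expect a non-zero exit status and no output; when it is
# loaded we expect status 0 and at least one value line.
def interpret_sysctl(stdout, status_ok)
  return false unless status_ok
  !stdout.strip.empty?
end

# Run the check once. Any failure to execute sysctl at all (no such file,
# permission denied, ...) is reported as "not available" rather than raised.
def accf_http_loaded?
  stdout, _stderr, status = Open3.capture3(*sysctl_argv(ACCF_HTTP_OID))
  interpret_sysctl(stdout, status.success?)
rescue SystemCallError
  false
end

# Memoise the answer: the kernel state does not change per request, and
# this avoids the "as long as it's not in a loop" concern from the reply.
def accf_http_available
  @accf_http_available = accf_http_loaded? if @accf_http_available.nil?
  @accf_http_available
end

if __FILE__ == $PROGRAM_NAME
  puts "accf_http loaded: #{accf_http_available}"
end
```

Memoising at process start does mean a module loaded later (`kldload accf_http` after the server is up) is not noticed until restart, which is the trade-off for not re-spawning sysctl on every connection.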

