Paul Janzen <pjan...@foatdi.net> wrote:
> Yeah, I know with pledge() you can't do testing like
> TZ=:/home/pjanzen/dev/usr/share/zoneinfo/testing/2022/America/Kentucky/Monticello
> any more, even though that's a perfectly cromulent and functional TZ on my
> system otherwise. So for the time being, probably any TZ that exists and
> doesn't abort grdc is 38 bytes or shorter. Which works.
I disagree with the full-featured support of tzset() for all TZ paths.
and, of course your private Monticello file is corrupt TZ file, which exercises
a secret bug in the libc/time parser of the file, and you rely upon it to take
over control of this program, and other programs.
I despise this "feature". It basically says that tzset() requires full
filesystem access during the whole program lifetime.
Actually it is worse than that. Most programs do not call tzset(). I would
argue this program should not either.
Because there are 20+ libc API in src/lib/libc/time that will implicitly
do tzset(), whenever they need to.
And there are 10+ other libc API on that will call those libc/time API
And then there probably are thousands of API in other libraries which will
call those, late in a program's lifetime.
Backtracking, I think the idea that programs cannot be filesystem-contained
because of support for a stupid environment variable is dumb, and I think
it should fall back to the localtime or GMT for that program.
Otherwise if we wanted to be perfect, we should add tzset() as the first
function call in main() in ALL programs, which would be far more
repugnant than slowly taking the arbitrary path ability away from TZ, program
by program (in the same way we did for setuid/setgid binaries 20+ years ago).
tzload(const char *name, struct state *sp, int doextend)
...
if (name != NULL && issetugid() != 0) {
if ((name[0] == ':' && (strchr(name, '/') || strstr(name,
".."))) ||
name[0] == '/' || strchr(name, '.'))
name = NULL;
}
I think you will notice noone notices or cares.
I can mock it further by suggesting we add a O_TZ flag to open() which
tzload() can use to bypass the restrictions, because pointing at a private
personal TZ file is a Unix Right.... /sarc
