Paul Eggert via tz <[email protected]> writes:
> Dag-Erling Smørgrav <[email protected]> writes:
> > We never asked you to add it.
> That's OK, you don't need to use it: you can continue to maintain a
> separate version of the code, a version that has exactly the same
> behavior as what's in tzcode.

I'm starting to doubt your good faith here, Paul.

> Though I still hope for an explanation that gives a realistic scenario
> showing why the openat + O_RESOLVE_BENEATH approach, which is less
> efficient, provides extra security in practice. I would like to put
> such an explanation into tzcode as a comment, as it's not obvious.

The goal is to allow TZ to point to anything inside TZDIR, either
absolutely or relatively, and nothing else, in the setugid case; there's
also a check that handles the weird-but-not-unheard-of case where TZ
points to TZDEFAULT (I've encountered downstream code that sets TZ to
":/etc/localtime"; I don't know why, and I'm afraid to ask, but it needs
to work). We previously had something lifted from OpenBSD which would
simply reject anything that contained a dot. This seemed overly
restrictive, so I wrote what we currently have instead. It does add a
couple of syscalls, but I can't think of an alternative that doesn't add
even more.

DES
-- 
Dag-Erling Smørgrav - [email protected]
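The policy Dag-Erling describes above, written out as an added C example (this is not tzcode's or FreeBSD's own implementation, and the names tz_classify, tz_open_beneath and the constants are hypothetical). It classifies an untrusted TZ value in the setugid case as "inside TZDIR, given absolutely or relatively", "TZDEFAULT itself", or "reject", rewrites the absolute form to a TZDIR-relative one, and then opens it with openat(2) on a TZDIR descriptor. On platforms with O_RESOLVE_BENEATH the kernel refuses any resolution that leaves TZDIR, including through a symlink planted inside it; the lexical ".." fallback shown for other platforms cannot see such symlinks, which is the practical difference between the two approaches. TZDIR is assumed to have no trailing slash, and the sample TZ strings in main() are constructed.

```c
/* Added example, not tzcode's or FreeBSD's code. Names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Results of tz_classify. */
#define TZ_REJECT   0   /* must not be opened at all */
#define TZ_IN_TZDIR 1   /* open via openat(tzdir_fd, rel, ...) */
#define TZ_DEFAULT  2   /* TZ names TZDEFAULT itself; open by absolute path */

/* Classify an untrusted TZ value. tzdir is assumed absolute with no trailing
 * slash. On TZ_IN_TZDIR, rel receives the path relative to TZDIR, so both the
 * absolute and the relative spelling go through the same containment check. */
int tz_classify(const char *tz, const char *tzdir, const char *tzdefault,
                char *rel, size_t relsz)
{
    if (tz == NULL)
        return TZ_REJECT;
    if (*tz == ':')            /* POSIX permits TZ=":path" */
        tz++;
    if (*tz == '\0')
        return TZ_REJECT;
    if (strcmp(tz, tzdefault) == 0)
        return TZ_DEFAULT;     /* e.g. TZ=":/etc/localtime" */
    if (*tz == '/') {
        size_t n = strlen(tzdir);
        /* Absolute: accept only TZDIR "/" something. A sibling such as
         * "/usr/share/zoneinfoX/..." fails because tz[n] is not '/'. */
        if (strncmp(tz, tzdir, n) != 0 || tz[n] != '/')
            return TZ_REJECT;
        tz += n;
        while (*tz == '/')
            tz++;
        if (*tz == '\0')
            return TZ_REJECT;  /* TZDIR itself is a directory, not a zone file */
    }
    if (strlen(tz) >= relsz)
        return TZ_REJECT;
    strcpy(rel, tz);
    return TZ_IN_TZDIR;
}

/* Lexical ".." component check used only by the fallback below. It cannot
 * detect a symlink inside TZDIR that points outside it; O_RESOLVE_BENEATH
 * rejects that case during kernel path resolution. */
bool tz_rel_has_dotdot(const char *p)
{
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return true;
        while (*p == '/')
            p++;
    }
    return false;
}

/* Open rel beneath tzdir_fd, letting the kernel enforce containment where the
 * platform provides O_RESOLVE_BENEATH (FreeBSD). */
int tz_open_beneath(int tzdir_fd, const char *rel)
{
#ifdef O_RESOLVE_BENEATH
    return openat(tzdir_fd, rel, O_RDONLY | O_RESOLVE_BENEATH);
#else
    /* Hypothetical fallback for platforms without the flag: weaker, see above. */
    if (tz_rel_has_dotdot(rel)) {
        errno = EACCES;
        return -1;
    }
    return openat(tzdir_fd, rel, O_RDONLY);
#endif
}

int main(void)
{
    const char *tzdir = "/usr/share/zoneinfo", *tzdefault = "/etc/localtime";
    /* Constructed sample TZ values. */
    const char *samples[] = { "Europe/Oslo", ":/usr/share/zoneinfo/Europe/Oslo",
                              ":/etc/localtime", "/etc/passwd", "../../etc/passwd" };
    char rel[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int kind = tz_classify(samples[i], tzdir, tzdefault, rel, sizeof rel);
        printf("%-36s -> %d %s\n", samples[i], kind, kind == TZ_IN_TZDIR ? rel : "");
        if (kind != TZ_IN_TZDIR)
            continue;
        int dfd = open(tzdir, O_RDONLY);
        if (dfd < 0)
            continue;          /* no zoneinfo on this host; classification still shown */
        int fd = tz_open_beneath(dfd, rel);
        printf("  open: %s\n", fd >= 0 ? "ok" : strerror(errno));
        if (fd >= 0)
            close(fd);
        close(dfd);
    }
    return 0;
}
```

The extra cost relative to a plain open(2) is the open of TZDIR plus the openat, which matches the "couple of syscalls" mentioned above; the string handling adds no syscalls of its own.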
