Paul Eggert via tz <tz@iana.org> writes:
Dag-Erling Smørgrav <des@FreeBSD.org> writes:
We never asked you to add it. That's OK, you don't need to use it: you can continue to maintain a separate version of the code, a version that has exactly the same behavior as what's in tzcode.
I'm starting to doubt your good faith here, Paul.
Though I still hope for an explanation that gives a realistic scenario showing why the openat + O_RESOLVE_BENEATH approach, which is less efficient, provides extra security in practice. I would like to put such an explanation into tzcode as a comment, as it's not obvious.
The goal is to allow TZ to point to anything inside TZDIR, either absolutely or relatively, and nothing else, in the setugid case; there's also a check that handles the weird-but-not-unheard-of case where TZ points to TZDEFAULT (I've encountered downstream code that sets TZ to ":/etc/localtime"; I don't know why, and I'm afraid to ask, but it needs to work).

We previously had something lifted from OpenBSD which would simply reject anything that contained a dot. This seemed overly restrictive, so I wrote what we currently have instead. It does add a couple of syscalls, but I can't think of an alternative that doesn't add even more.

DES
-- 
Dag-Erling Smørgrav - des@des.no
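As an added illustration of the policy DES describes (my own code, not FreeBSD's libc, OpenBSD's, or tzcode's): in the setugid case a TZ value is accepted only if it names TZDEFAULT or something beneath TZDIR, given absolutely or relatively, with a leading ':' stripped. The lexical check (no empty name, no leading '/', no ".." component) is kept, but the open itself goes through openat with O_RESOLVE_BENEATH where the OS has it, so that a symlink planted under TZDIR that points outside it is refused by the kernel rather than by string inspection. On Linux the equivalent openat2 RESOLVE_BENEATH is used; where neither exists the code falls back to the lexical check alone, which is exactly the weaker behaviour the thread is arguing about. TZ_TZDEFAULT, the helper names, the fixture under /tmp and the ENOSYS/EPERM fallback are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* openat, O_DIRECTORY, mkdtemp, syscall on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

#define TZ_TZDEFAULT "/etc/localtime"   /* assumed value of TZDEFAULT */
enum tz_class { TZ_REJECT, TZ_DEFAULT, TZ_BENEATH };

/* Lexical guard, kept as belt and braces: reject an empty name, a leading '/' and
 * any ".." component. It cannot see a symlink under TZDIR that points outside. */
static int tz_reject_lexically(const char *rel)
{
    if (rel[0] == '\0' || rel[0] == '/') return 1;
    for (const char *p = rel;; p++) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        if (p[n] == '\0') return 0;
        p += n;
    }
}

/* Policy: in the setugid case TZ may name TZDEFAULT or something beneath tzdir,
 * given absolutely or relatively; a leading ':' is stripped. On TZ_BENEATH,
 * *rel (if non-NULL) receives the name relative to tzdir. */
static enum tz_class tz_classify(const char *tzdir, const char *tz, const char **rel)
{
    if (tz[0] == ':') tz++;
    if (strcmp(tz, TZ_TZDEFAULT) == 0) return TZ_DEFAULT;
    if (tz[0] == '/') {                  /* absolute: must be tzdir + '/' + name */
        size_t n = strlen(tzdir);
        if (strncmp(tz, tzdir, n) != 0 || tz[n] != '/') return TZ_REJECT;
        for (tz += n; *tz == '/'; tz++) {}
    }
    if (tz_reject_lexically(tz)) return TZ_REJECT;
    if (rel != NULL) *rel = tz;
    return TZ_BENEATH;
}

/* Open rel below dirfd with the kernel refusing to let resolution escape dirfd
 * through ".." or symlinks. *enforced says whether that guarantee was available.
 * The fallback exists only so the example runs on older kernels (assumption);
 * a hardened build should fail closed instead. */
static int tz_openat_beneath(int dirfd, const char *rel, int *enforced)
{
#ifdef O_RESOLVE_BENEATH                 /* FreeBSD */
    *enforced = 1;
    return openat(dirfd, rel, O_RDONLY | O_RESOLVE_BENEATH);
#elif defined(__linux__) && defined(SYS_openat2)
    /* struct open_how and RESOLVE_BENEATH (0x08) as laid out in <linux/openat2.h> */
    struct { uint64_t flags, mode, resolve; } how = { O_RDONLY, 0, 0x08 };
    long fd = syscall(SYS_openat2, dirfd, rel, &how, sizeof how);
    if (fd >= 0 || (errno != ENOSYS && errno != EPERM)) { *enforced = 1; return (int)fd; }
#endif
    *enforced = 0;
    return openat(dirfd, rel, O_RDONLY);
}

/* The setugid lookup: a read-only fd for the file TZ names, or -1 with errno set. */
static int tz_open_setugid(const char *tzdir, const char *tz, int *enforced)
{
    const char *rel;
    int dirfd, fd, saved;
    switch (tz_classify(tzdir, tz, &rel)) {
    case TZ_REJECT:  errno = EACCES; return -1;
    case TZ_DEFAULT: *enforced = 1; return open(TZ_TZDEFAULT, O_RDONLY);
    default: break;
    }
    if ((dirfd = open(tzdir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    fd = tz_openat_beneath(dirfd, rel, enforced);
    saved = errno; close(dirfd); errno = saved;
    return fd;
}

/* Self-test on a constructed fixture under /tmp: Zone/City is a regular file and
 * Escape is a symlink to "/", so "Escape/etc/passwd" resolves outside the dir.
 * Returns 0 on success, else the failing step; the fixture is left behind. */
static int tz_selftest(void)
{
    char dir[] = "/tmp/tzdirXXXXXX", path[128];
    int fd, enforced = 0;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/Zone", dir);
    if (mkdir(path, 0700) != 0) return 2;
    snprintf(path, sizeof path, "%s/Zone/City", dir);
    if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) < 0) return 3;
    close(fd);
    snprintf(path, sizeof path, "%s/Escape", dir);
    if (symlink("/", path) != 0) return 4;
    if ((fd = tz_open_setugid(dir, "Zone/City", &enforced)) < 0) return 5;   /* relative, inside */
    close(fd);
    snprintf(path, sizeof path, ":%s/Zone/City", dir);                       /* absolute, inside, ':' */
    if ((fd = tz_open_setugid(dir, path, &enforced)) < 0) return 6;
    close(fd);
    if (tz_open_setugid(dir, "../etc/passwd", &enforced) != -1) return 7;    /* dot-dot escape */
    if (tz_open_setugid(dir, "/etc/passwd", &enforced) != -1) return 8;      /* absolute, outside */
    fd = tz_open_setugid(dir, "Escape/etc/passwd", &enforced);               /* symlink escape */
    if (fd >= 0) {
        close(fd);
        if (enforced) return 9;   /* only the kernel-enforced open can catch this one */
    }
    return 0;
}
```

Steps 7 and 8 of the self-test are caught by the string checks alone; step 9 is the case the thread is about, and it is only refused when the open carries O_RESOLVE_BENEATH (FreeBSD) or RESOLVE_BENEATH (Linux openat2), which is why the extra syscalls buy something the lexical check cannot.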