Commit Graph

176 Commits

Author SHA1 Message Date
kevans
deeb56f911 vfs: add restrictions to read(2) of a directory [1/2]
Historically, we've allowed read() of a directory and some filesystems will
accommodate (e.g. ufs/ffs, msdosfs). From the history department staffed by
Warner: <<EOF

pdp-7 unix seemed to allow reading directories, but they were weird, special
things there so I'm unsure (my pdp-7 assembler sucks).

1st Edition's sources are lost, mostly. The kernel allows it. The
reconstructed sources from 2nd or 3rd edition read it though.

V6 to V7 changed the filesystem format, and should have been a warning, but
reading directories weren't materially changed.

4.1b BSD introduced readdir because of UFS. UFS broke all directory reading
programs in 1983. ls, du, find, etc all had to be rewritten. readdir() and
friends were introduced here.

SysVr3 picked up readdir() in 1987 for the AT&T fork of Unix. SysVr4 updated
all the directory reading programs in 1988 because different filesystem
types were introduced.

In the 90s, these interfaces became completely ubiquitous as PDP-11s running
V7 faded from view and all the folks that initially started on V7 upgraded
to SysV. Linux never supported this (though I've not done the software
archeology to check) because it has always had a pathological diversity of
filesystems.
EOF

Disallowing read(2) on a directory has the side-effect of masking
application bugs from relying on other implementation's behavior
(e.g. Linux) of rejecting these with EISDIR across the board, but allowing
it has been a vector for at least one stack disclosure bug in the past[0].

By POSIX, this is implementation-defined whether read() handles directories
or not. Popular implementations have chosen to reject them, and this seems
sensible: the data you're reading from a directory is not structured in some
unified way across filesystem implementations like with readdir(2), so it is
impossible for applications to portably rely on this.

With this patch, we will reject most read(2) of a dirfd with EISDIR. Users
that know what they're doing can conscientiously set
bsd.security.allow_read_dir=1 to allow read(2) of directories, as it has
proven useful for debugging or recovery. A future commit will further limit
the sysctl to allow only the system root to read(2) directories, to make it
at least relatively safe to leave on for longer periods of time.

While we're adding logic pertaining to directory vnodes to vn_io_fault, an
additional assertion has also been added to ensure that we're not reaching
vn_io_fault with any write request on a directory vnode. Such request would
be a logical error in the kernel, and must be debugged rather than allowing
it to potentially silently error out.

Commented out shell aliases have been placed in root's chsrc/shrc to promote
awareness that grep may become noisy after this change, depending on your
usage.

A tentative MFC plan has been put together to try and make it as trivial as
possible to identify issues and collect reports; note that this will be
strongly re-evaluated. Tentatively, I will MFC this knob with the default as
it is in HEAD to improve our odds of actually getting reports. The future
priv(9) to further restrict the sysctl WILL NOT BE MERGED BACK, so the knob
will be a faithful reversion on stable/12. We will go into the merge
acknowledging that the sysctl default may be flipped back to restore
historical behavior at *any* point if it's warranted.

[0] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc

PR:		246412
Reviewed by:	mckusick, kib, emaste, jilles, cy, phk, imp (all previous)
Reviewed by:	rgrimes (latest version)
MFC after:	1 month (note the MFC plan mentioned above)
Relnotes:	absolutely, but will amend previous RELNOTES entry
Differential Revision:	https://reviews.freebsd.org/D24596
2020-06-04 18:09:55 +00:00
bdrewery
4432d88efb Fix .depend files to work for build tools.
This is somewhat of a follow-up to r335746.

MFC after:	2 weeks
Sponsored by:	DellEMC
2019-06-15 17:08:13 +00:00
trasz
4b41e850a4 Don't mess with BLOCKSIZE in shell startup files - it's set by login.conf(5);
there's no need to even mention it in shell rc files.  Not that it's wrong;
just pointless and somewhat misleading.

Reviewed by:	jilles
MFC after:	2 weeks
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D18809
2019-01-20 22:08:49 +00:00
brd
208aeda4b2 Finish moving dot.cshrc and dot.profile to bin/csh/ and bin/sh/.
Approved by:	re (gjb), will (mentor)
Differential Revision:	https://reviews.freebsd.org/D16770
2018-08-29 16:59:19 +00:00
brd
31d8fadaeb Fix the install of /root/.login missed as part of r337849.
Approved by:	re (rgrimes)
2018-08-28 22:51:45 +00:00
brd
7793b47479 Revert parts of r337849 and r337857
This fixes the build and I will redo these changes as part of a future review
that organizes them differently.  The way I tried to do it here could be done
better.  Sorry for the noise.

Approved by:	will (mentor)
Differential Revision:	https://reviews.freebsd.org/D16737
2018-08-15 23:18:34 +00:00
brd
b56fc406ef Fix build after r337849
This moves the symlink creation to after where the files are installed.

This also inverts the shell change so that it only happens if MK_TCSH is on.

Approved by:	will (mentor)
Differential Revision:	https://reviews.freebsd.org/D16725
2018-08-15 16:22:12 +00:00
brd
553d7626fc Move all sh and csh files into bin/sh/ or bin/csh/
This simplifies pkgbase by migrating these to CONFS so they are properly
tagged as config files.

Approved by:	will (mentor)
Differential Revision:	https://reviews.freebsd.org/D16708
2018-08-15 14:41:24 +00:00
bdrewery
ee7076ae8a Don't use CCACHE for linking.
MFC after:	2 weeks
Sponsored by:	Dell EMC
2018-06-27 19:29:15 +00:00
bdrewery
a598c4b809 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
dchagin
99d35efa75 Update to tcsh 6.20.00 2017-03-25 13:32:28 +00:00
ngie
c52aabb8ad bin: normalize paths using SRCTOP-relative paths or :H when possible
This simplifies make logic/output

MFC after:	1 month
Sponsored by:	Dell EMC Isilon
2017-03-04 11:31:08 +00:00
bdrewery
055864c022 WITH_META_MODE: Fix bin/csh rebuilding tc.const.h
This is the same issue as r297997, but was missed in it.

The WARNS value changes between 'build-tools' (MK_WARNS=no) and
'everything' resulting in a rebuild of this file.

Approved by:	re (implicit)
Sponsored by:	EMC / Isilon Storage Division
2016-06-14 16:19:49 +00:00
bdrewery
ed7b299662 DIRDEPS_BUILD: Run the staged bootstrap-tools version of build-tools.
This avoids running target binaries.

Sponsored by:	EMC / Isilon Storage Division
2016-05-09 22:21:09 +00:00
andrew
392b4907a4 Stop using sbrk in csh. This is a legacy interface and its use within csh
is invalid. It is used to find the size of allocated memory. As malloc may
allocate memory with mmap it will fail to take this memory into account.

Obtained from:	brooks
2016-04-26 11:39:32 +00:00
gjb
6549ef7d12 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-16 02:32:12 +00:00
bdrewery
b40d5fe0a7 META_MODE: Don't rebuild build-tools targets during normal build.
This avoids 'build command changed' due to CFLAGS/CC changes during the
normal build.  Without this the build-tools targets end up rebuilding
for the *target* rather than keeping the native versions built in
build-tools.

Sponsored by:	EMC / Isilon Storage Division
2016-04-14 21:06:10 +00:00
gjb
e0e3598ce1 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-11 15:24:59 +00:00
mp
be3e91df09 Revert r296416 by removing SAVESIGVEC and switching to fork instead. This
fixes usage with system libraries which maintain their own signal state.

PR:             208132
Obtained from:  kib
MFC after:	3 days
2016-04-07 14:25:15 +00:00
gjb
1dc4c40e3b MFH
Sponsored by:	The FreeBSD Foundation
2016-04-04 23:55:32 +00:00
bdrewery
33d187376d CCACHE_BUILD: Don't use ccache when generating some files with CC -E.
At least for ncurses this fixes a build error due to it trying to run
'ccache --version' to work around a gcc 5 bug using the fix in r287205.

Sponsored by:	EMC / Isilon Storage Division
2016-03-24 21:48:13 +00:00
gjb
f4bd2481be MFH
Sponsored by:	The FreeBSD Foundation
2016-03-06 04:13:17 +00:00
mp
9e883b407e Signal handling within tcsh vfork code path will conflict with some system
libraries (such as libthr) which maintain their own signal state. This
change adds the tcsh SAVESIGVEC option to save and restore the sigvecs for
the signals the child modifies before it execs.

Reviewed by:	kib, rwatson
Reported by:	kib
2016-03-05 19:55:42 +00:00
gjb
955ce29ea3 MFH
Sponsored by:	The FreeBSD Foundation
2016-03-02 16:14:46 +00:00
bdrewery
2a891f1feb DIRDEPS_BUILD: Regenerate without local dependencies.
These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.

Sponsored by:	EMC / Isilon Storage Division
2016-02-24 17:20:11 +00:00
gjb
ee23b7758f Explicitly add unmarked bin/ binaries to the runtime package.
Note: tcsh(1) has a MK_TCSH=no test, so this should be a separate
package, which requires pre-install/post-install scripts, to be
added later.

Sponsored by:	The FreeBSD Foundation
2016-02-09 16:58:50 +00:00
bdrewery
f053f5a5d6 Don't link /usr/share/nls/de_DE.UTF-8/tcsh.cat to itself.
Sponsored by:	EMC / Isilon Storage Division
2016-02-03 23:37:24 +00:00
ume
9b1e693666 The charset of NLS catalogs were converted to UTF-8
since r231990.
2016-02-03 11:44:43 +00:00
ume
08d60f77fa Make dynamic link of libiconv from ports work again.
The symbols of libiconv from ports were changed to
have prefixed.
Since we have iconv in our libc these days, we don't
need it on 10.X and later.  However, 9.X still need
this.

Spotted by:	Yoshihiko Sarumaru
MFC after:	1 days
2016-02-02 11:51:18 +00:00
eadler
21a3003f8f Fix a ton of speelling errors
arc lint is helpful

Reviewed By: allanjude, wblock, #manpages, chris@bsdjunk.com
Differential Revision: https://reviews.freebsd.org/D3337
2015-10-21 05:37:09 +00:00
sjg
008d7c831f Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
sjg
75a137820d dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
sjg
65145fa4c8 Merge sync of head 2015-05-27 01:19:58 +00:00
tijl
82726adc4d Fix build after r281550 when WITHOUT_ICONV is defined.
Reported by:	adrian
MFC after:	2 weeks
2015-04-16 07:17:00 +00:00
tijl
b0813ee288 Remove the const qualifier from iconv(3) to comply with POSIX:
http://pubs.opengroup.org/onlinepubs/9699919799/functions/iconv.html

Adjust all code that calls iconv.

PR:		199099
Exp-run by:	antoine
MFC after:	2 weeks
2015-04-15 09:09:20 +00:00
will
afad9375d8 Add a ${CP} alias for copying files in the build.
Some users build FreeBSD as non-root in Perforce workspaces.  By default,
Perforce sets files read-only unless they're explicitly being edited.
As a result, the -f argument must be used to cp in order to override the
read-only flag when copying source files to object directories.  Bare use of
'cp' should be avoided in the future.

Update all current users of 'cp' in the src tree.

Reviewed by:	emaste
MFC after:	1 week
Sponsored by:	Spectra Logic
2015-01-16 21:39:08 +00:00
bapt
53c2ff7734 Convert bin/ to LIBADD, reduce overlinking allow to build all components as
static
2014-11-25 11:15:40 +00:00
sjg
b137080f19 Merge from head@274682 2014-11-19 01:07:58 +00:00
will
8fbdaa50ea Fix incremental builds involving non-root users with read-only source files.
Makefiles should not assume that source files can be overwritten.  This is the
common case for Perforce source trees.

This is a followup commit to r211243 in the same vein.

MFC after:	1 month
Sponsored by:	Spectra Logic
MFSpectraBSD:	r1036319 on 2014/01/29, r1046711 on 2014/03/06
2014-09-18 14:41:57 +00:00
sjg
d7cd1d425c Merge head from 7/28 2014-08-19 06:50:54 +00:00
brooks
ea5a037d1f Replace all uses of libncurses and libtermcap with their wide character
variants.  This allows usable file system images (i.e. those with both a
shell and an editor) to be created with only one copy of the curses library.

Exp-run:	antoine
PR:		189842
Discussed with:	bapt
Sponsored by:	DARPA, AFRL
2014-07-17 18:24:34 +00:00
sjg
5860f0d106 Updated dependencies 2014-05-16 14:09:51 +00:00
sjg
1a7e48acf1 Updated dependencies 2014-05-10 05:16:28 +00:00
sjg
ed3fc70bf5 Merge from head 2014-05-08 23:54:15 +00:00
imp
2118f42afd Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
sjg
292ec5d301 Updated dependencies 2013-10-13 00:24:00 +00:00
sjg
6d37b86f2b Updated dependencies 2013-03-11 17:21:52 +00:00
sjg
0ee5295509 Updated dependencies 2013-02-16 01:23:54 +00:00
marcel
9dd41e3647 Sync FreeBSD's bmake branch with Juniper's internal bmake branch.
Requested by: Simon Gerraty <sjg@juniper.net>
2012-08-22 19:25:57 +00:00
mp
3ee51a00f3 Update to tcsh 6.18.01. 2012-02-22 03:36:15 +00:00