This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: ~/.localtime ?


I don't like the idea of that being built-in behavior, for multiple
reasons.  One is the extra syscall to attempt to open the missing file
first before opening /etc/localtime.  Another is the security concern.
There are many security experts to weigh in, not just yours.  And even
supposed security experts can overlook things.  (Admittedly, a third reason
is just me being reactionary about new things we haven't ever needed since
1987 so why do we need them now?)

For every security person I've come across, I think the notion of adding to
the set of files--especially ones whose exact names vary and are affected
by environment variables--that are opened by more or less every random
program would be an immediate red flag to consider very carefully.
Are we going to ignore the file under __libc_enable_secure?
Are we going to add HOME to UNSECURE_ENVVARS?  etc.

Anyway, the fact that I can't accept your proposal doesn't mean we can't
implement the functionality that you actually want.

What seems entirely reasonable to me is to extend or change our
implementation-defined behavior for values of TZ starting with :.
(Currently we just ignore the :, so it might be either a zoneinfo file name
or POSIX.1 TZ syntax.)  If we don't care that much about compatibility with
dubiously-useful existing uses of the syntax, then an obvious thing is to
make it:

	TZ=:FILE[:FILE]...

i.e., a search list of files to use, the first that's opened being taken.
The list, rather than the individual file previously chosen, would be
reevaluated from scratch at tzset time, in case a file earlier in the list
didn't exist before and now does.

Then a user's environment, presumably set by default in the desktop system
or /etc/profile or whatnot, could contain:

	TZ=:$HOME/.localtime:/etc/localtime

Of course, nothing today stops you from putting into /etc/profile:

	test -e $HOME/.localtime || ln -snf /etc/localtime $HOME/.localtime
	TZ=:$HOME/.localtime

But the search-list feature seems nicer (if not necessarily the exact
syntax I used in my examples).  It's already the case that TZ settings can
cause a program to read any named file (i.e. "TZ=:/dev/rst0 something-suid"
might rewind the tape drive), so the security situation is unchanged by
adding this feature.


Thanks,
Roland
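
An added example, not part of the message above and not glibc code: a C sketch of the proposed TZ=:FILE[:FILE]... search list, where the first entry that opens is taken and the list is walked again from scratch on every call. The function names, the `secure` parameter (standing in for __libc_enable_secure) and the choice to ignore the list when it is set are assumptions of this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Sketch, not glibc code: resolve TZ=:FILE[:FILE]... and return an fd for
   the first entry that opens, copying its path into `chosen`.
   `secure` stands in for __libc_enable_secure; ignoring the whole list
   when it is set is an assumption of this sketch. Returns -1 on no match. */
int tz_search_open(const char *tz, int secure, char *chosen, size_t cap)
{
    if (cap == 0)
        return -1;
    chosen[0] = '\0';
    if (secure || tz == NULL || tz[0] != ':')
        return -1;
    for (const char *p = tz + 1; *p != '\0'; ) {
        size_t len = strcspn(p, ":");
        if (len > 0 && len < cap) {       /* skip empty or oversized entries */
            memcpy(chosen, p, len);
            chosen[len] = '\0';
            int fd = open(chosen, O_RDONLY);
            if (fd >= 0)
                return fd;                /* first file that opens is taken */
        }
        p += len + (p[len] == ':');       /* step over the entry and its ':' */
    }
    chosen[0] = '\0';
    return -1;
}

/* Run at every tzset-equivalent; nothing is cached between calls. */
int tz_resolve(const char *tz, int secure, char *chosen, size_t cap)
{
    int fd = tz_search_open(tz, secure, chosen, cap);
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}

int main(void)
{
    char chosen[4096];
    if (tz_resolve(getenv("TZ"), 0, chosen, sizeof chosen))
        printf("using %s\n", chosen);
    else
        puts("no search-list entry opened; fall back to the default");
    return 0;
}
```

Because every call walks the list again, creating the earlier file after the first call changes the result of the next one, which is the re-evaluation behaviour described for tzset time.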

