[Haskell-cafe] GHC 7.0.1 developer challenges

Brandon S Allbery KF8NH allbery at ece.cmu.edu
Wed Dec 8 16:29:48 CET 2010


On 12/8/10 02:17 , Anders Kaseorg wrote:
> On Sat, 2010-12-04 at 13:42 -0500, Brandon S Allbery KF8NH wrote:
>> We went over this some time back; the GHC runtime is wrong here, it
>> should only disable flags when running with geteuid() == 0.
> 
> No.  +RTS flags on the command line, at least, need to stay disabled in
> all cases, not just setuid binaries.  There are many situations where
> you can arrange for untrusted command line arguments to be passed to
> normal non-setuid binaries running with different privileges, including
> some that you might not expect, such as CGI scripts.
> 
> We can possibly be more permissive with the GHCRTS environment variable,
> as long as we check that we aren’t setuid or setgid or running with
> elevated capabilities, because it’s harder to cross a privilege boundary
> with arbitrary environment variables.  But, as already demonstrated by
> the replies, this check is hard to get right.

Then build your CGIs restricted.  Restricting the runtime by default,
*especially* when setting runtime options at compile time is so much of a
pain, is just going to cause problems.  I'm already thinking that I may have
to skip ghc7.

-- 
brandon s. allbery     [linux,solaris,freebsd,perl]      allbery at kf8nh.com
system administrator  [openafs,heimdal,too many hats]  allbery at ece.cmu.edu
electrical and computer engineering, carnegie mellon university      KF8NH
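
The setuid/setgid/capability check discussed in this thread, written out as an added example (not part of the original message and not GHC's runtime code). All type and function names are hypothetical, and reading `AT_SECURE` through `getauxval` is Linux-specific; the block sets the `geteuid() == 0` test beside a broader privilege-boundary check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (glibc >= 2.16) */
#endif

/* All names below are hypothetical; none come from the GHC runtime. */
struct proc_creds {
    uid_t ruid, euid;
    gid_t rgid, egid;
    bool  at_secure;  /* kernel flag: set-id exec or gained file capabilities */
};

enum rts_source { RTS_FROM_ARGV, RTS_FROM_GHCRTS_ENV };

/* Snapshot the credentials of the running process. */
struct proc_creds current_creds(void) {
    struct proc_creds c = { getuid(), geteuid(), getgid(), getegid(), false };
#ifdef __linux__
    c.at_secure = getauxval(AT_SECURE) != 0;
#endif
    return c;
}

/* Narrow check: only an effective uid of root counts as privileged. */
bool euid_is_root(const struct proc_creds *c) {
    return c->euid == 0;
}

/* Broader check: did exec change the uid, the gid or the capabilities? */
bool crossed_privilege_boundary(const struct proc_creds *c) {
    return c->ruid != c->euid || c->rgid != c->egid || c->at_secure;
}

/* Policy from the quoted reply: +RTS on argv is never taken by default;
 * GHCRTS is taken only when no privilege boundary was crossed. */
bool honour_rts_options(enum rts_source src, const struct proc_creds *c) {
    if (src == RTS_FROM_ARGV)
        return false;
    return !crossed_privilege_boundary(c);
}

int main(void) {
    struct proc_creds c = current_creds();
    printf("euid_is_root=%d crossed_boundary=%d honour_GHCRTS=%d\n",
           euid_is_root(&c), crossed_privilege_boundary(&c),
           honour_rts_options(RTS_FROM_GHCRTS_ENV, &c));
    return 0;
}
```

For a binary that is set-uid to a non-root account (constructed case: real uid 1000, effective uid 33), `euid_is_root` returns false while `crossed_privilege_boundary` returns true, so `GHCRTS` is ignored.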


