
On Sat, 2010-12-04 at 13:42 -0500, Brandon S Allbery KF8NH wrote:
> We went over this some time back; the GHC runtime is wrong here, it should only disable flags when running with geteuid() == 0.
No. +RTS flags on the command line, at least, need to stay disabled in all cases, not just setuid binaries. There are many situations where you can arrange for untrusted command line arguments to be passed to normal non-setuid binaries running with different privileges, including some that you might not expect, such as CGI scripts. We can possibly be more permissive with the GHCRTS environment variable, as long as we check that we aren't setuid or setgid or running with elevated capabilities, because it's harder to cross a privilege boundary with arbitrary environment variables. But, as already demonstrated by the replies, this check is hard to get right.

Anders
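As an added illustration of the two policies discussed in this message (this is example code written for this page, not code from the GHC runtime or from anyone in the thread), here is how a runtime could separate the two decisions: command-line +RTS options are refused unconditionally, while options from an environment variable are honoured only after a privilege-boundary check. The check itself shows why a bare geteuid() test is not enough: on Linux the kernel's AT_SECURE auxiliary-vector flag (read with glibc's getauxval) is set not only for setuid and setgid executables but also when file capabilities raised the process's privileges, a case a uid/gid comparison misses. The function names, the RTSOPTS_DEMO variable name and the treatment of the option string are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__linux__)
#include <sys/auxv.h>   /* getauxval(AT_SECURE): glibc >= 2.16 on Linux */
#endif

/*
 * Policy for RTS options supplied on the command line (+RTS ... -RTS):
 * never honoured, whatever the process identity, because argv can be
 * fed across a privilege boundary (CGI, wrapper scripts, cron jobs, ...).
 */
int rts_cmdline_opts_allowed(void)
{
    return 0;
}

/*
 * Policy for RTS options taken from an environment variable.
 * Written as a pure function of identity facts so it can be unit-tested:
 *   ruid/euid, rgid/egid  - real vs effective ids
 *   at_secure             - the kernel's "secure exec" flag (Linux AT_SECURE),
 *                           which is also set when file capabilities raised
 *                           privileges even though ruid == euid.
 */
int rts_env_opts_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid, int at_secure)
{
    if (at_secure)
        return 0;                       /* setuid, setgid or capability-bearing exec */
    if (ruid != euid || rgid != egid)
        return 0;                       /* belt and braces for non-Linux systems */
    return 1;
}

/* The same decision for the running process. */
int rts_env_opts_allowed_now(void)
{
    int at_secure = 0;
#if defined(__linux__)
    at_secure = getauxval(AT_SECURE) != 0;
#endif
    /* Without AT_SECURE (non-Linux builds) only the uid/gid comparison remains,
       which is exactly the incomplete check the thread warns about. */
    return rts_env_opts_allowed(getuid(), geteuid(), getgid(), getegid(), at_secure);
}

/* Returns the option string to hand to the runtime, or NULL if it must be ignored. */
const char *rts_opts_from_env(const char *value, int allowed)
{
    if (!allowed || value == NULL || value[0] == '\0')
        return NULL;
    return value;
}

int main(void)
{
    /* RTSOPTS_DEMO is a made-up variable name standing in for GHCRTS (assumption). */
    const char *opts = rts_opts_from_env(getenv("RTSOPTS_DEMO"), rts_env_opts_allowed_now());
    printf("command-line +RTS honoured: %s\n", rts_cmdline_opts_allowed() ? "yes" : "no");
    printf("environment RTS options:    %s\n", opts ? opts : "(ignored or unset)");
    return 0;
}
```

To see the capability case, build the program, run it once with RTSOPTS_DEMO set (the options are reported), then grant it a file capability with setcap and run it again: the real and effective uids are still equal, but AT_SECURE is set and the options are ignored.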