
On 9/7/10 10:51, Edward Z. Yang wrote:
> Excerpts from Johannes Waldmann's message of Tue Sep 07 10:38:47 -0400 2010:
>> It seems it would be needed for all things multi-core, since you'd want
>> to modify +RTS -Nx
>
> This is a good point: if RTS options are disabled, there should probably
> be a mechanism for specifying what RTS options should be baked in.

I'd call this incomplete because programs compiled with RTS options enabled are still insecure. The correct fix is to ignore GHCRTS and die on +RTS *when setuid*. Since this isn't something that can be changed in a running process (well, not without some fairly evil kernel memory poking) there are no race conditions to watch out for; just ignore the RTS options when getuid() != geteuid() and getuid() != 0 (and similar for setgid/setegid, although those are less critical because gid is really only useful for filesystem permissions).

A better fix would be to identify "safe" settings and only allow those (and only via +RTS) when setuid. OTOH that's pretty much the system configuration version of the Halting Problem :)

-- 
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH
I'd call this incomplete because programs compiled with RTS options enabled are still insecure. The correct fix is to ignore GHCRTS and die on +RTS *when setuid*. Since this isn't something that can be changed in a running process (well, not without some fairly evil kernel memory poking) there are no race conditions to watch out for; just ignore the RTS options when getuid() != geteuid() and getuid() != 0 (and similar for setgid/setegid, although those are less critical because gid is really only useful for filesystem permissions). A better fix would be to identify "safe" settings and only allow those (and only via +RTS) when setuid. OTOH that's pretty much the system configuration version of the Halting Problem :) - -- brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu electrical and computer engineering, carnegie mellon university KF8NH -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyGakwACgkQIn7hlCsL25UjmgCghMw4kmTsTxcCTYKYYLxGU8Yl 6HQAoIGA9axL8zqCwDpaR2PL/BGTEnpk =XlOo -----END PGP SIGNATURE-----