
Yuras Shumovich writes:

So what is the magic "link-time flag to en/disable the RTS options"? It seems it would be needed for all things multi-core, since you'd want to modify +RTS -Nx

J.W.

Excerpts from Johannes Waldmann's message of Tue Sep 07 10:38:47 -0400 2010:
> Yuras Shumovich writes:
> So what is the magic "link-time flag to en/disable the RTS options"?

As you mentioned earlier, -rtsopts.

> It seems it would be needed for all things multi-core, since you'd want to modify +RTS -Nx

This is a good point: if RTS options are disabled, there should probably be a mechanism for specifying what RTS options should be baked in.

Cheers,
Edward

On 9/7/10 10:51, Edward Z. Yang wrote:
> Excerpts from Johannes Waldmann's message of Tue Sep 07 10:38:47 -0400 2010:
>> It seems it would be needed for all things multi-core, since you'd want to modify +RTS -Nx
> This is a good point: if RTS options are disabled, there should probably be a mechanism for specifying what RTS options should be baked in.

I'd call this incomplete because programs compiled with RTS options enabled are still insecure. The correct fix is to ignore GHCRTS and die on +RTS *when setuid*. Since this isn't something that can be changed in a running process (well, not without some fairly evil kernel memory poking) there are no race conditions to watch out for; just ignore the RTS options when getuid() != geteuid() and getuid() != 0 (and similar for setgid/setegid, although those are less critical because gid is really only useful for filesystem permissions).

A better fix would be to identify "safe" settings and only allow those (and only via +RTS) when setuid. OTOH that's pretty much the system configuration version of the Halting Problem :)

-- 
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH

Hello Brandon,

Tuesday, September 7, 2010, 8:37:32 PM, you wrote:
> I'd call this incomplete because programs compiled with RTS options enabled are still insecure.
> The correct fix is to ignore GHCRTS and die on +RTS *when setuid*. Since

I strongly agree.

-- 
Best regards,
Bulat mailto:Bulat.Ziganshin@gmail.com

On 8 September 2010 02:37, Brandon S Allbery KF8NH wrote:
> A better fix would be to identify "safe" settings and only allow those (and only via +RTS) when setuid. OTOH that's pretty much the system configuration version of the Halting Problem :)

Or optionally, allow the developer to specify which flags are safe (e.g. "users are allowed to specify -N").

-- 
Ivan Lazar Miljenovic
Ivan.Miljenovic@gmail.com
IvanMiljenovic.wordpress.com
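The two proposals above (Brandon's: ignore GHCRTS and refuse +RTS when the real and effective ids differ; Ivan's: let the developer declare a short list of flags that remain allowed) can be combined into one small check that runs before any runtime option is parsed. The C below is an added example written for this page, not code from GHC's runtime or from anyone in the thread. The function names (rts_options_trusted, select_rts_options), the prefix-match allowlist, and the sample command lines and GHCRTS value are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

typedef enum { RTS_OK = 0, RTS_REFUSED = 1 } rts_status;

/* Brandon's rule: honour RTS options only when the real user is root or the
 * real and effective ids agree. A gid mismatch (setgid binary) is treated the
 * same way; the thread notes it is less critical, but there is no reason to
 * let a setgid program be reconfigured by its caller either. */
int rts_options_trusted(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (uid == 0)
        return 1;                       /* real root: nothing to escalate */
    return uid == euid && gid == egid;
}

/* Index of "+RTS" in argv (GHC's convention for runtime options), or -1. */
static int find_rts_flag(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "+RTS") == 0)
            return i;
    return -1;
}

/* True if opt starts with one of the developer-declared safe prefixes
 * (Ivan's proposal: "-N" lets the user choose -N4 but nothing else). */
static int flag_is_safe(const char *opt, const char *const *safe_prefixes)
{
    for (; safe_prefixes && *safe_prefixes; safe_prefixes++)
        if (strncmp(opt, *safe_prefixes, strlen(*safe_prefixes)) == 0)
            return 1;
    return 0;
}

/* Append a word to a space-separated option string, never overflowing out. */
static void append_word(char *out, size_t outlen, const char *word)
{
    size_t used = strlen(out);
    if (used > 0 && used + 1 < outlen) {
        out[used++] = ' ';
        out[used] = '\0';
    }
    strncat(out, word, outlen - used - 1);
}

/* Decide which RTS options take effect. Trusted processes get GHCRTS followed
 * by the "+RTS ... -RTS" section of argv. Untrusted (setuid/setgid) processes
 * never see GHCRTS; their +RTS section is accepted only if every option
 * matches the safe list, otherwise the caller is expected to abort. */
rts_status select_rts_options(int argc, char **argv, const char *ghcrts,
                              int trusted, const char *const *safe_prefixes,
                              char *out, size_t outlen)
{
    int start = find_rts_flag(argc, argv);
    out[0] = '\0';

    if (trusted && ghcrts && *ghcrts)
        append_word(out, outlen, ghcrts);   /* environment honoured only when trusted */

    if (start < 0)
        return RTS_OK;

    for (int i = start + 1; i < argc && strcmp(argv[i], "-RTS") != 0; i++) {
        if (!trusted && !flag_is_safe(argv[i], safe_prefixes)) {
            out[0] = '\0';                  /* discard anything collected so far */
            return RTS_REFUSED;
        }
        append_word(out, outlen, argv[i]);
    }
    return RTS_OK;
}

/* ---- constructed sample inputs for demonstration (not from any real program) ---- */
static char *sample_mixed[] = { "prog", "input.txt", "+RTS", "-N4", "-K1g", "-RTS", "out.txt" };
static char *sample_n_only[] = { "prog", "+RTS", "-N4", "-RTS" };
static const char *sample_ghcrts = "-H256m";                 /* constructed GHCRTS value */
static const char *const sample_safe[] = { "-N", NULL };     /* developer allows only -N */
static char sample_out[256];

/* Run the selection over sample 0 (-N4 and -K1g) or sample 1 (-N4 only) with an
 * explicit trust decision; the chosen option string is left in sample_out. */
rts_status run_sample(int sample_no, int trusted, int with_safe_list)
{
    char **argv = sample_no == 0 ? sample_mixed : sample_n_only;
    int argc = sample_no == 0 ? 7 : 4;
    return select_rts_options(argc, argv, sample_ghcrts, trusted,
                              with_safe_list ? sample_safe : NULL,
                              sample_out, sizeof sample_out);
}

const char *sample_options(void) { return sample_out; }

int main(void)
{
    int trusted = rts_options_trusted(getuid(), geteuid(), getgid(), getegid());
    if (run_sample(0, trusted, 1) == RTS_REFUSED) {
        fprintf(stderr, "refusing +RTS options in a privileged process\n");
        return 1;
    }
    printf("effective RTS options: \"%s\"\n", sample_options());
    return 0;
}
```

The trust decision is taken once from the process ids and is deliberately not re-checked later, for the reason Brandon gives: nothing short of the kernel changes those ids under a running process, so there is no window to race. With the allowlist empty the behaviour collapses to Brandon's original rule (any +RTS in an untrusted process is refused); with "-N" declared safe, an untrusted user can still pick the core count but an attempt to also set -K1g rejects the whole section rather than silently dropping the unsafe flag.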

In many cases it would make quite a lot of sense for the developer to be able to specify default flags as well, preferably without resorting to including a C file. Generally, the developer will know better than the user whether it makes sense to include -N, the various thread affinity options, the default stack/heap size, etc. Bonus points for a sensible monoid allowing each library to contribute to the decision for an executable with no declared preference :).

Ideally, the user would be able to specify constraints on those sorts of things globally, once for all, perhaps in their cabal configuration (since I for one don't want any program to give itself a default stack size of 2G without my knowledge just because the author couldn't be bothered to track down a space leak). The packages would specify what they want, and cabal would give it to them, within the bounds of the user's constraints.

It certainly would not be a trivial undertaking to define the proper behavior of such a system, but if I were gonna wish for a miracle in this area, I think that's the direction I'd be dreaming in.

-- James

On Sep 7, 2010, at 9:51 PM, Ivan Lazar Miljenovic wrote:
> On 8 September 2010 02:37, Brandon S Allbery KF8NH wrote:
>> A better fix would be to identify "safe" settings and only allow those (and only via +RTS) when setuid. OTOH that's pretty much the system configuration version of the Halting Problem :)
>
> Or optionally, allow the developer to specify which flags are safe (e.g. "users are allowed to specify -N").
>
> -- 
> Ivan Lazar Miljenovic
> Ivan.Miljenovic@gmail.com
> IvanMiljenovic.wordpress.com
participants (6)
- Brandon S Allbery KF8NH
- Bulat Ziganshin
- Edward Z. Yang
- Ivan Lazar Miljenovic
- James Andrew Cook
- Johannes Waldmann