-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Some tweaks for MPR#7557 #1213
Some tweaks for MPR#7557 #1213
Conversation
@lefessan @dra27 @mshinwell @lpw25 @avsm @stedolan @alainfrisch @gasche |
What's the possible escalation with custom runtimes ? Why can't it be fixed
?
…On Tue, Jun 27, 2017 at 2:45 PM Damien Doligez ***@***.***> wrote:
@lefessan <https://github.com/lefessan> @dra27 <https://github.com/dra27>
@mshinwell <https://github.com/mshinwell> @lpw25
<https://github.com/lpw25> @avsm <https://github.com/avsm> @stedolan
<https://github.com/stedolan> @alainfrisch
<https://github.com/alainfrisch> @gasche <https://github.com/gasche>
quick review?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1213 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAfbjULB_7D7etnccaM4bk5bhuBHRZTcks5sIPlLgaJpZM4OFbdX>
.
|
6a7f392
to
a9b511b
Compare
@lefessan |
OK |
@@ -169,6 +169,10 @@ chapter~\ref{c:intf-c}. | |||
Never use the "strip" command on executables produced by "ocamlc -custom", | |||
this would remove the bytecode part of the executable. | |||
\end{unix} | |||
\begin{unix} | |||
Security warning: never set the "setuid" or "setgid" bits on executables |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The double quotes around "setuid" causes this word to be typeset in \tt font. This is probably not what you want. Consider ``setuid'' instead. Likewise for setgid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually that's what I wanted but you're right, it's probably not a good idea.
Looks good to me. |
I've tested this on a CentOS 6 container and confirmed that __secure_getenv is found and used.
|
FWIW, I'd define However, it all looks good to me, even with a triple underscore! |
It's probably worth doing the same in |
otherlibs/unix/unix.mli
Outdated
programmer of a setuid program must be careful to prevent execution | ||
of arbitrary commands through manipulation of the environment | ||
programmer of a setuid or setgid program must be careful to prevent | ||
execution of arbitrary commands through manipulation of the environment |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is considered unsafe because the programmer of a setuid or setgid program must be careful to prevent execution of arbitrary commands through manipulation of the environment variables.
I think this message is not scary enough! Preventing direct execution of arbitrary commands is not enough: the usual attacks are more subtle things like attacker-controlled filenames or temporary directories. I'd suggest:
It is considered unsafe because the programmer of a setuid or setgid program must be careful to avoid using maliciously crafted environment variables in the search path for executables, the locations for temporary files or logs, and the like.
@dra27 I don't really like the idea of a |
a9b511b
to
80c6841
Compare
@damiendoligez - |
@dra27 Just because it exists in the system doesn't mean I have to like it. In any case, it's too small of a difference to justify the (small) amount of work to change it. (And I still think it's better as it is now.) |
80c6841
to
3347018
Compare
@stedolan Done for AFL and also for GC instrumentation, just in case. |
this patch looks fine to me. Will the default runtime in 4.05 still have this |
@hannesm It will because I'm trying to release today. Let's have a relaxed discussion (in a new PR!) about disabling it for 4.06, but I don't want to delay 4.05.0 yet again. |
9a0f06b
to
6c3ef9b
Compare
* fall back to __secure_getenv when secure_getenv is not available * use secure_getenv for instrumented runtimes * documentation: warn against setting the setuid or setgid bits on custom bytecode executables
merged to 4.05 and cherry-picked to trunk (fee0110) |
* fall back to __secure_getenv when secure_getenv is not available * use secure_getenv for instrumented runtimes * documentation: warn against setting the setuid or setgid bits on custom bytecode executables
* fall back to __secure_getenv when secure_getenv is not available * use secure_getenv for instrumented runtimes * documentation: warn against setting the setuid or setgid bits on custom bytecode executables
…ghlighted. (ocaml#1213) * Replaced text in the profiling guide that refers to highlighted code with the code from the code snippet to make the text consistent. * Removed mention of highlighted code that was not highlighted from labels section. * Undo prettier formatting. --------- Co-authored-by: Paul Bacchus <paulbacchus@M35-117.local>
For the first commit, @setharnold pointed out in 38e2cd6#commitcomment-22736369 that
secure_getenv
is a "relatively new" addition to glibc (introduced in 2012 with glibc 2.17). This PR adds a fall-back to__secure_getenv
, which dates back (at least) to 2002 with glibc 2.2.5.references:
__secure_getenv
was in glibc 2.2.5The second commit secures one more call to
getenv
in the Spacetime code. Although you'd be crazy to set the setuid bit on a program compiled with instrumentation, I think it's better to fix this potential vulnerability (reported privately by Eric Milliken).The third commit is a change in the manual to warn users against setting the setuid bit on a custom-mode bytecode executable because this configuration is always vulnerable to privilege escalation attacks.