Markus Wanner wrote:
@Markus: maybe you want to try my net.venge.monotone.stripped branch,
which links against a system provided lua 5.1 library. That one should
be capable of loading dynamic libraries. (And I'm curious if you can get
nvm.stripped to compile on MacOS X. ;-) )
Okay, I will try that out. What else is special about this stripped
branch? Any other changes (despite the fact that it uses external lua)
compared to the standard version?
I don't see the security problem so far.
Daniel Carosone wrote:
> IIRC, the concern was about people running lua code from within
> a repository from a malicious committer.
Can anyone show a real-life attack for this? After all the Lua code (and
the libraries it might use) have the same restrictions (e.g. file
permissions, other system restriction) as someone would have on command
line anyway. To me a security problem only arises if an attacker could
that way execute code he could otherwise not execute. However Lua will
not be able to access a dynamic library a user isn't able to access
anyway, either by using a stand-alone Lua copy or by compiling a tiny
piece of C code that links against the library and execute it on the
machine.
A case where this can be used to circumvent system restrictions seems
rather "constructed" to me. Okay, if I was on a system that forbids any
access to external data sources (no USB sticks, no CDs) and also won't
allow me downloading anything from the Internet, nor does it offer a C
compiler, I may not be able to get a custom executable there to load a
certain library and use it (no stand-alone Lua, no own C executable) -
in that case I could abuse Lua of montone to make this possible anyway.
One might argue how useful such a restricted system is anyway and if a
user of it should have access to monotone itself in the first place
(since if I can use monotone, I can checkout source containing a custom
executable I should not have on this system - smuggling the binary
through a monotone repository sync onto the system, checking out and
using it).
Kindest regards,
Markus
_______________________________________________
Monotone-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/monotone-devel
