On Thu, 22 Nov 2012 13:27:46 -0430 Andres Perera wrote:

> but jit isn't irreparably interleaved with js

The latest polkit actually depends on the javascript package.

> am i compromising by running luajit in interpreter mode instead of the
> reference implementation, moreover, would that imply that lua the
> language is insecure or is the specific implementation at fault?
>
> why would the runtime be attractive for rop?

Having the javascript package on your system when you otherwise wouldn't can allow an attacker to use code he is likely familiar with, return-to-libc style, to modify the capability of code marked executable. This may not generally mean that much, but on a small server or embedded system it may mean a lot.

The main point is that this is an example of a Red Hat developer having free rein to do silly things and actually increasing the difficulty for the average human configuring polkit, without evaluating all potential consequences and scenarios. POSIX being influenced by such things is wrong.

p.s. When I said polkit is cross-platform, I really meant it's portable.