Version française
Home     About     Download     Resources     Contact us    
Browse thread
[Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: -- (:)
From: Markus Mottl <markus@o...>
Subject: Re: [Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch
On Mon, 19 Jan 2004, David Brown wrote:
> On Mon, Jan 19, 2004 at 06:46:40PM +0100, Markus Mottl wrote:
> 
> > All you need to do is create a toplevel using the "-custom"-flag, e.g.:
> > 
> >   ocamlmktop -custom -o mytop
> > 
> > This is required under Unix, because only binary executables can be used
> > for interpretation due to security concerns.
> 
> Oddly enough, it works anyway on OSX.  Should I report this as a
> security problem to Apple?

Well, there are certainly some risks associated with this "feature".  It's
much easier to replace scripts (= plain text) than binary executables,
i.e. Trojan horses can enter the game more easily. The Linux manpage on
"execve" states:

  execve() executes the program pointed to by filename.  filename must
  be either  a  binary  executable,  or a script starting with a line of
  the form "#! interpreter [arg]".  In the latter case, the interpreter
  must be  a  valid  pathname  for an executable which is not itself a
  script, which will be invoked as interpreter [arg] filename.

Having interpreters become Trojan horses is a very bad thing indeed,
because they are much more likely to be called by unsuspecting users...

Regards,
Markus

-- 
Markus Mottl          http://www.oefai.at/~markus          markus@oefai.at

-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners