[Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch
Date: 2004-01-19 (19:16)
From: Markus Mottl <markus@o...>
Subject: Re: [Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch

On Mon, 19 Jan 2004, David Brown wrote:
> On Mon, Jan 19, 2004 at 06:46:40PM +0100, Markus Mottl wrote:
>
> > All you need to do is create a toplevel using the "-custom"-flag, e.g.:
> >
> >   ocamlmktop -custom -o mytop
> >
> > This is required under Unix, because only binary executables can be used
> > for interpretation due to security concerns.
>
> Oddly enough, it works anyway on OSX. Should I report this as a
> security problem to Apple?

Well, there are certainly some risks associated with this "feature".
It's much easier to replace scripts (= plain text) than binary
executables, i.e. Trojan horses can enter the game more easily.

The Linux manpage on "execve" states:

  execve() executes the program pointed to by filename. filename must
  be either a binary executable, or a script starting with a line of
  the form "#! interpreter [arg]". In the latter case, the interpreter
  must be a valid pathname for an executable which is not itself a
  script, which will be invoked as interpreter [arg] filename.

Having interpreters become Trojan horses is a very bad thing indeed,
because they are much more likely to be called by unsuspecting users...

Regards,
Markus

--
Markus Mottl http://www.oefai.at/~markus markus@oefai.at
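
The condition in the execve text quoted above (the interpreter named on a "#!" line must not itself be a script) can be audited for files on disk. The following is an added example, not part of the original message; the function names and return codes are assumptions made for this sketch, and it only reads file headers without executing anything.

```c
#include <stdio.h>
#include <string.h>

enum { UNREADABLE = -1, NOT_SCRIPT, SCRIPT_OK, SCRIPT_CHAINED };

/* Returns 1 and copies the interpreter path into `interp` when the
 * file image `head` starts with "#!"; returns 0 for anything else. */
int parse_shebang(const char *head, size_t len, char *interp, size_t cap)
{
    size_t i = 2, n = 0;
    if (len < 2 || head[0] != '#' || head[1] != '!')
        return 0;
    while (i < len && (head[i] == ' ' || head[i] == '\t'))
        i++;                        /* blanks allowed after "#!" */
    /* strchr also matches a NUL byte, so NUL ends the path too */
    while (i < len && n + 1 < cap && !strchr(" \t\r\n", head[i]))
        interp[n++] = head[i++];
    interp[n] = '\0';
    return 1;
}

/* Read the first `cap` bytes of `path`; -1 if it cannot be opened. */
static int read_head(const char *path, char *buf, size_t cap, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    *len = fread(buf, 1, cap, f);
    fclose(f);
    return 0;
}

/* SCRIPT_CHAINED means the "#!" interpreter of `path` is itself a
 * "#!" script, i.e. a plain-text file sits in the interpreter slot. */
int classify_script(const char *path)
{
    char head[256], ihead[256], interp[256], unused[256];
    size_t len, ilen;
    if (read_head(path, head, sizeof head, &len) != 0)
        return UNREADABLE;
    if (!parse_shebang(head, len, interp, sizeof interp))
        return NOT_SCRIPT;
    if (!interp[0] || read_head(interp, ihead, sizeof ihead, &ilen) != 0)
        return UNREADABLE;
    return parse_shebang(ihead, ilen, unused, sizeof unused) ? SCRIPT_CHAINED : SCRIPT_OK;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], classify_script(argv[i]));
    return 0;
}
```

Run over the scripts in a directory, any file reported as 2 (SCRIPT_CHAINED) has an interpreter that is plain text and therefore as easy to replace as the script itself.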