Version française
Home     About     Download     Resources     Contact us    
Browse thread
on ocaml and set-user-id programs
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: -- (:)
From: Richard Jones <rich@a...>
Subject: Re: [Caml-list] on ocaml and set-user-id programs
On Sun, Mar 27, 2005 at 03:34:23PM +0200, Stefano Zacchiroli wrote:
> On Sun, Mar 27, 2005 at 12:31:57PM +0200, Kim Nguyen wrote:
> > Indeed. Maybe the ocaml distribution could provide such a wrapper.
> Yes, it would be cool.

There are many pitfalls to calling a setuid process (in general, not
just scripts).  For instance several years ago I wrote a setuid
program and I was pretty sure I'd covered every base.  But then I
discovered that signal handler masks actually get inherited across
exec(2), so if your program depends on signals, then it could fail if
someone passed an unexpected signal mask.  There are so many of these
strange dependencies (IFS, PATH, signals, BSD resources, ...) that I
like the userv[1] approach which bypasses the problems entirely.
Either that, or use sudo which is at least well understood.

Rich.

[1] http://www.chiark.greenend.org.uk/~ian/userv/

-- 
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com