unix.cma ignores the sticky bit. #7651

Closed
vicuna opened this issue Oct 5, 2017 · 1 comment

vicuna commented Oct 5, 2017

Original bug ID: 7651
Reporter: ksk
Status: resolved (set by @xavierleroy on 2017-10-05T08:33:16Z)
Resolution: not a bug
Priority: normal
Severity: minor
OS: Mac OS X
OS Version: 10.12.6
Version: 4.05.0
Category: standard library
Monitored by: @gasche

Bug description

When the executable file is compiled with unix.cma,
Unix.getuid and Unix.geteuid return the same value
even if the file has the sticky bit and is run by a non-owner.
Unix.geteuid must return the owner's uid.

This can be observed even for a Linux platform CentOS 6.

Steps to reproduce

  1. Save the following program as suidtest.ml
    let () = Format.printf "uid=%d@.euid=%d@." (Unix.getuid()) (Unix.geteuid())

  2. Compile with unix.cma and set the sticky bit on it.
    ocamlc -o suidtest unix.cma suidtest.ml
    chmod u+s suidtest

  3. Execute it as root.
    sudo ./suidtest

Then the output is:
    uid=0
    euid=0

If it is compiled with unix.cmxa as native code, like:
    ocamlopt -o suidtest unix.cmxa suidtest.ml
then the result is correctly:
    uid=0
    euid=503


vicuna commented Oct 5, 2017

Comment author: @xavierleroy

Bytecode executables generated by ocamlc are #!-scripts for the ocamlrun bytecode interpreter. Most if not all Unix kernels ignore setuid bits on scripts, and probably for good security reasons.

If you want to write a setuid application in OCaml, compile it to a real executable using "ocamlopt" or even "ocamlc -custom".
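
Added example, not part of the original thread or of the OCaml project's code: a shell audit that lists files carrying the setuid bit (`chmod u+s`) and separates `#!`-scripts, such as the `ocamlc` bytecode executable described above, from native executables. The function names `exec_kind`, `interpreter_of` and `audit_setuid` are hypothetical, and the `HONORED` label assumes the filesystem is not mounted `nosuid`.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find setuid files whose
# setuid bit the kernel will not apply because the file is a #!-script.

# exec_kind FILE -> prints "script" if FILE begins with the bytes "#!",
# otherwise "native". Only the first two bytes are inspected, as hex,
# so binary content never reaches the shell as text.
exec_kind() {
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    if [ "$magic" = "2321" ]; then
        echo script
    else
        echo native
    fi
}

# interpreter_of FILE -> prints the interpreter path named on the #! line
# (for ocamlc output this is the ocamlrun bytecode interpreter).
interpreter_of() {
    head -n 1 "$1" | sed 's/^#![[:space:]]*//; s/[[:space:]].*$//'
}

# audit_setuid DIR -> one line per regular file under DIR with the setuid bit:
#   IGNORED path (runs via interpreter)  setuid bit on a #!-script
#   HONORED path                         anything else (assumes no nosuid mount)
audit_setuid() {
    find "$1" -type f -perm -4000 | while IFS= read -r f; do
        if [ "$(exec_kind "$f")" = script ]; then
            echo "IGNORED $f (runs via $(interpreter_of "$f"))"
        else
            echo "HONORED $f"
        fi
    done
}

# Stand-alone use: sh audit.sh /path/to/dir
if [ "$#" -gt 0 ]; then
    audit_setuid "$1"
fi
```

An `IGNORED` line means the program runs with the caller's effective uid despite the mode bits, which matches the `uid=0 euid=0` output in the report.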
