Version française
Home     About     Download     Resources     Contact us    

This site is updated infrequently. For up-to-date information, please visit the new OCaml website at

Browse thread
[Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: 2004-01-19 (19:16)
From: Markus Mottl <markus@o...>
Subject: Re: [Caml-list] ANNOUNCE: mod_caml 1.0.6 - includes security patch
On Mon, 19 Jan 2004, David Brown wrote:
> On Mon, Jan 19, 2004 at 06:46:40PM +0100, Markus Mottl wrote:
> > All you need to do is create a toplevel using the "-custom"-flag, e.g.:
> > 
> >   ocamlmktop -custom -o mytop
> > 
> > This is required under Unix, because only binary executables can be used
> > for interpretation due to security concerns.
> Oddly enough, it works anyway on OSX.  Should I report this as a
> security problem to Apple?

Well, there are certainly some risks associated with this "feature".  It's
much easier to replace scripts (= plain text) than binary executables,
i.e. Trojan horses can enter the game more easily. The Linux manpage on
"execve" states:

  execve() executes the program pointed to by filename.  filename must
  be either  a  binary  executable,  or a script starting with a line of
  the form "#! interpreter [arg]".  In the latter case, the interpreter
  must be  a  valid  pathname  for an executable which is not itself a
  script, which will be invoked as interpreter [arg] filename.

Having interpreters become Trojan horses is a very bad thing indeed,
because they are much more likely to be called by unsuspecting users...


Markus Mottl

To unsubscribe, mail Archives:
Bug reports: FAQ:
Beginner's list: