Re: [Monotone-devel] Lua loading dynamic libraries not possible in monot

monotone-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Monotone-devel] Lua loading dynamic libraries not possible in monot

From:	Markus Hanauska
Subject:	Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?
Date:	Mon, 27 Oct 2008 11:54:52 +0100
User-agent:	Thunderbird 2.0.0.17 (Macintosh/20080914)

Markus Wanner wrote:

@Markus: maybe you want to try my net.venge.monotone.stripped branch,
which links against a system provided lua 5.1 library. That one should
be capable of loading dynamic libraries. (And I'm curious if you can get
nvm.stripped to compile on MacOS X. ;-) )

Okay, I will try that out. What else is special about this strippedbranch? Any other changes (despite the fact that it uses external lua)compared to the standard version?


I don't see the security problem so far.

Daniel Carosone wrote:

> IIRC, the concern was about people running lua code from within
> a repository from a malicious committer.

Can anyone show a real-life attack for this? After all the Lua code (andthe libraries it might use) have the same restrictions (e.g. filepermissions, other system restriction) as someone would have on commandline anyway. To me a security problem only arises if an attacker couldthat way execute code he could otherwise not execute. However Lua willnot be able to access a dynamic library a user isn't able to accessanyway, either by using a stand-alone Lua copy or by compiling a tinypiece of C code that links against the library and execute it on themachine.

A case where this can be used to circumvent system restrictions seemsrather "constructed" to me. Okay, if I was on a system that forbids anyaccess to external data sources (no USB sticks, no CDs) and also won'tallow me downloading anything from the Internet, nor does it offer a Ccompiler, I may not be able to get a custom executable there to load acertain library and use it (no stand-alone Lua, no own C executable) -in that case I could abuse Lua of montone to make this possible anyway.One might argue how useful such a restricted system is anyway and if auser of it should have access to monotone itself in the first place(since if I can use monotone, I can checkout source containing a customexecutable I should not have on this system - smuggling the binarythrough a monotone repository sync onto the system, checking out andusing it).


Kindest regards,
Markus

[Prev in Thread]

Current Thread

[Next in Thread]

[Monotone-devel] Lua loading dynamic libraries not possible in monotone?, Markus Hanauska, 2008/10/24
- Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?, Alex Sandro Queiroz e Silva, 2008/10/24
  - Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?, Markus Wanner, 2008/10/24
    - Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?, Zack Weinberg, 2008/10/24
    - Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?, Nathaniel Smith, 2008/10/24
    - Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?, Daniel Carosone, 2008/10/25
    - Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?, Markus Hanauska <=
    - Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?, Markus Wanner, 2008/10/27

Prev by Date: Re: [Monotone-devel] compilation failure on Win32 MinGW
Next by Date: Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?
Previous by thread: Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?
Next by thread: Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?
Index(es):
- Date
- Thread