1. 30 Oct, 2011 1 commit
  2. 27 Oct, 2011 5 commits
    • Duncan Coutts's avatar
      Allow the -t -T -s -S flags (without <file> arg!) in -rtsopts=some mode · 6dfd9016
      Duncan Coutts authored
      Without any <file> arg, these flags just dump info to stderr so
      are at most a mild information disclosure danger. We disallow
      a <file> arg in the default -rtsopts=some mode since that will
      overwrite the given file.
      6dfd9016
    • Duncan Coutts's avatar
      Change what +RTS options are available by default · 8c7ad0bd
      Duncan Coutts authored
      Ticket #3910 originally pointed out that the RTS options are a potential
      security problem. For example the -t -s or -S flags can be used to
      overwrite files. This would be bad in the context of CGI scripts or
      setuid binaries. So we introduced a system where +RTS processing is more
      or less disabled unless you pass the -rtsopts flag at link time.
      
      This scheme is safe enough but it also really annoies users. They have
      to use -rtsopts in many circumstances: with -threaded to use -N, with
      -eventlog to use -l, with -prof to use any of the profiling flags. Many
      users just set -rtsopts globally or in project .cabal files. Apart from
      annoying users it reduces security because it means that deployed
      binaries will have all RTS options enabled rather than just profiling
      ones.
      
      This patch relaxes the set of RTS options that are available in the
      default -rtsopts=some case. For "deployment" ways like vanilla and
      -threaded we remain quite conservative. Only --info -? --help are
      allowed for vanilla. For -threaded, -N and -N<x> are allowed with a
      check that x <= num cpus.
      
      For "developer" ways like -debug, -eventlog, -prof, we allow all the
      options that are special to that way. Some of these allow writing files,
      but the file written is not directly under the control of the attacker.
      For the setuid case (where the attacker would have control over binary
      name, current dir, local symlinks etc) we check if the process is
      running setuid/setgid and refuse all RTS option processing. Users would
      need to use -rtsopts=all in this case.
      
      We are making the assumption that developers will not deploy binaries
      built in the -debug, -eventlog, -prof ways. And even if they do, the
      damage should be limited to DOS, information disclosure and writing
      files like <progname>.eventlog, not arbitrary files.
      8c7ad0bd
    • Duncan Coutts's avatar
      Use signed comparison for +RTS -N x <= 0 test · 43a92710
      Duncan Coutts authored
      Otherwise we can use +RTS -N-1 and get 2^32 or 2^64 capabilities
      which doesn't work out so well...
      43a92710
    • Duncan Coutts's avatar
    • Duncan Coutts's avatar
      Add an RTS eventlog tracing class for user messages · aaaaf67b
      Duncan Coutts authored
      Enables people to turn them on/off. Defaults to on.
      aaaaf67b
  3. 26 Oct, 2011 12 commits
  4. 25 Oct, 2011 18 commits
  5. 24 Oct, 2011 4 commits