guile-devel

Re: Support open-process and friends on MS-Windows


From: Mark H Weaver
Subject: Re: Support open-process and friends on MS-Windows
Date: Tue, 05 Jul 2016 03:44:15 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.95 (gnu/linux)

Eli Zaretskii <address@hidden> writes:

>> From: Mark H Weaver <address@hidden>
>> Cc: address@hidden (Ludovic Courtès),  address@hidden,
>>   address@hidden
>> Date: Sat, 02 Jul 2016 19:02:08 -0400
>> 
>> Eli Zaretskii <address@hidden> writes:
>> > +# define getuid()              (500) /* Local Administrator */
>> > +# define getgid()              (513) /* None */
>> > +# define setuid(u)             (0)
>> > +# define setgid(g)             (0)
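Review bot: the setuid()/setgid() replacements return 0 unconditionally, so a caller that drops privileges before running untrusted code is told the drop succeeded when nothing happened, and getuid()/getgid() hand back the fixed constants 500 and 513 regardless of which account the process actually runs under. Prefer a stub that fails honestly in the usual POSIX way, e.g. `# define setuid(u) (errno = ENOSYS, -1)`, or leave the symbols undefined on MS-Windows so that the corresponding Scheme primitives are simply absent and callers can test for them.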
>> 
>> As I've said before, I'm not comfortable with these definitions.  These
>> are not operations that can be safely ignored.  If we cannot do a job
>> that's requested of us, we should raise an exception.  We should not
>> make numbers up out of thin air and pass them off as fact, nor should we
>> claim to have successfully done a job that we are unable to do.
>> 
>> More to the point, we should not assume that the caller's requests are
>> unimportant.  Feigning success on ignored requests and fabricating
>> misinformation might be okay in some cases, but in other cases it is
>> likely to lead to security holes and other bugs.  For example, a common
>> pattern is to use 'setuid' to drop privileges before running some
>> untrusted code.  We must not silently ignore such requests.
>
> [...]  All other applications ported from Posix platforms that I
> know of do something like the above, and I have yet to hear a single
> complaint.

Most applications do not expose get*id/set*id to other programs as part
of their public API.  When they are kept private, such hacks are far
more defensible, because it is possible to examine every call site and
thereby determine whether any harm might be caused by silently ignoring
requests and returning bogus results.

In the case of Guile, you are asking us to expose these dishonest and
potentially dangerous definitions in our public API, and therefore to an
unbounded set of programs and use cases, not to mention public scrutiny.

Before I would consider doing this, I would need to be convinced of
three propositions:

(1) that get*id/set*id are used so frequently in Guile programs that it
    would be unreasonably onerous to examine and modify each call site
    to handle the MS-Windows case.

(2) that security flaws would be extremely unlikely to arise from your
    definitions.

(3) that for the overwhelming majority of call sites, your definitions
    lead to correct behavior on MS-Windows.

I'm skeptical of all three.

> Raising exceptions in these cases will simply get in the
> way of writing portable Guile programs, because the application
> programmer will have to work around the exception in Guile code,

That's exactly what *should* be done, because only at the application
level is it possible to reliably determine how to properly handle the
absence of these operations.

      Mark
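The reply above argues that a privilege-dropping caller is harmed by a setuid()/setgid() shim that reports success without doing anything. The following is an added example, not Guile's code and not part of the original thread: it places a silent-success shim of the kind quoted from the patch next to a shim that fails with ENOSYS, and runs the same "drop privileges, then run untrusted code" routine against both. The function names (fake_setuid, honest_setuid, drop_privileges_then_run) and the target uid/gid 65534 are assumptions made for illustration.

```c
/*
 * Added example (not Guile's code): two ways a platform shim can answer a
 * setuid()/setgid() request it cannot honour, and what a privilege-dropping
 * caller sees in each case.  All names here are illustrative assumptions;
 * the quoted patch itself uses "# define setuid(u) (0)" on MS-Windows.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef int (*setid_fn)(unsigned int id);

/* Mirrors the quoted patch: claim success without doing anything. */
static int fake_setuid(unsigned int uid) { (void)uid; return 0; }
static int fake_setgid(unsigned int gid) { (void)gid; return 0; }

/* The alternative the reply argues for: refuse honestly, using the normal
 * POSIX failure convention (-1 with errno set); ENOSYS says exactly why. */
static int honest_setuid(unsigned int uid) { (void)uid; errno = ENOSYS; return -1; }
static int honest_setgid(unsigned int gid) { (void)gid; errno = ENOSYS; return -1; }

/* Drop to an unprivileged uid/gid, then run something untrusted.
 * Returns 1 if the untrusted step ran, 0 if it was refused.
 * Group first: once a process has given up root via setuid it normally
 * cannot change its group any more, so setgid must come before setuid. */
static int drop_privileges_then_run(setid_fn do_setgid, setid_fn do_setuid,
                                    unsigned int uid, unsigned int gid,
                                    void (*untrusted)(void))
{
    if (do_setgid(gid) != 0) {
        fprintf(stderr, "refusing to run untrusted code: setgid: %s\n",
                strerror(errno));
        return 0;
    }
    if (do_setuid(uid) != 0) {
        fprintf(stderr, "refusing to run untrusted code: setuid: %s\n",
                strerror(errno));
        return 0;
    }
    untrusted();
    return 1;
}

/* Stand-in for the untrusted step; records whether it was reached. */
static int untrusted_ran;
static void untrusted_code(void) { untrusted_ran++; }

/* With the silent-success shim the untrusted step runs, and the caller
 * believes it ran with reduced privileges although nothing was dropped. */
int run_with_fake_shim(void)
{
    untrusted_ran = 0;
    return drop_privileges_then_run(fake_setgid, fake_setuid,
                                    65534, 65534, untrusted_code);
}

/* With the honest shim the failure is visible and the step is refused. */
int run_with_honest_shim(void)
{
    untrusted_ran = 0;
    return drop_privileges_then_run(honest_setgid, honest_setuid,
                                    65534, 65534, untrusted_code);
}

int untrusted_code_ran(void) { return untrusted_ran; }

int main(void)
{
    printf("fake shim:   untrusted step ran = %d\n", run_with_fake_shim());
    printf("honest shim: untrusted step ran = %d\n", run_with_honest_shim());
    return 0;
}
```

The caller's code is identical in both runs; only the shim differs. That is the point of the reply: a library that fabricates success removes the one signal the application could have used to decide, at its own level, whether running the untrusted step is still acceptable.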


