On Wednesday, 17 March 2004, at 10:44:26 (-0300), Gustavo Niemeyer wrote:

> I don't understand the statement above. How will you manage to load
> a RH7.3 *library* in an FC2 *application*? The only thing using the
> rpm environment is Lua itself. If you start an application it'll be
> using the environment from the chroot.

Right. And IMHO, if you've got RH 7.3 libraries sitting around in your FC2 buildroot, you have far bigger problems than what script interpreter is interpreting your scripts.

> If rpm has bugs and is segfaulting, nothing is separating it from
> itself. One of our tasks is preventing this, by fixing bugs in the
> provided functionality. OTOH, if you're afraid that someone will try
> to break RPM intentionally, that's something hard to prevent. I can
> easily break rpm with a hacked database, for example.

There are *many* ways to compromise systems through rogue RPM's. Having an embedded interpreter like Lua allows for more ability to lock down what scripts can/can't do. Plus, the requirements of the chroot jail can drop significantly (depending on the package).

> You seem to be using a heavily hacked environment, with preloaded
> execv() on top of rpm and other custom protections. This means, as I
> expected, that the standard rpm is not safe for you either.

Besides that, it's already been proven that vserver, like anything else, can have as-yet-undiscovered vulnerabilities. So you pick your poison and accept the consequences.

> Which ones!? loadlib? os.date? They may easily be locally disabled
> or replaced by something you trust. What else?

I'm definitely against loading shared libs from the chroot. IMHO, all Lua scripts should be prescanned for imports, and those shlibs should be loaded by rpm outside the jail. That, or disallow them entirely.

The bottom line is this: How does Lua allow attack vectors that sh doesn't already allow? What avenues does it gain you that running /bin/sh and all shell tools doesn't?

Michael

-- 
Michael Jennings (a.k.a. KainX) http://www.kainx.org/ <mej@xxxxxxxxx>
n + 1, Inc., http://www.nplus1.net/
Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
"Speak confidently what you believe each and every day, though it contradict everything you said the day before." -- Ralph Waldo Emerson

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
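The "locally disable or replace loadlib and os.date" idea from the quoted reply, carried through as an added example that is not rpm's code and not from either poster: package scripts run in a whitelist environment where loadlib/package.loadlib, io, require and dofile simply do not exist, and os.date is replaced by a trusted wrapper. It assumes Lua 5.1 or later (the 2004 thread was about Lua 5.0, where loadlib was a global); the sample scripts at the bottom are constructed.

```lua
-- Added example (not rpm's own code). Run a script in an environment that
-- exposes only a whitelist of functions; everything else is absent.
-- Assumes Lua 5.1+ (setfenv on 5.1, load() with an env table on 5.2+).

local function make_sandbox_env()
  -- Only pure, side-effect-free functionality is exposed.
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, type = type,
    tostring = tostring, tonumber = tonumber, select = select,
    string = { format = string.format, sub = string.sub, find = string.find,
               gsub = string.gsub, match = string.match, lower = string.lower,
               upper = string.upper, len = string.len },
    table = { insert = table.insert, concat = table.concat, sort = table.sort },
    math = { floor = math.floor, max = math.max, min = math.min },
  }
  -- Trusted replacement for os.date: fixed format, real os table stays hidden.
  env.os = { date = function() return os.date("%Y-%m-%d") end }
  -- Any other global lookup (loadlib, io, dofile, require, ...) raises an
  -- error instead of silently yielding nil, so misuse is visible in the log.
  return setmetatable(env, {
    __index = function(_, name)
      error("script used disallowed global '" .. tostring(name) .. "'", 2)
    end,
  })
end

local function run_sandboxed(code, chunkname)
  local env = make_sandbox_env()
  local chunk, err
  if setfenv then            -- Lua 5.1
    chunk, err = loadstring(code, chunkname)
    if chunk then setfenv(chunk, env) end
  else                       -- Lua 5.2+: "t" refuses precompiled binary chunks
    chunk, err = load(code, chunkname, "t", env)
  end
  if not chunk then return false, "compile error: " .. tostring(err) end
  return pcall(chunk)        -- true, or false plus the sandbox error message
end

-- Constructed sample scripts: the first is allowed, the other two are refused.
print(run_sandboxed([[print("today is " .. os.date())]], "ok.lua"))
print(run_sandboxed([[loadlib("/tmp/untrusted.so", "init")]], "bad1.lua"))
print(run_sandboxed([[io.open("/etc/passwd")]], "bad2.lua"))
```

This removes the functions from the script's view rather than re-implementing them; a rpm-side prescan for shared-library loads, as the message proposes, would sit in front of this as a separate check.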