From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Delivered-To: caml-list@yquem.inria.fr Received: from nez-perce.inria.fr (nez-perce.inria.fr [192.93.2.78]) by yquem.inria.fr (Postfix) with ESMTP id C98ACBC48 for ; Sun, 27 Mar 2005 12:29:56 +0200 (CEST) Received: from pauillac.inria.fr (pauillac.inria.fr [128.93.11.35]) by nez-perce.inria.fr (8.13.0/8.13.0) with ESMTP id j2RATuoq005351 for ; Sun, 27 Mar 2005 12:29:56 +0200 Received: from nez-perce.inria.fr (nez-perce.inria.fr [192.93.2.78]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id MAA27851 for ; Sun, 27 Mar 2005 12:29:56 +0200 (MET DST) Received: from postfix3-2.free.fr (postfix3-2.free.fr [213.228.0.169]) by nez-perce.inria.fr (8.13.0/8.13.0) with ESMTP id j2RATtUO005346 for ; Sun, 27 Mar 2005 12:29:55 +0200 Received: from localhost.localdomain (idea.homelinux.org [82.227.14.139]) by postfix3-2.free.fr (Postfix) with ESMTP id 9582AC119; Sun, 27 Mar 2005 12:29:55 +0200 (CEST) Received: from kim by localhost.localdomain with local (Exim 4.50) id 1DFV3n-0003qG-6Y; Sun, 27 Mar 2005 12:31:59 +0200 Subject: Re: [Caml-list] on ocaml and set-user-id programs From: Kim Nguyen To: Stefano Zacchiroli Cc: Inria Ocaml Mailing List In-Reply-To: <20050327100145.GA9332@fistandantilus.takhisis.org> References: <20050327100145.GA9332@fistandantilus.takhisis.org> Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: quoted-printable Organization: Laboratoire de Recherche en Informatique Date: Sun, 27 Mar 2005 12:31:57 +0200 Message-Id: <1111919517.14376.7.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.0.4 X-Miltered: at nez-perce with ID 42468B24.000 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)! X-Miltered: at nez-perce with ID 42468B23.000 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)! X-Spam: no; 0.00; caml-list:01 ocaml:01 lri:01 zacchiroli:01 ocaml:01 bytecode:01 ocamlrun:01 bytecode:01 unices:01 binary:01 byte:01 binary:01 compiler:01 wrote:01 behaviour:01 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on yquem.inria.fr X-Spam-Status: No, score=0.1 required=5.0 tests=FORGED_RCVD_HELO autolearn=disabled version=3.0.2 X-Spam-Level: Le dimanche 27 mars 2005 =E0 12:01 +0200, Stefano Zacchiroli a =E9crit : > I've wrote an ocaml program that needs to be executed set-user-id root. >=20 > I managed to have it being executed with effective user id 0 only > compiling in native code or in custom bytecode. Both executing it as a > script using "ocamlrun ocaml" and compiling it to non-custom bytecode > make the program having effective user id of the user executing it. Yes. The linux kernel (and maybe other unices but i'm not sure) disable the setuid bit for shell scripts since it's really unsecure. Perl circumvents this by having a setuid binary wrapper that does some extra security check and launch the scripts (which inherits the privileges of the setuid wrapper). See perlsec documentation for more details. (This explain why the custom byte code works, since it's a binary that embeds both the script and the interpreter). > This behaviour is annoying and makes impossible to run ocaml set-user-id > programs where the native code compiler isn't available.=20 Indeed. Maybe the ocaml distribution could provide such a wrapper. Hope this helps, --=20 Kim