monotone-devel

Re: [Monotone-devel] Lua loading dynamic libraries not possible in monot


From: Markus Wanner
Subject: Re: [Monotone-devel] Lua loading dynamic libraries not possible in monotone?
Date: Mon, 27 Oct 2008 13:57:23 +0100
User-agent: Thunderbird 2.0.0.16 (X11/20080916)

Hi,

Markus Hanauska wrote:
> Okay, I will try that out. What else is special about this stripped
> branch? Any other changes (despite the fact that it uses external lua)
> compared to the standard version?

It links monotone against the system's libraries, instead of bundling
required libraries. You thus need development packages for:

  PCRE
  Lua
  Botan
  SQLite

AFAICR I've already changed the INSTALL document somewhat, please
consult that.

> Can anyone show a real-life attack for this? After all the Lua code (and
> the libraries it might use) have the same restrictions (e.g. file
> permissions, other system restrictions) as someone would have on the
> command line anyway. To me a security problem only arises if an attacker could
> that way execute code he could otherwise not execute. However Lua will
> not be able to access a dynamic library a user isn't able to access
> anyway, either by using a stand-alone Lua copy or by compiling a tiny
> piece of C code that links against the library and execute it on the
> machine.

Agreed.

Regards

Markus Wanner



