Security Fix(es): sudo: A flaw was found in the way sudo implemented running commands with arbitrary user ID. firefox: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. In any case, I am suspicious that moving from unsigned to signed sizes in C would make things worse.Sudo: Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. That's not an entirely trivial consideration. I would point out that on some machines in some situations using signed types for sizes is not an option unless you're willing to give up half your memory as unaddressable. Maybe they even would be sometimes - who knows? With signed types, explicit checks for underflow could be performed by library functions. A skilled C programmer can navigate this minefield, but mistakes will be made, and they are the kind of mistakes that easily turn into CVEs. To expand a bit, this position is an attempt to work around the somewhat bizarre C implicit promotion rules for signed/unsigned types, combined with the lack of runtime underflow checking when subtracting unsigned values. Performance can be a win, but is generally irrelevant so I don't (in the general case) consider that to be relevant in choosing unsigned/signed while writing C What it does communicate (IMO) is that negative values can not be represented (leading to bugs when someone invariably *does* end up with what should have been a negative number). I find the argument that unsigned communicates that the value can not be negative to be naive. Integer promotion rules in C(++) force signed to be strongly preferred in all calculations for reasons of sanity as introducing a single unsigned value makes entire expressions suspect. If such a simple calculation cannot be written naively, what other unexpected results are unsigned values going to introduce in a code base of any size. Now I am starting to wonder how many percent of CVEs have sloppy type conversion, and magic values (which can be avoided by using enum variants) as the root cause ?Ī naive mean calculation in C(++) ( ) is flawed in a way that is not readily apparent without execution (unlike accumulator overflow with large sums) and generates no warnings. The Microsoft Research blog recently pointed out that a large percentage of CVEs have memory safety issues as root cause. Signed values are cast back and forth to unsigned, and it is not very surprising that the footgun goes off when the magic "(unsigned)-1" value is passed to the kernel. Having gotten used to Rusts stricter type checking, reading the sudo & kernel source code just hurts my head a little bit. Mind you that gid_t is defined to be an unsigned 32 bit integer but 0xffffffff has the magic property that setgid does nothing and whatever you want to run then executes with root privileges that are inherited from sudos suid root. But additionally the Linux kernel syscall code have these lines to effectuate the setgid(): The sudo source code goes out of its way to parse a negative value before it is cast into a an unsigned. We'll do our best to keep these links up to date, but if we fall behind please don't hesitate to shoot us a modmail. This is not an official Rust forum, and cannot fulfill feature requests. Err on the side of giving others the benefit of the doubt.Īvoid re-treading topics that have been long-settled or utterly exhausted. Please create a read-only mirror and link that instead.Ī programming language is rarely worth getting worked up over.īe charitable in intent. If criticizing a project on GitHub, you may not link directly to the project's issue tracker. Post titles should include useful context.įor Rust questions, use the stickied Q&A thread.Īrts-and-crafts posts are permitted on weekends.Ĭriticism is encouraged, though it must be constructive, useful and actionable. For content that does not, use a text post to explain its relevance. Posts must reference Rust or relate to things using Rust. We observe the Rust Project Code of Conduct. Strive to treat others with respect, patience, kindness, and empathy. Please read The Rust Community Code of Conduct The Rust Programming LanguageĪ place for all things related to the Rust programming language-an open-source systems language that emphasizes performance, reliability, and productivity.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |