On Tue, 6 Dec 2005, Michalis Kamburelis wrote:
Tom Verhoeff wrote:
[...]
I was thinking of adding a remote FreePascal service along the following
lines. You go to its web interface, browse for your source files
(possibly a whole zip archive) on your local machine, enter command-line
options, and let our server compile your stuff with a (selectable)
version of fpc (under Linux), then you get back the results (possibly
also in a zip archive). Mabye we can support cross compiles as well.
Great idea. I played a little and found two security issues :
1. Consider the following program, that let's the attacker know what's the
default display manager on your system:
----------------
program get_file_contents;
const
usr = 1;
bin = 1;
gdm = 10;
xdm = 100;
kdm = 1000;
const
Marker = 1 {$I /etc/X11/default-display-manager};
begin
Writeln(Marker);
end.
----------------
As you can see, this is achieved by using {$I ...} with an absolute path.
This way I can include arbitrary file, and do some tricks (like above
creating constants "usr", "bin" ... and then a constant "Marker" that has
different value depending on your display manager). This way I can
investigate various things about your system.
(Wow, it was fun creating this program :) )
Conclusion: be extra-careful about what people include with $I in their
submitted programs. So you have to either scan source files, or maybe run
within chroot. Or you must be sure that you don't have any sensitive
information readable by fpc process on your system.
I think that running the compiler must absolutely be done in a chroot()
environment, with adapted environment settings and using appropriate
setrlimit() settings to avoid memory and CPU hogs.
In Belgium there is a linux distribution for schools, and they run all
network related processes in chroot() environments. Takes some work to
set up, but is the most safe. For a service as this, I think it's
definitely needed.
Michael.
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
