From: Mark H Weaver
Newsgroups: gmane.lisp.guile.devel
Subject: Re: Support open-process and friends on MS-Windows
Date: Tue, 05 Jul 2016 03:44:15 -0400
Message-ID: <8760sk34xc.fsf@netris.org>
References: <834m8i3off.fsf@gnu.org> <877fde958i.fsf@gnu.org> <83wple1zym.fsf@gnu.org> <83ziq9zl8l.fsf@gnu.org> <87eg7lbnpi.fsf@pobox.com> <83y45tzhyn.fsf@gnu.org> <87twghs9ot.fsf@gnu.org> <83r3blz96w.fsf@gnu.org> <87inwn3aq7.fsf@netris.org> <83y45jqt5y.fsf@gnu.org>
To: Eli Zaretskii
Cc: wingo@pobox.com, ludo@gnu.org, guile-devel@gnu.org
In-Reply-To: <83y45jqt5y.fsf@gnu.org> (Eli Zaretskii's message of "Sun, 03 Jul 2016 06:47:37 +0300")

Eli Zaretskii writes:

>> From: Mark H Weaver
>> Cc: ludo@gnu.org (Ludovic Courtès), wingo@pobox.com,
>> guile-devel@gnu.org
>> Date: Sat, 02 Jul 2016 19:02:08 -0400
>>
>> Eli Zaretskii writes:
>> > +# define getuid() (500) /* Local Administrator */
>> > +# define getgid() (513) /* None */
>> > +# define setuid(u) (0)
>> > +# define setgid(g) (0)
>>
>> As I've said before, I'm not comfortable with these definitions. These
>> are not operations that can be safely ignored. If we cannot do a job
>> that's requested of us, we should raise an exception. We should not
>> make numbers up out of thin air and pass them off as fact, nor should we
>> claim to have successfully done a job that we are unable to do.
>>
>> More to the point, we should not assume that the caller's requests are
>> unimportant. Feigning success on ignored requests and fabricating
>> misinformation might be okay in some cases, but in other cases it is
>> likely to lead to security holes and other bugs. For example, a common
>> pattern is to use 'setuid' to drop privileges before running some
>> untrusted code. We must not silently ignore such requests.
>
> [...] All other applications ported from Posix platforms that I
> know of do something like the above, and I have yet to hear a single
> complaint.

Most applications do not expose get*id/set*id to other programs as part of their public API. When they are kept private, such hacks are far more defensible, because it is possible to examine every call site and thereby determine whether any harm might be caused by silently ignoring requests and returning bogus results.

In the case of Guile, you are asking us to expose these dishonest and potentially dangerous definitions in our public API, and therefore to an unbounded set of programs and use cases, not to mention public scrutiny.

Before I would consider doing this, I would need to be convinced of three propositions:

(1) that get*id/set*id are used so frequently in Guile programs that it would be unreasonably onerous to examine and modify each call site to handle the MS-Windows case.

(2) that security flaws would be extremely unlikely to arise from your definitions.

(3) that for the overwhelming majority of call sites, your definitions lead to correct behavior on MS-Windows.

I'm skeptical of all three.

> Raising exceptions in these cases will simply get in the
> way of writing portable Guile programs, because the application
> programmer will have to work around the exception in Guile code,

That's exactly what *should* be done, because only at the application level is it possible to reliably determine how to properly handle the absence of these operations.

      Mark
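Review bot: the setuid(u) and setgid(g) macros in the quoted hunk expand to (0), so a caller that checks the return value is told the identity change succeeded when nothing happened, and getuid()/getgid() then report the fixed 500 and 513 regardless of what was requested; a privilege drop verified by return value alone therefore passes on MS-Windows. Have the set*id replacements return -1 with errno set (ENOSYS or EPERM) so the failure is visible to callers, or let the Guile primitives raise an exception on that platform as the reply asks, and add a comment at the definitions stating that the identities are placeholders rather than values obtained from the system.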
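To illustrate the privilege-drop pattern the reply warns about, here is an added C example (not code from Guile or from this thread): a drop routine that verifies the resulting identity instead of trusting set*id return values, run both against the real libc and against stubs that reproduce the proposed definitions. The id_ops table, drop_privileges and the 65534 target id are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Table of the identity primitives a privilege-drop routine depends on,
 * so the same check can be run against the real libc and against stubs.
 * (Assumed structure for this example.) */
struct id_ops {
    uid_t (*getuid)(void);
    gid_t (*getgid)(void);
    int   (*setuid)(uid_t);
    int   (*setgid)(gid_t);
};

/* Stubs reproducing the proposed MS-Windows definitions: fixed ids and
 * set*id calls that report success without doing anything. */
static uid_t stub_getuid(void)    { return 500; }   /* "Local Administrator" */
static gid_t stub_getgid(void)    { return 513; }   /* "None" */
static int   stub_setuid(uid_t u) { (void)u; return 0; }
static int   stub_setgid(gid_t g) { (void)g; return 0; }

static const struct id_ops real_ops = { getuid, getgid, setuid, setgid };
static const struct id_ops stub_ops = { stub_getuid, stub_getgid,
                                        stub_setuid, stub_setgid };

/* Switch to uid/gid and return 0 only if whatever is behind ops actually
 * reports the requested identity afterwards; -1 otherwise. The set*id
 * return values alone are not trusted, because a stub that always
 * returns 0 would otherwise pass as success. */
int drop_privileges(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->setgid(gid) != 0 || ops->setuid(uid) != 0)
        return -1;                 /* honest failure, errno set by libc */
    if (ops->getuid() != uid || ops->getgid() != gid) {
        errno = EPERM;             /* feigned success: identity unchanged */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Re-asserting the current identity is always permitted, so the real
     * case succeeds for any user; the stub case shows the lie being caught. */
    printf("real: %d\n", drop_privileges(&real_ops, getuid(), getgid()));
    printf("stub: %d\n", drop_privileges(&stub_ops, 65534, 65534));
    return 0;
}
```

The only request the stubs can pass is a "drop" to exactly 500/513, which is the pre-existing placeholder identity rather than a change of privilege.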