lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On 11/5/13, Hisham <> wrote:
> On 5 November 2013 01:13, Leo Razoumov <> wrote:
>> I just tried to install the latest luarocks from the Github repo
>> master (SHA1: 143cc28429)
>> on the Mac OSX 10.6.8 (Snow Leopard). 'make build' resulted in error
>> ...
>> '/pkg/lua-5.1.5.LR3-mac/bin/lua' -e "package.path=[[`echo "$PWD" | sed
>> -e 's/\([][]\)\1/]]..'\''\1\1'\''..[[/g' -
>> `/src/?.lua;]]..package.path" src/bin/luarocks make rockspec
>> --tree="/pkg/lua-5.1.5.LR3-mac"
>> sed: -: No such file or directory
>> ...
>> which I was able to trace to a complex and fragile definition of
>> SAFEPWD variable in the main Makefile.
>> SAFEPWD=`echo "$$PWD" | sed -e 's/\([][]\)\1/]]..'\''\1\1'\''..[[/g' -`
>> Removing this variable and replacing it with a regular $$PWD solved the
>> problem.
>> I am curious, what's the point of sanitizing PWD value?
>> Is it an attempt to prevent malicious use of path names:-)
> Yes, because the path is concatenated into a Lua string which is
> evaluated during "make install", which often runs with root
> permissions... so we thought we'd be overcautious with that. I'm not
> good at imagining black-hat scenarios, but you never know how those
> crafty people could come up with a directory name called
> "/home/user/foo]];os.execute('evil');x=[[bar"...
> -- Hisham

If an attacker is capable of tweaking you into running an install script
under root privileges from a random directory named by a string
executable in some
language all the bets are off. Besides, a smart attacker who has a
local privileges already,
(how otherwise he/she was able to craft the path) would most likely find
stealthier ways to call os.execute('evil') without leaving traces in
some build logs.

Anyway, if I am not mistaken, Lua Makefiles do not sanitize the path
or environment variables
that will end up in package.path  and other strings, neither do LuaJIT's.
For truly paranoid, there are always chroot build ghettos and air-gap systems:-)

I think that reverting back to $$PWD or calling $(shell pwd) command
without sed magic
makes installing luarocks more robust.