[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: Discover default package.path, package.cpath?
- From: Sean Conner <sean@...>
- Date: Wed, 2 Jan 2019 17:00:11 -0500
It was thus said that the Great Norman Ramsey once stated:
> From within a Lua process that has already launched, is there a way to
> discover the *default* paths, especially package.cpath?
> Context: I have to treat the LUA_CPATH environment variable as if it
> were controlled by an adversary, and I do not have the ability to
> launch Lua with the -E option. My choices will be either to put some
> kind of wrapper around my Lua binary or to launch a separate process
> to determine the default path. Neither of these choices is ideal.
> A solution for 5.1 would be perfect, but if it's doable even using a
> later version, I might be able to retrofit.
First, what is your thread model? Is it *just* LUA_CPATH and not
LUA_PATH? Or LUA_INIT? If it's just to prevent an adversary from loading a
custom version of a C-based module, all they need to do is call
package.loadlib() directly to load a C-based module.
Second, is modifying Lua an option? If so, you could always modify
loadlib.c:setpath() to not query LUA_CPATH (and even LUA_PATH) and to
prevent package.loadlib() from being included in the Lua state. But there
might be more you will have to do depending upon your threat model.
-spc (Did I just say "threat model?" Sheesh ... )