[cmake-developers] Security in CMake
Tobias Hunger
tobias.hunger at gmail.com
Sat Aug 20 17:25:53 EDT 2016
Hi Egor,
On 20.08.2016 13:48, "Egor Pugin" <egor.pugin at gmail.com> wrote:
>
> Hi,
>
> I'm working on a package manager based on cmake.
> And some cmake instructions are downloaded with user packages.
> I'd like to have an ability to deny some cmake features in such
> external untrusted insertions.
I am no CMake expert, but you are talking about securing a program that is
meant to take arbitrary input and run user-defined commands on that to
produce possibly executable output.
I do not see any safe subset of CMake commands that is still able to do
anything useful.
I can see a way for "insertions" to be useful, that does not involve them
changing the configuration (e.g. for a cross compiler), involve running
some 3rd party program (e.g. to add support for a new documentation system,
parser generator or whatnot), or the production of build artifacts (e.g.
build some library for the developer to use).
*All* of these are inherently unsafe.
Configuration change: Change the C compiler to rm and pass force -rf -- /
as flags.
3rd party program: Run rm -rf / when some certain input file is seen.
Build artifacts: Put running rm -rf / into the binary/library so that this
is run during normal development workflow.
I would try to run my package manager in an environment where running rm
-rf is harmless to the overall system health. Virtual machines or
containers spring to mind there. Not sure that is feasible.
Or come up with insertions signing, etc. so that users can at least know
they got what was uploaded and know whom to blame when their systems get
wiped.
Best Regards,
Tobias
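To make the exchange above concrete: Egor asks to "deny some cmake features" in downloaded insertions, and Tobias answers that there is no useful safe subset. The following is an added example, not code from this thread, from CMake, or from Egor's package manager. It implements the kind of command denylist Egor describes, with a small hand-written scanner that approximates CMake's command syntax (one `name(` per line start; it is not CMake's real parser), and then runs it over four constructed insertion samples. Only the obvious one is caught; the other three use ordinary, undeniable commands (`set`, `set_property`, `install`) and still get arbitrary programs executed, along the lines of the "configuration change" and "build artifact" vectors Tobias lists. The denylist contents and all sample snippets are assumptions made for this example; `RULE_LAUNCH_COMPILE` and `install(CODE ...)` are documented CMake features. The sample commands only `touch` a marker file rather than wiping anything, and nothing here ever invokes CMake.

```python
"""A naive 'deny some CMake features' scanner, and three insertions that pass it.

Added example for the cmake-developers thread above; not code from the
thread, from CMake, or from any package manager. The scanner approximates
CMake syntax and is not CMake's parser. The denylist and the samples are
constructed for this example.
"""
import re

# Assumed denylist: the commands an obvious policy would block because they
# run programs, evaluate code or write files at configure or build time.
DENYLIST = {
    "execute_process", "exec_program", "add_custom_command",
    "add_custom_target", "file", "cmake_language", "load_cache",
    "try_compile", "try_run",
}

# A command invocation is an identifier followed by '(' at the start of a line.
COMMAND_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def strip_comment(line):
    """Drop a trailing '#' comment unless the '#' sits inside a quoted string."""
    out, in_str, prev = [], False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            in_str = not in_str
        if ch == "#" and not in_str:
            break
        out.append(ch)
        prev = ch
    return "".join(out)


def command_names(text):
    """Return [(line_number, command_name), ...] for every invocation start."""
    names = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = COMMAND_RE.match(strip_comment(raw))
        if m:
            names.append((no, m.group(1).lower()))
    return names


def scan(text):
    """Denied commands found in an insertion; an empty list means 'allowed'."""
    return [(no, name) for no, name in command_names(text) if name in DENYLIST]


# --- constructed samples (harmless 'touch pwned' stands in for rm -rf /) ---

# What the denylist is designed to catch: a direct program execution.
OBVIOUS = (
    "# constructed sample: direct execution\n"
    "execute_process(COMMAND touch pwned)\n"
)

# Tobias's configuration-change vector: only set()/project() are used, and no
# usable policy can deny set(). The 'compiler' is whatever the insertion says.
COMPILER_SWAP = (
    "set(CMAKE_C_COMPILER touch)\n"
    'set(CMAKE_C_FLAGS "pwned")\n'
    "project(insertion C)\n"
)

# RULE_LAUNCH_COMPILE is a documented global property that prefixes every
# compile line with a launcher (the ccache mechanism). Here the launcher is
# attacker-chosen, so every compiler invocation in the build runs it first.
LAUNCHER = (
    'set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "touch pwned &&")\n'
    "add_library(insertion STATIC insertion.c)\n"
)

# install(CODE ...) evaluates CMake code at install time; the denied command
# name is inside a string argument, not at a line start, so it is invisible
# to any command-name denylist.
INSTALL_CODE = (
    'install(CODE "execute_process(COMMAND touch pwned)")\n'
)


def demo():
    """Map each sample to what the denylist flags in it."""
    return {
        "obvious": scan(OBVIOUS),
        "compiler_swap": scan(COMPILER_SWAP),
        "launcher": scan(LAUNCHER),
        "install_code": scan(INSTALL_CODE),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:14s} -> {'DENIED ' + str(hits) if hits else 'allowed'}")
```

The three "allowed" samples are exactly Tobias's point: the commands that need to stay usable (`set`, `set_property`, `add_library`, `install`) are the ones that decide which program the build actually runs. Extending the denylist to them leaves nothing that can build a library, which is why the thread moves on to sandboxing the whole run (VM or container) and signing insertions so the origin is at least known.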