unstable-book: split sanitizers into testing and production ones #108942
The Rust Unstable Book lists compiler sanitizers that can be used in Rust programs. However, it does not say whether it is okay to use certain sanitizers on production or not, which may suggest that it's okay to do so. I believe that none of ASAN/TSAN/MSAN/LeakSAN should be used on production. There was an old thread on oss-security that provided more details here: https://www.openwall.com/lists/oss-security/2016/02/17/9 but one example to not use those sanitizers on production is the fact that some of them use environment variables that control things like "path to the binary that will be used to get the symbol names for stack traces". As a result, if a sanitized binary has suid, an attacker can use the specific environment variable to run their own program and escalate their privileges this way.
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @GuillaumeGomez (or someone else) soon. Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (
r? rust-lang/compiler
Thanks, adding some disambiguation is great! I think this is correct but I'm not entirely sure, I'd rather let someone who knows more about this approve it.
This change is probably fine, although I think it might be a little out of scope for the Rust Unstable Book. It seems reasonable for us to say "these are sanitizers you can use" and direct people to further documentation on those sanitizers to evaluate whether it makes sense to use it in production or just testing.
Co-authored-by: est31 <[email protected]>
Maybe we should have then a sentence or two at the beginning explaining what a sanitizer is, that would explain something along the lines that they are compiler plugins which enable additional instrumentation of the code that may be useful for testing/security testing and sometimes for production, depending on the sanitizer.
I am personally in favor of a little bit of verbiage (maybe with a link?) explaining what a sanitizer is. @disconnect3d can you update this patch with a proposal?
Marking this as waiting on author so @disconnect3d can resolve conflicts and add a small note about what a sanitizer is. @rustbot author
@disconnect3d any updates on this? thanks
@apiraino @eholk @Dylan-DPC Updated!
Thanks @disconnect3d. As mentioned in a previous comment, I'll switch to waiting on a review to signal that this PR is ready for a review. (For the record, merge commits are not allowed in PRs -- see https://rustc-dev-guide.rust-lang.org/git.html#no-merge-policy) @rustbot review
@disconnect3d can you remove the merge commit and rebase instead? After that we will get it reviewed
@disconnect3d @rustbot label: +S-inactive
unstable-book: Separate testing and production sanitizers This is a redo of [this PR](rust-lang#108942). Left the commit as before (except for reflowing to 80-width), since it already got approved.
Rollup merge of rust-lang#121195 - D0liphin:master, r=ehuss unstable-book: Separate testing and production sanitizers This is a redo of [this PR](rust-lang#108942). Left the commit as before (except for reflowing to 80-width), since it already got approved.
@JohnCSimon just to be sure, how do I reopen this?
unstable-book: Separate testing and production sanitizers This is a redo of [this PR](rust-lang/rust#108942). Left the commit as before (except for reflowing to 80-width), since it already got approved.
I clicked "reopen pull request"
It seems like these changes were merged in #121195, so I'll close this.
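A defender's check for the situation raised in the pull request description, as an added example that is not part of the original thread or of the Rust project's code: it lists setuid/setgid files in a directory whose bytes contain sanitizer runtime symbol prefixes. The function names and the default `/usr/bin` directory are assumptions, and the byte match is a heuristic that a fully stripped binary can evade.

```rust
use std::fs;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

// Symbol-name prefixes used by the ASan, TSan, MSan and LSan runtimes.
// Matching them in raw bytes is a heuristic (assumption of this example).
const MARKERS: [&str; 4] = ["__asan_", "__tsan_", "__msan_", "__lsan_"];

/// Returns the sanitizer prefixes that occur anywhere in `bytes`.
fn sanitizer_markers(bytes: &[u8]) -> Vec<&'static str> {
    MARKERS
        .iter()
        .copied()
        .filter(|m| bytes.windows(m.len()).any(|w| w == m.as_bytes()))
        .collect()
}

/// True when the mode carries the setuid (0o4000) or setgid (0o2000) bit.
fn is_privileged(mode: u32) -> bool {
    mode & 0o6000 != 0
}

/// Scans one directory (non-recursive) for privileged files that look sanitized.
fn scan(dir: &Path) -> std::io::Result<Vec<(PathBuf, Vec<&'static str>)>> {
    let mut hits = Vec::new();
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        // symlink_metadata: judge the entry itself, do not follow symlinks.
        let meta = match fs::symlink_metadata(&path) {
            Ok(m) => m,
            Err(_) => continue,
        };
        if !meta.is_file() || !is_privileged(meta.permissions().mode()) {
            continue;
        }
        // Unreadable files are skipped; run with enough rights to read them all.
        if let Ok(bytes) = fs::read(&path) {
            let found = sanitizer_markers(&bytes);
            if !found.is_empty() {
                hits.push((path, found));
            }
        }
    }
    Ok(hits)
}

fn main() -> std::io::Result<()> {
    let dir = std::env::args().nth(1).unwrap_or_else(|| "/usr/bin".into());
    for (path, found) in scan(Path::new(&dir))? {
        println!("{}: setuid/setgid with sanitizer runtime {:?}", path.display(), found);
    }
    Ok(())
}
```

Any hit is a candidate for rebuilding without the sanitizer or for dropping the setuid/setgid bit.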