rfc/patch: debuginfod client $DEBUGINFOD_PROGRESS env var
Frank Ch. Eigler
fche@redhat.com
Thu Dec 19 00:44:00 GMT 2019
Hi -
> > That's not that serious a category of concern. Environment variables
> > are not under control of untrusted agents. FWIW, $DEBUGINFOD_CACHE is
> > considerably more dangerous in that regard (cache cleaning!).
>
> You have a way to make me even more scared of security issues than less
> :)
>
> It would actually be pretty bad if a user made the mistake to set
> DEBUGINFOD_CACHE to e.g. their home directory by mistake.
Yeah, those bothering to override the default path have to be careful.
> Could we have some extra safeguard there? e.g. If the directory already
> exist check whether it is completely empty or if it isn't empty it
> contains a cache_clean_interval file? Or at least only delete files
> that follow our creation pattern:
> <build-id-hexstring>/[debuginfo|executable|source]?
This sounds prudent. Will work on that.
- FChE
More information about the Elfutils-devel
mailing list