This is the mail archive of the
gdb-patches@sources.redhat.com
mailing list for the GDB project.
Re: RFC: Check permissions of .gdbinit files
- From: "Nathan J. Williams" <nathanw at wasabisystems dot com>
- To: Daniel Jacobowitz <drow at false dot org>
- Cc: gdb-patches at sourceware dot org
- Date: 30 May 2005 15:01:28 -0400
- Subject: Re: RFC: Check permissions of .gdbinit files
- References: <20050530185201.GA29332@nevyn.them.org>
Daniel Jacobowitz <drow@false.org> writes:
> Gentoo recently published a security update for GDB, citing the fact that
> GDB would load .gdbinit from the current directory even if that was owned by
> another user. I'm not sure how I feel about running GDB in an untrusted
> directory or on untrusted binaries and expecting it to behave sensibly, but
> this particular issue is easy to fix. Here's my suggested fix; it's not the
> same as Gentoo's. If .gdbinit is world writable or owned by a different
> user, refuse to open it (and warn the user).
>
> Anyone have opinions on this change?
I think the "owned by a different user" change is problematic. I've
used build systems that autogenerated .gdbinit files in the build
tree, and it would be entirely sensible for one developer to go and
debug another developer's build.
It does seem reasonable to refuse to execute a world-writable
.gdbinit.
- Nathan