This is the mail archive of the gdb-patches@sources.redhat.com mailing list for the GDB project.



Re: RFC: Check permissions of .gdbinit files


Daniel Jacobowitz <drow@false.org> writes:

> Gentoo recently published a security update for GDB, citing the fact that
> GDB would load .gdbinit from the current directory even if that was owned by
> another user.  I'm not sure how I feel about running GDB in an untrusted
> directory or on untrusted binaries and expecting it to behave sensibly, but
> this particular issue is easy to fix.  Here's my suggested fix; it's not the
> same as Gentoo's.  If .gdbinit is world writable or owned by a different
> user, refuse to open it (and warn the user).
> 
> Anyone have opinions on this change?

I think the "owned by a different user" change is problematic. I've
used build systems that autogenerated .gdbinit files in the build
tree, and it would be entirely sensible for one developer to go and
debug another developer's build.

It does seem reasonable to refuse to execute a world-writable
.gdbinit.

        - Nathan
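
The check proposed in the quoted message and the relaxed variant from the reply, sketched in C as an added example (not part of the original thread and not GDB's code). The names check_init_fd and demo_check and the require_owner flag are hypothetical, and the temp file is a constructed fixture.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum init_verdict { INIT_OK, INIT_WORLD_WRITABLE, INIT_FOREIGN_OWNER, INIT_ERROR };

/* Decide whether an already-open init file may be sourced.  fstat() on the
   descriptor checks the same file that will later be read; a stat() on the
   path followed by open() could be raced.  require_owner != 0 selects the
   stricter proposal, 0 the world-writable-only variant (hypothetical flag).  */
enum init_verdict
check_init_fd (int fd, uid_t me, int require_owner)
{
  struct stat st;
  if (fstat (fd, &st) != 0 || !S_ISREG (st.st_mode))
    return INIT_ERROR;
  if (st.st_mode & S_IWOTH)
    return INIT_WORLD_WRITABLE;     /* anyone could have planted commands */
  if (require_owner && st.st_uid != me)
    return INIT_FOREIGN_OWNER;      /* another developer's build tree */
  return INIT_OK;
}

/* Constructed fixture: create a temp file with MODE and check it as if the
   caller were user ME, so a foreign owner can be simulated without root.  */
enum init_verdict
demo_check (mode_t mode, uid_t me, int require_owner)
{
  char path[] = "/tmp/gdbinit-demo-XXXXXX";
  int fd = mkstemp (path);
  enum init_verdict v = INIT_ERROR;
  if (fd < 0)
    return INIT_ERROR;
  if (fchmod (fd, mode) == 0)       /* fchmod ignores the umask */
    v = check_init_fd (fd, me, require_owner);
  close (fd);
  unlink (path);
  return v;
}

int main (void)
{
  uid_t me = geteuid ();
  printf ("strict, foreign owner: %d\n", (int) demo_check (0644, me + 1, 1));
  printf ("relaxed, foreign owner: %d\n", (int) demo_check (0644, me + 1, 0));
  return 0;
}
```

Both policies reject a mode-0666 file; only the strict one rejects a 0644 file owned by someone else, which is the shared-build-tree case raised in the reply.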

