This is the mail archive of the gdb-patches@sources.redhat.com mailing list for the GDB project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: RFC: Check permissions of .gdbinit files


On Tue, May 31, 2005 at 12:29:24AM +0200, Andreas Schwab wrote:
> Daniel Jacobowitz <drow@false.org> writes:
> 
> > Gentoo recently published a security update for GDB, citing the fact that
> > GDB would load .gdbinit from the current directory even if that was owned by
> > another user.  I'm not sure how I feel about running GDB in an untrusted
> > directory or on untrusted binaries and expecting it to behave sensibly, but
> > this particular issue is easy to fix.  Here's my suggested fix; it's not the
> > same as Gentoo's.  If .gdbinit is world writable or owned by a different
> > user, refuse to open it (and warn the user).
> >
> > Anyone have opinions on this change?
> 
> IMHO you should at least allow the same group owner.

Can you explain why?  I'm trying not to encode too much site policy
into GDB; that's not its business.  Many people still use setups with a
single "users" group for most users.

-- 
Daniel Jacobowitz
CodeSourcery, LLC


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]