RFC: Check permissions of .gdbinit files
Daniel Jacobowitz
drow@false.org
Mon May 30 19:53:00 GMT 2005
On Mon, May 30, 2005 at 03:01:28PM -0400, Nathan J. Williams wrote:
> Daniel Jacobowitz <drow@false.org> writes:
>
> > Gentoo recently published a security update for GDB, citing the fact that
> > GDB would load .gdbinit from the current directory even if that was owned by
> > another user. I'm not sure how I feel about running GDB in an untrusted
> > directory or on untrusted binaries and expecting it to behave sensibly, but
> > this particular issue is easy to fix. Here's my suggested fix; it's not the
> > same as Gentoo's. If .gdbinit is world writable or owned by a different
> > user, refuse to open it (and warn the user).
> >
> > Anyone have opinions on this change?
>
> I think the "owned by a different user" change is problematic. I've
> used build systems that autogenerated .gdbinit files in the build
> tree, and it would be entirely sensible for one developer to go and
> debug another developer's build.
Well that's the whole point. You'll get a warning; would you be
happier if the warning explicitly suggested "source .gdbinit"?
--
Daniel Jacobowitz
CodeSourcery, LLC
More information about the Gdb-patches
mailing list