Date: Mon, 30 May 2005 22:49:00 -0000
From: Daniel Jacobowitz
To: Andreas Schwab
Cc: gdb-patches@sourceware.org
Subject: Re: RFC: Check permissions of .gdbinit files
Message-ID: <20050530223305.GA2727@nevyn.them.org>
References: <20050530185201.GA29332@nevyn.them.org>

On Tue, May 31, 2005 at 12:29:24AM +0200, Andreas Schwab wrote:
> Daniel Jacobowitz writes:
>
> > Gentoo recently published a security update for GDB, citing the fact that
> > GDB would load .gdbinit from the current directory even if that was owned by
> > another user.  I'm not sure how I feel about running GDB in an untrusted
> > directory or on untrusted binaries and expecting it to behave sensibly, but
> > this particular issue is easy to fix.  Here's my suggested fix; it's not the
> > same as Gentoo's.  If .gdbinit is world writable or owned by a different
> > user, refuse to open it (and warn the user).
> >
> > Anyone have opinions on this change?
>
> IMHO you should at least allow the same group owner.

Can you explain why?  I'm trying not to encode too much site policy into
GDB; that's not its business.  Many people still use setups with a single
"users" group for most users.

-- 
Daniel Jacobowitz
CodeSourcery, LLC
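
The check described in the message (refuse a .gdbinit that is world writable or owned by a different user), written out as an added example. This is not the patch from the thread and not GDB's code. The function name open_trusted_init and the refuse_group_writable switch are hypothetical, and checking the opened descriptor with fstat() rather than the path is a choice made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a GDB function.  Open PATH for reading only if it
   is a regular file owned by the effective user and not world writable.
   REFUSE_GROUP_WRITABLE is an optional stricter policy added for this
   example.  Returns a descriptor, or -1 with errno set (EPERM on refusal).  */
int
open_trusted_init (const char *path, int refuse_group_writable)
{
  struct stat st;
  int fd = open (path, O_RDONLY);

  if (fd < 0)
    return -1;

  /* Check the opened descriptor rather than the path, so the file that was
     checked is the file that gets read even if PATH is replaced afterwards.  */
  int ok = fstat (fd, &st) == 0
           && S_ISREG (st.st_mode)
           && st.st_uid == geteuid ()
           && (st.st_mode & S_IWOTH) == 0
           && !(refuse_group_writable && (st.st_mode & S_IWGRP));
  if (!ok)
    {
      close (fd);
      errno = EPERM;
      return -1;
    }
  return fd;
}

int
main (int argc, char **argv)
{
  const char *path = argc > 1 ? argv[1] : ".gdbinit";
  int fd = open_trusted_init (path, 0);

  if (fd < 0)
    {
      perror (path);   /* warn and carry on without the file */
      return 1;
    }
  printf ("%s passed the ownership and mode checks\n", path);
  close (fd);
  return 0;
}
```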