From: Doug Evans <dje@google.com>
To: Tom Tromey <tromey@redhat.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>, gdb-patches@sourceware.org
Subject: Re: [RFA] Add $pdir as entry for libthread-db-search-path.
Date: Mon, 09 May 2011 22:30:00 -0000 [thread overview]
Message-ID: <BANLkTims7pbk_dKPu2OpuuGLWx+_RZ8tww@mail.gmail.com> (raw)
In-Reply-To: <m339krwu3l.fsf@fleche.redhat.com>
On Fri, May 6, 2011 at 11:40 AM, Tom Tromey <tromey@redhat.com> wrote:
>>>>>> "Doug" == Doug Evans <dje@google.com> writes:
>
> Doug> Thanks, but I'm still stuck ...
>
> I have gone back and forth on this a few times.
>
> On the one hand, I think people running gdb on an untrusted executable
> are acting naively. I think this is true even for a python-less build
> using -nx -- I just don't think gdb or bfd has had enough scrutiny along
> these lines to warrant trust.
>
> On the other hand, I think it makes sense to aim for trustworthiness as
> a goal, because gdb is a powerful tool for inspecting executables.
>
> I think my overall preference would be for gdb to run securely by
> default, with some runtime settings to let users override this.
>
> Also I don't have any problem recognizing that different organizations
> build gdb in different ways for their own reasons, and making
> accommodations for that. That is, a configure option to make $pdir the
> default seems fine to me, if you want something like that.
>
> Doug> Question for the group at large (and I it doesn't matter to me which
> Doug> way we go, I just want to make forward progress ...).
> Doug> Do we enforce such security concerns in FSF gdb?
>
> IMO, yes.
>
> Doug> Second,
> Doug> If we address these security concerns what is the solution?
> Doug> One proposal is on the table.
> Doug> [Maintain a list of trusted paths in gdb and have a flag for
> Doug> permissive/restrictive mode.
> Doug> If in restrictive mode libthread_db and autoloaded python/gdbinit code
> Doug> has to come from a trusted path.
> Doug> I think one could take this further though.]
>
> It seems reasonable to me.
>
> Doug> Last,
> Doug> Do we need to address this before adding my $pdir patch?
>
> IMO, no, but it would be nicer that way.
If I also add $sdir to specify a plain dlopen (LIBTHREAD_DB) and put
that ahead of $pdir ("s" for system), then I can have $pdir and not
change the current behaviour (though I still think $pdir should come
first - we can move it first after whatever security model is added).
prev parent reply other threads:[~2011-05-09 22:30 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-29 3:59 Doug Evans
2011-04-29 12:36 ` Jan Kratochvil
2011-04-29 16:49 ` Doug Evans
2011-04-29 17:08 ` Jan Kratochvil
[not found] ` <BANLkTinagVcXZqvOg80eoFMnyaw9T0OYUw@mail.gmail.com>
2011-05-01 18:34 ` Doug Evans
2011-05-02 19:15 ` Jan Kratochvil
2011-05-02 19:51 ` Doug Evans
2011-05-06 18:40 ` Tom Tromey
2011-05-09 22:30 ` Doug Evans [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BANLkTims7pbk_dKPu2OpuuGLWx+_RZ8tww@mail.gmail.com \
--to=dje@google.com \
--cc=gdb-patches@sourceware.org \
--cc=jan.kratochvil@redhat.com \
--cc=tromey@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox