From: Doug Evans
To: Tom Tromey
Cc: Jan Kratochvil, gdb-patches@sourceware.org
Date: Mon, 09 May 2011 22:30:00 -0000
Subject: Re: [RFA] Add $pdir as entry for libthread-db-search-path.
References: <20110429035837.9A1EA24619F@ruffy.mtv.corp.google.com> <20110429123634.GA23843@host1.jankratochvil.net> <20110429170824.GA6107@host1.jankratochvil.net> <20110502191455.GA6481@host1.jankratochvil.net>

On Fri, May 6, 2011 at 11:40 AM, Tom Tromey wrote:
>>>>>> "Doug" == Doug Evans writes:
>
> Doug> Thanks, but I'm still stuck ...
>
> I have gone back and forth on this a few times.
>
> On the one hand, I think people running gdb on an untrusted executable
> are acting naively.  I think this is true even for a python-less build
> using -nx -- I just don't think gdb or bfd has had enough scrutiny along
> these lines to warrant trust.
>
> On the other hand, I think it makes sense to aim for trustworthiness as
> a goal, because gdb is a powerful tool for inspecting executables.
>
> I think my overall preference would be for gdb to run securely by
> default, with some runtime settings to let users override this.
>
> Also I don't have any problem recognizing that different organizations
> build gdb in different ways for their own reasons, and making
> accommodations for that.  That is, a configure option to make $pdir the
> default seems fine to me, if you want something like that.
>
> Doug> Question for the group at large (and it doesn't matter to me which
> Doug> way we go, I just want to make forward progress ...).
> Doug> Do we enforce such security concerns in FSF gdb?
>
> IMO, yes.
>
> Doug> Second,
> Doug> If we address these security concerns what is the solution?
> Doug> One proposal is on the table.
> Doug> [Maintain a list of trusted paths in gdb and have a flag for
> Doug> permissive/restrictive mode.
> Doug> If in restrictive mode libthread_db and autoloaded python/gdbinit code
> Doug> has to come from a trusted path.
> Doug> I think one could take this further though.]
>
> It seems reasonable to me.
>
> Doug> Last,
> Doug> Do we need to address this before adding my $pdir patch?
>
> IMO, no, but it would be nicer that way.

If I also add $sdir to specify a plain dlopen (LIBTHREAD_DB) and put that
ahead of $pdir ("s" for system), then I can have $pdir and not change the
current behaviour (though I still think $pdir should come first - we can
move it first after whatever security model is added).
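The trusted-path proposal quoted in the thread (a list of trusted directories plus a permissive/restrictive switch, with $sdir meaning a plain dlopen and $pdir meaning the directory of the inferior's libpthread) as a worked example. This is added illustration code, not gdb's implementation; the function names, the ':'-separated search path, the (load, reason) return pairs and the constructed directory layout are assumptions. The check canonicalizes both sides before comparing, because a symlink sitting inside a trusted directory would otherwise let a file outside it pass the prefix test.

```python
"""Trusted-path policy for auto-loaded debugger helpers (libthread_db,
python/gdbinit).  Hypothetical illustration of the proposal discussed in
the thread; not gdb code.  Names, the ':' separator and the exact meaning
of the $sdir/$pdir markers are assumptions."""
import os
import tempfile

SDIR = "$sdir"  # marker: plain dlopen() through the system search path
PDIR = "$pdir"  # marker: directory holding the inferior's libpthread


def canonical(path):
    """Absolute path with symlinks and '..' resolved, so a link planted
    inside a trusted directory cannot point at code outside it."""
    return os.path.realpath(os.path.abspath(path))


def is_under(path, directory):
    """True if the canonical form of path lies inside canonical directory."""
    p, d = canonical(path), canonical(directory)
    try:
        return os.path.commonpath([p, d]) == d
    except ValueError:  # paths on different drives (Windows)
        return False


def expand_search_path(search_path, libpthread_dir):
    """Turn a ':'-separated libthread-db search path into concrete lookups.

    Returns a list of (kind, value): ("dlopen", None) for $sdir and
    ("dir", directory) for $pdir or a literal directory.  $pdir is dropped
    when no libpthread has been seen yet (libpthread_dir is None).
    """
    lookups = []
    for entry in search_path.split(":"):
        if entry == SDIR:
            lookups.append(("dlopen", None))
        elif entry == PDIR:
            if libpthread_dir is not None:
                lookups.append(("dir", libpthread_dir))
        elif entry:
            lookups.append(("dir", entry))
    return lookups


def decide(candidate, trusted_dirs, restrictive):
    """Return (load, reason) for one candidate file under the policy."""
    if any(is_under(candidate, d) for d in trusted_dirs):
        return True, "trusted"
    if restrictive:
        return False, "outside trusted path; refused in restrictive mode"
    return True, "outside trusted path; loaded only because mode is permissive"


def run_demo():
    """Constructed scenario: a trusted lib dir, an untrusted dir, and a
    symlink inside the trusted dir that escapes to the untrusted one."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "lib")
        evil = os.path.join(root, "evil")
        os.makedirs(trusted)
        os.makedirs(evil)
        good_lib = os.path.join(trusted, "libthread_db.so.1")
        bad_lib = os.path.join(evil, "libthread_db.so.1")
        for f in (good_lib, bad_lib):
            open(f, "w").close()  # empty stand-ins; nothing is dlopen'ed here
        os.symlink(evil, os.path.join(trusted, "link"))
        via_link = os.path.join(trusted, "link", "libthread_db.so.1")

        results["trusted_direct"] = decide(good_lib, [trusted], True)
        results["outside_restrictive"] = decide(bad_lib, [trusted], True)
        results["outside_permissive"] = decide(bad_lib, [trusted], False)
        results["symlink_escape_restrictive"] = decide(via_link, [trusted], True)
        # $pdir resolves to the trusted dir here, so the first directory
        # lookup in the expanded path is one the policy accepts.
        results["expanded"] = expand_search_path("$sdir:$pdir", trusted)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Run as a script it prints the four decisions and the expanded search path; the permissive case still reports that the file came from outside the trusted set, so a log line can carry the reason even when loading goes ahead.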