From: Andreas Schwab
To: gdb-patches@sourceware.org
Subject: Re: RFC: Check permissions of .gdbinit files
References: <20050530185201.GA29332@nevyn.them.org>
Date: Mon, 30 May 2005 22:42:00 -0000
In-Reply-To: <20050530185201.GA29332@nevyn.them.org> (Daniel Jacobowitz's message of "Mon, 30 May 2005 14:52:01 -0400")

Daniel Jacobowitz writes:

> Gentoo recently published a security update for GDB, citing the fact that
> GDB would load .gdbinit from the current directory even if that was owned by
> another user. I'm not sure how I feel about running GDB in an untrusted
> directory or on untrusted binaries and expecting it to behave sensibly, but
> this particular issue is easy to fix. Here's my suggested fix; it's not the
> same as Gentoo's. If .gdbinit is world writable or owned by a different
> user, refuse to open it (and warn the user).
>
> Anyone have opinions on this change?

IMHO you should at least allow the same group owner.

Andreas.

-- 
Andreas Schwab, SuSE Labs, schwab@suse.de
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
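
The check described in the quoted message (refuse a `.gdbinit` that is world-writable or owned by a different user, and warn), as an added example that is not part of this thread and is not GDB's code or the proposed patch. The function and enum names are hypothetical, and checking the already opened descriptor with `fstat()` and comparing against `getuid()` are this example's assumptions.

```c
/* Added example, not GDB's code. All names here are hypothetical. */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

enum init_verdict { INIT_OK, INIT_STAT_FAILED, INIT_OTHER_OWNER, INIT_WORLD_WRITABLE };

/* Policy from the quoted message: refuse a file owned by a different user
   or writable by everyone. The group-write bit is not examined here. */
enum init_verdict init_file_verdict(const struct stat *st, uid_t me)
{
    if (st->st_uid != me)
        return INIT_OTHER_OWNER;
    if (st->st_mode & S_IWOTH)
        return INIT_WORLD_WRITABLE;
    return INIT_OK;
}

/* Open first, then fstat() the descriptor, so the file that was checked is
   the file that will be read (no gap between a stat() and a later open()).
   Returns a readable descriptor, or -1 if the file is absent or refused. */
int open_trusted_init(const char *path)
{
    static const char *const why[] = { "", "cannot stat it",
        "it is owned by another user", "it is world-writable" };
    struct stat st;
    enum init_verdict v = INIT_STAT_FAILED;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;                      /* no init file here: nothing to warn about */
    if (fstat(fd, &st) == 0)
        v = init_file_verdict(&st, getuid());
    if (v != INIT_OK) {
        fprintf(stderr, "warning: not reading %s: %s\n", path, why[v]);
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_trusted_init(".gdbinit");
    if (fd >= 0) { puts(".gdbinit accepted"); close(fd); }
    return 0;
}
```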