From: Tom Tromey <tromey@redhat.com>
To: Doug Evans <dje@google.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>, gdb-patches@sourceware.org
Subject: Re: [RFA] Add $pdir as entry for libthread-db-search-path.
Date: Fri, 06 May 2011 18:40:00 -0000 [thread overview]
Message-ID: <m339krwu3l.fsf@fleche.redhat.com> (raw)
In-Reply-To: <BANLkTim6cAbsJXhN6-x4mJL_Mywyk7NN+w@mail.gmail.com> (Doug Evans's message of "Mon, 2 May 2011 12:50:48 -0700")
>>>>> "Doug" == Doug Evans <dje@google.com> writes:
Doug> Thanks, but I'm still stuck ...
I have gone back and forth on this a few times.
On the one hand, I think people running gdb on an untrusted executable
are acting naively. I think this is true even for a python-less build
using -nx -- I just don't think gdb or bfd has had enough scrutiny along
these lines to warrant trust.
On the other hand, I think it makes sense to aim for trustworthiness as
a goal, because gdb is a powerful tool for inspecting executables.
I think my overall preference would be for gdb to run securely by
default, with some runtime settings to let users override this.
Also I don't have any problem recognizing that different organizations
build gdb in different ways for their own reasons, and making
accommodations for that. That is, a configure option to make $pdir the
default seems fine to me, if you want something like that.
Doug> Question for the group at large (and I it doesn't matter to me which
Doug> way we go, I just want to make forward progress ...).
Doug> Do we enforce such security concerns in FSF gdb?
IMO, yes.
Doug> Second,
Doug> If we address these security concerns what is the solution?
Doug> One proposal is on the table.
Doug> [Maintain a list of trusted paths in gdb and have a flag for
Doug> permissive/restrictive mode.
Doug> If in restrictive mode libthread_db and autoloaded python/gdbinit code
Doug> has to come from a trusted path.
Doug> I think one could take this further though.]
It seems reasonable to me.
Doug> Last,
Doug> Do we need to address this before adding my $pdir patch?
IMO, no, but it would be nicer that way.
Tom
next prev parent reply other threads:[~2011-05-06 18:40 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-29 3:59 Doug Evans
2011-04-29 12:36 ` Jan Kratochvil
2011-04-29 16:49 ` Doug Evans
2011-04-29 17:08 ` Jan Kratochvil
[not found] ` <BANLkTinagVcXZqvOg80eoFMnyaw9T0OYUw@mail.gmail.com>
2011-05-01 18:34 ` Doug Evans
2011-05-02 19:15 ` Jan Kratochvil
2011-05-02 19:51 ` Doug Evans
2011-05-06 18:40 ` Tom Tromey [this message]
2011-05-09 22:30 ` Doug Evans
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m339krwu3l.fsf@fleche.redhat.com \
--to=tromey@redhat.com \
--cc=dje@google.com \
--cc=gdb-patches@sourceware.org \
--cc=jan.kratochvil@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox