From: Tom Tromey
To: Doug Evans
Cc: Jan Kratochvil, gdb-patches@sourceware.org
Subject: Re: [RFA] Add $pdir as entry for libthread-db-search-path.
Date: Fri, 06 May 2011 18:40:00 -0000
In-Reply-To: (Doug Evans's message of "Mon, 2 May 2011 12:50:48 -0700")

>>>>> "Doug" == Doug Evans writes:

Doug> Thanks, but I'm still stuck ...

I have gone back and forth on this a few times.

On the one hand, I think people running gdb on an untrusted executable are acting naively. I think this is true even for a python-less build using -nx -- I just don't think gdb or bfd has had enough scrutiny along these lines to warrant trust.

On the other hand, I think it makes sense to aim for trustworthiness as a goal, because gdb is a powerful tool for inspecting executables.

I think my overall preference would be for gdb to run securely by default, with some runtime settings to let users override this.

Also I don't have any problem recognizing that different organizations build gdb in different ways for their own reasons, and making accommodations for that. That is, a configure option to make $pdir the default seems fine to me, if you want something like that.

Doug> Question for the group at large (and it doesn't matter to me which
Doug> way we go, I just want to make forward progress ...).
Doug> Do we enforce such security concerns in FSF gdb?

IMO, yes.

Doug> Second,
Doug> If we address these security concerns what is the solution?
Doug> One proposal is on the table.
Doug> [Maintain a list of trusted paths in gdb and have a flag for
Doug> permissive/restrictive mode.
Doug> If in restrictive mode libthread_db and autoloaded python/gdbinit code
Doug> has to come from a trusted path.
Doug> I think one could take this further though.]

It seems reasonable to me.

Doug> Last,
Doug> Do we need to address this before adding my $pdir patch?

IMO, no, but it would be nicer that way.

Tom
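
The trusted-path check proposed in the quoted text, as an added C example that is not code from this thread or from gdb. The names `trust_mode`, `path_is_under` and `file_is_trusted` and the sample list containing `/usr` are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700                      /* for realpath() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for the permissive/restrictive flag. */
enum trust_mode { PERMISSIVE, RESTRICTIVE };
/* Constructed sample list; a real build would read it from configuration. */
static const char *const sample_trusted[] = { "/usr", NULL };

/* 1 if canonical path FILE lies inside canonical directory DIR.  The match
   must end on a '/' so that "/usr" does not also cover "/usrlocal". */
static int path_is_under(const char *dir, const char *file)
{
    size_t n = strlen(dir);
    if (dir[0] != '/')
        return 0;                              /* refuse relative or empty */
    while (n > 1 && dir[n - 1] == '/')
        n--;                                   /* ignore trailing slashes */
    if (strncmp(dir, file, n) != 0)
        return 0;
    return n == 1 || file[n] == '/';
}

/* May FILE (libthread_db, an auto-loaded script) be loaded?  Both sides are
   canonicalised, so ".." and symlinks cannot escape; unresolvable = refused. */
int file_is_trusted(const char *file, const char *const *trusted, enum trust_mode mode)
{
    if (mode == PERMISSIVE)
        return 1;
    char *real_file = realpath(file, NULL);
    if (real_file == NULL)
        return 0;
    int ok = 0;
    for (size_t i = 0; !ok && trusted[i] != NULL; i++) {
        char *real_dir = realpath(trusted[i], NULL);
        if (real_dir != NULL)
            ok = path_is_under(real_dir, real_file);
        free(real_dir);
    }
    free(real_file);
    return ok;
}

int main(void)
{
    const char *probe[] = { "/usr/bin", "/usr/../etc", "/nonexistent/x.so" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s %s\n", probe[i], file_is_trusted(probe[i],
               sample_trusted, RESTRICTIVE) ? "load" : "refuse");
}
```

The check is made on the resolved path rather than the string the user or the inferior supplied, which is what keeps a `..` component or a symlink from defeating the list.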