From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 31086 invoked by alias); 30 May 2005 21:55:01 -0000 Mailing-List: contact gdb-patches-help@sources.redhat.com; run by ezmlm Precedence: bulk List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-patches-owner@sources.redhat.com Received: (qmail 31072 invoked by uid 22791); 30 May 2005 21:54:56 -0000 Received: from legolas.inter.net.il (HELO legolas.inter.net.il) (192.114.186.24) by sourceware.org (qpsmtpd/0.30-dev) with ESMTP; Mon, 30 May 2005 21:54:56 +0000 Received: from HOME-C4E4A596F7 (IGLD-84-228-240-218.inter.net.il [84.228.240.218]) by legolas.inter.net.il (MOS 3.5.8-GR) with ESMTP id EML44908 (AUTH halo1); Tue, 31 May 2005 00:54:41 +0300 (IDT) Date: Mon, 30 May 2005 22:29:00 -0000 Message-Id: From: Eli Zaretskii To: gdb-patches@sourceware.org In-reply-to: <20050530185201.GA29332@nevyn.them.org> (message from Daniel Jacobowitz on Mon, 30 May 2005 14:52:01 -0400) Subject: Re: RFC: Check permissions of .gdbinit files Reply-to: Eli Zaretskii References: <20050530185201.GA29332@nevyn.them.org> X-SW-Source: 2005-05/txt/msg00650.txt.bz2 > Date: Mon, 30 May 2005 14:52:01 -0400 > From: Daniel Jacobowitz > > Gentoo recently published a security update for GDB, citing the fact that > GDB would load .gdbinit from the current directory even if that was owned by > another user. I'm not sure how I feel about running GDB in an untrusted > directory or on untrusted binaries and expecting it to behave sensibly, but > this particular issue is easy to fix. Here's my suggested fix; it's not the > same as Gentoo's. If .gdbinit is world writable or owned by a different > user, refuse to open it (and warn the user). > > Anyone have opinions on this change? Hmm... bother. This change might break some of the non-Posix platforms. Perhaps I missed something, but AFAICS MinGW lacks the definition of S_IWOTH, so this will fail to compile for MinGW. But even if it did compile, the MinGW version of `fstat' returns the S_IWOTH bit set for all files, so the MinGW port will probably always display the warning. The DJGPP port will not be affected: it does have S_IWOTH and it reports the S_IWOTH bit as reset. Can't easily check Cygwin here, but I'm guessing it will do TRT here as well. > + error (_("source command requires pathname of file to source.")); I think the message text should begin with a capital letter (yes, I know the original didn't do it, either). > - stream = fopen (file, FOPEN_RT); > - if (!stream) > + fd = open (file, O_RDONLY); > + if (fd != -1) > + stream = fdopen (fd, FOPEN_RT); Could you please tell why you replaced `fopen' with `open'+`fdopen'? > + if (statbuf.st_uid != getuid () || (statbuf.st_mode & S_IWOTH)) Shouldn't we allow this to go unnoticed for root? > + warning (_("not using untrusted file \"%s\""), file); I think the message text should begin with a capital letter. Last, but not least: if we decide to make such a change (which to my HO sounds like a good idea, in general), we should describe this subtlety (and the warning it could produce) in the user's manual.