This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.



Re: [RFA] Add $pdir as entry for libthread-db-search-path.


On Fri, May 6, 2011 at 11:40 AM, Tom Tromey <tromey@redhat.com> wrote:
>>>>>> "Doug" == Doug Evans <dje@google.com> writes:
>
> Doug> Thanks, but I'm still stuck ...
>
> I have gone back and forth on this a few times.
>
> On the one hand, I think people running gdb on an untrusted executable
> are acting naively. I think this is true even for a python-less build
> using -nx -- I just don't think gdb or bfd has had enough scrutiny along
> these lines to warrant trust.
>
> On the other hand, I think it makes sense to aim for trustworthiness as
> a goal, because gdb is a powerful tool for inspecting executables.
>
> I think my overall preference would be for gdb to run securely by
> default, with some runtime settings to let users override this.
>
> Also I don't have any problem recognizing that different organizations
> build gdb in different ways for their own reasons, and making
> accommodations for that. That is, a configure option to make $pdir the
> default seems fine to me, if you want something like that.
>
> Doug> Question for the group at large (and it doesn't matter to me which
> Doug> way we go, I just want to make forward progress ...).
> Doug> Do we enforce such security concerns in FSF gdb?
>
> IMO, yes.
>
> Doug> Second,
> Doug> If we address these security concerns what is the solution?
> Doug> One proposal is on the table.
> Doug> [Maintain a list of trusted paths in gdb and have a flag for
> Doug> permissive/restrictive mode.
> Doug> If in restrictive mode libthread_db and autoloaded python/gdbinit code
> Doug> has to come from a trusted path.
> Doug> I think one could take this further though.]
>
> It seems reasonable to me.
>
> Doug> Last,
> Doug> Do we need to address this before adding my $pdir patch?
>
> IMO, no, but it would be nicer that way.

If I also add $sdir to specify a plain dlopen (LIBTHREAD_DB) and put
that ahead of $pdir ("s" for system), then I can have $pdir and not
change the current behaviour (though I still think $pdir should come
first - we can move it first after whatever security model is added).
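
The restrictive-mode proposal from this thread, applied to a search path containing $sdir and $pdir, as an added example (not code from GDB or from the patch under discussion). The trusted directory list, the function names, and the rule that $sdir is always allowed are assumptions made for illustration; a real check would also canonicalize paths before comparing them.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed trusted-directory list; a real one would be configurable. */
static const char *const trusted_dirs[] = { "/lib", "/usr/lib" };

/* True if dir is a trusted directory or lies beneath one.  Matches whole
   path components and refuses relative paths and anything with "..". */
static bool dir_is_trusted(const char *dir)
{
    if (dir[0] != '/' || strstr(dir, "..") != NULL)
        return false;
    for (size_t i = 0; i < sizeof trusted_dirs / sizeof trusted_dirs[0]; i++) {
        size_t n = strlen(trusted_dirs[i]);
        if (strncmp(dir, trusted_dirs[i], n) == 0
            && (dir[n] == '\0' || dir[n] == '/'))
            return true;
    }
    return false;
}

/* Walk a colon-separated search path in order.  "$sdir" (plain dlopen by
   the system loader) is always allowed here, which is an assumption.
   "$pdir" expands to pdir, the directory libpthread was loaded from.  In
   restrictive mode every other directory must be trusted.  Copies the first
   allowed entry into first and returns the number of allowed entries. */
static int filter_search_path(const char *path, const char *pdir,
                              bool restrictive, char *first, size_t first_len)
{
    int allowed = 0;
    first[0] = '\0';
    while (*path != '\0') {
        size_t len = strcspn(path, ":");
        char entry[256];
        snprintf(entry, sizeof entry, "%.*s", (int) len, path);
        bool is_sdir = strcmp(entry, "$sdir") == 0;
        const char *dir = strcmp(entry, "$pdir") == 0 ? pdir : entry;
        if (len > 0 && (is_sdir || !restrictive || dir_is_trusted(dir))
            && allowed++ == 0)
            snprintf(first, first_len, "%s", dir);
        path += len + (path[len] == ':');
    }
    return allowed;
}

int main(void)
{
    char first[256];
    int n = filter_search_path("$pdir:$sdir", "/tmp/untrusted/lib", true,
                               first, sizeof first);
    printf("%d allowed, first: %s\n", n, first);
    return 0;
}
```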

