This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [patch] New set auto-load-local-gdbinit + disable it by default

From: Tom Tromey <tromey at redhat dot com>
To: Eli Zaretskii <eliz at gnu dot org>
Cc: Jan Kratochvil <jan dot kratochvil at redhat dot com>, gdb-patches at sourceware dot org
Date: Tue, 17 Jan 2012 13:19:21 -0700
Subject: Re: [patch] New set auto-load-local-gdbinit + disable it by default
References: <20120117095552.GA6141@host2.jankratochvil.net> <E1Rn6Ac-0005ne-1z@fencepost.gnu.org>

>>>>> "Eli" == Eli Zaretskii <eliz@gnu.org> writes:

Jan> Still at least the setting should go in and then one can then have
Jan> "set auto-load-local-gdbinit off" at least in ~/.gdbinit.  Anyway I
Jan> would file a FESCo (Fedora Engineering Steering Committee) ticket
Jan> for such "off" in /etc/gdbinit at least in distro and IMHO it needs
Jan> to get approved (but maybe not, it would be another fork from
Jan> upstream).

Eli> I think this is a draconian measure.  It prevents me from having a
Eli> .gdbinit file loaded automatically as appropriate for a program I'm
Eli> debugging.  Prominent examples include GDB itself and Emacs, which
Eli> both come with a .gdbinit file that makes debugging much easier.

Jan> And "gdb -x ./.gdbinit" is a pretty simple way to do what one wants to do.

Eli> "gdb -x .gdbinit" is much longer than just "gdb".

You can also put the setting into your ~/.gdbinit and get the old
behavior back.

I read through this thread and, while I agree that this change is
inconvenient, I think the inconvenience is outweighed by the security
implications.  I consider this to be similar to putting "." in PATH.
We're just lucky that it hasn't been exploited yet (or at least that we
haven't gotten the blame).

Well, I "agree" with it -- I am not happy about it by a long stretch.
I'm tempted by the idea that gdb should be insecure by default and we
should require "-safe"... but on balance this seems irresponsible to me,
as I think that tools should generally be secure by default.

FWIW, I think this patch doesn't go far enough :-(
Some other topics for consideration; perhaps the new option could cover
all such cases.

* Auto-loading of Python code from the filesystem.
  Perhaps we could have a set of trusted directories; but I wonder if
  there are issues with sysroots starting with "remote:".

* Auto-loading of Python code from objfiles.
  Even more dangerous.

* The JIT interface.
  I'm not sure whether this can be exploited or not.

FWIW, I will probably set the new parameter in my own .gdbinit and use
"-safe" in those rare instances that I do something other than debug
programs that I built myself.

Tom

References:
- [patch] New set auto-load-local-gdbinit + disable it by default
  - From: Jan Kratochvil
- Re: [patch] New set auto-load-local-gdbinit + disable it by default
  - From: Eli Zaretskii

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]