classification
Title: test_gdb is disallowed by default security settings in Fedora 17
Type: enhancement
Stage: resolved
Components: Devguide, Tests
Versions:
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: dmalcolm, ezio.melotti, ncoghlan, python-dev, r.david.murray, skrah
Priority: normal
Keywords: patch

Created on 2012-06-11 12:48 by ncoghlan, last changed 2012-11-29 21:40 by dmalcolm. This issue is now closed.

Files
test_gdb_security.patch (uploaded by r.david.murray, 2012-10-27 16:42)
Messages (16)
msg162610 - Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2012-06-11 12:48
Running test_gdb on Fedora 17 produces a litany of the following error:

- warning: File "/home/ncoghlan/devel/py3k/python-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "/usr/share/gdb/auto-load:/usr/lib/debug:/usr/bin/mono-gdb.py".

Presumably some security features in gdb have either been added, or enabled by default, with the F17 update.

The devguide needs to be updated with a reference to the relevant gdb security settings so contributors can get it running again.
msg162611 - Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2012-06-11 12:51
In addition, we should probably report this as a test skip rather than as a litany of test failures.
msg163037 - Author: Roundup Robot (python-dev) Date: 2012-06-17 09:00
New changeset 2db5010a610c by Nick Coghlan in branch '3.2':
Issue #15043: skip test_gdb if the custom hooks can't be loaded
http://hg.python.org/cpython/rev/2db5010a610c
msg163038 - Author: Roundup Robot (python-dev) Date: 2012-06-17 09:04
New changeset ac2f5067c220 by Nick Coghlan in branch '2.7':
Issue #15043: skip test_gdb if the custom hooks can't be loaded (backport from 3.x)
http://hg.python.org/cpython/rev/ac2f5067c220
msg163042 - Author: Roundup Robot (python-dev) Date: 2012-06-17 09:20
New changeset 9456591d0761 by Nick Coghlan in branch 'default':
Merge from 3.2 (Issue #15043: skip test_gdb if the custom hooks can't be loaded)
http://hg.python.org/cpython/rev/9456591d0761
msg163046 - Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2012-06-17 09:34
Added new section to devguide in http://hg.python.org/devguide/rev/9fee8e6c2619
msg163051 - Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2012-06-17 10:15
Also added an FAQ with the specific ~/.gdbinit entry needed to get it running in http://hg.python.org/devguide/rev/1d81501be702

I did try adding a similar command directly to the gdb invocation, but, as far as I can tell, any commands specified as arguments run too late to allow python-gdb.py to be loaded with the current command line invocation.
msg173939 - Author: R. David Murray (r.david.murray) * (Python committer) Date: 2012-10-27 16:42
It does seem to be possible to do this at command invocation.  Patch attached.
msg173950 - Author: Roundup Robot (python-dev) Date: 2012-10-27 17:38
New changeset b71cda2f48c6 by R David Murray in branch '3.2':
#15043: Improve test_gdb support of gdb >= 7.4.
http://hg.python.org/cpython/rev/b71cda2f48c6

New changeset 6f064689b8c0 by R David Murray in branch '3.3':
merge #15043: Improve test_gdb support of gdb >= 7.4.
http://hg.python.org/cpython/rev/6f064689b8c0

New changeset b9141239a5b4 by R David Murray in branch 'default':
merge #15043: Improve test_gdb support of gdb >= 7.4.
http://hg.python.org/cpython/rev/b9141239a5b4
msg173951 - Author: Roundup Robot (python-dev) Date: 2012-10-27 17:48
New changeset 1b1ead5cecae by R David Murray in branch '2.7':
#15043: Improve test_gdb support of gdb >= 7.4.
http://hg.python.org/cpython/rev/1b1ead5cecae
msg173952 - Author: R. David Murray (r.david.murray) * (Python committer) Date: 2012-10-27 17:56
Committed.  Also deleted the paragraph from the devguide faq, since it is no longer needed.
msg176586 - Author: Stefan Krah (skrah) * (Python committer) Date: 2012-11-28 23:09
The test still seems to fail on Fedora 16:

http://buildbot.python.org/all/builders/AMD64%20Fedora%20without%20threads%202.7/builds/906/steps/test/logs/stdio
msg176617 - Author: R. David Murray (r.david.murray) * (Python committer) Date: 2012-11-29 03:16
Since it looks like that is your buildbot, can you do some command line testing to see what is going wrong with the gdb invocation?  I'm wondering if perhaps this feature was backported as a security patch, so that the gdb version check is an insufficient check :(

Or it could be that I got the version check wrong.
msg176638 - Author: Stefan Krah (skrah) * (Python committer) Date: 2012-11-29 11:43
The gdb version is "GNU gdb (GDB) Fedora (7.3.50.20110722-16.fc16)", which
looks like either a pre-release of 7.4 or a patched version.

Testing for (gdb_major_version, gdb_minor_version) >= (7, 3) would fix the
specific failure on Fedora 16, but I don't know if it would break other
7.3.x versions.
msg176673 - Author: Stefan Krah (skrah) * (Python committer) Date: 2012-11-29 21:29
I'm using the .gdbinit solution on the Fedora buildbot now. Trying to
categorize gdb pre-releases and patched versions is probably not a good
use of time. ;)
msg176674 - Author: Dave Malcolm (dmalcolm) (Python committer) Date: 2012-11-29 21:40
In my Fedora Python packages I've been applying this patch:
http://pkgs.fedoraproject.org/cgit/python.git/plain/00156-gdb-autoload-safepath.patch

which uses this code fragment to detect if gdb has the autoload safe path code, rather than trying to guess it from version numbers (which I *think* is failing for Stefan due to a backport of the autoload stuff in that gdb):

import subprocess

def gdb_has_autoload_safepath():
    # Recent GDBs will only auto-load scripts from certain safe
    # locations, so we will need to turn off this protection.
    # However, if the GDB doesn't have it, then the following
    # command will generate noise on stderr (rhbz#817072):
    cmd = "--eval-command=set auto-load safe-path /"
    # universal_newlines=True makes stderr a str on Python 3 as well,
    # so the substring test below does not mix bytes and str.
    p = subprocess.Popen(["gdb", "--batch", cmd],
                         stderr=subprocess.PIPE,
                         universal_newlines=True)
    _, stderr = p.communicate()
    return '"on" or "off" expected.' not in stderr

HAS_AUTOLOAD_SAFEPATH = gdb_has_autoload_safepath()

(etc)
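
Added example (not part of the thread, and not CPython's or Fedora's code): it shows why the (7, 4) version check misses the Fedora 16 gdb from msg176638, and pairs the feature probe from msg176674 with a gdb invocation that trusts only the directory holding python-gdb.py instead of setting the safe-path to "/". Assumptions: the function names and the /tmp/build path are hypothetical, and the gdb build is assumed to accept -iex and add-auto-load-safe-path whenever the probe succeeds.

```python
import os
import re
import subprocess

# stderr text an older gdb prints for the probe (string from msg176674).
OLD_GDB_MARKER = '"on" or "off" expected.'


def parse_gdb_version(banner):
    """Return (major, minor) from the first line of `gdb --version`."""
    m = re.search(r"\b(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("unrecognised gdb banner: %r" % (banner,))
    return int(m.group(1)), int(m.group(2))


def probe_stderr():
    """Run the probe from msg176674 in a throwaway gdb; return its stderr."""
    cmd = "--eval-command=set auto-load safe-path /"
    p = subprocess.Popen(["gdb", "--batch", cmd], stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE, universal_newlines=True)
    return p.communicate()[1]


def has_autoload_safepath(stderr_text):
    """Feature test: the marker only appears when the setting is unknown."""
    return OLD_GDB_MARKER not in stderr_text


def gdb_args(hook_path, stderr_text):
    """Build the gdb argv, trusting only the directory that holds hook_path."""
    args = ["gdb", "--batch"]
    if has_autoload_safepath(stderr_text):
        hook_dir = os.path.dirname(os.path.abspath(hook_path))
        # -iex runs before the inferior is loaded, so the path is trusted
        # in time; unlike "safe-path /" every other location stays blocked.
        args += ["-iex", "add-auto-load-safe-path " + hook_dir]
    return args


if __name__ == "__main__":
    # Banner quoted in msg176638; the empty stderr below is constructed.
    fedora16 = "GNU gdb (GDB) Fedora (7.3.50.20110722-16.fc16)"
    print(parse_gdb_version(fedora16) >= (7, 4))
    print(gdb_args("/tmp/build/python-gdb.py", ""))
```

With gdb installed, pass probe_stderr() as the second argument to gdb_args() in place of the constructed string.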
History
Date User Action Args
2012-11-29 21:40:40 dmalcolm set messages: + msg176674
2012-11-29 21:29:20 skrah set messages: + msg176673
2012-11-29 11:43:06 skrah set messages: + msg176638
2012-11-29 03:16:00 r.david.murray set messages: + msg176617
2012-11-28 23:09:02 skrah set nosy: + skrah; messages: + msg176586
2012-10-27 17:56:24 r.david.murray set status: open -> closed; messages: + msg173952
2012-10-27 17:48:07 python-dev set messages: + msg173951
2012-10-27 17:38:08 python-dev set messages: + msg173950
2012-10-27 16:42:48 r.david.murray set status: closed -> open; files: + test_gdb_security.patch; nosy: + r.david.murray; messages: + msg173939; keywords: + patch
2012-06-17 10:15:41 ncoghlan set messages: + msg163051
2012-06-17 09:34:55 ncoghlan set status: open -> closed; resolution: fixed; messages: + msg163046; stage: resolved
2012-06-17 09:20:00 python-dev set messages: + msg163042
2012-06-17 09:04:08 python-dev set messages: + msg163038
2012-06-17 09:00:49 python-dev set nosy: + python-dev; messages: + msg163037
2012-06-11 12:51:13 ncoghlan set messages: + msg162611; components: + Tests
2012-06-11 12:48:39 ncoghlan create