From Fedora Project Wiki

 
(15 intermediate revisions by 3 users not shown)
Line 17: Line 17:
<pre>
<pre>
% export DEBUGINFOD_PROGRESS=1
% export DEBUGINFOD_PROGRESS=1
</pre>
If you want to see exactly which network requests are being made and which cached files are used you can set $DEBUGINFOD_VERBOSE ('''warning:''' very verbose):
<pre>
% export DEBUGINFOD_VERBOSE=1
</pre>
If you want to limit download times and/or sizes, and are running elfutils version 0.186+, you can set these variables:
<pre>
% export DEBUGINFOD_MAXTIME=10      # seconds
% export DEBUGINFOD_MAXSIZE=10000000 # bytes
</pre>
</pre>


Line 23: Line 36:
== Disabling ==
== Disabling ==


If you wish to completely opt out of this service, simply set $DEBUGINFOD_URLS to an empty string.
If you wish to completely opt out of this service, clear $DEBUGINFOD_URLS. You can do this in your '''.bashrc''' file, depending on shell.
 
<pre>
unset DEBUGINFOD_URLS
</pre>
 
You may also disable it exclusively on GDB by adding the following command on your '''.gdbinit''', or using it before starting your debug session:
 
<pre>
set debuginfod enabled off
</pre>


If you have a local debuginfod cache that you'd like to use, but don't want to attempt any upstream debuginfod queries, set $DEBUGINFOD_URLS to something non-empty but ineffective, such as /dev/null.
If you have a local debuginfod cache that you'd like to use, but don't want to attempt any upstream debuginfod queries, set $DEBUGINFOD_URLS to something non-empty but ineffective, such as /dev/null.


== Security FAQ ==
Clients automatically clean the cache of files not accessed in a while.  You may also remove the debuginfod cache directory '''$HOME/.cache/debuginfod_client''' at any time.
 
== Security ==
 
While we intend to operate the fedora debuginfod server in a secure manner, some concerns naturally arise.
 
'''Integrity'''
 
The fedora debuginfod server extracts files verbatim from koji-built RPMs, usually signed RPMs.  However, until Fedora 39, no per-file signature facilities were in effect, so debuginfod could really assure the clients that the files are correct.  (RPM signatures operate at the RPM package level, not at the file level.)  Crafted or modified debuginfo files could in theory lead consumer tools to perform unintended or dangerous operations.
 
''2024-10 UPDATE'' Fedora 41 updates elfutils to version 0.192, which adds debuginfod support for extracting and passing per-file IMA signatures from koji-signed RPMS to clients.  The Fedora servers now return this information for older (Fedora 39+) signed RPMs too.  Users may experiment with activate client-side signature-checking enforcement by:
<pre>
export DEBUGINFOD_URLS="ima:enforcing https://debuginfod.fedoraproject.org/"
export DEBUGINFOD_IMA_CERT_PATH="/etc/keys/ima"
# export DEBUGINFOD_VERBOSE=1 # for a look behind the scenes
</pre>
This configuration may be included in future versions of Fedora.
 
On the other hand, integrity in transit is protected by HTTPS (TLS).  Integrity of the files at rest is improved by conservative file permissions to prevent accidental modification.  We constantly monitor and update the server itself, so that we can reduce the risk of its exploitation.
 
'''Privacy'''
 
Whenever a debuginfod client tool needs information it cannot find locally, it sends an HTTPS request containing:
* inherently, the client machine's IP address
* the hexadecimal buildid of the binary it is interested in
* if requesting a source file (usually if the debuginfo has already been found), then that source file's name
* a User-Agent: string identifying its version of fedora and elfutils, and the architecture name
 
This could disclose the existence of debugging activity to the servers.  It is stored temporarily in the general logs in fedora infrastructure.  These logs are not made public.
 
Note that once debuginfo information is cached locally, or if installed debuginfo is found, no HTTPS requests are made at all.


(tbd)
'''See also'''
* https://www.mankier.com/8/debuginfod#Security
* https://www.mankier.com/1/debuginfod-find#Security
* https://fedoraproject.org/wiki/Changes/DebuginfodByDefault#Security_FAQ
* [https://inbox.sourceware.org/elfutils-devel/CAJDtP-T3+gXqHWp3T0mejWWbPr0_1tHetEXwfB67-o+zz7ShiA@mail.gmail.com/T/#u elfutils 0.192 release notes]
* [[Changes/Signed_RPM_Contents]]


== See Also ==
== See Also ==


For more information see [https://sourceware.org/elfutils/Debuginfod.html elfutils status page] and [[Changes/DebuginfodByDefault]].
For more information see [https://sourceware.org/elfutils/Debuginfod.html elfutils status page] and [[Changes/DebuginfodByDefault]].  What made all this possible: [[Releases/FeatureBuildId]].

Latest revision as of 17:13, 31 October 2024

DEBUGINFOD server

This server provides ELF or DWARF debugging information, plus associated source code, covering all packages and architectures of recent versions of Fedora. It works by periodically indexing all relevant RPMs from Koji, and extracting any needed file on the fly. Debugger-type tools automatically request files one by one. After being downloaded, each file is stored in a cache under your home directory, where the tools can immediately use it.

Configuration

On Fedora 32 or later, set an environment variable.

% export DEBUGINFOD_URLS=https://debuginfod.fedoraproject.org/

On Fedora 35 (rawhide) or later, this environment variable is automatically set via /etc/profile.d/debuginfod.* files.

If you operate your own debuginfod server for local projects, add its URL to $DEBUGINFOD_URLS (space-separated). If you'd like to see progress diagnostics during downloads, set:

% export DEBUGINFOD_PROGRESS=1

If you want to see exactly which network requests are being made and which cached files are used you can set $DEBUGINFOD_VERBOSE (warning: very verbose):

% export DEBUGINFOD_VERBOSE=1

If you want to limit download times and/or sizes, and are running elfutils version 0.186+, you can set these variables:

% export DEBUGINFOD_MAXTIME=10       # seconds
% export DEBUGINFOD_MAXSIZE=10000000 # bytes

Then, enjoy using gdb, stap, perf, eu-stack, and many other debugging-related tools without the interruption of % sudo yum debuginfo-install XYZZY.

Disabling

If you wish to completely opt out of this service, clear $DEBUGINFOD_URLS. You can do this in your .bashrc file, depending on shell.

unset DEBUGINFOD_URLS

You may also disable it exclusively on GDB by adding the following command on your .gdbinit, or using it before starting your debug session:

set debuginfod enabled off

If you have a local debuginfod cache that you'd like to use, but don't want to attempt any upstream debuginfod queries, set $DEBUGINFOD_URLS to something non-empty but ineffective, such as /dev/null.

Clients automatically clean the cache of files not accessed in a while. You may also remove the debuginfod cache directory $HOME/.cache/debuginfod_client at any time.

Security

While we intend to operate the fedora debuginfod server in a secure manner, some concerns naturally arise.

Integrity

The fedora debuginfod server extracts files verbatim from koji-built RPMs, usually signed RPMs. However, until Fedora 39, no per-file signature facilities were in effect, so debuginfod could really assure the clients that the files are correct. (RPM signatures operate at the RPM package level, not at the file level.) Crafted or modified debuginfo files could in theory lead consumer tools to perform unintended or dangerous operations.

2024-10 UPDATE Fedora 41 updates elfutils to version 0.192, which adds debuginfod support for extracting and passing per-file IMA signatures from koji-signed RPMS to clients. The Fedora servers now return this information for older (Fedora 39+) signed RPMs too. Users may experiment with activate client-side signature-checking enforcement by:

export DEBUGINFOD_URLS="ima:enforcing https://debuginfod.fedoraproject.org/"
export DEBUGINFOD_IMA_CERT_PATH="/etc/keys/ima"
# export DEBUGINFOD_VERBOSE=1 # for a look behind the scenes

This configuration may be included in future versions of Fedora.

On the other hand, integrity in transit is protected by HTTPS (TLS). Integrity of the files at rest is improved by conservative file permissions to prevent accidental modification. We constantly monitor and update the server itself, so that we can reduce the risk of its exploitation.

Privacy

Whenever a debuginfod client tool needs information it cannot find locally, it sends an HTTPS request containing:

  • inherently, the client machine's IP address
  • the hexadecimal buildid of the binary it is interested in
  • if requesting a source file (usually if the debuginfo has already been found), then that source file's name
  • a User-Agent: string identifying its version of fedora and elfutils, and the architecture name

This could disclose the existence of debugging activity to the servers. It is stored temporarily in the general logs in fedora infrastructure. These logs are not made public.

Note that once debuginfo information is cached locally, or if installed debuginfo is found, no HTTPS requests are made at all.

See also

See Also

For more information see elfutils status page and Changes/DebuginfodByDefault. What made all this possible: Releases/FeatureBuildId.