Blame SOURCES/0082-setgid-instead-of-setuid-the-abrt-action-install-deb.patch

8e2d79
From 0966d7fd6e3d51fc99088de94343212c5f09e74d Mon Sep 17 00:00:00 2001
8e2d79
From: =?UTF-8?q?Miroslav=20Such=C3=BD?= <msuchy@redhat.com>
8e2d79
Date: Tue, 5 May 2020 18:28:50 +0200
8e2d79
Subject: [PATCH] setgid instead of setuid the
8e2d79
 abrt-action-install-debuginfo-to-abrt-cache [RHBZ 1796245]
8e2d79
8e2d79
OpenSCAP does not like setuid files, we can be setgid instead.
8e2d79
8e2d79
We need to g+w the directories so other run under a different user can be able to write there too.
8e2d79
8e2d79
Resolves:
8e2d79
    https://bugzilla.redhat.com/show_bug.cgi?id=1796245
8e2d79
---
8e2d79
 abrt.spec.in                                      |  4 ++--
8e2d79
 .../abrt-action-install-debuginfo-to-abrt-cache.c | 15 +++------------
8e2d79
 src/plugins/abrt-action-install-debuginfo.in      |  6 ++++++
8e2d79
 3 files changed, 11 insertions(+), 14 deletions(-)
8e2d79
8e2d79
diff --git a/abrt.spec.in b/abrt.spec.in
8e2d79
index 326294008..4c01fffe6 100644
8e2d79
--- a/abrt.spec.in
8e2d79
+++ b/abrt.spec.in
8e2d79
@@ -1015,8 +1015,8 @@ killall abrt-dbus >/dev/null 2>&1 || :
8e2d79
 
8e2d79
 %dir %{_localstatedir}/lib/abrt
8e2d79
 
8e2d79
-# attr(6755) ~= SETUID|SETGID
8e2d79
-%attr(6755, abrt, abrt) %{_libexecdir}/abrt-action-install-debuginfo-to-abrt-cache
8e2d79
+# attr(2755) ~= SETGID
8e2d79
+%attr(2755, abrt, abrt) %{_libexecdir}/abrt-action-install-debuginfo-to-abrt-cache
8e2d79
 
8e2d79
 %{_bindir}/abrt-action-analyze-c
8e2d79
 %{_bindir}/abrt-action-trim-files
8e2d79
diff --git a/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c b/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
8e2d79
index 71967f77a..0f843512e 100644
8e2d79
--- a/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
8e2d79
+++ b/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
8e2d79
@@ -78,7 +78,6 @@ int main(int argc, char **argv)
8e2d79
     const gid_t egid = getegid();
8e2d79
     const gid_t rgid = getgid();
8e2d79
     const uid_t euid = geteuid();
8e2d79
-    const gid_t ruid = getuid();
8e2d79
 
8e2d79
     /* We need to open the build ids file under the caller's UID/GID to avoid
8e2d79
      * information disclosures when reading files with changed UID.
8e2d79
@@ -93,17 +92,11 @@ int main(int argc, char **argv)
8e2d79
         if (setregid(egid, rgid) < 0)
8e2d79
             perror_msg_and_die("setregid(egid, rgid)");
8e2d79
 
8e2d79
-        if (setreuid(euid, ruid) < 0)
8e2d79
-            perror_msg_and_die("setreuid(euid, ruid)");
8e2d79
-
8e2d79
         const int build_ids_fd = open(build_ids, O_RDONLY);
8e2d79
 
8e2d79
         if (setregid(rgid, egid) < 0)
8e2d79
             perror_msg_and_die("setregid(rgid, egid)");
8e2d79
 
8e2d79
-        if (setreuid(ruid, euid) < 0 )
8e2d79
-            perror_msg_and_die("setreuid(ruid, euid)");
8e2d79
-
8e2d79
         if (build_ids_fd < 0)
8e2d79
             perror_msg_and_die("Failed to open file '%s'", build_ids);
8e2d79
 
8e2d79
@@ -155,12 +148,10 @@ int main(int argc, char **argv)
8e2d79
      */
8e2d79
     /* do setregid only if we have to, to not upset selinux needlessly */
8e2d79
     if (egid != rgid)
8e2d79
-        IGNORE_RESULT(setregid(egid, egid));
8e2d79
-    if (euid != ruid)
8e2d79
     {
8e2d79
-        IGNORE_RESULT(setreuid(euid, euid));
8e2d79
-        /* We are suid'ed! */
8e2d79
-        /* Prevent malicious user from messing up with suid'ed process: */
8e2d79
+        IGNORE_RESULT(setregid(egid, egid));
8e2d79
+        /* We are sgid'ed! */
8e2d79
+        /* Prevent malicious user from messing up with sgid'ed process: */
8e2d79
 #if 1
8e2d79
 // We forgot to sanitize PYTHONPATH. And who knows what else we forgot
8e2d79
 // (especially considering *future* new variables of this kind).
8e2d79
diff --git a/src/plugins/abrt-action-install-debuginfo.in b/src/plugins/abrt-action-install-debuginfo.in
8e2d79
index 6269c221e..659a9aa84 100644
8e2d79
--- a/src/plugins/abrt-action-install-debuginfo.in
8e2d79
+++ b/src/plugins/abrt-action-install-debuginfo.in
8e2d79
@@ -248,6 +248,12 @@ if __name__ == "__main__":
8e2d79
                                     repo_pattern=repo_pattern,
8e2d79
                                     releasever=releasever)
8e2d79
             result = downloader.download(missing, download_exact_files=exact_fls)
8e2d79
+
8e2d79
+            # make sure that all downloaded directories are writeable by abrt group
8e2d79
+            for root, dirs, files in os.walk(self.cachedirs[0]):
8e2d79
+                for walked_dir in dirs:
8e2d79
+                    os.chmod(os.path.join(root, walked_dir), 0o775)
8e2d79
+
8e2d79
         except OSError as ex:
8e2d79
             if ex.errno == errno.EPIPE:
8e2d79
                 clean_up(TMPDIR, silent=True)
8e2d79
-- 
8e2d79
2.21.3
8e2d79