|
|
8e2d79 |
From 0966d7fd6e3d51fc99088de94343212c5f09e74d Mon Sep 17 00:00:00 2001
|
|
|
8e2d79 |
From: =?UTF-8?q?Miroslav=20Such=C3=BD?= <msuchy@redhat.com>
|
|
|
8e2d79 |
Date: Tue, 5 May 2020 18:28:50 +0200
|
|
|
8e2d79 |
Subject: [PATCH] setgid instead of setuid the
|
|
|
8e2d79 |
abrt-action-install-debuginfo-to-abrt-cache [RHBZ 1796245]
|
|
|
8e2d79 |
|
|
|
8e2d79 |
OpenSCAP does not like setuid files, we can be setgid instead.
|
|
|
8e2d79 |
|
|
|
8e2d79 |
We need to g+w the directories so other run under a different user can be able to write there too.
|
|
|
8e2d79 |
|
|
|
8e2d79 |
Resolves:
|
|
|
8e2d79 |
https://bugzilla.redhat.com/show_bug.cgi?id=1796245
|
|
|
8e2d79 |
---
|
|
|
8e2d79 |
abrt.spec.in | 4 ++--
|
|
|
8e2d79 |
.../abrt-action-install-debuginfo-to-abrt-cache.c | 15 +++------------
|
|
|
8e2d79 |
src/plugins/abrt-action-install-debuginfo.in | 6 ++++++
|
|
|
8e2d79 |
3 files changed, 11 insertions(+), 14 deletions(-)
|
|
|
8e2d79 |
|
|
|
8e2d79 |
diff --git a/abrt.spec.in b/abrt.spec.in
|
|
|
8e2d79 |
index 326294008..4c01fffe6 100644
|
|
|
8e2d79 |
--- a/abrt.spec.in
|
|
|
8e2d79 |
+++ b/abrt.spec.in
|
|
|
8e2d79 |
@@ -1015,8 +1015,8 @@ killall abrt-dbus >/dev/null 2>&1 || :
|
|
|
8e2d79 |
|
|
|
8e2d79 |
%dir %{_localstatedir}/lib/abrt
|
|
|
8e2d79 |
|
|
|
8e2d79 |
-# attr(6755) ~= SETUID|SETGID
|
|
|
8e2d79 |
-%attr(6755, abrt, abrt) %{_libexecdir}/abrt-action-install-debuginfo-to-abrt-cache
|
|
|
8e2d79 |
+# attr(2755) ~= SETGID
|
|
|
8e2d79 |
+%attr(2755, abrt, abrt) %{_libexecdir}/abrt-action-install-debuginfo-to-abrt-cache
|
|
|
8e2d79 |
|
|
|
8e2d79 |
%{_bindir}/abrt-action-analyze-c
|
|
|
8e2d79 |
%{_bindir}/abrt-action-trim-files
|
|
|
8e2d79 |
diff --git a/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c b/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
|
|
|
8e2d79 |
index 71967f77a..0f843512e 100644
|
|
|
8e2d79 |
--- a/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
|
|
|
8e2d79 |
+++ b/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
|
|
|
8e2d79 |
@@ -78,7 +78,6 @@ int main(int argc, char **argv)
|
|
|
8e2d79 |
const gid_t egid = getegid();
|
|
|
8e2d79 |
const gid_t rgid = getgid();
|
|
|
8e2d79 |
const uid_t euid = geteuid();
|
|
|
8e2d79 |
- const gid_t ruid = getuid();
|
|
|
8e2d79 |
|
|
|
8e2d79 |
/* We need to open the build ids file under the caller's UID/GID to avoid
|
|
|
8e2d79 |
* information disclosures when reading files with changed UID.
|
|
|
8e2d79 |
@@ -93,17 +92,11 @@ int main(int argc, char **argv)
|
|
|
8e2d79 |
if (setregid(egid, rgid) < 0)
|
|
|
8e2d79 |
perror_msg_and_die("setregid(egid, rgid)");
|
|
|
8e2d79 |
|
|
|
8e2d79 |
- if (setreuid(euid, ruid) < 0)
|
|
|
8e2d79 |
- perror_msg_and_die("setreuid(euid, ruid)");
|
|
|
8e2d79 |
-
|
|
|
8e2d79 |
const int build_ids_fd = open(build_ids, O_RDONLY);
|
|
|
8e2d79 |
|
|
|
8e2d79 |
if (setregid(rgid, egid) < 0)
|
|
|
8e2d79 |
perror_msg_and_die("setregid(rgid, egid)");
|
|
|
8e2d79 |
|
|
|
8e2d79 |
- if (setreuid(ruid, euid) < 0 )
|
|
|
8e2d79 |
- perror_msg_and_die("setreuid(ruid, euid)");
|
|
|
8e2d79 |
-
|
|
|
8e2d79 |
if (build_ids_fd < 0)
|
|
|
8e2d79 |
perror_msg_and_die("Failed to open file '%s'", build_ids);
|
|
|
8e2d79 |
|
|
|
8e2d79 |
@@ -155,12 +148,10 @@ int main(int argc, char **argv)
|
|
|
8e2d79 |
*/
|
|
|
8e2d79 |
/* do setregid only if we have to, to not upset selinux needlessly */
|
|
|
8e2d79 |
if (egid != rgid)
|
|
|
8e2d79 |
- IGNORE_RESULT(setregid(egid, egid));
|
|
|
8e2d79 |
- if (euid != ruid)
|
|
|
8e2d79 |
{
|
|
|
8e2d79 |
- IGNORE_RESULT(setreuid(euid, euid));
|
|
|
8e2d79 |
- /* We are suid'ed! */
|
|
|
8e2d79 |
- /* Prevent malicious user from messing up with suid'ed process: */
|
|
|
8e2d79 |
+ IGNORE_RESULT(setregid(egid, egid));
|
|
|
8e2d79 |
+ /* We are sgid'ed! */
|
|
|
8e2d79 |
+ /* Prevent malicious user from messing up with sgid'ed process: */
|
|
|
8e2d79 |
#if 1
|
|
|
8e2d79 |
// We forgot to sanitize PYTHONPATH. And who knows what else we forgot
|
|
|
8e2d79 |
// (especially considering *future* new variables of this kind).
|
|
|
8e2d79 |
diff --git a/src/plugins/abrt-action-install-debuginfo.in b/src/plugins/abrt-action-install-debuginfo.in
|
|
|
8e2d79 |
index 6269c221e..659a9aa84 100644
|
|
|
8e2d79 |
--- a/src/plugins/abrt-action-install-debuginfo.in
|
|
|
8e2d79 |
+++ b/src/plugins/abrt-action-install-debuginfo.in
|
|
|
8e2d79 |
@@ -248,6 +248,12 @@ if __name__ == "__main__":
|
|
|
8e2d79 |
repo_pattern=repo_pattern,
|
|
|
8e2d79 |
releasever=releasever)
|
|
|
8e2d79 |
result = downloader.download(missing, download_exact_files=exact_fls)
|
|
|
8e2d79 |
+
|
|
|
8e2d79 |
+ # make sure that all downloaded directories are writeable by abrt group
|
|
|
8e2d79 |
+ for root, dirs, files in os.walk(self.cachedirs[0]):
|
|
|
8e2d79 |
+ for walked_dir in dirs:
|
|
|
8e2d79 |
+ os.chmod(os.path.join(root, walked_dir), 0o775)
|
|
|
8e2d79 |
+
|
|
|
8e2d79 |
except OSError as ex:
|
|
|
8e2d79 |
if ex.errno == errno.EPIPE:
|
|
|
8e2d79 |
clean_up(TMPDIR, silent=True)
|
|
|
8e2d79 |
--
|
|
|
8e2d79 |
2.21.3
|
|
|
8e2d79 |
|