Blame SOURCES/0097-ccpp-harden-dealing-with-UID-GID.patch

a60cd7
From b72616471ec52a009904689592f4f69e730a6f56 Mon Sep 17 00:00:00 2001
a60cd7
From: Jakub Filak <jfilak@redhat.com>
a60cd7
Date: Fri, 17 Apr 2015 14:42:13 +0200
a60cd7
Subject: [ABRT PATCH] ccpp: harden dealing with UID/GID
a60cd7
a60cd7
* Don't fall back to UID 0.
a60cd7
* Use fsgid.
a60cd7
a60cd7
This issue was discovered by Florian Weimer of Red Hat Product Security.
a60cd7
a60cd7
Signed-off-by: Jakub Filak <jfilak@redhat.com>
a60cd7
---
a60cd7
 src/hooks/abrt-hook-ccpp.c | 39 ++++++++++++++++++++++++++-------------
a60cd7
 1 file changed, 26 insertions(+), 13 deletions(-)
a60cd7
a60cd7
diff --git a/src/hooks/abrt-hook-ccpp.c b/src/hooks/abrt-hook-ccpp.c
a60cd7
index d600bb7..d9f1f5e 100644
a60cd7
--- a/src/hooks/abrt-hook-ccpp.c
a60cd7
+++ b/src/hooks/abrt-hook-ccpp.c
a60cd7
@@ -218,23 +218,27 @@ static char* get_rootdir(pid_t pid)
a60cd7
     return malloc_readlink(buf);
a60cd7
 }
a60cd7
 
a60cd7
-static int get_fsuid(void)
a60cd7
+static int get_proc_fs_id(char type)
a60cd7
 {
a60cd7
-    int real, euid, saved;
a60cd7
-    /* if we fail to parse the uid, then make it root only readable to be safe */
a60cd7
-    int fs_uid = 0;
a60cd7
+    const char *scanf_format = "%*cid:\t%d\t%d\t%d\t%d\n";
a60cd7
+    char id_type[] = "_id";
a60cd7
+    id_type[0] = type;
a60cd7
+
a60cd7
+    int real, e_id, saved;
a60cd7
+    int fs_id = 0;
a60cd7
 
a60cd7
     char *line = proc_pid_status; /* never NULL */
a60cd7
     for (;;)
a60cd7
     {
a60cd7
-        if (strncmp(line, "Uid", 3) == 0)
a60cd7
+        if (strncmp(line, id_type, 3) == 0)
a60cd7
         {
a60cd7
-            int n = sscanf(line, "Uid:\t%d\t%d\t%d\t%d\n", &real, &euid, &saved, &fs_uid);
a60cd7
+            int n = sscanf(line, scanf_format, &real, &e_id, &saved, &fs_id);
a60cd7
             if (n != 4)
a60cd7
             {
a60cd7
-                perror_msg_and_die("Can't parse Uid: line");
a60cd7
+                perror_msg_and_die("Can't parse %cid: line", type);
a60cd7
             }
a60cd7
-            break;
a60cd7
+
a60cd7
+            return fs_id;
a60cd7
         }
a60cd7
         line = strchr(line, '\n');
a60cd7
         if (!line)
a60cd7
@@ -242,7 +246,17 @@ static int get_fsuid(void)
a60cd7
         line++;
a60cd7
     }
a60cd7
 
a60cd7
-    return fs_uid;
a60cd7
+    perror_msg_and_die("Failed to get file system %cID of the crashed process", type);
a60cd7
+}
a60cd7
+
a60cd7
+static int get_fsuid(void)
a60cd7
+{
a60cd7
+    return get_proc_fs_id(/*UID*/'U');
a60cd7
+}
a60cd7
+
a60cd7
+static int get_fsgid(void)
a60cd7
+{
a60cd7
+    return get_proc_fs_id(/*GID*/'G');
a60cd7
 }
a60cd7
 
a60cd7
 static int dump_suid_policy()
a60cd7
@@ -278,10 +292,9 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu
a60cd7
     if (proc_cwd == NULL)
a60cd7
         return -1;
a60cd7
 
a60cd7
-    struct passwd* pw = getpwuid(uid);
a60cd7
-    gid_t gid = pw ? pw->pw_gid : uid;
a60cd7
-    //log("setting uid: %i gid: %i", uid, gid);
a60cd7
-    xsetegid(gid);
a60cd7
+    errno = 0;
a60cd7
+
a60cd7
+    xsetegid(get_fsgid());
a60cd7
     xseteuid(fsuid);
a60cd7
 
a60cd7
     if (strcmp(core_basename, "core") == 0)
a60cd7
-- 
a60cd7
1.8.3.1
a60cd7