Blob Blame History Raw
From 0966d7fd6e3d51fc99088de94343212c5f09e74d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20Such=C3=BD?= <msuchy@redhat.com>
Date: Tue, 5 May 2020 18:28:50 +0200
Subject: [PATCH] setgid instead of setuid the
 abrt-action-install-debuginfo-to-abrt-cache [RHBZ 1796245]

OpenSCAP does not like setuid files, we can be setgid instead.

We need to g+w the directories so other run under a different user can be able to write there too.

Resolves:
    https://bugzilla.redhat.com/show_bug.cgi?id=1796245
---
 abrt.spec.in                                      |  4 ++--
 .../abrt-action-install-debuginfo-to-abrt-cache.c | 15 +++------------
 src/plugins/abrt-action-install-debuginfo.in      |  6 ++++++
 3 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/abrt.spec.in b/abrt.spec.in
index 326294008..4c01fffe6 100644
--- a/abrt.spec.in
+++ b/abrt.spec.in
@@ -1015,8 +1015,8 @@ killall abrt-dbus >/dev/null 2>&1 || :
 
 %dir %{_localstatedir}/lib/abrt
 
-# attr(6755) ~= SETUID|SETGID
-%attr(6755, abrt, abrt) %{_libexecdir}/abrt-action-install-debuginfo-to-abrt-cache
+# attr(2755) ~= SETGID
+%attr(2755, abrt, abrt) %{_libexecdir}/abrt-action-install-debuginfo-to-abrt-cache
 
 %{_bindir}/abrt-action-analyze-c
 %{_bindir}/abrt-action-trim-files
diff --git a/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c b/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
index 71967f77a..0f843512e 100644
--- a/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
+++ b/src/plugins/abrt-action-install-debuginfo-to-abrt-cache.c
@@ -78,7 +78,6 @@ int main(int argc, char **argv)
     const gid_t egid = getegid();
     const gid_t rgid = getgid();
     const uid_t euid = geteuid();
-    const gid_t ruid = getuid();
 
     /* We need to open the build ids file under the caller's UID/GID to avoid
      * information disclosures when reading files with changed UID.
@@ -93,17 +92,11 @@ int main(int argc, char **argv)
         if (setregid(egid, rgid) < 0)
             perror_msg_and_die("setregid(egid, rgid)");
 
-        if (setreuid(euid, ruid) < 0)
-            perror_msg_and_die("setreuid(euid, ruid)");
-
         const int build_ids_fd = open(build_ids, O_RDONLY);
 
         if (setregid(rgid, egid) < 0)
             perror_msg_and_die("setregid(rgid, egid)");
 
-        if (setreuid(ruid, euid) < 0 )
-            perror_msg_and_die("setreuid(ruid, euid)");
-
         if (build_ids_fd < 0)
             perror_msg_and_die("Failed to open file '%s'", build_ids);
 
@@ -155,12 +148,10 @@ int main(int argc, char **argv)
      */
     /* do setregid only if we have to, to not upset selinux needlessly */
     if (egid != rgid)
-        IGNORE_RESULT(setregid(egid, egid));
-    if (euid != ruid)
     {
-        IGNORE_RESULT(setreuid(euid, euid));
-        /* We are suid'ed! */
-        /* Prevent malicious user from messing up with suid'ed process: */
+        IGNORE_RESULT(setregid(egid, egid));
+        /* We are sgid'ed! */
+        /* Prevent malicious user from messing up with sgid'ed process: */
 #if 1
 // We forgot to sanitize PYTHONPATH. And who knows what else we forgot
 // (especially considering *future* new variables of this kind).
diff --git a/src/plugins/abrt-action-install-debuginfo.in b/src/plugins/abrt-action-install-debuginfo.in
index 6269c221e..659a9aa84 100644
--- a/src/plugins/abrt-action-install-debuginfo.in
+++ b/src/plugins/abrt-action-install-debuginfo.in
@@ -248,6 +248,12 @@ if __name__ == "__main__":
                                     repo_pattern=repo_pattern,
                                     releasever=releasever)
             result = downloader.download(missing, download_exact_files=exact_fls)
+
+            # make sure that all downloaded directories are writeable by abrt group
+            for root, dirs, files in os.walk(self.cachedirs[0]):
+                for walked_dir in dirs:
+                    os.chmod(os.path.join(root, walked_dir), 0o775)
+
         except OSError as ex:
             if ex.errno == errno.EPIPE:
                 clean_up(TMPDIR, silent=True)
-- 
2.21.3