From 71fb2d7e690640b391b76b5432f07b4a81351c8b Mon Sep 17 00:00:00 2001
From: Karel Klic <kklic@redhat.com>
Date: Tue, 12 Jan 2010 14:26:08 +0100
Subject: Fixing /var/cache/abrt/ permissions by allowing users to read, but
 not to change their crash data. Adds abrt user, changes abrt-hook-python to
 use suid instead of sgid bit (uid=abrt), sets /var/cache/abrt and every dump
 subdirectory to be owned by abrt user. Read access for users and their own
 crashes is provided by group (/var/cache/abrt/ccpp-xxxx-xx has user's group).

---
 src/Daemon/Daemon.cpp | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'src/Daemon/Daemon.cpp')

diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
index 0f9c622..09d8ab8 100644
--- a/src/Daemon/Daemon.cpp
+++ b/src/Daemon/Daemon.cpp
@@ -632,7 +632,7 @@ static void start_syslog_logging()
     logmode = LOGMODE_SYSLOG;
 }
 
-static void ensure_writable_dir(const char *dir, mode_t mode, const char *group)
+static void ensure_writable_dir(const char *dir, mode_t mode, const char *user)
 {
     struct stat sb;
 
@@ -641,12 +641,12 @@ static void ensure_writable_dir(const char *dir, mode_t mode, const char *group)
     if (stat(dir, &sb) != 0 || !S_ISDIR(sb.st_mode))
         error_msg_and_die("'%s' is not a directory", dir);
 
-    struct group *gr = getgrnam(group);
-    if (!gr)
-        perror_msg_and_die("Can't find group '%s'", group);
+    struct passwd *pw = getpwnam(user);
+    if (!pw)
+        perror_msg_and_die("Can't find user '%s'", user);
 
-    if ((sb.st_uid != 0 || sb.st_gid != gr->gr_gid) && chown(dir, 0, gr->gr_gid) != 0)
-        perror_msg_and_die("Can't set owner 0:%u on '%s'", (unsigned int)gr->gr_gid, dir);
+    if ((sb.st_uid != pw->pw_uid || sb.st_gid != pw->pw_gid) && chown(dir, pw->pw_uid, pw->pw_gid) != 0)
+        perror_msg_and_die("Can't set owner %u:%u on '%s'", (unsigned int)pw->pw_uid, (unsigned int)pw->pw_gid, dir);
     if ((sb.st_mode & 07777) != mode && chmod(dir, mode) != 0)
         perror_msg_and_die("Can't set mode %o on '%s'", mode, dir);
 }
@@ -657,7 +657,7 @@ static void sanitize_dump_dir_rights()
      * us with thousands of bogus or malicious dumps */
     /* 07000 bits are setuid, setgit, and sticky, and they must be unset */
     /* 00777 bits are usual "rwxrwxrwx" access rights */
-    ensure_writable_dir(DEBUG_DUMPS_DIR, 0775, "abrt");
+    ensure_writable_dir(DEBUG_DUMPS_DIR, 0755, "abrt");
     /* debuginfo cache */
     ensure_writable_dir(DEBUG_DUMPS_DIR"-di", 0755, "root");
     /* temp dir */
-- 
cgit