Fixing /var/cache/abrt/ permissions by allowing users to read, but not to change their crash data. Adds abrt user, changes abrt-hook-python to use suid instead of sgid bit (uid=abrt), sets /var/cache/abrt and every dump subdirectory to be owned by abrt user. Read access for users and their own crashes is provided by group (/var/cache/abrt/ccpp-xxxx-xx has user's group).

1 files changed, 3 insertions, 2 deletions

diff --git a/abrt.spec b/abrt.spec
index 85038e68..630e54c8 100644
--- a/abrt.spec
+++ b/abrt.spec
@@ -250,6 +250,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %pre
 getent group abrt >/dev/null || groupadd -f --system abrt
+getent passwd abrt >/dev/null || useradd --system -g abrt -d /etc/abrt -s /sbin/nologin abrt
 exit 0
 
 %post
@@ -279,7 +280,7 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/dbus-%{name}.conf
 %{_initrddir}/%{name}d
-%dir %attr(0775, root, abrt) %{_localstatedir}/cache/%{name}
+%dir %attr(0755, abrt, abrt) %{_localstatedir}/cache/%{name}
 %dir /var/run/%{name}
 %dir %{_sysconfdir}/%{name}
 %dir %{_sysconfdir}/%{name}/plugins
@@ -386,7 +387,7 @@ fi
 
 %files addon-python
 %defattr(-,root,root,-)
-%attr(2755, root, abrt) %{_libexecdir}/abrt-hook-python
+%attr(4755, abrt, abrt) %{_libexecdir}/abrt-hook-python
 %{_libdir}/%{name}/libPython.so*
 %{python_site}/*.py*