diff options
| author | Karel Klic <kklic@redhat.com> | 2009-11-12 15:26:33 +0100 |
|---|---|---|
| committer | Karel Klic <kklic@redhat.com> | 2009-11-12 15:26:33 +0100 |
| commit | cb3c80e309ca3d679a381ec419ec8658a6109144 (patch) | |
| tree | 1214e994968a9311d6959a54049ee146a63da2d7 /src/Daemon | |
| parent | 08157f4636719a55a0ed05fb95ccbb8fb00d4193 (diff) | |
| download | abrt-cb3c80e309ca3d679a381ec419ec8658a6109144.tar.gz abrt-cb3c80e309ca3d679a381ec419ec8658a6109144.tar.xz abrt-cb3c80e309ca3d679a381ec419ec8658a6109144.zip | |
Daemon properly checks /var/cache/abrt attributes
Diffstat (limited to 'src/Daemon')
| -rw-r--r-- | src/Daemon/Daemon.cpp | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp index 3ceab47c..53c44d3f 100644 --- a/src/Daemon/Daemon.cpp +++ b/src/Daemon/Daemon.cpp @@ -658,29 +658,36 @@ static void start_syslog_logging() logmode = LOGMODE_SYSLOG; } -static void ensure_root_writable_dir(const char *dir) +static void ensure_writable_dir(const char *dir, mode_t mode, const char *group) { struct stat sb; - if (mkdir(dir, 0755) != 0 && errno != EEXIST) + if (mkdir(dir, mode) != 0 && errno != EEXIST) perror_msg_and_die("Can't create '%s'", dir); if (stat(dir, &sb) != 0 || !S_ISDIR(sb.st_mode)) error_msg_and_die("'%s' is not a directory", dir); - if ((sb.st_uid != 0 || sb.st_gid != 0) && chown(dir, 0, 0) != 0) + + struct group *gr = getgrnam(group); + if (!gr) + perror_msg_and_die("Can't find group '%s'", group); + + if ((sb.st_uid != 0 || sb.st_gid != gr->gr_gid) && chown(dir, 0, gr->gr_gid) != 0) perror_msg_and_die("Can't set owner 0:0 on '%s'", dir); - /* We can't allow anyone to create dumps: otherwise users can flood - * us with thousands of bogus or malicious dumps */ - /* 07000 bits are setuid, setgit, and sticky, and they must be unset */ - /* 00777 bits are usual "rwxrwxrwx" access rights */ - if ((sb.st_mode & 07777) != 0755 && chmod(dir, 0755) != 0) - perror_msg_and_die("Can't set mode rwxr-xr-x on '%s'", dir); + if ((sb.st_mode & 07777) != mode && chmod(dir, mode) != 0) + perror_msg_and_die("Can't set mode %o on '%s'", mode, dir); } static void sanitize_dump_dir_rights() { - ensure_root_writable_dir(DEBUG_DUMPS_DIR); - ensure_root_writable_dir(DEBUG_DUMPS_DIR"-di"); /* debuginfo cache */ - ensure_root_writable_dir(VAR_RUN"/abrt"); /* temp dir */ + /* We can't allow anyone to create dumps: otherwise users can flood + * us with thousands of bogus or malicious dumps */ + /* 07000 bits are setuid, setgit, and sticky, and they must be unset */ + /* 00777 bits are usual "rwxrwxrwx" access rights */ + ensure_writable_dir(DEBUG_DUMPS_DIR, 0775, "abrt"); + /* debuginfo cache */ + ensure_writable_dir(DEBUG_DUMPS_DIR"-di", 0755, "root"); + /* temp dir */ + ensure_writable_dir(VAR_RUN"/abrt", 0755, "root"); } int main(int argc, char** argv) @@ -794,11 +801,6 @@ int main(int argc, char** argv) pMainloop = g_main_loop_new(NULL, FALSE); /* Watching DEBUG_DUMPS_DIR for new files... */ VERB1 log("Initializing inotify"); -// Enabled again since we have new abrt-pyhook-helper, remove comment when verified to work - /* FIXME: python hook runs with ordinary user privileges, - * so it fails if everyone doesn't have write acces - * to DEBUG_DUMPS_DIR - */ sanitize_dump_dir_rights(); errno = 0; int inotify_fd = inotify_init(); |