diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/Daemon/Daemon.cpp | 36 | ||||
-rw-r--r-- | src/Hooks/Makefile.am | 4 | ||||
-rw-r--r-- | src/Hooks/abrt-pyhook-helper.cpp | 4 |
3 files changed, 21 insertions, 23 deletions
diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp index 3ceab47c..53c44d3f 100644 --- a/src/Daemon/Daemon.cpp +++ b/src/Daemon/Daemon.cpp @@ -658,29 +658,36 @@ static void start_syslog_logging() logmode = LOGMODE_SYSLOG; } -static void ensure_root_writable_dir(const char *dir) +static void ensure_writable_dir(const char *dir, mode_t mode, const char *group) { struct stat sb; - if (mkdir(dir, 0755) != 0 && errno != EEXIST) + if (mkdir(dir, mode) != 0 && errno != EEXIST) perror_msg_and_die("Can't create '%s'", dir); if (stat(dir, &sb) != 0 || !S_ISDIR(sb.st_mode)) error_msg_and_die("'%s' is not a directory", dir); - if ((sb.st_uid != 0 || sb.st_gid != 0) && chown(dir, 0, 0) != 0) + + struct group *gr = getgrnam(group); + if (!gr) + perror_msg_and_die("Can't find group '%s'", group); + + if ((sb.st_uid != 0 || sb.st_gid != gr->gr_gid) && chown(dir, 0, gr->gr_gid) != 0) perror_msg_and_die("Can't set owner 0:0 on '%s'", dir); - /* We can't allow anyone to create dumps: otherwise users can flood - * us with thousands of bogus or malicious dumps */ - /* 07000 bits are setuid, setgit, and sticky, and they must be unset */ - /* 00777 bits are usual "rwxrwxrwx" access rights */ - if ((sb.st_mode & 07777) != 0755 && chmod(dir, 0755) != 0) - perror_msg_and_die("Can't set mode rwxr-xr-x on '%s'", dir); + if ((sb.st_mode & 07777) != mode && chmod(dir, mode) != 0) + perror_msg_and_die("Can't set mode %o on '%s'", mode, dir); } static void sanitize_dump_dir_rights() { - ensure_root_writable_dir(DEBUG_DUMPS_DIR); - ensure_root_writable_dir(DEBUG_DUMPS_DIR"-di"); /* debuginfo cache */ - ensure_root_writable_dir(VAR_RUN"/abrt"); /* temp dir */ + /* We can't allow anyone to create dumps: otherwise users can flood + * us with thousands of bogus or malicious dumps */ + /* 07000 bits are setuid, setgit, and sticky, and they must be unset */ + /* 00777 bits are usual "rwxrwxrwx" access rights */ + ensure_writable_dir(DEBUG_DUMPS_DIR, 0775, "abrt"); + /* debuginfo cache */ + ensure_writable_dir(DEBUG_DUMPS_DIR"-di", 0755, "root"); + /* temp dir */ + ensure_writable_dir(VAR_RUN"/abrt", 0755, "root"); } int main(int argc, char** argv) @@ -794,11 +801,6 @@ int main(int argc, char** argv) pMainloop = g_main_loop_new(NULL, FALSE); /* Watching DEBUG_DUMPS_DIR for new files... */ VERB1 log("Initializing inotify"); -// Enabled again since we have new abrt-pyhook-helper, remove comment when verified to work - /* FIXME: python hook runs with ordinary user privileges, - * so it fails if everyone doesn't have write acces - * to DEBUG_DUMPS_DIR - */ sanitize_dump_dir_rights(); errno = 0; int inotify_fd = inotify_init(); diff --git a/src/Hooks/Makefile.am b/src/Hooks/Makefile.am index 4eb25e2d..e581c25b 100644 --- a/src/Hooks/Makefile.am +++ b/src/Hooks/Makefile.am @@ -57,7 +57,3 @@ abrt_exception_handler.py: # RPM fix: we need to regenerate abrt_exception_handler.py, because it has the default ddir install-data-local: sed s,@DEBUG_DUMP_DIR@,$(DEBUG_DUMPS_DIR),g abrt_exception_handler.py.in > abrt_exception_handler.py - -install-data-hook: - chmod u+s,g+s $(DESTDIR)$(bindir)/abrt-pyhook-helper - diff --git a/src/Hooks/abrt-pyhook-helper.cpp b/src/Hooks/abrt-pyhook-helper.cpp index 24f08d35..348fbc72 100644 --- a/src/Hooks/abrt-pyhook-helper.cpp +++ b/src/Hooks/abrt-pyhook-helper.cpp @@ -108,8 +108,8 @@ int main(int argc, char** argv) if (uuid) dd.SaveText("uuid", uuid); - char uid[16]; - snprintf(uid, 16, "%d", (int)getuid()); + char uid[sizeof(int) * 3 + 2]; + sprintf(uid, "%d", (int)getuid()); dd.SaveText("uid", uid); dd.SaveText("backtrace", bt); |