From 10bea037a2ad82616b3698d07d07d287481e1bed Mon Sep 17 00:00:00 2001

From: Jakub Filak <jfilak@redhat.com>

Date: Wed, 6 May 2015 14:04:42 +0200

Subject: [ABRT PATCH] daemon: harden against race conditions in DELETE

There is a race between checking dump dir accessibility and deleting it

in abrt-server.

Related: #1214457.

Signed-off-by: Jakub Filak <jfilak@redhat.com>

---

 src/daemon/abrt-server.c | 21 +++++++++++++++++++--

 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/daemon/abrt-server.c b/src/daemon/abrt-server.c

index 1030461..130c24a 100644

--- a/src/daemon/abrt-server.c

+++ b/src/daemon/abrt-server.c

@@ -91,8 +91,16 @@ static int delete_path(const char *dump_dir_name)

         error_msg("Problem directory '%s' isn't owned by root:abrt or others are not restricted from access", dump_dir_name);

         return 400; /*  */

     }

-    if (!dump_dir_accessible_by_uid(dump_dir_name, client_uid))

+

+    int dir_fd = dd_openfd(dump_dir_name);

+    if (dir_fd < 0)

+    {

+        perror_msg("Can't open problem directory '%s'", dump_dir_name);

+        return 400;

+    }

+    if (!fdump_dir_accessible_by_uid(dir_fd, client_uid))

     {

+        close(dir_fd);

         if (errno == ENOTDIR)

         {

             error_msg("Path '%s' isn't problem directory", dump_dir_name);

@@ -102,7 +110,16 @@ static int delete_path(const char *dump_dir_name)

         return 403; /* Forbidden */

     }

-    delete_dump_dir(dump_dir_name);

+    struct dump_dir *dd = dd_fdopendir(dir_fd, dump_dir_name, /*flags:*/ 0);

+    if (dd)

+    {

+        if (dd_delete(dd) != 0)

+        {

+            error_msg("Failed to delete problem directory '%s'", dump_dir_name);

+            dd_close(dd);

+            return 400;

+        }

+    }

     return 0; /* success */

 }

-- 

1.8.3.1