Blame SOURCES/0097-ccpp-harden-dealing-with-UID-GID.patch

8ec399
From b72616471ec52a009904689592f4f69e730a6f56 Mon Sep 17 00:00:00 2001
8ec399
From: Jakub Filak <jfilak@redhat.com>
8ec399
Date: Fri, 17 Apr 2015 14:42:13 +0200
8ec399
Subject: [ABRT PATCH] ccpp: harden dealing with UID/GID
8ec399
8ec399
* Don't fall back to UID 0.
8ec399
* Use fsgid.
8ec399
8ec399
This issue was discovered by Florian Weimer of Red Hat Product Security.
8ec399
8ec399
Signed-off-by: Jakub Filak <jfilak@redhat.com>
8ec399
---
8ec399
 src/hooks/abrt-hook-ccpp.c | 39 ++++++++++++++++++++++++++-------------
8ec399
 1 file changed, 26 insertions(+), 13 deletions(-)
8ec399
8ec399
diff --git a/src/hooks/abrt-hook-ccpp.c b/src/hooks/abrt-hook-ccpp.c
8ec399
index d600bb7..d9f1f5e 100644
8ec399
--- a/src/hooks/abrt-hook-ccpp.c
8ec399
+++ b/src/hooks/abrt-hook-ccpp.c
8ec399
@@ -218,23 +218,27 @@ static char* get_rootdir(pid_t pid)
8ec399
     return malloc_readlink(buf);
8ec399
 }
8ec399
 
8ec399
-static int get_fsuid(void)
8ec399
+static int get_proc_fs_id(char type)
8ec399
 {
8ec399
-    int real, euid, saved;
8ec399
-    /* if we fail to parse the uid, then make it root only readable to be safe */
8ec399
-    int fs_uid = 0;
8ec399
+    const char *scanf_format = "%*cid:\t%d\t%d\t%d\t%d\n";
8ec399
+    char id_type[] = "_id";
8ec399
+    id_type[0] = type;
8ec399
+
8ec399
+    int real, e_id, saved;
8ec399
+    int fs_id = 0;
8ec399
 
8ec399
     char *line = proc_pid_status; /* never NULL */
8ec399
     for (;;)
8ec399
     {
8ec399
-        if (strncmp(line, "Uid", 3) == 0)
8ec399
+        if (strncmp(line, id_type, 3) == 0)
8ec399
         {
8ec399
-            int n = sscanf(line, "Uid:\t%d\t%d\t%d\t%d\n", &real, &euid, &saved, &fs_uid);
8ec399
+            int n = sscanf(line, scanf_format, &real, &e_id, &saved, &fs_id);
8ec399
             if (n != 4)
8ec399
             {
8ec399
-                perror_msg_and_die("Can't parse Uid: line");
8ec399
+                perror_msg_and_die("Can't parse %cid: line", type);
8ec399
             }
8ec399
-            break;
8ec399
+
8ec399
+            return fs_id;
8ec399
         }
8ec399
         line = strchr(line, '\n');
8ec399
         if (!line)
8ec399
@@ -242,7 +246,17 @@ static int get_fsuid(void)
8ec399
         line++;
8ec399
     }
8ec399
 
8ec399
-    return fs_uid;
8ec399
+    perror_msg_and_die("Failed to get file system %cID of the crashed process", type);
8ec399
+}
8ec399
+
8ec399
+static int get_fsuid(void)
8ec399
+{
8ec399
+    return get_proc_fs_id(/*UID*/'U');
8ec399
+}
8ec399
+
8ec399
+static int get_fsgid(void)
8ec399
+{
8ec399
+    return get_proc_fs_id(/*GID*/'G');
8ec399
 }
8ec399
 
8ec399
 static int dump_suid_policy()
8ec399
@@ -278,10 +292,9 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu
8ec399
     if (proc_cwd == NULL)
8ec399
         return -1;
8ec399
 
8ec399
-    struct passwd* pw = getpwuid(uid);
8ec399
-    gid_t gid = pw ? pw->pw_gid : uid;
8ec399
-    //log("setting uid: %i gid: %i", uid, gid);
8ec399
-    xsetegid(gid);
8ec399
+    errno = 0;
8ec399
+
8ec399
+    xsetegid(get_fsgid());
8ec399
     xseteuid(fsuid);
8ec399
 
8ec399
     if (strcmp(core_basename, "core") == 0)
8ec399
-- 
8ec399
1.8.3.1
8ec399