From 0641129e214fa1cd2a67740c3193944285781819 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Miroslav=20Such=C3=BD?= <msuchy@redhat.com>

Date: Wed, 6 May 2020 19:10:48 +0200

Subject: [PATCH] setgid instead of setuid the

 abrt-action-install-debuginfo-to-abrt-cache [RHBZ 1796245]

This is called by abrt-action-install-debuginfo-to-abrt-cache which used to be setuid and now is setgid binary.

Therefore we do not need to setuid and we neither need it.

Resolves:

https://bugzilla.redhat.com/show_bug.cgi?id=1796245

---

 src/client-python/reportclient/debuginfo.py | 25 +++++++++------------

 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/src/client-python/reportclient/debuginfo.py b/src/client-python/reportclient/debuginfo.py

index 561de52f..560629cc 100644

--- a/src/client-python/reportclient/debuginfo.py

+++ b/src/client-python/reportclient/debuginfo.py

@@ -35,41 +35,38 @@ from reportclient import (_, log1, log2, RETURN_OK, RETURN_FAILURE,

                           error_msg)

-def ensure_abrt_uid(fn):

+def ensure_abrt_gid(fn):

     """

-    Ensures that the function is called using abrt's uid and gid

+    Ensures that the function is called using abrt's gid

     Returns:

         Either an unchanged function object or a wrapper function object for

         the function.

     """

-    current_uid = os.getuid()

     current_gid = os.getgid()

     abrt = pwd.getpwnam("abrt")

     # if we're are already running as abrt, don't do anything

-    if abrt.pw_uid == current_uid and abrt.pw_gid == current_gid:

+    if abrt.pw_gid == current_gid:

         return fn

     def wrapped(*args, **kwargs):

         """

         Wrapper function around the called function.

-        Sets up uid and gid to match abrt's and after the function finishes

-        rolls its uid and gid back.

+        Sets up gid to match abrt's and after the function finishes

+        rolls its gid back.

         Returns:

             Return value of the wrapped function.

         """

-        # switch to abrt

+        # switch to abrt group

         os.setegid(abrt.pw_gid)

-        os.seteuid(abrt.pw_uid)

         # extract the files as abrt:abrt

         retval = fn(*args, **kwargs)

         # switch back to whatever we were

-        os.seteuid(current_uid)

         os.setegid(current_gid)

         return retval

@@ -79,7 +76,7 @@ def ensure_abrt_uid(fn):

 # TODO: unpack just required debuginfo and not entire rpm?

 # ..that can lead to: foo.c No such file and directory

 # files is not used...

-@ensure_abrt_uid

+@ensure_abrt_gid

 def unpack_rpm(package_full_path, files, tmp_dir, destdir, exact_files=False):

     """

     Unpacks a single rpm located in tmp_dir into destdir.

@@ -265,7 +262,7 @@ class DebugInfoDownload(object):

             else:

                 print("ERR: unmute called without mute?")

-    @ensure_abrt_uid

+    @ensure_abrt_gid

     def setup_tmp_dirs(self):

         if not os.path.exists(self.tmpdir):

             try:

@@ -406,9 +403,9 @@ class DebugInfoDownload(object):

                     s = os.stat(self.cachedir)

                     abrt = pwd.getpwnam("abrt")

-                    if (s.st_uid != abrt.pw_uid) or (s.st_gid != abrt.pw_gid):

-                        print(_("'{0}' must be owned by abrt. "

-                                "Please run '# chown -R abrt.abrt {0}' "

+                    if s.st_gid != abrt.pw_gid:

+                        print(_("'{0}' must be owned by group abrt. "

+                                "Please run '# chown -R :abrt {0}' "

                                 "to fix the issue.").format(self.cachedir))

                     clean_up(self.tmpdir)

-- 

2.21.3