From 0641129e214fa1cd2a67740c3193944285781819 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20Such=C3=BD?= <msuchy@redhat.com>
Date: Wed, 6 May 2020 19:10:48 +0200
Subject: [PATCH] setgid instead of setuid the
 abrt-action-install-debuginfo-to-abrt-cache [RHBZ 1796245]

This is called by abrt-action-install-debuginfo-to-abrt-cache, which used to be a setuid binary and is now a setgid binary.
Therefore we no longer need to setuid here.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1796245
---
 src/client-python/reportclient/debuginfo.py | 25 +++++++++------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/src/client-python/reportclient/debuginfo.py b/src/client-python/reportclient/debuginfo.py
index 561de52f..560629cc 100644
--- a/src/client-python/reportclient/debuginfo.py
+++ b/src/client-python/reportclient/debuginfo.py
@@ -35,41 +35,38 @@ from reportclient import (_, log1, log2, RETURN_OK, RETURN_FAILURE,
                           error_msg)
 
 
-def ensure_abrt_uid(fn):
+def ensure_abrt_gid(fn):
     """
-    Ensures that the function is called using abrt's uid and gid
+    Ensures that the function is called using abrt's gid
 
     Returns:
         Either an unchanged function object or a wrapper function object for
         the function.
     """
 
-    current_uid = os.getuid()
     current_gid = os.getgid()
     abrt = pwd.getpwnam("abrt")
 
     # if we're are already running as abrt, don't do anything
-    if abrt.pw_uid == current_uid and abrt.pw_gid == current_gid:
+    if abrt.pw_gid == current_gid:
         return fn
 
     def wrapped(*args, **kwargs):
         """
         Wrapper function around the called function.
 
-        Sets up uid and gid to match abrt's and after the function finishes
-        rolls its uid and gid back.
+        Sets up gid to match abrt's and after the function finishes
+        rolls its gid back.
 
         Returns:
             Return value of the wrapped function.
         """
 
-        # switch to abrt
+        # switch to abrt group
         os.setegid(abrt.pw_gid)
-        os.seteuid(abrt.pw_uid)
         # extract the files as abrt:abrt
         retval = fn(*args, **kwargs)
         # switch back to whatever we were
-        os.seteuid(current_uid)
         os.setegid(current_gid)
         return retval
 
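Review bot: `wrapped` restores the group only on the normal return path: if `fn` raises, `os.setegid(current_gid)` is skipped and the process keeps abrt's effective gid for whatever runs next. Wrapping the call in try/finally closes that gap, as sketched below. The context comment `# extract the files as abrt:abrt` is also stale now that only the group is switched; `# run fn with abrt's group` would match the new behaviour. The end of `ensure_abrt_gid` lies outside this hunk.

```python
    def wrapped(*args, **kwargs):
        # … unchanged: docstring …
        os.setegid(abrt.pw_gid)
        try:
            # run fn with abrt's group
            return fn(*args, **kwargs)
        finally:
            # restore the original gid even when fn raises
            os.setegid(current_gid)
```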
@@ -79,7 +76,7 @@ def ensure_abrt_uid(fn):
 # TODO: unpack just required debuginfo and not entire rpm?
 # ..that can lead to: foo.c No such file and directory
 # files is not used...
-@ensure_abrt_uid
+@ensure_abrt_gid
 def unpack_rpm(package_full_path, files, tmp_dir, destdir, exact_files=False):
     """
     Unpacks a single rpm located in tmp_dir into destdir.
@@ -265,7 +262,7 @@ class DebugInfoDownload(object):
             else:
                 print("ERR: unmute called without mute?")
 
-    @ensure_abrt_uid
+    @ensure_abrt_gid
     def setup_tmp_dirs(self):
         if not os.path.exists(self.tmpdir):
             try:
@@ -406,9 +403,9 @@ class DebugInfoDownload(object):
 
                     s = os.stat(self.cachedir)
                     abrt = pwd.getpwnam("abrt")
-                    if (s.st_uid != abrt.pw_uid) or (s.st_gid != abrt.pw_gid):
-                        print(_("'{0}' must be owned by abrt. "
-                                "Please run '# chown -R abrt.abrt {0}' "
+                    if s.st_gid != abrt.pw_gid:
+                        print(_("'{0}' must be owned by group abrt. "
+                                "Please run '# chown -R :abrt {0}' "
                                 "to fix the issue.").format(self.cachedir))
 
                     clean_up(self.tmpdir)
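Review bot: The relaxed check compares only `s.st_gid`, so a cache directory owned by any user passes as long as its group matches, and the mode bits are never inspected. Because the cache holds files that debuggers later load, the check should at least reject a world-writable directory, e.g. `if s.st_gid != abrt.pw_gid or (s.st_mode & 0o002):`. The gid also comes from `pwd.getpwnam("abrt").pw_gid`, which is the primary group of user abrt rather than the group named abrt that the message and `chown -R :abrt` refer to. `grp.getgrnam("abrt").gr_gid` would tie the check to the group name, though whether `grp` is imported is not visible here. The branch only prints before `clean_up(self.tmpdir)`; whether the enclosing method then fails is outside the hunk.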
-- 
2.21.3