The Python abrt-action-debuginfo-install script has a few problems:
1. it needs to be able to write to /var/cache/abrt-di
2. it needs to be able to read $HOME/.abrt/spool/
So far we're trying to achieve this by running the debuginfo-install
script under group ABRT (using SGID) and this approach has a few flaws:
1. it creates /var/cache/abrt-di/usr with owner <user>:abrt
- where <user> is the user who actually ran it, and it makes the directory
writeable for that user, which is not good
2. if we use SUID instead it can't read the
$HOME/.abrt/spool/ccpp-*/coredump
Solutions:
a) we can split the script into two parts:
- first part which will analyse the coredump and get the build_ids and
feed the build_ids to the second part which will be the suided script
which downloads and extracts the packages
b) we open the coredump and pass the file descriptor to the suided
install script
- I vote for the first solution as the second one will probably need a
SELinux policy tweak, because SELinux doesn't like leaking fds.
Any other ideas are more than welcome ;)
Thank you,
Jirka
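
Added example, not part of the original post and not ABRT's own code: under solution (a) the privileged second part receives build_ids from a process the user controls, so it should validate them before they reach a path or a command line. The accepted length range, the one-per-line input format and the `.build-id/xx/rest.debug` layout under the cache are assumptions, and the function names are hypothetical.

```python
import re

CACHE_DIR = "/var/cache/abrt-di"  # cache directory named in the post
# Assumption: a build-id is 32 to 64 hex digits (a SHA-1 build-id is 40).
BUILD_ID_RE = re.compile(r"[0-9a-f]{32,64}")


def is_build_id(value):
    """True only for a lowercase, even-length hex string in the allowed range."""
    return bool(BUILD_ID_RE.fullmatch(value)) and len(value) % 2 == 0


def parse_build_ids(text):
    """Split untrusted input (one id per line) into (accepted, rejected)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        token = line.strip()
        if not token:
            continue
        candidate = token.lower()
        if is_build_id(candidate):
            if candidate not in accepted:  # drop duplicates, keep order
                accepted.append(candidate)
        else:
            rejected.append(token)
    return accepted, rejected


def debuginfo_path(build_id, cache_dir=CACHE_DIR):
    """Map a validated build-id to its .debug path under the cache."""
    if not is_build_id(build_id):
        raise ValueError("not a build-id: %r" % build_id)
    # Assumption: usr/lib/debug/.build-id/<first 2 digits>/<rest>.debug layout.
    return "%s/usr/lib/debug/.build-id/%s/%s.debug" % (
        cache_dir, build_id[:2], build_id[2:])


# Constructed sample of what the unprivileged first part might hand over.
SAMPLE = """\
0123456789abcdef0123456789abcdef01234567
../../etc/passwd
0123456789ABCDEF0123456789ABCDEF01234567
deadbeef
-x
"""

if __name__ == "__main__":
    ok, bad = parse_build_ids(SAMPLE)
    for build_id in ok:
        print(debuginfo_path(build_id))
    print("rejected:", bad)
```

Because only hex digits survive validation, a build-id can never contain a path separator or start with a dash, so the privileged part cannot be steered outside the cache directory or into option parsing by this input.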