Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1213408

Summary: abrt: root should own problem report directories, switch back to /var/spool/abrt from /var/tmp/abrt
Product: Red Hat Enterprise Linux 7 Reporter: Florian Weimer <fweimer>
Component: abrtAssignee: abrt <abrt-devel-list>
Status: CLOSED ERRATA QA Contact: Martin Kyral <mkyral>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: herrold, jfilak, mkyral
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: abrt-2.1.11-22.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 14:32:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1211224, 1213409, 1214172    

Description Florian Weimer 2015-04-20 13:42:48 UTC 
The choice of /var/tmp/abrt as the base directory for problem report directories makes it quite hard to write correct code to access problem directories because all access needs to obtain a stable reference to the problem directory (using openat) in a way that is race-free with an ownership check on /var/tmp/abrt (it must be owned by root:root).

It is much easier to switch back to /var/spool/abrt, where the directory can be packaged directly in the RPM with appropriate ownership.

/var/spool/abrt is also more or less required for proper path-based SELinux labeling, a subdirectory of a 1777 directory really isn't cut out for that.

In the past, it has been alleged that user-owned files under /var/spool are not FHS-compliant, but existing practice (such as mailboxes and crontabs) flatly contradicts that.  In any case, FHS compliance is not a sufficient justification to drive up code complexity and risk having a prolonged streak of security vulnerabilities.  But with the move towards problem directory ownership by root:abrt, this objection no longer applies anyway.
Comment 2 Florian Weimer 2015-04-22 08:51:14 UTC 
This bug should also capture the switch to root:abrt ownership of problem report directories, with permissions 0750.  This addresses both race conditions and information leaks.
Comment 3 R P Herrold 2015-04-23 20:59:46 UTC 
http://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#VARSPOOLAPPLICATIONSPOOLDATA

/var/spool states:

/var/spool : Application spool data
Purpose

/var/spool contains data which is awaiting some kind of later processing. Data in /var/spool represents work to be done in the future (by a program, user, or administrator); often data is deleted after it has been processed. 

======

whoever is asserting user owned files done belong there has not read the spec
Comment 4 Mats Wichmann 2015-04-23 21:00:14 UTC 
Is there a pointer to the claims that user-owner files are not allowed here by FHS?  Could be worth disambiguating...
Comment 5 Florian Weimer 2015-04-27 13:49:11 UTC 
(In reply to Mats Wichmann from comment #4)
> Is there a pointer to the claims that user-owner files are not allowed here
> by FHS?  Could be worth disambiguating...

No, this was internal communication, and it's now difficult to trace back.  I think it was just an incorrect analysis of the overall situation (see comment 0).

R P Herrold, thanks for digging out this reference.

We tried a version with root:abrt ownership, 0770 permissions, and this does not address bug 1212861 completely: abrt can still escalate privileges to root.  We're now trying 0750 permissions, as requested in comment 2.
Comment 6 Jakub Filak 2015-07-09 10:34:21 UTC 
Fixed in distgit commit:

commit 5050e2a0eb82c167150af65e712a775bf9a1f447
Author: Jakub Filak <jfilak>
Date:   Tue May 5 15:42:37 2015 +0200

    Fix symlink, race-conditions and other security flaws
    
    Resolves: #1211969, #1212819, #1212863, #1212869
    Resolves: #1214453, #1214610, #1216973, #1218583
Comment 9 errata-xmlrpc 2015-11-19 14:32:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2097.html