Description of problem: Customer is running ABRT on the OpenShift Online public cloud and they would like to select specifically users they want to collect core dumps from. This is due to fact that non-paid user could DDoS their nodes by generating a large number of dumps and crash abrt itself. Also, it is not sufficient to have this handling in the event hooks, as these are run only after the coredump is generated and saved.
Version-Release number of selected component (if applicable): abrt-2.0.8-30
ABRT allows all the users to collect coredumps.
ABRT should allow selecting specific users to collect coredumps from.
What about implement the user whitelisting by adding a new group? The coredumps will be collected only form the users which are in the group.
The solution offers better manipulation and readability than add a list of users to the CCpp.conf file. Also, in the case there are a lot of whitelisted users, the solution with list in CCpp.conf will be slower.
Create a new group (something like "abrt_dumpable"). If there are no users in the group, coredumps will be collected from all users. If there are some users in the group, coredumps will be collected only from these users.
Are you ok with this approach?
Well, such approach would be a little bit confusing and error prone. I would rather switch from user whitelisting to group whitelisting.
How about to enable both user and group white listing?
AllowedUsers = root
AllowedGroups = wheel
The logic would be the following:
- if both options are not-defined or empty keep all core dumps
- else if crashed UID is in the list of users keep the core dump
- else if crashed UID belongs to a group in the list of groups keep the core dump
Created attachment 1114349 [details]
Move back to the POST status, because of the missing dependency to right libreport's version.
The customer is ready to accept the proposed workaround.
Thanks & Regards,
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.