Hi,
here is a patch that fixes /var/cache/abrt/* permissions by allowing users to read, but not to change, their crash data. It adds an abrt user, changes abrt-hook-python to use the suid bit instead of the sgid bit (uid=abrt), and sets /var/cache/abrt and every dump subdirectory to be owned by the abrt user. Read access for users to their own crashes is provided by group (/var/cache/abrt/ccpp-xxxx-xx has the user's group).
The current git version is broken. We create a debug dump directory without write access for the user, and applications run by that user (abrt-python-hook) cannot create files in that directory, even when they run with the right group (=abrt group, which has the write access). Furthermore, the user can chmod directories he owns, so he can add write access himself. So the abrt group is useless in this case.
The only problem with this patch is that it assumes that "private groups" are used on the system. That is, a user "karel" belongs to group "karel", and not to a common group "users". I do not know whether this is true for all desktop and server deployments. (If all users share the same group, they will also be able to read other users' crashes, and we do not want that.)
An alternative to this patch is setting the option MakeCompatCore by default and making everything in /var/cache/abrt/ readable only by ABRT, as was proposed by Jiri.
Jiri, Denys, Nikola, what do you think about it?
Karel
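As an added example (not part of Karel's patch or of the abrt project), a small POSIX shell audit of one dump directory against the layout described above, plus a check for the "private group" assumption the layout relies on. It assumes GNU stat on Linux and takes the expected owner and group as parameters.

```shell
#!/bin/sh
# Audit one abrt dump directory against the described layout:
#   owner = the abrt service user (not the crashing user, who could otherwise
#           chmod the directory open)
#   group = the crashing user's private group (gives that user read access)
#   mode  = no group write bit, no permissions at all for "other"
# Usage: check_dump_dir DIR EXPECTED_OWNER EXPECTED_GROUP
# Prints the first violation and returns 1; returns 0 if every check passes.
check_dump_dir() {
    dir=$1; want_owner=$2; want_group=$3
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # GNU stat (Linux assumed): owner name, group name, octal mode
    set -- $(stat -c '%U %G %a' "$dir")
    owner=$1; group=$2; mode=$3
    [ "$owner" = "$want_owner" ] ||
        { echo "$dir: owner $owner, expected $want_owner"; return 1; }
    [ "$group" = "$want_group" ] ||
        { echo "$dir: group $group, expected $want_group"; return 1; }
    # last two octal digits are the group and other permission bits
    tail=${mode#"${mode%??}"}
    gbits=${tail%?}
    obits=${tail#?}
    case $gbits in
        2|3|6|7) echo "$dir: mode $mode is group-writable"; return 1 ;;
    esac
    [ "$obits" = 0 ] || { echo "$dir: mode $mode is accessible by other"; return 1; }
    return 0
}

# Return 0 if GROUP exists in the group file and has no supplementary members,
# i.e. it is a private group; 1 if it is shared or unknown.
# Usage: group_is_private GROUP [GROUP_FILE]   (GROUP_FILE defaults to /etc/group)
group_is_private() {
    group=$1; file=${2:-/etc/group}
    line=$(awk -F: -v g="$group" '$1 == g' "$file")
    [ -n "$line" ] || return 1          # unknown group
    [ -z "${line##*:}" ]                # member list (last field) must be empty
}
```

The owner check only proves meaningful when run as root against a real dump tree, but the mode and group-file checks work on any directory you can stat.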