The Python abrt-action-debuginfo-install script has a few problems:
1. it needs to be able to write to /var/cache/abrt-di
2. it needs to be able to read $HOME/.abrt/spool/
So far we're trying to achieve this by running the debuginfo-install script under group ABRT (using SGID), and this approach has a few flaws:
1. it creates /var/cache/abrt-di/usr with owner <user>:abrt - where <user> is the user who actually ran it - and it makes the directory writeable for that user, which is not good
2. if we use SUID instead, it can't read the $HOME/.abrt/spool/ccpp-*/coredump
Solutions:
a) we can split the script into two parts:
- first part, which will analyse the coredump and get the build_ids, and feed the build_ids to the second part, which will be the suided script which downloads and extracts the packages
b) we open the coredump and pass the file descriptor to the suided install script
- I vote for the first solution, as the second one will probably need a SELinux policy tweak, because SELinux doesn't like leaking fds.
Any other ideas are more than welcome ;)
Thank you, Jirka
crash-catcher@lists.fedorahosted.org
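
Added example, not part of the original message and not ABRT code: in solution (a) the privileged half receives build_ids from a process the user controls, so it has to validate each one before turning it into a path. The sketch assumes 40-hex-character SHA-1 build-ids and the usual /usr/lib/debug/.build-id layout; the function names, the input cap and the sample input are hypothetical.

```python
import re

# Assumption: build-ids are the 40-hex-character SHA-1 form (the linker default).
BUILD_ID_RE = re.compile(r"[0-9a-f]{40}")
DEBUG_ROOT = "/usr/lib/debug/.build-id"   # usual debuginfo layout (assumed here)
MAX_IDS = 4096                            # hypothetical cap on input size


def parse_build_ids(lines):
    """Return (accepted, rejected) from untrusted, caller-supplied lines."""
    accepted, rejected = [], []
    for raw in lines:
        candidate = raw.strip()
        if not candidate:
            continue
        if len(accepted) + len(rejected) >= MAX_IDS:
            raise ValueError("too many build-ids supplied")
        # fullmatch: no slashes, dots or other path characters get through
        if BUILD_ID_RE.fullmatch(candidate):
            if candidate not in accepted:
                accepted.append(candidate)
        else:
            rejected.append(candidate)
    return accepted, rejected


def debuginfo_path(build_id):
    """Map a validated build-id to the file the installer has to provide."""
    if not BUILD_ID_RE.fullmatch(build_id):
        raise ValueError("refusing unvalidated build-id")
    return f"{DEBUG_ROOT}/{build_id[:2]}/{build_id[2:]}.debug"


# Constructed sample of what the unprivileged half might send.
SAMPLE = [
    "4f1a9c0e5b7d2a8c6e3f0b1d9a7c5e3f1b0d8a6c\n",
    "../../outside-cache\n",                         # not a build-id
    "4f1a9c0e5b7d2a8c6e3f0b1d9a7c5e3f1b0d8a6c\n",   # duplicate
    "4F1A9C0E\n",                                    # too short, wrong case
    "\n",
]

if __name__ == "__main__":
    ok, bad = parse_build_ids(SAMPLE)
    for bid in ok:
        print("need", debuginfo_path(bid))
    for item in bad:
        print("rejected", repr(item))
```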