How to pick up crash reports owned by system users?

Martin Pitt martin.pitt at ubuntu.com
Tue Jan 9 08:35:11 GMT 2007


Hi all,

Currently apport-gtk only displays crash reports that belong to you.
That means that reports from programs that ran as root or a system
user will never be shown. This includes things like 'synaptic'.

Robert and I started a discussion on how to handle those reports, but
more input would be appreciated.

Robert Collins [2007-01-08 20:11 +1100]:
> Subject: Re: [Bug 72250] Re: After 'filing a bug' for a program that ran as
> 	root, apport-gtk crashes
> From: Robert Collins <robertc at robertcollins.net>
> To: Martin Pitt <martin.pitt at ubuntu.com>
> Date: Wed, 03 Jan 2007 08:22:16 +1100
> 
> On Tue, 2007-01-02 at 07:18 +0100, Martin Pitt wrote:
> 
> > We already have a bug, #62316. I totally agree that we have to find a
> > solution for this, but until we have, I preferred consistency and the
> > better-safe-than-sorry approach.
> 
> Cool.
> 
> Well some brainstorming ...
> 
> we could use group membership or user name as a key, and either
> whitelist or blacklist from that.
> 
> for instance we could ensure that all users are in a 'user' group by
> default, and blacklist that group - all other users would get world
> readable crashdumps. This particular case would mean existing installs
> would need to change their group memberships, but perhaps the upgrade
> could do that.
> 
> Should we take this to ubuntu-devel?

For the records: At the moment, crash reports are stored as $UID:$GID
0600 for privacy reasons.

I do not want to introduce more groups, since we must not change group
memberships on upgrade, and we only need a pretty coarse separation:
crash reports from uid >= 1000 should only be displayed to the
user it happened to and reports from system users (<= 1000) should
additionally be accessible to 'administrators'.

I see the following options:

 * Store system crash reports as $UID:admin 0660. 'adm' is not strong
   enough since new users (if created with users-admin) are in that
   group by default. This would immediately make them work with
   apport-gtk; however, crash reports with sensitive data are
   immediately exposed to all programs running in the user's session,
   I'm a bit nervous about this.

 * Change apport-checkreports to check for the existence of system
   crash reports if the user is in 'admin', and have apport-gtk gksu
   itself if there is a system crash report it cannot read. This would
   be the safe option, but requires some ugly hardcoding of group
   names and semantics into apport. However, this hardcoding could
   eventually be moved into the update-notifier apport code (when
   we'll finally get event-notifier, this will be much cleaner).

I favor the latter option.

Robert, others, what do you think?

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
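
Added example, not part of the original message and not apport's own code: a sketch of the second option's decision logic, which inspects only file metadata and never opens a report the viewer does not own. The uid cutoff (below 1000 counts as a system user), the function names and the sample file names are assumptions made for illustration.

```python
import os
import stat
from typing import NamedTuple

FIRST_USER_UID = 1000  # assumption: uids below this are system users
ADMIN_GROUP = "admin"  # group name used in the message

class Report(NamedTuple):
    name: str
    uid: int   # owner of the report file
    mode: int  # permission bits, e.g. 0o600

def decide(report, viewer_uid, viewer_groups):
    """Return 'show' for the viewer's own report, 'elevate' for a system
    report when the viewer is an administrator, otherwise 'hide'."""
    if report.uid == viewer_uid:
        return "show"
    if report.uid < FIRST_USER_UID and ADMIN_GROUP in viewer_groups:
        return "elevate"  # readable only after a privileged re-run
    return "hide"

def too_permissive(report):
    """True if group or other has any access, i.e. the file is not 0600-style."""
    return bool(report.mode & (stat.S_IRWXG | stat.S_IRWXO))

def scan(directory):
    """List regular files by metadata only; symlinks are not followed."""
    found = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode):
            found.append(Report(entry.name, st.st_uid, stat.S_IMODE(st.st_mode)))
    return found

def plan(reports, viewer_uid, viewer_groups):
    return {r.name: decide(r, viewer_uid, viewer_groups) for r in reports}

# Constructed sample metadata, not taken from a real system.
SAMPLE = [
    Report("synaptic.crash", 0, 0o600),
    Report("editor.crash", 1000, 0o600),
    Report("other-user.crash", 1001, 0o600),
    Report("daemon.crash", 105, 0o660),
]

if __name__ == "__main__":
    for name, action in plan(SAMPLE, 1000, {ADMIN_GROUP}).items():
        print(f"{action:8} {name}")
    print("group/other access:", [r.name for r in SAMPLE if too_permissive(r)])
```

The "elevate" result only signals that a privileged helper is needed; report contents stay unreadable to other programs in the user's session until that step.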