diff mbox series

[3/3] fstests: test restricted file access sysctls

Message ID 8e007b9f-9fdb-c9dd-c2b0-dd273d24a517@redhat.com (mailing list archive)
State New, archived
Headers show
Series fstests: test restricted file access sysctls | expand

Commit Message

Eric Sandeen May 5, 2020, 8:21 p.m. UTC
This tests the fs.protected_regular and fs.protected_fifos
sysctls which restrict access behavior in sticky world-writable
directories as documented in the kernel at 
Documentation/admin-guide/sysctl/fs.rst

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

Comments

Bill O'Donnell May 6, 2020, 6:47 p.m. UTC | #1
On Tue, May 05, 2020 at 03:21:54PM -0500, Eric Sandeen wrote:
> This tests the fs.protected_regular and fs.protected_fifos
> sysctls which restrict access behavior in sticky world-writable
> directories as documented in the kernel at 
> Documentation/admin-guide/sysctl/fs.rst
> 
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> ---
> 
> diff --git a/tests/generic/901 b/tests/generic/901
> new file mode 100755
> index 00000000..5906b53c
> --- /dev/null
> +++ b/tests/generic/901
> @@ -0,0 +1,127 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (c) 2020 Red Hat, Inc.  All Rights Reserved.
> +#
> +# FS QA Test 900
> +#
> +# Test protected_regular and protected_fifos sysctls
> +#
> +seq=`basename $0`
> +seqres=$RESULT_DIR/$seq
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1	# failure is the default!
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +_cleanup()
> +{
> +	rm -rf $TEST_DIR/$seq
> +	sysctl -qw fs.protected_regular=$REGULAR_PROTECTION
> +	sysctl -qw fs.protected_fifos=$FIFO_PROTECTION
> +	cd /
> +	rm -f $tmp.*
> +}
> +
> +# get standard environment, filters and checks
> +. ./common/rc
> +. ./common/filter
> +
> +# remove previous $seqres.full before test
> +rm -f $seqres.full
> +
> +# real QA test starts here
> +
> +# Modify as appropriate.
> +_supported_fs generic
> +_supported_os Linux
> +_require_test
> +_require_sysctl fs.protected_regular
> +_require_sysctl fs.protected_fifos
> +_require_user fsgqa
> +_require_user fsgqa2
> +
> +USER1=fsgqa
> +USER2=fsgqa2

See my fsgqa2 question in previous patch. ;)
-Bill

> +
> +# Save current system state to reset when done
> +REGULAR_PROTECTION=`sysctl -n fs.protected_regular`
> +FIFO_PROTECTION=`sysctl -n fs.protected_fifos`
> +
> +test_access()
> +{
> +	FILENAME=$1
> +
> +	# sticky dir is world & group writable:
> +	echo "= group & world writable dir"
> +	chmod og+w $TEST_DIR/$seq/sticky_dir
> +	# "open -f" opens O_CREAT
> +	result=`sudo -u $USER2 $XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/$FILENAME" 2>&1` \
> +		&& echo "successfully opened $FILENAME" \
> +		|| echo $result | _filter_test_dir
> +	# sticky dir is only group writable:
> +	echo "= only group writable dir"
> +	chmod o-w $TEST_DIR/$seq/sticky_dir
> +	result=`sudo -u $USER2 $XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/$FILENAME" 2>&1` \
> +		&& echo "successfully opened $FILENAME" \
> +		|| echo $result | _filter_test_dir
> +}
> +
> +setup_tree()
> +{
> +	# Create sticky dir owned by $USER2
> +	mkdir -p $TEST_DIR/$seq
> +	mkdir -p $TEST_DIR/$seq/sticky_dir
> +	chmod 1777 $TEST_DIR/$seq/sticky_dir
> +	chown $USER2.$USER2 $TEST_DIR/$seq/sticky_dir
> +
> +	# Create file & fifo in that dir owned by $USER1, and open
> +	# normal read/write privs for world & group
> +	$XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/file"
> +	chown $USER1.$USER1 $TEST_DIR/$seq/sticky_dir/file
> +	chmod o+rw $TEST_DIR/$seq/sticky_dir/file
> +
> +	mkfifo $TEST_DIR/$seq/sticky_dir/fifo
> +	chown $USER1.$USER1 $TEST_DIR/$seq/sticky_dir/fifo
> +	chmod o+rw $TEST_DIR/$seq/sticky_dir/fifo
> +}
> +
> +setup_tree
> +
> +# First test fs.protected_regular
> +# With protection set to 1, O_CREAT opens in a world-writable sticky
> +# directory should fail if the file exists, is owned by another, and
> +# file owner != dir owner
> +#
> +# With protection set to 2, the same goes for group-writable
> +# sticky directories
> +
> +echo "== Test file open when owned by another and file owner != dir owner"
> +sysctl -w fs.protected_regular=0
> +test_access file
> +sysctl -w fs.protected_regular=1
> +test_access file
> +sysctl -w fs.protected_regular=2
> +test_access file
> +
> +echo
> +
> +# Now test fs.protected_fifos
> +# With protection set to 1, O_CREAT opens in a world-writable sticky
> +# directory should fail if the fifo exists, is owned by another, and
> +# file owner != dir owner
> +#
> +# With protection set to 2, the same goes for group-writable
> +# sticky directories
> +echo "== Test fifo open when owned by another and fifo owner != dir owner"
> +sysctl -w fs.protected_fifos=0
> +test_access fifo
> +sysctl -w fs.protected_fifos=1
> +test_access fifo
> +sysctl -w fs.protected_fifos=2
> +test_access fifo
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/generic/901.out b/tests/generic/901.out
> new file mode 100644
> index 00000000..af774ca5
> --- /dev/null
> +++ b/tests/generic/901.out
> @@ -0,0 +1,34 @@
> +QA output created by 901
> +== Test file open when owned by another and file owner != dir owner
> +fs.protected_regular = 0
> += group & world writable dir
> +successfully opened file
> += only group writable dir
> +successfully opened file
> +fs.protected_regular = 1
> += group & world writable dir
> +TEST_DIR/901/sticky_dir/file: Permission denied
> += only group writable dir
> +successfully opened file
> +fs.protected_regular = 2
> += group & world writable dir
> +TEST_DIR/901/sticky_dir/file: Permission denied
> += only group writable dir
> +TEST_DIR/901/sticky_dir/file: Permission denied
> +
> +== Test fifo open when owned by another and fifo owner != dir owner
> +fs.protected_fifos = 0
> += group & world writable dir
> +successfully opened fifo
> += only group writable dir
> +successfully opened fifo
> +fs.protected_fifos = 1
> += group & world writable dir
> +TEST_DIR/901/sticky_dir/fifo: Permission denied
> += only group writable dir
> +successfully opened fifo
> +fs.protected_fifos = 2
> += group & world writable dir
> +TEST_DIR/901/sticky_dir/fifo: Permission denied
> += only group writable dir
> +TEST_DIR/901/sticky_dir/fifo: Permission denied
> diff --git a/tests/generic/group b/tests/generic/group
> index 782b0cc3..d1e529d5 100644
> --- a/tests/generic/group
> +++ b/tests/generic/group
> @@ -599,3 +599,4 @@
>  595 auto quick encrypt
>  596 auto quick
>  900 auto quick perms
> +901 auto quick perms
> 
>
Bill O'Donnell May 6, 2020, 6:53 p.m. UTC | #2
On Tue, May 05, 2020 at 03:21:54PM -0500, Eric Sandeen wrote:
> This tests the fs.protected_regular and fs.protected_fifos
> sysctls which restrict access behavior in sticky world-writable
> directories as documented in the kernel at 
> Documentation/admin-guide/sysctl/fs.rst
> 
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> ---

looks good.
Reviewed-by: Bill O'Donnell <billodo@redhat.com>

> 
> diff --git a/tests/generic/901 b/tests/generic/901
> new file mode 100755
> index 00000000..5906b53c
> --- /dev/null
> +++ b/tests/generic/901
> @@ -0,0 +1,127 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (c) 2020 Red Hat, Inc.  All Rights Reserved.
> +#
> +# FS QA Test 900
> +#
> +# Test protected_regular and protected_fifos sysctls
> +#
> +seq=`basename $0`
> +seqres=$RESULT_DIR/$seq
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1	# failure is the default!
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +_cleanup()
> +{
> +	rm -rf $TEST_DIR/$seq
> +	sysctl -qw fs.protected_regular=$REGULAR_PROTECTION
> +	sysctl -qw fs.protected_fifos=$FIFO_PROTECTION
> +	cd /
> +	rm -f $tmp.*
> +}
> +
> +# get standard environment, filters and checks
> +. ./common/rc
> +. ./common/filter
> +
> +# remove previous $seqres.full before test
> +rm -f $seqres.full
> +
> +# real QA test starts here
> +
> +# Modify as appropriate.
> +_supported_fs generic
> +_supported_os Linux
> +_require_test
> +_require_sysctl fs.protected_regular
> +_require_sysctl fs.protected_fifos
> +_require_user fsgqa
> +_require_user fsgqa2
> +
> +USER1=fsgqa
> +USER2=fsgqa2
> +
> +# Save current system state to reset when done
> +REGULAR_PROTECTION=`sysctl -n fs.protected_regular`
> +FIFO_PROTECTION=`sysctl -n fs.protected_fifos`
> +
> +test_access()
> +{
> +	FILENAME=$1
> +
> +	# sticky dir is world & group writable:
> +	echo "= group & world writable dir"
> +	chmod og+w $TEST_DIR/$seq/sticky_dir
> +	# "open -f" opens O_CREAT
> +	result=`sudo -u $USER2 $XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/$FILENAME" 2>&1` \
> +		&& echo "successfully opened $FILENAME" \
> +		|| echo $result | _filter_test_dir
> +	# sticky dir is only group writable:
> +	echo "= only group writable dir"
> +	chmod o-w $TEST_DIR/$seq/sticky_dir
> +	result=`sudo -u $USER2 $XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/$FILENAME" 2>&1` \
> +		&& echo "successfully opened $FILENAME" \
> +		|| echo $result | _filter_test_dir
> +}
> +
> +setup_tree()
> +{
> +	# Create sticky dir owned by $USER2
> +	mkdir -p $TEST_DIR/$seq
> +	mkdir -p $TEST_DIR/$seq/sticky_dir
> +	chmod 1777 $TEST_DIR/$seq/sticky_dir
> +	chown $USER2.$USER2 $TEST_DIR/$seq/sticky_dir
> +
> +	# Create file & fifo in that dir owned by $USER1, and open
> +	# normal read/write privs for world & group
> +	$XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/file"
> +	chown $USER1.$USER1 $TEST_DIR/$seq/sticky_dir/file
> +	chmod o+rw $TEST_DIR/$seq/sticky_dir/file
> +
> +	mkfifo $TEST_DIR/$seq/sticky_dir/fifo
> +	chown $USER1.$USER1 $TEST_DIR/$seq/sticky_dir/fifo
> +	chmod o+rw $TEST_DIR/$seq/sticky_dir/fifo
> +}
> +
> +setup_tree
> +
> +# First test fs.protected_regular
> +# With protection set to 1, O_CREAT opens in a world-writable sticky
> +# directory should fail if the file exists, is owned by another, and
> +# file owner != dir owner
> +#
> +# With protection set to 2, the same goes for group-writable
> +# sticky directories
> +
> +echo "== Test file open when owned by another and file owner != dir owner"
> +sysctl -w fs.protected_regular=0
> +test_access file
> +sysctl -w fs.protected_regular=1
> +test_access file
> +sysctl -w fs.protected_regular=2
> +test_access file
> +
> +echo
> +
> +# Now test fs.protected_fifos
> +# With protection set to 1, O_CREAT opens in a world-writable sticky
> +# directory should fail if the fifo exists, is owned by another, and
> +# file owner != dir owner
> +#
> +# With protection set to 2, the same goes for group-writable
> +# sticky directories
> +echo "== Test fifo open when owned by another and fifo owner != dir owner"
> +sysctl -w fs.protected_fifos=0
> +test_access fifo
> +sysctl -w fs.protected_fifos=1
> +test_access fifo
> +sysctl -w fs.protected_fifos=2
> +test_access fifo
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/generic/901.out b/tests/generic/901.out
> new file mode 100644
> index 00000000..af774ca5
> --- /dev/null
> +++ b/tests/generic/901.out
> @@ -0,0 +1,34 @@
> +QA output created by 901
> +== Test file open when owned by another and file owner != dir owner
> +fs.protected_regular = 0
> += group & world writable dir
> +successfully opened file
> += only group writable dir
> +successfully opened file
> +fs.protected_regular = 1
> += group & world writable dir
> +TEST_DIR/901/sticky_dir/file: Permission denied
> += only group writable dir
> +successfully opened file
> +fs.protected_regular = 2
> += group & world writable dir
> +TEST_DIR/901/sticky_dir/file: Permission denied
> += only group writable dir
> +TEST_DIR/901/sticky_dir/file: Permission denied
> +
> +== Test fifo open when owned by another and fifo owner != dir owner
> +fs.protected_fifos = 0
> += group & world writable dir
> +successfully opened fifo
> += only group writable dir
> +successfully opened fifo
> +fs.protected_fifos = 1
> += group & world writable dir
> +TEST_DIR/901/sticky_dir/fifo: Permission denied
> += only group writable dir
> +successfully opened fifo
> +fs.protected_fifos = 2
> += group & world writable dir
> +TEST_DIR/901/sticky_dir/fifo: Permission denied
> += only group writable dir
> +TEST_DIR/901/sticky_dir/fifo: Permission denied
> diff --git a/tests/generic/group b/tests/generic/group
> index 782b0cc3..d1e529d5 100644
> --- a/tests/generic/group
> +++ b/tests/generic/group
> @@ -599,3 +599,4 @@
>  595 auto quick encrypt
>  596 auto quick
>  900 auto quick perms
> +901 auto quick perms
> 
>
Eric Sandeen May 6, 2020, 7:23 p.m. UTC | #3
On 5/5/20 3:21 PM, Eric Sandeen wrote:
> This tests the fs.protected_regular and fs.protected_fifos
> sysctls which restrict access behavior in sticky world-writable
> directories as documented in the kernel at 
> Documentation/admin-guide/sysctl/fs.rst
> 
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>

Actually, I'm going to self-nak this one, sorry; this bit -

> +	# "open -f" opens O_CREAT
> +	result=`sudo -u $USER2 $XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/$FILENAME" 2>&1` \
> +		&& echo "successfully opened $FILENAME" \
> +		|| echo $result | _filter_test_dir

depends on xfs_io exiting nonzero on a failure and that was only recently
fixed; I'll come up with a test that's more robust and send a V2.

-Eric
diff mbox series

Patch

diff --git a/tests/generic/901 b/tests/generic/901
new file mode 100755
index 00000000..5906b53c
--- /dev/null
+++ b/tests/generic/901
@@ -0,0 +1,127 @@ 
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2020 Red Hat, Inc.  All Rights Reserved.
+#
+# FS QA Test 900
+#
+# Test protected_regular and protected_fifos sysctls
+#
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	rm -rf $TEST_DIR/$seq
+	sysctl -qw fs.protected_regular=$REGULAR_PROTECTION
+	sysctl -qw fs.protected_fifos=$FIFO_PROTECTION
+	cd /
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+
+# Modify as appropriate.
+_supported_fs generic
+_supported_os Linux
+_require_test
+_require_sysctl fs.protected_regular
+_require_sysctl fs.protected_fifos
+_require_user fsgqa
+_require_user fsgqa2
+
+USER1=fsgqa
+USER2=fsgqa2
+
+# Save current system state to reset when done
+REGULAR_PROTECTION=`sysctl -n fs.protected_regular`
+FIFO_PROTECTION=`sysctl -n fs.protected_fifos`
+
+test_access()
+{
+	FILENAME=$1
+
+	# sticky dir is world & group writable:
+	echo "= group & world writable dir"
+	chmod og+w $TEST_DIR/$seq/sticky_dir
+	# "open -f" opens O_CREAT
+	result=`sudo -u $USER2 $XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/$FILENAME" 2>&1` \
+		&& echo "successfully opened $FILENAME" \
+		|| echo $result | _filter_test_dir
+	# sticky dir is only group writable:
+	echo "= only group writable dir"
+	chmod o-w $TEST_DIR/$seq/sticky_dir
+	result=`sudo -u $USER2 $XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/$FILENAME" 2>&1` \
+		&& echo "successfully opened $FILENAME" \
+		|| echo $result | _filter_test_dir
+}
+
+setup_tree()
+{
+	# Create sticky dir owned by $USER2
+	mkdir -p $TEST_DIR/$seq
+	mkdir -p $TEST_DIR/$seq/sticky_dir
+	chmod 1777 $TEST_DIR/$seq/sticky_dir
+	chown $USER2.$USER2 $TEST_DIR/$seq/sticky_dir
+
+	# Create file & fifo in that dir owned by $USER1, and open
+	# normal read/write privs for world & group
+	$XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/file"
+	chown $USER1.$USER1 $TEST_DIR/$seq/sticky_dir/file
+	chmod o+rw $TEST_DIR/$seq/sticky_dir/file
+
+	mkfifo $TEST_DIR/$seq/sticky_dir/fifo
+	chown $USER1.$USER1 $TEST_DIR/$seq/sticky_dir/fifo
+	chmod o+rw $TEST_DIR/$seq/sticky_dir/fifo
+}
+
+setup_tree
+
+# First test fs.protected_regular
+# With protection set to 1, O_CREAT opens in a world-writable sticky
+# directory should fail if the file exists, is owned by another, and
+# file owner != dir owner
+#
+# With protection set to 2, the same goes for group-writable
+# sticky directories
+
+echo "== Test file open when owned by another and file owner != dir owner"
+sysctl -w fs.protected_regular=0
+test_access file
+sysctl -w fs.protected_regular=1
+test_access file
+sysctl -w fs.protected_regular=2
+test_access file
+
+echo
+
+# Now test fs.protected_fifos
+# With protection set to 1, O_CREAT opens in a world-writable sticky
+# directory should fail if the fifo exists, is owned by another, and
+# file owner != dir owner
+#
+# With protection set to 2, the same goes for group-writable
+# sticky directories
+echo "== Test fifo open when owned by another and fifo owner != dir owner"
+sysctl -w fs.protected_fifos=0
+test_access fifo
+sysctl -w fs.protected_fifos=1
+test_access fifo
+sysctl -w fs.protected_fifos=2
+test_access fifo
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/901.out b/tests/generic/901.out
new file mode 100644
index 00000000..af774ca5
--- /dev/null
+++ b/tests/generic/901.out
@@ -0,0 +1,34 @@ 
+QA output created by 901
+== Test file open when owned by another and file owner != dir owner
+fs.protected_regular = 0
+= group & world writable dir
+successfully opened file
+= only group writable dir
+successfully opened file
+fs.protected_regular = 1
+= group & world writable dir
+TEST_DIR/901/sticky_dir/file: Permission denied
+= only group writable dir
+successfully opened file
+fs.protected_regular = 2
+= group & world writable dir
+TEST_DIR/901/sticky_dir/file: Permission denied
+= only group writable dir
+TEST_DIR/901/sticky_dir/file: Permission denied
+
+== Test fifo open when owned by another and fifo owner != dir owner
+fs.protected_fifos = 0
+= group & world writable dir
+successfully opened fifo
+= only group writable dir
+successfully opened fifo
+fs.protected_fifos = 1
+= group & world writable dir
+TEST_DIR/901/sticky_dir/fifo: Permission denied
+= only group writable dir
+successfully opened fifo
+fs.protected_fifos = 2
+= group & world writable dir
+TEST_DIR/901/sticky_dir/fifo: Permission denied
+= only group writable dir
+TEST_DIR/901/sticky_dir/fifo: Permission denied
diff --git a/tests/generic/group b/tests/generic/group
index 782b0cc3..d1e529d5 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -599,3 +599,4 @@ 
 595 auto quick encrypt
 596 auto quick
 900 auto quick perms
+901 auto quick perms