| Message ID | 294c5739-ff30-285c-8cf7-11a6dff98294@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | fstests: test restricted file access sysctls | expand |
On Tue, May 05, 2020 at 03:20:10PM -0500, Eric Sandeen wrote: > This tests the fs.protected_symlinks and fs.protected_hardlinks > sysctls which restrict links behavior in sticky world-writable > directories as documented in the kernel at > Documentation/admin-guide/sysctl/fs.rst > > Signed-off-by: Eric Sandeen <sandeen@redhat.com> > --- > > diff --git a/tests/generic/900 b/tests/generic/900 > new file mode 100755 > index 00000000..f0ac46ef > --- /dev/null > +++ b/tests/generic/900 > @@ -0,0 +1,114 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved. > +# > +# FS QA Test 900 > +# > +# Test protected_symlink and protected_hardlink ioctls > +# > +seq=`basename $0` > +seqres=$RESULT_DIR/$seq > +echo "QA output created by $seq" > + > +here=`pwd` > +tmp=/tmp/$$ > +status=1 # failure is the default! > +trap "_cleanup; exit \$status" 0 1 2 3 15 > + > +_cleanup() > +{ > + rm -rf $TEST_DIR/$seq > + sysctl -qw fs.protected_symlinks=$SYMLINK_PROTECTION > + sysctl -qw fs.protected_hardlinks=$HARDLINK_PROTECTION > + cd / > + rm -f $tmp.* > +} > + > +# get standard environment, filters and checks > +. ./common/rc > +. ./common/filter > + > +# remove previous $seqres.full before test > +rm -f $seqres.full > + > +# real QA test starts here > + > +# Modify as appropriate. > +_supported_fs generic > +_supported_os Linux > +_require_test > +_require_sysctl fs.protected_symlinks > +_require_sysctl fs.protected_hardlinks > +_require_user fsgqa > +_require_user fsgqa2 > + > +OWNER=fsgqa > +OTHER=fsgqa2 Why fsgqa2 instead of 123456-fsgqa? Thanks- Bill > + > +# Save current system state to reset when done > +SYMLINK_PROTECTION=`sysctl -n fs.protected_symlinks` > +HARDLINK_PROTECTION=`sysctl -n fs.protected_hardlinks` > + > +test_symlink() > +{ > + ln -s $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/symlink > + chown $OTHER.$OTHER $TEST_DIR/$seq/sticky_dir > + chown $OWNER.$OWNER $TEST_DIR/$seq/sticky_dir/symlink > + # If we can read the target, we followed the link > + sudo -u $OTHER cat $TEST_DIR/$seq/sticky_dir/symlink 2>&1 \ > + | _filter_test_dir > + rm -f $TEST_DIR/$seq/sticky_dir/symlink > +} > + > +test_hardlink() > +{ > + chown $OWNER.$OWNER $TEST_DIR/$seq/target > + chmod go-rw $TEST_DIR/$seq/target > + sudo -u $OTHER \ > + ln $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/hardlink 2>&1 \ > + | _filter_test_dir > + test -f $TEST_DIR/$seq/sticky_dir/hardlink \ > + && echo "successfully created hardlink" > + rm -f $TEST_DIR/$seq/sticky_dir/hardlink > +} > + > +setup_tree() > +{ > + # Create world-writable sticky dir > + mkdir -p $TEST_DIR/$seq/sticky_dir > + chmod 1777 $TEST_DIR/$seq/sticky_dir > + # And a file elsewhere that will be linked to from that sticky dir > + mkdir -p $TEST_DIR/$seq > + # If we can read it, we followed the link. > + echo "successfully followed symlink" > $TEST_DIR/$seq/target > +} > + > +setup_tree > + > +# First test fs.protected_symlinks > +# With protection on, symlink follows should fail if the > +# link owner != the sticky directory owner, and the process > +# is not the link owner. > +echo "== Test symlink follow protection when" > +echo "== process != link owner and dir owner != link owner" > +sysctl -w fs.protected_symlinks=0 > +test_symlink > +sysctl -w fs.protected_symlinks=1 > +test_symlink > + > +echo > + > +# Now test fs.protected_hardlinks > +# With protection on, hardlink creation should fail if the > +# process does not own the target file, and the process does not have > +# read-write access to the target > +echo "== Test hardlink create protection when" > +echo "== process != target owner and process cannot read target" > +sysctl -w fs.protected_hardlinks=0 > +test_hardlink > +sysctl -w fs.protected_hardlinks=1 > +test_hardlink > + > +# success, all done > +status=0 > +exit > diff --git a/tests/generic/900.out b/tests/generic/900.out > new file mode 100644 > index 00000000..c9b26dbd > --- /dev/null > +++ b/tests/generic/900.out > @@ -0,0 +1,14 @@ > +QA output created by 900 > +== Test symlink follow protection when > +== process != link owner and dir owner != link owner > +fs.protected_symlinks = 0 > +successfully followed symlink > +fs.protected_symlinks = 1 > +cat: TEST_DIR/900/sticky_dir/symlink: Permission denied > + > +== Test hardlink create protection when > +== process != target owner and process cannot read target > +fs.protected_hardlinks = 0 > +successfully created hardlink > +fs.protected_hardlinks = 1 > +ln: failed to create hard link 'TEST_DIR/900/sticky_dir/hardlink' => 'TEST_DIR/900/target': Operation not permitted > diff --git a/tests/generic/group b/tests/generic/group > index 718575ba..782b0cc3 100644 > --- a/tests/generic/group > +++ b/tests/generic/group > @@ -598,3 +598,4 @@ > 594 auto quick quota > 595 auto quick encrypt > 596 auto quick > +900 auto quick perms > >
On 5/6/20 1:44 PM, Bill O'Donnell wrote: > On Tue, May 05, 2020 at 03:20:10PM -0500, Eric Sandeen wrote: ... >> +OWNER=fsgqa >> +OTHER=fsgqa2 > > Why fsgqa2 instead of 123456-fsgqa? > Thanks- > Bill Yeah, not quite sure what to do about that. That username is somewhat specific to test generic/381 because it wants to test usernames starting with digits. I hate to proliferate required users, though, so not sure what the best way to go might be. I could maybe/probably use root as one of the users, but didn't want to over-complicate it with matching admin privs vs. normal user privs. -Eric
On Wed, May 06, 2020 at 01:48:19PM -0500, Eric Sandeen wrote: > On 5/6/20 1:44 PM, Bill O'Donnell wrote: > > On Tue, May 05, 2020 at 03:20:10PM -0500, Eric Sandeen wrote: > > ... > > >> +OWNER=fsgqa > >> +OTHER=fsgqa2 > > > > Why fsgqa2 instead of 123456-fsgqa? > > Thanks- > > Bill > > Yeah, not quite sure what to do about that. That username is somewhat specific > to test generic/381 because it wants to test usernames starting with digits. > I hate to proliferate required users, though, so not sure what the best way > to go might be. > > I could maybe/probably use root as one of the users, but didn't want to > over-complicate it with matching admin privs vs. normal user privs. Fair enough. THanks! Reviewed-by: Bill O'Donnell <billodo@redhat.com> > > -Eric >
On Tue, May 05, 2020 at 03:20:10PM -0500, Eric Sandeen wrote: > This tests the fs.protected_symlinks and fs.protected_hardlinks > sysctls which restrict links behavior in sticky world-writable > directories as documented in the kernel at > Documentation/admin-guide/sysctl/fs.rst > > Signed-off-by: Eric Sandeen <sandeen@redhat.com> > --- > > diff --git a/tests/generic/900 b/tests/generic/900 > new file mode 100755 > index 00000000..f0ac46ef > --- /dev/null > +++ b/tests/generic/900 > @@ -0,0 +1,114 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved. > +# > +# FS QA Test 900 > +# > +# Test protected_symlink and protected_hardlink ioctls > +# > +seq=`basename $0` > +seqres=$RESULT_DIR/$seq > +echo "QA output created by $seq" > + > +here=`pwd` > +tmp=/tmp/$$ > +status=1 # failure is the default! > +trap "_cleanup; exit \$status" 0 1 2 3 15 > + > +_cleanup() > +{ > + rm -rf $TEST_DIR/$seq > + sysctl -qw fs.protected_symlinks=$SYMLINK_PROTECTION > + sysctl -qw fs.protected_hardlinks=$HARDLINK_PROTECTION Restore the sysctl only if "SYMLINK_PROTECTION" and "HARDLINK_PROTECTION" are set. > + cd / > + rm -f $tmp.* > +} > + > +# get standard environment, filters and checks > +. ./common/rc > +. ./common/filter > + > +# remove previous $seqres.full before test > +rm -f $seqres.full > + > +# real QA test starts here > + > +# Modify as appropriate. > +_supported_fs generic > +_supported_os Linux > +_require_test > +_require_sysctl fs.protected_symlinks > +_require_sysctl fs.protected_hardlinks > +_require_user fsgqa > +_require_user fsgqa2 New user :) update README as well? > + > +OWNER=fsgqa > +OTHER=fsgqa2 > + > +# Save current system state to reset when done > +SYMLINK_PROTECTION=`sysctl -n fs.protected_symlinks` > +HARDLINK_PROTECTION=`sysctl -n fs.protected_hardlinks` > + > +test_symlink() > +{ > + ln -s $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/symlink > + chown $OTHER.$OTHER $TEST_DIR/$seq/sticky_dir > + chown $OWNER.$OWNER $TEST_DIR/$seq/sticky_dir/symlink > + # If we can read the target, we followed the link > + sudo -u $OTHER cat $TEST_DIR/$seq/sticky_dir/symlink 2>&1 \ Use _user_do instead of sudo? > + | _filter_test_dir > + rm -f $TEST_DIR/$seq/sticky_dir/symlink > +} > + > +test_hardlink() > +{ > + chown $OWNER.$OWNER $TEST_DIR/$seq/target > + chmod go-rw $TEST_DIR/$seq/target > + sudo -u $OTHER \ > + ln $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/hardlink 2>&1 \ > + | _filter_test_dir Same here. Thanks, Eryu > + test -f $TEST_DIR/$seq/sticky_dir/hardlink \ > + && echo "successfully created hardlink" > + rm -f $TEST_DIR/$seq/sticky_dir/hardlink > +} > + > +setup_tree() > +{ > + # Create world-writable sticky dir > + mkdir -p $TEST_DIR/$seq/sticky_dir > + chmod 1777 $TEST_DIR/$seq/sticky_dir > + # And a file elsewhere that will be linked to from that sticky dir > + mkdir -p $TEST_DIR/$seq > + # If we can read it, we followed the link. > + echo "successfully followed symlink" > $TEST_DIR/$seq/target > +} > + > +setup_tree > + > +# First test fs.protected_symlinks > +# With protection on, symlink follows should fail if the > +# link owner != the sticky directory owner, and the process > +# is not the link owner. > +echo "== Test symlink follow protection when" > +echo "== process != link owner and dir owner != link owner" > +sysctl -w fs.protected_symlinks=0 > +test_symlink > +sysctl -w fs.protected_symlinks=1 > +test_symlink > + > +echo > + > +# Now test fs.protected_hardlinks > +# With protection on, hardlink creation should fail if the > +# process does not own the target file, and the process does not have > +# read-write access to the target > +echo "== Test hardlink create protection when" > +echo "== process != target owner and process cannot read target" > +sysctl -w fs.protected_hardlinks=0 > +test_hardlink > +sysctl -w fs.protected_hardlinks=1 > +test_hardlink > + > +# success, all done > +status=0 > +exit > diff --git a/tests/generic/900.out b/tests/generic/900.out > new file mode 100644 > index 00000000..c9b26dbd > --- /dev/null > +++ b/tests/generic/900.out > @@ -0,0 +1,14 @@ > +QA output created by 900 > +== Test symlink follow protection when > +== process != link owner and dir owner != link owner > +fs.protected_symlinks = 0 > +successfully followed symlink > +fs.protected_symlinks = 1 > +cat: TEST_DIR/900/sticky_dir/symlink: Permission denied > + > +== Test hardlink create protection when > +== process != target owner and process cannot read target > +fs.protected_hardlinks = 0 > +successfully created hardlink > +fs.protected_hardlinks = 1 > +ln: failed to create hard link 'TEST_DIR/900/sticky_dir/hardlink' => 'TEST_DIR/900/target': Operation not permitted > diff --git a/tests/generic/group b/tests/generic/group > index 718575ba..782b0cc3 100644 > --- a/tests/generic/group > +++ b/tests/generic/group > @@ -598,3 +598,4 @@ > 594 auto quick quota > 595 auto quick encrypt > 596 auto quick > +900 auto quick perms >
On 5/17/20 10:55 AM, Eryu Guan wrote: > On Tue, May 05, 2020 at 03:20:10PM -0500, Eric Sandeen wrote: >> This tests the fs.protected_symlinks and fs.protected_hardlinks >> sysctls which restrict links behavior in sticky world-writable >> directories as documented in the kernel at >> Documentation/admin-guide/sysctl/fs.rst >> >> Signed-off-by: Eric Sandeen <sandeen@redhat.com> >> --- >> >> diff --git a/tests/generic/900 b/tests/generic/900 >> new file mode 100755 >> index 00000000..f0ac46ef >> --- /dev/null >> +++ b/tests/generic/900 >> @@ -0,0 +1,114 @@ >> +#! /bin/bash >> +# SPDX-License-Identifier: GPL-2.0 >> +# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved. >> +# >> +# FS QA Test 900 >> +# >> +# Test protected_symlink and protected_hardlink ioctls >> +# >> +seq=`basename $0` >> +seqres=$RESULT_DIR/$seq >> +echo "QA output created by $seq" >> + >> +here=`pwd` >> +tmp=/tmp/$$ >> +status=1 # failure is the default! >> +trap "_cleanup; exit \$status" 0 1 2 3 15 >> + >> +_cleanup() >> +{ >> + rm -rf $TEST_DIR/$seq >> + sysctl -qw fs.protected_symlinks=$SYMLINK_PROTECTION >> + sysctl -qw fs.protected_hardlinks=$HARDLINK_PROTECTION > > Restore the sysctl only if "SYMLINK_PROTECTION" and > "HARDLINK_PROTECTION" are set. thankss >> + cd / >> + rm -f $tmp.* >> +} >> + >> +# get standard environment, filters and checks >> +. ./common/rc >> +. ./common/filter >> + >> +# remove previous $seqres.full before test >> +rm -f $seqres.full >> + >> +# real QA test starts here >> + >> +# Modify as appropriate. >> +_supported_fs generic >> +_supported_os Linux >> +_require_test >> +_require_sysctl fs.protected_symlinks >> +_require_sysctl fs.protected_hardlinks >> +_require_user fsgqa >> +_require_user fsgqa2 > > New user :) update README as well? Hm, yep. >> + >> +OWNER=fsgqa >> +OTHER=fsgqa2 >> + >> +# Save current system state to reset when done >> +SYMLINK_PROTECTION=`sysctl -n fs.protected_symlinks` >> +HARDLINK_PROTECTION=`sysctl -n fs.protected_hardlinks` >> + >> +test_symlink() >> +{ >> + ln -s $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/symlink >> + chown $OTHER.$OTHER $TEST_DIR/$seq/sticky_dir >> + chown $OWNER.$OWNER $TEST_DIR/$seq/sticky_dir/symlink >> + # If we can read the target, we followed the link >> + sudo -u $OTHER cat $TEST_DIR/$seq/sticky_dir/symlink 2>&1 \ > > Use _user_do instead of sudo? but OTHER is "fsgqa2;" _user_do uses "fsgqa" .... hrm. I suppose I could update _user_do to take a username, but is it worth it? Maybe I should just make one of the users root, I'm just worried about accidentally running into admin capabilities... -Eric
On 5/18/20 9:42 AM, Eric Sandeen wrote: >>> +test_symlink() >>> +{ >>> + ln -s $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/symlink >>> + chown $OTHER.$OTHER $TEST_DIR/$seq/sticky_dir >>> + chown $OWNER.$OWNER $TEST_DIR/$seq/sticky_dir/symlink >>> + # If we can read the target, we followed the link >>> + sudo -u $OTHER cat $TEST_DIR/$seq/sticky_dir/symlink 2>&1 \ >> Use _user_do instead of sudo? > but OTHER is "fsgqa2;" _user_do uses "fsgqa" .... hrm. I suppose I could > update _user_do to take a username, but is it worth it? > > Maybe I should just make one of the users root, I'm just worried about accidentally > running into admin capabilities... Actually I'll just re-use 123456-fsgq for OWNER, then OTHER can be fsgqa, and I'll use _user_do. Thanks, -Eric
diff --git a/tests/generic/900 b/tests/generic/900 new file mode 100755 index 00000000..f0ac46ef --- /dev/null +++ b/tests/generic/900 @@ -0,0 +1,114 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved. +# +# FS QA Test 900 +# +# Test protected_symlink and protected_hardlink ioctls +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -rf $TEST_DIR/$seq + sysctl -qw fs.protected_symlinks=$SYMLINK_PROTECTION + sysctl -qw fs.protected_hardlinks=$HARDLINK_PROTECTION + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here + +# Modify as appropriate. +_supported_fs generic +_supported_os Linux +_require_test +_require_sysctl fs.protected_symlinks +_require_sysctl fs.protected_hardlinks +_require_user fsgqa +_require_user fsgqa2 + +OWNER=fsgqa +OTHER=fsgqa2 + +# Save current system state to reset when done +SYMLINK_PROTECTION=`sysctl -n fs.protected_symlinks` +HARDLINK_PROTECTION=`sysctl -n fs.protected_hardlinks` + +test_symlink() +{ + ln -s $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/symlink + chown $OTHER.$OTHER $TEST_DIR/$seq/sticky_dir + chown $OWNER.$OWNER $TEST_DIR/$seq/sticky_dir/symlink + # If we can read the target, we followed the link + sudo -u $OTHER cat $TEST_DIR/$seq/sticky_dir/symlink 2>&1 \ + | _filter_test_dir + rm -f $TEST_DIR/$seq/sticky_dir/symlink +} + +test_hardlink() +{ + chown $OWNER.$OWNER $TEST_DIR/$seq/target + chmod go-rw $TEST_DIR/$seq/target + sudo -u $OTHER \ + ln $TEST_DIR/$seq/target $TEST_DIR/$seq/sticky_dir/hardlink 2>&1 \ + | _filter_test_dir + test -f $TEST_DIR/$seq/sticky_dir/hardlink \ + && echo "successfully created hardlink" + rm -f $TEST_DIR/$seq/sticky_dir/hardlink +} + +setup_tree() +{ + # Create world-writable sticky dir + mkdir -p $TEST_DIR/$seq/sticky_dir + chmod 1777 $TEST_DIR/$seq/sticky_dir + # And a file elsewhere that will be linked to from that sticky dir + mkdir -p $TEST_DIR/$seq + # If we can read it, we followed the link. + echo "successfully followed symlink" > $TEST_DIR/$seq/target +} + +setup_tree + +# First test fs.protected_symlinks +# With protection on, symlink follows should fail if the +# link owner != the sticky directory owner, and the process +# is not the link owner. +echo "== Test symlink follow protection when" +echo "== process != link owner and dir owner != link owner" +sysctl -w fs.protected_symlinks=0 +test_symlink +sysctl -w fs.protected_symlinks=1 +test_symlink + +echo + +# Now test fs.protected_hardlinks +# With protection on, hardlink creation should fail if the +# process does not own the target file, and the process does not have +# read-write access to the target +echo "== Test hardlink create protection when" +echo "== process != target owner and process cannot read target" +sysctl -w fs.protected_hardlinks=0 +test_hardlink +sysctl -w fs.protected_hardlinks=1 +test_hardlink + +# success, all done +status=0 +exit diff --git a/tests/generic/900.out b/tests/generic/900.out new file mode 100644 index 00000000..c9b26dbd --- /dev/null +++ b/tests/generic/900.out @@ -0,0 +1,14 @@ +QA output created by 900 +== Test symlink follow protection when +== process != link owner and dir owner != link owner +fs.protected_symlinks = 0 +successfully followed symlink +fs.protected_symlinks = 1 +cat: TEST_DIR/900/sticky_dir/symlink: Permission denied + +== Test hardlink create protection when +== process != target owner and process cannot read target +fs.protected_hardlinks = 0 +successfully created hardlink +fs.protected_hardlinks = 1 +ln: failed to create hard link 'TEST_DIR/900/sticky_dir/hardlink' => 'TEST_DIR/900/target': Operation not permitted diff --git a/tests/generic/group b/tests/generic/group index 718575ba..782b0cc3 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -598,3 +598,4 @@ 594 auto quick quota 595 auto quick encrypt 596 auto quick +900 auto quick perms
This tests the fs.protected_symlinks and fs.protected_hardlinks sysctls which restrict links behavior in sticky world-writable directories as documented in the kernel at Documentation/admin-guide/sysctl/fs.rst Signed-off-by: Eric Sandeen <sandeen@redhat.com> ---