This script tests whether file permissions are properly checked with and
without ACLs. The script must be run as root to allow switching users.
The following users are required. They must be members of the groups
listed in parentheses.
bin (bin)
daemon (bin, daemon)
Fail immediately if we are not running as root; every `su` below depends on it.
$ require_root
First, set up a temporary directory and create a regular file with
defined permissions.
$ umask 022
$ mkdir d
$ cd d
$ umask 027
$ touch f
$ ls -l f | awk -- '{ print $1, $3, $4 }' | sed 's/\\.//g'
> -rw-r----- root root
Make sure root has access to the file. Verify that user daemon does not
have access to the file owned by root.
$ echo root > f
$ su daemon
$ echo daemon >> f
>~ .*f: Permission denied$
$ su
Now, change the ownership of the file to bin:bin and verify that this
gives user bin write access.
$ chown bin:bin f
$ ls -l f | awk -- '{ print $1, $3, $4 }' | sed 's/\\.//g'
> -rw-r----- bin bin
$ su bin
$ echo bin >> f
User daemon is a member of the owning group, which has only read access.
Verify this.
$ su daemon
$ cat f
> root
> bin
$ echo daemon >> f
>~ .*f: Permission denied$
Now, add an ACL entry for user daemon that grants him rw- access. File
owners and processes with CAP_FOWNER are allowed to change ACLs, which is why the setfacl below is run as the owner, bin.
$ su bin
$ setfacl -m u:daemon:rw f
$ getfacl --omit-header f
> user::rw-
> user:daemon:rw-
> group::r--
> mask::rw-
> other::---
>
Verify that the additional ACL entry grants user daemon write access.
$ su daemon
$ echo daemon >> f
$ cat f
> root
> bin
> daemon
Remove write access from the group class permission bits, and
verify that this masks daemon's write permission. On a file that carries an ACL, the group bits changed by chmod are the mask entry, not the owning-group entry: the user:daemon entry keeps rw- but its effective rights drop to r--.
$ su bin
$ chmod g-w f
$ getfacl --omit-header f
> user::rw-
> user:daemon:rw- #effective:r--
> group::r--
> mask::r--
> other::---
>
$ su daemon
$ echo daemon >> f
>~ .*f: Permission denied$
Add an entry for group daemon with rw- access, and change the
permissions for user daemon to r--. Also change the other permissions to
rw-. The user entry should take precedence, so daemon should be denied
access.
$ su bin
$ setfacl -m u:daemon:r,g:daemon:rw-,o::rw- f
$ su daemon
$ echo daemon >> f
>~ .*f: Permission denied$
Remove the entry for user daemon. The group daemon permissions should
now give user daemon rw- access.
$ su bin
$ setfacl -x u:daemon f
$ su daemon
$ echo daemon2 >> f
$ cat f
> root
> bin
> daemon
> daemon2
Set the group daemon permissions to r-- and verify that after that, user
daemon does not have write access anymore.
$ su bin
$ setfacl -m g:daemon:r f
$ su daemon
$ echo daemon3 >> f
>~ .*f: Permission denied$
Now, remove the group daemon entry. Because user daemon is a member in
the owning group, he should still have no write access: a process that matches the owning group is decided by the group class and never falls through to the more permissive other::rw- entry set above.
$ su bin
$ setfacl -x g:daemon f
$ su daemon
$ echo daemon4 >> f
>~ .*f: Permission denied$
Change the owning group. The other permissions should now grant user
daemon write access.
$ su
$ chgrp root f
$ su daemon
$ echo daemon5 >> f
$ cat f
> root
> bin
> daemon
> daemon2
> daemon5
Verify that permissions in separate matching ACL entries do not
accumulate: a single matching entry must hold every requested permission. Below, g:bin grants only read and g:daemon grants only write, so user daemon (a member of both) may open the file for reading or for writing, but an open for read+write is denied.
$ su
$ setfacl -m g:bin:r,g:daemon:w f
$ su daemon
$ : < f
$ : > f
$ : <> f
>~ .*f: Permission denied$
Test if directories can have ACLs. We assume that only one access check
algorithm is used for all file types on the file system, so these tests
only need to verify that ACL permissions make a difference.
$ su
$ mkdir -m 750 e
$ touch e/h
$ su bin
$ shopt -s nullglob ; echo e/*
>
$ echo i > e/i
>~ .*e/i: Permission denied$
$ su
$ setfacl -m u:bin:rx e
$ su bin
$ echo e/*
> e/h
$ echo i > e/i
>~ .*e/i: Permission denied$
$ su
$ setfacl -m u:bin:rwx e
$ su bin
$ echo i > e/i
Test if symlinks are properly followed: setfacl on the link l must change the ACL of its target g, which the trailing `+` in g's mode string confirms.
$ su
$ touch g
$ ln -s g l
$ setfacl -m u:bin:rw l
$ ls -l g | awk -- '{ print $1, $3, $4 }'
> -rw-rw----+ root root
Test if ACLs are effective for block and character special files, fifos,
sockets. This is done by creating special files locally (note that only a block device, a character device and a fifo are actually exercised below; no socket is created). The devices do
not need to exist: The access check is earlier in the code path than the
test whether the device exists. This is why, once the ACL grants bin access, opening hdt fails with "No such device or address" instead of "Permission denied".
$ mknod -m 0660 hdt b 91 64
$ mknod -m 0660 null c 1 3
$ mkfifo -m 0660 fifo
$ su bin
$ : < hdt
>~ .*hdt: Permission denied$
$ : < null
>~ .*null: Permission denied$
$ : < fifo
>~ .*fifo: Permission denied$
$ su
$ setfacl -m u:bin:rw hdt null fifo
$ su bin
$ : < hdt
>~ .*hdt: No such device or address$
$ : < null
$ ( echo blah > fifo & ) ; cat fifo
> blah
Test if CAP_FOWNER is properly honored for directories. This addresses a
specific bug in XFS 1.2, which does not grant root access to files in
directories if the containing directory has an ACL (below, the ACL is set on the directory x, not on x/j) and only CAP_FOWNER would grant them.
$ su
$ mkdir -m 600 x
$ chown daemon:daemon x
$ echo j > x/j
$ ls -l x/j | awk -- '{ print $1, $3, $4 }' | sed 's/\\.//g'
> -rw-r----- root root
$ setfacl -m u:daemon:r x
$ ls -l x/j | awk -- '{ print $1, $3, $4 }' | sed 's/\\.//g'
> -rw-r----- root root
(With the bug this gives: `ls: x/j: Permission denied'.)
$ echo k > x/k
(With the bug this gives: `x/k: Permission denied'.)
$ chmod 750 x
Clean up.
$ su
$ cd ..
$ rm -rf d