d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

dd a series of regression tests to validate that privilege requirements are

Browse Source 
implemented properly for a number of kernel subsystems.  In general, they
try to exercise the privilege first as the root user, then as a test user,
in order to determine when privilege is being checked.

Currently, these tests do not compare inside/outside jail, and probably
should be enhanced to do that.

Sponsored by:	nCircle Network Security, Inc.
Obtained from:	TrustedBSD Project
This commit is contained in:
rwatson 2006-09-13 09:05:39 +00:00
parent 166e57c29a
commit bd76450bdb
32 changed files with 4026 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
tools/regression/priv/Makefile Normal file
View File

@ -0,0 +1,40 @@
#
# $FreeBSD$
#
PROG= main
SRCS= main.c \
priv_acct.c \
priv_adjtime.c \
priv_clock_settime.c \
priv_io.c \
priv_kenv_set.c \
priv_kenv_unset.c \
priv_proc_setlogin.c \
priv_proc_setrlimit.c \
priv_sched_rtprio.c \
priv_sched_setpriority.c \
priv_settimeofday.c \
priv_sysctl_write.c \
priv_vfs_admin.c \
priv_vfs_chown.c \
priv_vfs_chroot.c \
priv_vfs_clearsugid.c \
priv_vfs_extattr_system.c \
priv_vfs_fhopen.c \
priv_vfs_fhstat.c \
priv_vfs_fhstatfs.c \
priv_vfs_generation.c \
priv_vfs_getfh.c \
priv_vfs_read_write.c \
priv_vfs_setgid.c \
priv_vfs_stickyfile.c \
priv_vm_mlock.c \
priv_vm_munlock.c \
priv_vm_madv_protect.c \
\
test_utimes.c
NO_MAN=
WARNS= 3
.include <bsd.prog.mk>

184
tools/regression/priv/main.c Normal file
View File

@ -0,0 +1,184 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Privilege test framework. Each test is encapsulated on a .c file exporting
* a function that implements the test. Each test is run from its own child
* process, and they are run in sequence one at a time.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
/*
* Common routines used across many tests.
*/
void
assert_root(void)
{
if (getuid() != UID_ROOT || geteuid() != UID_ROOT)
err(-1, "must be run as root");
}
void
setup_file(char *fpathp, uid_t uid, gid_t gid, mode_t mode)
{
int fd;
strcpy(fpathp, "/tmp/priv.XXXXXXXXXXX");
fd = mkstemp(fpathp);
if (fd < 0)
err(-1, "mkstemp");
if (fchown(fd, uid, gid) < 0)
err(-1, "fchown(%s, %d, %d)", fpathp, uid, gid);
if (fchmod(fd, mode) < 0)
err(-1, "chmod(%s, 0%o)", fpathp, mode);
close(fd);
}
/*
* When downgrading privileges, set the gid before the uid; when upgrading,
* set uid before gid.
*/
void
set_creds(uid_t uid, gid_t gid)
{
if (setegid(gid) < 0)
err(-1, "setegid(%d)", gid);
if (seteuid(uid) < 0)
err(-1, "seteuid(%d)", uid);
}
void
set_euid(uid_t uid)
{
if (seteuid(uid) < 0)
err(-1, "seteuid(%d)", uid);
}
void
restore_creds(void)
{
if (seteuid(UID_ROOT) < 0)
err(-1, "seteuid(%d)", UID_ROOT);
if (setegid(GID_WHEEL) < 0)
err(-1, "setegid(%d)", GID_WHEEL);
}
/*
* Execute tests in a child process so they don't contaminate each other,
* especially with regard to file descriptors, credentials, working
* directories, and chroot status.
*/
static void
run(const char *funcname, void (*func)(void))
{
pid_t childpid, pid;
printf("running %s\n", funcname);
fflush(stdout);
fflush(stderr);
childpid = fork();
if (childpid == -1)
err(-1, "test %s unable to fork", funcname);
if (childpid == 0) {
setprogname(funcname);
func();
fflush(stdout);
fflush(stderr);
exit(0);
} else {
while (1) {
pid = waitpid(childpid, NULL, 0);
if (pid == -1)
warn("waitpid %s", funcname);
if (pid == childpid)
break;
}
}
fflush(stdout);
fflush(stderr);
}
int
main(int argc, char *argv[])
{
run("priv_acct", priv_acct);
run("priv_adjtime", priv_adjtime);
run("priv_clock_settime", priv_clock_settime);
run("priv_io", priv_io);
run("priv_kenv_set", priv_kenv_set);
run("priv_kenv_unset", priv_kenv_unset);
run("priv_proc_setlogin", priv_proc_setlogin);
run("priv_proc_setrlimit", priv_proc_setrlimit);
run("priv_sched_rtprio", priv_sched_rtprio);
run("priv_sched_setpriority", priv_sched_setpriority);
run("priv_settimeofday", priv_settimeofday);
run("priv_sysctl_write", priv_sysctl_write);
run("priv_vfs_admin", priv_vfs_admin);
run("priv_vfs_chown", priv_vfs_chown);
run("priv_vfs_chroot", priv_vfs_chroot);
run("priv_vfs_clearsugid", priv_vfs_clearsugid);
run("priv_vfs_extattr_system", priv_vfs_extattr_system);
run("priv_vfs_fhopen", priv_vfs_fhopen);
run("priv_vfs_fhstat", priv_vfs_fhstat);
run("priv_vfs_fhstatfs", priv_vfs_fhstatfs);
run("priv_vfs_generation", priv_vfs_generation);
run("priv_vfs_getfh", priv_vfs_getfh);
run("priv_vfs_read", priv_vfs_read);
run("priv_vfs_setgid", priv_vfs_setgid);
run("priv_vfs_stickyfile", priv_vfs_stickyfile);
run("priv_vfs_write", priv_vfs_write);
run("priv_vm_madv_protect", priv_vm_madv_protect);
run("priv_vm_mlock", priv_vm_mlock);
run("priv_vm_munlock", priv_vm_munlock);
run("test_utimes", test_utimes);
return (0);
}

90
tools/regression/priv/main.h Normal file
View File

@ -0,0 +1,90 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
#define UID_ROOT 0
#define UID_OWNER 100
#define UID_OTHER 200
#define UID_THIRD 300
#define GID_WHEEL 0
#define GID_OWNER 100
#define GID_OTHER 200
#define KENV_VAR_NAME "test"
#define KENV_VAR_VALUE "test"
/*
* Library routines used by many tests.
*/
void assert_root(void);
void setup_file(char *fpathp, uid_t uid, gid_t gid, mode_t mode);
void set_creds(uid_t uid, gid_t gid);
void set_euid(uid_t uid);
void restore_creds(void);
/*
* Tests for specific privileges.
*/
void priv_acct(void);
void priv_adjtime(void);
void priv_clock_settime(void);
void priv_io(void);
void priv_kenv_set(void);
void priv_kenv_unset(void);
void priv_proc_setlogin(void);
void priv_proc_setrlimit(void);
void priv_sched_rtprio(void);
void priv_sched_setpriority(void);
void priv_settimeofday(void);
void priv_sysctl_write(void);
void priv_vfs_admin(void);
void priv_vfs_chown(void);
void priv_vfs_chroot(void);
void priv_vfs_clearsugid(void);
void priv_vfs_extattr_system(void);
void priv_vfs_fhopen(void);
void priv_vfs_fhstat(void);
void priv_vfs_fhstatfs(void);
void priv_vfs_generation(void);
void priv_vfs_getfh(void);
void priv_vfs_read(void);
void priv_vfs_setgid(void);
void priv_vfs_stickyfile(void);
void priv_vfs_write(void);
void priv_vm_madv_protect(void);
void priv_vm_mlock(void);
void priv_vm_munlock(void);
/*
* Tests for more complex access control logic involving more than one
* privilege, or privilege combined with DAC.
*/
void test_utimes(void);

178
tools/regression/priv/priv_acct.c Normal file
View File

@ -0,0 +1,178 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that configuring accounting requires privilege. First check that
* accounting is not in use on the system to prevent disrupting the
* accounting service. Confirm three different state transitions, both as
* privileged and non-privileged: disabled to enabled, rotate, and enabled to
* disabled.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <err.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include "main.h"
#define SYSCTL_NAME "kern.acct_configured"
#define PATH_TEMPLATE "/tmp/acct.XXXXXXXXXXX"
void
priv_acct(void)
{
char fpath1[1024] = PATH_TEMPLATE;
char fpath2[1024] = PATH_TEMPLATE;
int error, fd, i;
size_t len;
assert_root();
/*
* Check that accounting isn't already configured in the kernel.
*/
len = sizeof(i);
if (sysctlbyname(SYSCTL_NAME, &i, &len, NULL, 0) < 0)
err(-1, "sysctlbyname(%s)", SYSCTL_NAME);
if (i != 0)
errx(-1, "sysctlbyname(%s) indicates accounting configured",
SYSCTL_NAME);
/*
* Create two temporary files to use as accounting targets.
*/
fd = mkstemp(fpath1);
if (fd < 0)
err(-1, "mkstemp");
close(fd);
fd = mkstemp(fpath2);
if (fd < 0) {
warn("mkstemp");
(void)unlink(fpath1);
exit(-1);
}
/*
* Change the permissions on the file so that access control on the
* file doesn't come into play.
*/
if (chmod(fpath1, 0666) < 0) {
warn("chmod(%s, 0666)", fpath1);
goto out;
}
if (chmod(fpath2, 0666) < 0) {
warn("chmod(%s, 0600)", fpath2);
goto out;
}
/*
* Test that privileged can move through entire life cycle.
*/
if (acct(fpath1) < 0) {
warn("acct(NULL -> %s) as root", fpath1);
goto out;
}
if (acct(fpath2) < 0) {
warn("acct(%s -> %s) as root", fpath1, fpath2);
goto out;
}
if (acct(NULL) < 0) {
warn("acct(%s -> NULL) as root", fpath1);
goto out;
}
/*
* Testing for unprivileged is a bit more tricky, as expect each step
* to fail, so must replay various bits of the setup process as root
* so that each step can be tested as !root.
*/
set_euid(UID_OTHER);
error = acct(fpath1);
if (error == 0) {
warnx("acct(NULL -> %s) succeeded as !root", fpath1);
goto out;
}
if (errno != EPERM) {
warn("acct(NULL -> %s) wrong errno %d as !root", fpath1,
errno);
goto out;
}
set_euid(UID_ROOT);
if (acct(fpath1) < 0) {
err(-1, "acct(NULL -> %s) setup for !root", fpath1);
goto out;
}
set_euid(UID_OTHER);
error = acct(fpath2);
if (error == 0) {
warnx("acct(%s -> %s) succeeded as !root", fpath1, fpath2);
goto out;
}
if (errno != EPERM) {
warn("acct(%s -> %s) wrong errno %d as !root", fpath1,
fpath2, errno);
goto out;
}
set_euid(UID_ROOT);
if (acct(fpath2) < 0) {
err(-1, "acct(%s -> %s) setup for !root", fpath1, fpath2);
goto out;
}
set_euid(UID_OTHER);
error = acct(NULL);
if (error == 0) {
warnx("acct(%s -> NULL) succeeded as !root", fpath2);
goto out;
}
if (errno != EPERM) {
warn("acct(%s -> NULL) wrong errno %d as !root", fpath2,
errno);
goto out;
}
out:
(void)seteuid(UID_ROOT);
(void)acct(NULL);
(void)unlink(fpath1);
(void)unlink(fpath2);
}

75
tools/regression/priv/priv_adjtime.c Normal file
View File

@ -0,0 +1,75 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Confirm that privilege is required to invoke adjtime(); first query, then
* try setting first with, and then without privilege.
*/
#include <sys/time.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_adjtime(void)
{
struct timeval tv;
int error;
assert_root();
/*
* Query time adjustment.
*/
if (adjtime(NULL, &tv) < 0)
err(-1, "adjtime");
/*
* Set with privilege.
*/
if (adjtime(&tv, NULL) < 0)
err(-1, "adjtime as root");
/*
* Set without privilege.
*/
set_euid(UID_OTHER);
error = adjtime(&tv, NULL);
if (error == 0)
errx(-1, "adjtime succeeded as !root");
if (errno != EPERM)
errx(-1, "adjtime wrong errno %d as !root", errno);
}

76
tools/regression/priv/priv_clock_settime.c Normal file
View File

@ -0,0 +1,76 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Confirm that privilege is required to invoke clock_settime(). So as not
* to mess up the clock too much, first query the time, then immediately set
* it. Test only CLOCK_REALTIME.
*/
#include <sys/time.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_clock_settime(void)
{
struct timespec ts;
int error;
assert_root();
/*
* Query time.
*/
if (clock_gettime(CLOCK_REALTIME, &ts) < 0)
err(-1, "clock_gettime");
/*
* Set with privilege.
*/
if (clock_settime(CLOCK_REALTIME, &ts) < 0)
err(-1, "clock_settime as root");
/*
* Set without privilege.
*/
set_euid(UID_OTHER);
error = clock_settime(CLOCK_REALTIME, &ts);
if (error == 0)
errx(-1, "clock_settime succeeded as !root");
if (errno != EPERM)
errx(-1, "clock_settime wrong errno %d as !root", errno);
}

135
tools/regression/priv/priv_io.c Normal file
View File

@ -0,0 +1,135 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test privilege check on /dev/io. By default, the permissions also protect
* against non-superuser access, so this program will modify permissions on
* /dev/io to allow group access for the wheel group, and revert the change
* on exit. This is not good for run-time security, but is necessary to test
* the checks properly.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include "main.h"
#define NEW_PERMS 0660
#define DEV_IO "/dev/io"
#define EXPECTED_PERMS 0600
static mode_t saved_perms;
static void
save_perms(void)
{
struct stat sb;
if (stat(DEV_IO, &sb) < 0)
err(-1, "save_perms: stat(%s)", DEV_IO);
saved_perms = sb.st_mode & ALLPERMS;
if (saved_perms != EXPECTED_PERMS)
err(-1, "save_perms: perms = 0%o; expected 0%o", saved_perms,
EXPECTED_PERMS);
}
static void
set_perms(void)
{
if (chmod(DEV_IO, NEW_PERMS) < 0)
err(-1, "set_perms: chmod(%s, 0%o)", DEV_IO, NEW_PERMS);
}
static void
restore_perms(void)
{
if (chmod(DEV_IO, saved_perms) < 0)
err(-1, "restore_perms: chmod(%s, 0%o)", DEV_IO, saved_perms);
}
static void
try_open(const char *test_case, uid_t uid, int expected)
{
int fd;
set_euid(uid);
fd = open(DEV_IO, O_RDONLY);
if (expected == 0) {
if (fd == -1) {
warn("try_open: %s open(%s) errno %d", DEV_IO,
test_case, errno);
goto out;
}
close(fd);
goto out;
}
if (fd >= 0) {
warn("try_open: %s open(%s) unexpected success", test_case,
DEV_IO);
close(fd);
goto out;
}
if (errno == expected)
goto out;
warn("try_open: %s open(%s) wrong errno %d, expected %d", DEV_IO,
test_case, errno, expected);
out:
set_euid(UID_ROOT);
}
void
priv_io(void)
{
assert_root();
save_perms();
try_open("root:0600", UID_ROOT, 0);
try_open("other", UID_OTHER, EACCES);
set_perms();
try_open("root:0660", UID_ROOT, 0);
try_open("other", UID_OTHER, EPERM);
restore_perms();
}

68
tools/regression/priv/priv_kenv_set.c Normal file
View File

@ -0,0 +1,68 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that setting a kernel environment variable requires privilege, by
* first trying it with privilege, then without.
*/
#include <sys/types.h>
#include <err.h>
#include <errno.h>
#include <kenv.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
void
priv_kenv_set(void)
{
int error;
assert_root();
error = kenv(KENV_SET, KENV_VAR_NAME, KENV_VAR_VALUE,
strlen(KENV_VAR_VALUE)+1);
if (error)
err(-1, "kenv(KENV_SET, ...) as root");
set_euid(UID_OTHER);
error = kenv(KENV_SET, KENV_VAR_NAME, KENV_VAR_VALUE,
strlen(KENV_VAR_VALUE)+1);
if (error == 0)
errx(-1, "kenv(KENV_SET, ...) as !root succeeded");
if (errno != EPERM)
err(-1, "kenv(KENV_SET, ...) as !root wrong errno %d",
errno);
}

77
tools/regression/priv/priv_kenv_unset.c Normal file
View File

@ -0,0 +1,77 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that setting a kernel environment variable, then trying to unset it
* without and with privilege.
*/
#include <sys/types.h>
#include <err.h>
#include <errno.h>
#include <kenv.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
void
priv_kenv_unset(void)
{
int error;
assert_root();
error = kenv(KENV_SET, KENV_VAR_NAME, KENV_VAR_VALUE,
strlen(KENV_VAR_VALUE)+1);
if (error)
err(-1, "kenv(KENV_SET, ...) as root");
error = kenv(KENV_UNSET, KENV_VAR_NAME, NULL, 0);
if (error)
err(-1, "kenv(KENV_UNSET, ...) as root");
/* Set it again for !root. */
error = kenv(KENV_SET, KENV_VAR_NAME, KENV_VAR_VALUE,
strlen(KENV_VAR_VALUE)+1);
if (error)
err(-1, "kenv(KENV_SET, ...) as root");
set_euid(UID_OTHER);
error = kenv(KENV_UNSET, KENV_VAR_NAME, NULL, 0);
if (error == 0)
errx(-1, "kenv(KENV_UNSET, ...) as !root succeeded");
if (errno != EPERM)
err(-1, "kenv(KENV_UNSET, ...) as !root wrong errno %d",
errno);
}

73
tools/regression/priv/priv_proc_setlogin.c Normal file
View File

@ -0,0 +1,73 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that privilege is required to call setlogin(). Do so by first
* querying with getlogin(), then setting the result back using setlogin(),
* at first with privilege, then without.
*/
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_proc_setlogin(void)
{
char *loginname;
int error;
assert_root();
loginname = getlogin();
if (loginname == NULL)
err(-1, "getlogin");
/*
* First, with privilege.
*/
error = setlogin(loginname);
if (error)
err(-1, "setlogin(%s) as root", loginname);
/*
* Then again, without privilege.
*/
set_euid(UID_OTHER);
error = setlogin(loginname);
if (error == 0)
errx(-1, "setlogin(%s) succeeded as !root", loginname);
if (errno != EPERM)
err(-1, "setlogin(%s) wrong errno %d", loginname, errno);
}

137
tools/regression/priv/priv_proc_setrlimit.c Normal file
View File

@ -0,0 +1,137 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that raising current resource limits above hard resource limits
* requires privilege. There is one privilege check, but two conditions:
*
* - To raise the current above the maximum.
*
* - To raise the maximum.
*/
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_proc_setrlimit(void)
{
struct rlimit rl, rl_lower, rl_raise_max, rl_raise_cur;
int error;
assert_root();
/*
* To make sure that there is room to raise the resource limit, we
* must first lower it. Otherwise, if the resource limit is already
* at the global maximum, that complicates matters. In principle, we
* can bump into privilege failures during setup, but there's not
* much we can do about that. Keep this prototypical setting around
* as the target to restore to later.
*/
if (getrlimit(RLIMIT_DATA, &rl) < 0)
err(-1, "getrlimit(RLIMIT_DATA)");
/*
* What to lower to before trying to raise.
*/
rl_lower = rl;
rl_lower.rlim_cur -= 10;
rl_lower.rlim_max = rl_lower.rlim_cur;
/*
* Raise the maximum.
*/
rl_raise_max = rl;
rl_raise_max.rlim_max += 10;
/*
* Raise the current above the maximum.
*/
rl_raise_cur = rl;
rl_raise_cur.rlim_cur += 10;
/*
* Test raising the maximum with privilege.
*/
if (setrlimit(RLIMIT_DATA, &rl_lower) < 0)
err(-1, "setrlimit(RLIMIT_DATA, lower) as root");
if (setrlimit(RLIMIT_DATA, &rl_raise_max) < 0)
err(-1, "setrlimit(RLIMIT_DATA, raise_max) as root");
/*
* Test raising the current above the maximum with privilege.
*/
if (setrlimit(RLIMIT_DATA, &rl_lower) < 0)
err(-1, "setrlimit(RLIMIT_DATA, lower) as root");
if (setrlimit(RLIMIT_DATA, &rl_raise_cur) < 0)
err(-1, "setrlimit(RLIMIT_DATA, raise_cur) as root");
/*
* Test raising the maximum without privilege.
*/
if (setrlimit(RLIMIT_DATA, &rl_lower) < 0)
err(-1, "setrlimit(RLIMIT_DATA, lower) as root");
set_euid(UID_OTHER);
error = setrlimit(RLIMIT_DATA, &rl_raise_max);
if (error == 0)
errx(-1,
"setrlimit(RLIMIT_DATA, raise_max) succeeded as !root");
if (errno != EPERM)
err(-1, "setrlimit(RLIMIT_DATA, raise_max) wrong errno %d "
"as !root", errno);
/*
* Test raising the current above the maximum without privilege.
*/
set_euid(UID_ROOT);
if (setrlimit(RLIMIT_DATA, &rl_lower) < 0)
err(-1, "setrlimit(RLIMIT_DATA, lower) as root");
set_euid(UID_OTHER);
error = setrlimit(RLIMIT_DATA, &rl_raise_cur);
if (error == 0)
errx(-1,
"setrlimit(RLIMIT_DATA, raise_cur) succeeded as !root");
if (errno != EPERM)
err(-1, "setrlimit(RLIMIT_DATA, raise_cur) wrong errno %d "
"as !root", errno);
}

234
tools/regression/priv/priv_sched_rtprio.c Normal file
View File

@ -0,0 +1,234 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test privilege associated with real time process settings. There are
* three relevant notions of privilege:
*
* - Privilege to set the real-time priority of the current process.
* - Privilege to set the real-time priority of another process.
* - Privilege to set the idle priority of another process.
* - No privilege to set the idle priority of the current process.
*
* This requires a test process and a target (dummy) process running with
* various uids. This test is based on the code in the setpriority() test.
*/
#include <sys/types.h>
#include <sys/rtprio.h>
#include <sys/wait.h>
#include <err.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include "main.h"
static void
dummy(void)
{
while (1)
sleep(1);
}
static void
collect(pid_t test_pid, pid_t dummy_pid)
{
pid_t pid;
/*
* First, collect the main test process. When it has exited, then
* kill off the dummy process.
*/
if (test_pid > 0) {
while (1) {
pid = waitpid(test_pid, NULL, 0);
if (pid == -1)
warn("waitpid(%d (test), NULL, 0)", test_pid);
if (pid == test_pid)
break;
}
}
if (kill(dummy_pid, SIGKILL) < 0)
err(-1, "kill(%d, SIGKILL)", dummy_pid);
while (1) {
pid = waitpid(dummy_pid, NULL, 0);
if (pid == -1)
warn("waitpid(%d, NULL, 0)", dummy_pid);
if (pid == dummy_pid)
return;
}
}
static void
test(pid_t dummy_pid)
{
struct rtprio rtp;
int error;
/*
* Tests first as root. Test that we can set normal, realtime, and
* idle priorities on the current thread and on the dummy thread.
*/
rtp.type = RTP_PRIO_REALTIME;
rtp.prio = 0;
if (rtprio(RTP_SET, 0, &rtp) < 0)
err(-1, "rtprio(RTP_SET, 0, {REALTIME, 0}) as root");
rtp.type = RTP_PRIO_IDLE;
rtp.prio = 0;
if (rtprio(RTP_SET, 0, &rtp) < 0)
err(-1, "rtprio(RTP_SET, 0, {IDLE, 0}) as root");
rtp.type = RTP_PRIO_NORMAL;
rtp.prio = 0;
if (rtprio(RTP_SET, 0, &rtp) < 0)
err(-1, "rtprio(RTP_SET, 0, {NORMAL, 0) as root");
rtp.type = RTP_PRIO_REALTIME;
rtp.prio = 0;
if (rtprio(RTP_SET, dummy_pid, &rtp) < 0)
err(-1, "rtprio(RTP_SET, %d, {REALTIME, 0}) as root",
dummy_pid);
rtp.type = RTP_PRIO_IDLE;
rtp.prio = 0;
if (rtprio(RTP_SET, dummy_pid, &rtp) < 0)
err(-1, "rtprio(RTP_SET, %d, {IDLE, 0}) as root", dummy_pid);
rtp.type = RTP_PRIO_NORMAL;
rtp.prio = 0;
if (rtprio(RTP_SET, dummy_pid, &rtp) < 0)
err(-1, "rtprio(RTP_SET, %d, {NORMAL, 0) as root",
dummy_pid);
/*
* Then test again as a different credential.
*/
if (setresuid(UID_OTHER, UID_OTHER, UID_OTHER) < 0)
err(-1, "setresuid(%d)", UID_OTHER);
rtp.type = RTP_PRIO_REALTIME;
rtp.prio = 0;
error = rtprio(RTP_SET, 0, &rtp);
if (error == 0)
errx(-1,
"rtprio(RTP_SET, 0, {REALTIME, 0}) succeeded as !root");
if (errno != EPERM)
err(-1, "rtprio(RTP_SET, 0, {REALTIME, 0}) wrong errno %d as"
" !root", errno);
rtp.type = RTP_PRIO_IDLE;
rtp.prio = 0;
error = rtprio(RTP_SET, 0, &rtp);
if (error == 0)
errx(-1, "rtprio(RTP_SET, 0, {IDLE, 0}) succeeded as !root");
if (errno != EPERM)
err(-1, "rtprio(RTP_SET, 0, {IDLE, 0}) wrong errno %d as "
"!root", errno);
rtp.type = RTP_PRIO_NORMAL;
rtp.prio = 0;
if (rtprio(RTP_SET, 0, &rtp) < 0)
err(-1, "rtprio(RTP_SET, 0, {NORMAL, 0}) as !root");
rtp.type = RTP_PRIO_REALTIME;
rtp.prio = 0;
error = rtprio(RTP_SET, dummy_pid, &rtp);
if (error == 0)
errx(-1,
"rtprio(RTP_SET, %d, {REALTIME, 0}) succeeded as !root",
dummy_pid);
if (errno != EPERM)
err(-1, "rtprio(RTP_SET, %d, {REALTIME, 0}) wrong errno %d as"
" !root", dummy_pid, errno);
rtp.type = RTP_PRIO_IDLE;
rtp.prio = 0;
error = rtprio(RTP_SET, dummy_pid, &rtp);
if (error == 0)
errx(-1, "rtprio(RTP_SET, %d, {IDLE, 0}) succeeded as !root",
dummy_pid);
if (errno != EPERM)
err(-1,
"rtprio(RTP_SET, %d, {IDLE, 0}) wrong errno %d as !root",
dummy_pid, errno);
rtp.type = RTP_PRIO_NORMAL;
rtp.prio = 0;
error = rtprio(RTP_SET, dummy_pid, &rtp);
if (error == 0)
errx(-1,
"rtprio(RTP_SET, %d, {NORMAL, 0) succeeded as !root",
dummy_pid);
if (errno != EPERM)
err(-1, "rtprio(RTP_SET, %d, {NORMAL, 0}) wrong errno %d as "
"!root", dummy_pid, errno);
exit(0);
}
void
priv_sched_rtprio(void)
{
pid_t dummy_pid, test_pid;
assert_root();
/*
* Set up dummy process, which we will kill before exiting.
*/
dummy_pid = fork();
if (dummy_pid < 0)
err(-1, "fork - dummy");
if (dummy_pid == 0) {
if (setresuid(UID_THIRD, UID_THIRD, UID_THIRD) < 0)
err(-1, "setresuid(%d)", UID_THIRD);
dummy();
}
sleep(1); /* Allow dummy thread to change uids. */
test_pid = fork();
if (test_pid < 0) {
warn("fork - test");
collect(-1, dummy_pid);
return;
}
if (test_pid == 0)
test(dummy_pid);
collect(test_pid, dummy_pid);
}

163
tools/regression/priv/priv_sched_setpriority.c Normal file
View File

@ -0,0 +1,163 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that privilege is required to lower nice value; first test with, then
* without. There are two failure modes associated with privilege: the right
* to renice a process with a different uid, and the right to renice to a
* lower priority. Because both the real and effective uid are part of the
* permissions test, we have to create two children processes with different
* uids.
*/
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <err.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include "main.h"
static void
dummy(void)
{
while (1)
sleep(1);
}
static void
collect(pid_t test_pid, pid_t dummy_pid)
{
pid_t pid;
/*
* First, collect the main test process. When it has exited, then
* kill off the dummy process.
*/
if (test_pid > 0) {
while (1) {
pid = waitpid(test_pid, NULL, 0);
if (pid == -1)
warn("waitpid(%d (test), NULL, 0)", test_pid);
if (pid == test_pid)
break;
}
}
if (kill(dummy_pid, SIGKILL) < 0)
err(-1, "kill(%d, SIGKILL)", dummy_pid);
while (1) {
pid = waitpid(dummy_pid, NULL, 0);
if (pid == -1)
warn("waitpid(%d, NULL, 0)", dummy_pid);
if (pid == dummy_pid)
return;
}
}
static void
test(pid_t dummy_pid)
{
int error;
/*
* Tests first as root.
*/
if (setpriority(PRIO_PROCESS, 0, -1) < 0)
err(-1, "setpriority(PRIO_PROCESS, 0, -1) as root");
if (setpriority(PRIO_PROCESS, dummy_pid, -1) < 0)
err(-1, "setpriority(PRIO_PROCESS, %d, -1) as root",
dummy_pid);
/*
* Then test again as a different credential.
*/
if (setresuid(UID_OTHER, UID_OTHER, UID_OTHER) < 0)
err(-1, "setresuid(%d)", UID_OTHER);
error = setpriority(PRIO_PROCESS, 0, -2);
if (error == 0)
errx(-1,
"setpriority(PRIO_PROCESS, 0, -2) succeeded as !root");
if (errno != EACCES)
err(-1, "setpriority(PRIO_PROCESS, 0, 2) wrong errno %d as "
"!root", errno);
error = setpriority(PRIO_PROCESS, dummy_pid, -2);
if (error == 0)
errx(-1,
"setpriority(PRIO_PROCESS, %d, -2) succeeded as !root",
dummy_pid);
if (errno != EPERM)
err(-1, "setpriority(PRIO_PROCESS, %d, 2) wrong errno %d as "
"!root", dummy_pid, errno);
exit(0);
}
void
priv_sched_setpriority(void)
{
pid_t dummy_pid, test_pid;
assert_root();
/*
* Set up dummy process, which we will kill before exiting.
*/
dummy_pid = fork();
if (dummy_pid < 0)
err(-1, "fork - dummy");
if (dummy_pid == 0) {
if (setresuid(UID_THIRD, UID_THIRD, UID_THIRD) < 0)
err(-1, "setresuid(%d)", UID_THIRD);
dummy();
}
sleep(1); /* Allow dummy thread to change uids. */
test_pid = fork();
if (test_pid < 0) {
warn("fork - test");
collect(-1, dummy_pid);
return;
}
if (test_pid == 0)
test(dummy_pid);
collect(test_pid, dummy_pid);
}

76
tools/regression/priv/priv_settimeofday.c Normal file
View File

@ -0,0 +1,76 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Confirm that privilege is required to invoke settimeofday(). So as not
* to mess up the clock too much, first query the time, then immediately set
* it.
*/
#include <sys/time.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_settimeofday(void)
{
struct timeval tv;
int error;
assert_root();
/*
* Query time.
*/
if (gettimeofday(&tv, NULL) < 0)
err(-1, "gettimeofday");
/*
* Set with privilege.
*/
if (settimeofday(&tv, NULL) < 0)
err(-1, "settimeofday as root");
/*
* Set without privilege.
*/
set_euid(UID_OTHER);
error = settimeofday(&tv, NULL);
if (error == 0)
errx(-1, "settimeofday succeeded as !root");
if (errno != EPERM)
errx(-1, "settimeofday wrong errno %d as !root", errno);
}

89
tools/regression/priv/priv_sysctl_write.c Normal file
View File

@ -0,0 +1,89 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that sysctls can only be written with privilege by trying first with,
* then without privilege. Do this by first reading, then setting the
* hostname as a no-op.
*/
#include <sys/types.h>
#include <sys/sysctl.h>
#include <err.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
#define KERN_HOSTNAME_STRING "kern.hostname"
void
priv_sysctl_write(void)
{
char buffer[1024];
size_t len;
int error;
assert_root();
/*
* First query the current value.
*/
len = sizeof(buffer);
error = sysctlbyname(KERN_HOSTNAME_STRING, buffer, &len, NULL, 0);
if (error)
err(-1, "sysctlbyname(\"%s\") query", KERN_HOSTNAME_STRING);
/*
* Now try to set with privilege.
*/
error = sysctlbyname(KERN_HOSTNAME_STRING, NULL, NULL, buffer,
strlen(buffer));
if (error)
err(-1, "sysctlbyname(\"%s\") set as root",
KERN_HOSTNAME_STRING);
/*
* Now without privilege.
*/
set_euid(UID_OTHER);
error = sysctlbyname(KERN_HOSTNAME_STRING, NULL, NULL, buffer,
strlen(buffer));
if (error == 0)
errx(-1, "sysctlbyname(\"%s\") succeeded as !root",
KERN_HOSTNAME_STRING);
if (errno != EPERM)
err(-1, "sysctlbyname(\"%s\") wrong errno %d",
KERN_HOSTNAME_STRING, errno);
}

328
tools/regression/priv/priv_vfs_admin.c Normal file
View File

@ -0,0 +1,328 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Check that privilege is required for a variety of administrative
* activities on a file owned by another user. Admin privileges are required
* for the following services:
*
* - Set file flags.
* - Set utimes to non-NULL.
* - Set file mode.
* - Set file ownership.
* - Remove a file from a sticky directory. (XXXRW: Not tested here.)
* - Set the ACL on a file. (XXXRW: Not tested here.)
* - Delete the ACL on a file. (XXXRW: Not tested here.)
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
static u_long
getflags(char *fpathp)
{
struct stat sb;
if (stat(fpathp, &sb) < 0)
err(-1, "stat(%s)", fpathp);
return (sb.st_flags);
}
static void
priv_vfs_admin_chflags(void)
{
char fpath[1024];
u_long flags;
int error;
/*
* Test that setting file flags works as and not as the file owner
* when running with privilege, but only as the file owner when
* running without privilege.
*/
setup_file(fpath, UID_ROOT, GID_WHEEL, 0600);
flags = getflags(fpath);
flags |= UF_NODUMP;
if (chflags(fpath, flags) < 0) {
warn("chflags(%s, UF_NODUMP) owner as root", fpath);
goto out;
}
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
flags = getflags(fpath);
flags |= UF_NODUMP;
if (chflags(fpath, flags) < 0) {
warn("chflags(%s, UF_NODUMP) !owner as root", fpath);
goto out;
}
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
flags = getflags(fpath);
flags |= UF_NODUMP;
set_euid(UID_OWNER);
if (chflags(fpath, flags) < 0) {
warn("chflags(%s, UF_NODUMP) owner as !root", fpath);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
flags = getflags(fpath);
flags |= UF_NODUMP;
set_euid(UID_OTHER);
error = chflags(fpath, flags);
if (error == 0) {
warnx("chflags(%s, UF_NODUMP) succeeded !owner as !root",
fpath);
goto out;
}
if (errno != EPERM) {
warn("chflags(%s, UF_NODUMP) wrong errno %d !owner a !root",
fpath, errno);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
out:
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
}
static void
priv_vfs_admin_utimes(void)
{
struct timeval tv[2];
char fpath[1024];
int error;
/*
* Actual values don't matter here.
*/
tv[0].tv_sec = 0;
tv[0].tv_usec = 0;
tv[1].tv_sec = 0;
tv[1].tv_usec = 0;
/*
* When using a non-NULL argument to utimes(), must either hold
* privilege or be the file owner. Check all four possible
* combinations of privilege, ownership.
*/
setup_file(fpath, UID_ROOT, GID_WHEEL, 0600);
if (utimes(fpath, tv) < 0) {
warn("utimes(%s, !NULL) owner as root", fpath);
goto out;
}
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
if (utimes(fpath, tv) < 0) {
warn("utimes(%s, !NULL) !owner as root", fpath);
goto out;
}
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OWNER);
if (utimes(fpath, tv) < 0) {
warn("utimes(%s, !NULL) owner as !root", fpath);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OTHER);
error = utimes(fpath, tv);
if (error == 0) {
warnx("utimes(%s, !NULL) succeeded !owner as !root",
fpath);
goto out;
}
if (errno != EPERM) {
warn("utimes(%s, !NULL) wrong errno %d !owner a !root",
fpath, errno);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
out:
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
}
static void
priv_vfs_admin_chmod(void)
{
char fpath[1024];
int error;
/*
* Test that setting file permissions works either as file owner or
* not when running with privilege, but only as file owner when
* running without privilege.
*/
setup_file(fpath, UID_ROOT, GID_WHEEL, 0600);
if (chmod(fpath, 0640) < 0) {
warn("chmod(%s, 0640) owner as root", fpath);
goto out;
}
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
if (chmod(fpath, 0640) < 0) {
warn("chmod(%s, 0640) !owner as root", fpath);
goto out;
}
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OWNER);
if (chmod(fpath, 0640) < 0) {
warn("chmod(%s, 0640) owner as !root", fpath);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OTHER);
error = chmod(fpath, 0640);
if (error == 0) {
warnx("chmod(%s, 0640) succeeded !owner as !root",
fpath);
goto out;
}
if (errno != EPERM) {
warn("chmod(%s, 0640) wrong errno %d !owner a !root",
fpath, errno);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
out:
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
}
static const gid_t gidset[] = { GID_WHEEL, GID_OWNER, GID_OTHER};
static void
priv_vfs_admin_chown(void)
{
char fpath[1024];
int error;
/*
* Test that the group of the file can only be changed with privilege
* or as the owner. These test is run last as it frobs the group
* context. We change the file group from one group we're in to
* another we're in to avoid any other access control checks failing.
*/
if (setgroups(3, gidset) < 0)
err(-1, "priv_vfs_admin_chown:setgroups(3, {%d, %d, %d})",
GID_WHEEL, GID_OWNER, GID_OTHER);
/*
* Test that setting file permissions works either as file owner or
* not when running with privilege, but only as file owner when
* running without privilege.
*/
setup_file(fpath, UID_ROOT, GID_WHEEL, 0600);
if (chown(fpath, -1, GID_OWNER) < 0) {
warn("chown(%s, %d) owner as root", fpath, GID_OWNER);
goto out;
}
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
if (chown(fpath, -1, GID_OWNER) < 0) {
warn("chown(%s, %d) !owner as root", fpath, GID_OWNER);
goto out;
}
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OWNER);
if (chown(fpath, -1, GID_OWNER) < 0) {
warn("chown(%s, %d) owner as !root", fpath, GID_OWNER);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OTHER);
error = chown(fpath, -1, GID_OWNER);
if (error == 0) {
warnx("chown(%s, %d) succeeded !owner as !root",
fpath, GID_OWNER);
goto out;
}
if (errno != EPERM) {
warn("chown(%s, %d) wrong errno %d !owner a !root",
fpath, GID_OWNER, errno);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
out:
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
}
void
priv_vfs_admin(void)
{
assert_root();
priv_vfs_admin_chflags();
priv_vfs_admin_utimes();
priv_vfs_admin_chmod();
priv_vfs_admin_chown(); /* Run this last. */
}

170
tools/regression/priv/priv_vfs_chown.c Normal file
View File

@ -0,0 +1,170 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Confirm that privilege is required in the cases using chown():
*
* - If the process euid does not match the file uid.
*
* - If the target uid is different than the current uid.
*
* - If the target gid changes and we the process is not a member of the new
* group.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include "main.h"
const gid_t gidset[] = {GID_WHEEL, GID_OWNER};
void
priv_vfs_chown(void)
{
char fpath[1024];
int error;
assert_root();
/*
* Before beginning, set up group set for process. Place in wheel
* and owner groups; don't put in other group so that when we chown
* to the other group, it's as a non-member.
*/
if (setgroups(2, gidset) < 0)
err(-1, "setgroups(2, {%d, %d})", GID_WHEEL, GID_OWNER);
/*
* In the first pass, confirm that all works as desired with
* privilege.
*
* Check that chown when non-owner works fine. Do a no-op change to
* avoid other permission checks. Note that we can't request
* (-1, -1) and get an access control check, we have to request
* specific uid/gid that are not the same.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
if (chown(fpath, -1, GID_OWNER) < 0) {
warn("chown(%s, -1, %d) as root", fpath, GID_OWNER);
goto out;
}
(void)unlink(fpath);
/*
* Check that chown changing uid works with privilege.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
if (chown(fpath, UID_OTHER, -1) < 0) {
warn("chown(%s, %d, -1) as root", fpath, UID_OTHER);
goto out;
}
(void)unlink(fpath);
/*
* Check that can change the file group to one we are not a member of
* when running with privilege.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
if (chown(fpath, -1, GID_OTHER) < 0) {
warn("chown(%s, -1, %d) as root", fpath, GID_OTHER);
goto out;
}
(void)unlink(fpath);
/*
* Now, the same again, but without privilege.
*
* Confirm that we can't chown a file we don't own, even as a no-op.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OTHER);
error = chown(fpath, -1, GID_OWNER);
if (error == 0) {
warnx("chown(%s, -1, %d) succeeded as !root, non-owner",
fpath, GID_OWNER);
goto out;
}
if (errno != EPERM) {
warn("chown(%s, -1, %d) wrong errno %d as !root, non-owner",
fpath, GID_OWNER, errno);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
/*
* Check that we can't change the uid of the file without privilege,
* even though we own the file.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OWNER);
error = chown(fpath, UID_OTHER, -1);
if (error == 0) {
warnx("chown(%s, %d, -1) succeeded as !root", fpath,
UID_OTHER);
goto out;
}
if (errno != EPERM) {
warn("chown(%s, %d, -1) wrong errno %d as !root", fpath,
UID_OTHER, errno);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
/*
* Check that can't change the file group to one we are not a member
* of when running without privilege.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600);
set_euid(UID_OWNER);
error = chown(fpath, -1, GID_OTHER);
if (error == 0) {
warn("chown(%s, -1, %d) succeeded as !root", fpath, GID_OTHER);
goto out;
}
if (errno != EPERM) {
warn("chown(%s, -1, %d) wrong errno %d as !root", fpath,
errno, GID_OTHER);
goto out;
}
set_euid(UID_ROOT);
(void)unlink(fpath);
out:
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
}

63
tools/regression/priv/priv_vfs_chroot.c Normal file
View File

@ -0,0 +1,63 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that chroot() requires privilege; try with, and without. Do a no-op
* chroot() to "/".
*
* XXXRW: Would also be good to check fchroot() permission, but that is not
* exposed via the BSD API.
*/
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_vfs_chroot(void)
{
int error;
assert_root();
if (chroot("/") < 0)
err(-1, "chroot(\"/\") as root");
set_euid(UID_OTHER);
error = chroot("/");
if (error == 0)
errx(-1, "chroot(\"/\") succeeded as !root");
if (errno != EPERM)
err(-1, "chroot(\"/\") wrong errno %d as !root", errno);
}

215
tools/regression/priv/priv_vfs_clearsugid.c Normal file
View File

@ -0,0 +1,215 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* There are three cases in which the file system will clear the setuid or
* setgid bits on a file when running as !root:
*
* - When the file is chown()'d and either of the uid or the gid is changed.
*
* - The file is written to succeesfully.
*
* - An extended attribute of the file is written to successfully.
*
* Test each case first as root (that flags aren't cleared), and then as
* !root, to check they are cleared.
*/
#include <sys/types.h>
#include <sys/extattr.h>
#include <sys/stat.h>
#include <err.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
static const gid_t gidset[] = {GID_WHEEL, GID_OWNER, GID_OTHER};
/*
* Confirm that the setuid bit is set on a file. Don't return on failure.
*/
static void
confirm_setuid(char *fpathp, char *test_case)
{
struct stat sb;
if (stat(fpathp, &sb) < 0) {
warn("%s stat(%s)", test_case, fpathp);
(void)seteuid(UID_ROOT);
(void)unlink(fpathp);
exit(-1);
}
if (!(sb.st_mode & S_ISUID)) {
warnx("case %s stat(%s) not setuid", test_case, fpathp);
(void)seteuid(UID_ROOT);
(void)unlink(fpathp);
exit(-1);
}
}
/*
* Confirm that the setuid bit is not set on a file. Don't return on failure.
*/
static void
confirm_notsetuid(char *fpathp, char *test_case)
{
struct stat sb;
if (stat(fpathp, &sb) < 0) {
warn("%s stat(%s)", test_case, fpathp);
(void)seteuid(UID_ROOT);
(void)unlink(fpathp);
exit(-1);
}
if (sb.st_mode & S_ISUID) {
warnx("case %s stat(%s) is setuid", test_case, fpathp);
(void)seteuid(UID_ROOT);
(void)unlink(fpathp);
exit(-1);
}
}
#define EA_NAMESPACE EXTATTR_NAMESPACE_USER
#define EA_NAME "clearsugid"
#define EA_DATA "test"
#define EA_SIZE (strlen(EA_DATA))
void
priv_vfs_clearsugid(void)
{
char ch, fpath[1024];
int fd;
assert_root();
/*
* Before starting on work, set up group IDs so that the process can
* change the group ID of the file without privilege, in order to see
* the effects. That way privilege is only required to maintain the
* setuid bit. For the chown() test, we change only the group id, as
* that can be done with or without privilege.
*/
if (setgroups(3, gidset) < 0)
err(-1, "setgroups(2, {%d, %d})", GID_WHEEL, GID_OWNER);
/*
* chown() with privilege.
*/
setup_file(fpath, UID_ROOT, GID_WHEEL, 0600 | S_ISUID);
if (chown(fpath, -1, GID_OTHER) < 0)
warn("chown(%s, -1, %d) as root", fpath, GID_OTHER);
confirm_setuid(fpath, "chown as root");
(void)unlink(fpath);
/*
* write() with privilege.
*/
setup_file(fpath, UID_ROOT, GID_WHEEL, 0600 | S_ISUID);
fd = open(fpath, O_RDWR);
if (fd < 0) {
warn("open(%s) as root", fpath);
goto out;
}
ch = 0;
if (write(fd, &ch, sizeof(ch)) < 0) {
warn("write(%s) as root", fpath);
goto out;
}
close(fd);
confirm_setuid(fpath, "write as root");
(void)unlink(fpath);
/*
* extwrite() with privilege.
*/
setup_file(fpath, UID_ROOT, GID_WHEEL, 0600 | S_ISUID);
if (extattr_set_file(fpath, EA_NAMESPACE, EA_NAME, EA_DATA, EA_SIZE)
< 0) {
warn("extattr_set_file(%s, user, %s, %s, %d) as root",
fpath, EA_NAME, EA_DATA, EA_SIZE);
goto out;
}
confirm_setuid(fpath, "extwrite as root");
(void)unlink(fpath);
/*
* chown() without privilege.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600 | S_ISUID);
set_euid(UID_OWNER);
if (chown(fpath, -1, GID_OTHER) < 0)
warn("chown(%s, -1, %d) as !root", fpath, GID_OTHER);
set_euid(UID_ROOT);
confirm_notsetuid(fpath, "chown as !root");
(void)unlink(fpath);
/*
* write() without privilege.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600 | S_ISUID);
set_euid(UID_OWNER);
fd = open(fpath, O_RDWR);
if (fd < 0) {
warn("open(%s) as !root", fpath);
goto out;
}
ch = 0;
if (write(fd, &ch, sizeof(ch)) < 0) {
warn("write(%s) as !root", fpath);
goto out;
}
close(fd);
set_euid(UID_ROOT);
confirm_notsetuid(fpath, "write as !root");
(void)unlink(fpath);
/*
* extwrite() without privilege.
*/
setup_file(fpath, UID_OWNER, GID_OWNER, 0600 | S_ISUID);
set_euid(UID_OWNER);
if (extattr_set_file(fpath, EA_NAMESPACE, EA_NAME, EA_DATA, EA_SIZE)
< 0) {
warn("extattr_set_file(%s, user, %s, %s, %d) as !root",
fpath, EA_NAME, EA_DATA, EA_SIZE);
goto out;
}
set_euid(UID_ROOT);
confirm_notsetuid(fpath, "extwrite as !root");
(void)unlink(fpath);
out:
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
}

96
tools/regression/priv/priv_vfs_extattr_system.c Normal file
View File

@ -0,0 +1,96 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that privilege is required to write to the system extended attribute
* namespace.
*/
#include <sys/types.h>
#include <sys/extattr.h>
#include <err.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
#define EA_NAMESPACE EXTATTR_NAMESPACE_SYSTEM
#define EA_NAME "test"
#define EA_DATA "test"
#define EA_SIZE strlen(EA_DATA)
void
priv_vfs_extattr_system(void)
{
char fpath[1024];
int error;
assert_root();
/*
* Set file perms so that discretionary access control would grant
* write rights on non-system EAs on the file.
*/
setup_file(fpath, UID_ROOT, GID_WHEEL, 0666);
/*
* Try with privilege.
*/
if (extattr_set_file(fpath, EA_NAMESPACE, EA_NAME, EA_DATA, EA_SIZE)
< 0) {
warn("extattr_set_file(SYSTEM, %s, %s, %d) as root",
EA_NAME, EA_DATA, EA_SIZE);
goto out;
}
set_euid(UID_OTHER);
/*
* Try without privilege.
*/
error = extattr_set_file(fpath, EA_NAMESPACE, EA_NAME, EA_DATA,
EA_SIZE);
if (error == 0) {
warn("extattr_set_file(SYSTEM, %s, %s, %d) succeeded as !root",
EA_NAME, EA_DATA, EA_SIZE);
goto out;
}
if (errno != EPERM) {
warn("extattr_set_file(SYSTEM, %s, %s, %d) wrong errno %d "
"as !root", EA_NAME, EA_DATA, EA_SIZE, errno);
goto out;
}
out:
seteuid(UID_ROOT);
(void)unlink(fpath);
}

92
tools/regression/priv/priv_vfs_fhopen.c Normal file
View File

@ -0,0 +1,92 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Confirm that calls to fhopen() require privilege, trying with, and
* without. We create a temporary file and grab the file handle using
* getfh() before starting.
*/
#include <sys/param.h>
#include <sys/mount.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include "main.h"
void
priv_vfs_fhopen(void)
{
char fpath[1024];
fhandle_t fh;
int fd;
assert_root();
setup_file(fpath, UID_ROOT, GID_WHEEL, 0644);
if (getfh(fpath, &fh) < 0) {
warn("getfh(%s)", fpath);
goto out;
}
/*
* First, try with privilege.
*/
fd = fhopen(&fh, O_RDONLY);
if (fd < 0) {
warn("fhopen(%s) as root", fpath);
goto out;
}
close(fd);
/*
* Now, without privilege.
*/
set_euid(UID_OTHER);
fd = fhopen(&fh, O_RDONLY);
if (fd >= 0) {
warnx("fhopen(%s) succeeded as !root", fpath);
close(fd);
goto out;
}
if (errno != EPERM) {
warn("fhopen(%s) wrong errno %d as !root", fpath, errno);
goto out;
}
out:
seteuid(UID_ROOT);
(void)unlink(fpath);
}

89
tools/regression/priv/priv_vfs_fhstat.c Normal file
View File

@ -0,0 +1,89 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Confirm that calls to fhstat() require privilege, trying with, and
* without. We create a temporary file and grab the file handle using
* getfh() before starting.
*/
#include <sys/param.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_vfs_fhstat(void)
{
char fpath[1024];
struct stat sb;
fhandle_t fh;
int error;
assert_root();
setup_file(fpath, UID_ROOT, GID_WHEEL, 0644);
if (getfh(fpath, &fh) < 0) {
warn("getfh(%s)", fpath);
goto out;
}
/*
* First, try with privilege.
*/
if (fhstat(&fh, &sb) < 0) {
warn("fhstat(%s) as root", fpath);
goto out;
}
/*
* Now, without privilege.
*/
set_euid(UID_OTHER);
error = fhstat(&fh, &sb);
if (error == 0) {
warn("fhstat(%s) succeeded as !root", fpath);
goto out;
}
if (errno != EPERM) {
warn("fhstat(%s) wrong errno %d as !root", fpath, errno);
goto out;
}
out:
seteuid(UID_ROOT);
(void)unlink(fpath);
}

89
tools/regression/priv/priv_vfs_fhstatfs.c Normal file
View File

@ -0,0 +1,89 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Confirm that calls to fhstatfs() require privilege, trying with, and
* without. We create a temporary file and grab the file handle using
* getfh() before starting.
*/
#include <sys/param.h>
#include <sys/mount.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_vfs_fhstatfs(void)
{
char fpath[1024];
struct statfs sf;
fhandle_t fh;
int error;
assert_root();
setup_file(fpath, UID_ROOT, GID_WHEEL, 0644);
if (getfh(fpath, &fh) < 0) {
warn("getfh(%s)", fpath);
goto out;
}
/*
* First, try with privilege.
*/
if (fhstatfs(&fh, &sf) < 0) {
warn("fhstatfs(%s) as root", fpath);
goto out;
}
/*
* Now, without privilege.
*/
set_euid(UID_OTHER);
error = fhstatfs(&fh, &sf);
if (error == 0) {
warnx("fhstatfs(%s) succeeded as !root", fpath);
goto out;
}
if (errno != EPERM) {
warn("fhstatfs(%s) wrong errno %d as !root", fpath, errno);
goto out;
}
out:
seteuid(UID_ROOT);
(void)unlink(fpath);
}

113
tools/regression/priv/priv_vfs_generation.c Normal file
View File

@ -0,0 +1,113 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Confirm that a generation number isn't returned by stat() when not running
* with privilege. In order to differentiate between a generation of 0 and
* a generation not being returned, we have to create a temporary file known
* to have a non-0 generation. We try up to 10 times, and then give up,
* which is non-ideal, but better than not testing for a problem.
*/
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
/*
* Can't use setup_file() since the resulting file needs to have specific
* properties.
*/
void
priv_vfs_generation(void)
{
char fpath[1024] = "/tmp/priv.XXXXXXXXXX";
struct stat sb;
int fd, i;
assert_root();
/*
* Create a file with a non-0 generation number. Try ten times,
* which gives a high chance of succeeds, fail otherwise. Not ideal,
* since we can't distinguish the file having a generation of 0 from
* not being able to query it for access control reasons. The perils
* of an API that changes behavior based on lack of privilege rather
* than failing...
*/
for (i = 0; i < 10; i++) {
fd = mkstemp(fpath);
if (fd < 0)
err(-1, "mkstemp");
if (fstat(fd, &sb) < 0) {
warn("fstat(%s)", fpath);
close(fd);
goto out;
}
if (sb.st_gen != 0)
break;
close(fd);
(void)unlink(fpath);
strcpy(fpath, "/tmp/generation.XXXXXXXXXX");
fd = -1;
}
if (fd == -1)
errx(-1,
"could not create file with non-0 generation as root");
close(fd);
/*
* We've already tested that fstat() works, but try stat() to be
* consistent between privileged and unprivileged tests.
*/
if (stat(fpath, &sb) < 0) {
warn("stat(%s) as root", fpath);
goto out;
}
set_euid(UID_OTHER);
if (stat(fpath, &sb) < 0) {
warn("stat(%s) as !root", fpath);
goto out;
}
if (sb.st_gen != 0)
warn("stat(%s) returned generation as !root", fpath);
out:
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
}

78
tools/regression/priv/priv_vfs_getfh.c Normal file
View File

@ -0,0 +1,78 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Check that getfh() requires privilege; run it with, and without,
* privilege.
*/
#include <sys/param.h>
#include <sys/mount.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_vfs_getfh(void)
{
char fpath[1024];
fhandle_t fh;
int error;
assert_root();
setup_file(fpath, UID_ROOT, GID_WHEEL, 0644);
if (getfh(fpath, &fh) < 0) {
warn("getfh(%s) as root", fpath);
goto out;
}
set_euid(UID_OTHER);
error = getfh(fpath, &fh);
if (error == 0) {
warnx("getfh(%s) succeeded as !root", fpath);
goto out;
}
if (errno != EPERM) {
warn("getfh(%s) wrong errno %d as !root", fpath, errno);
goto out;
}
out:
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
}

370
tools/regression/priv/priv_vfs_read_write.c Normal file
View File

@ -0,0 +1,370 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* This is a joint test of both the read and write privileges with respect to
* discretionary file system access control (permissions). Only permissions,
* not ACL semantics, and only privilege-related checks are performed.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
struct test_arguments {
int open_flags;
uid_t proc_uid;
gid_t proc_gid;
uid_t file_uid;
gid_t file_gid;
};
/*
* Rather special-purpose, don't reuse. Will need updating if anything other
* than O_RDONLY and O_WRONLY are to be used in tests.
*/
static const char *
flags_to_string(int flags)
{
switch (flags) {
case O_RDONLY:
return ("O_RDONLY");
case O_WRONLY:
return ("O_WRONLY");
default:
return ("unknown");
}
}
static void
test_perm(struct test_arguments ta, mode_t file_mode, int expected)
{
uid_t proc_uid, file_uid;
gid_t proc_gid, file_gid;
int fd, open_flags;
char fpath[1024];
proc_uid = ta.proc_uid;
proc_gid = ta.proc_gid;
file_uid = ta.file_uid;
file_gid = ta.file_gid;
open_flags = ta.open_flags;
setup_file(fpath, file_uid, file_gid, file_mode);
set_creds(proc_uid, proc_gid);
fd = open(fpath, open_flags);
if (expected == 0) {
if (fd <= 0) {
warn("test_perm(%s, %d, %d, %d, %d, %04o, %d) "
"returned %d instead of %d",
flags_to_string(open_flags), proc_uid, proc_gid,
file_uid, file_gid, file_mode, expected,
errno, expected);
restore_creds();
(void)unlink(fpath);
exit(-1);
}
close(fd);
} else {
if (fd >= 0) {
warnx("test_perm(%s, %d, %d, %d, %d, %04o, %d)"
" returned 0 instead of %d",
flags_to_string(open_flags), proc_uid, proc_gid,
file_uid, file_gid, file_mode, expected,
expected);
close(fd);
restore_creds();
(void)unlink(fpath);
exit(-1);
} else if (errno != expected) {
warn("test_perm(%s, %d, %d, %d, %d, %04o, %d)"
" returned %d instead of %d",
flags_to_string(open_flags), proc_uid, proc_gid,
file_uid, file_gid, file_mode, expected,
errno, expected);
restore_creds();
(void)unlink(fpath);
exit(-1);
}
}
restore_creds();
(void)unlink(fpath);
}
static const gid_t gidset[] = { GID_WHEEL };
static void
preamble(void)
{
if (getuid() != UID_ROOT)
errx(-1, "must be run as root");
if (setgroups(1, gidset) < 0)
err(-1, "setgroups(1, {%d})", GID_WHEEL);
}
void
priv_vfs_read(void)
{
struct test_arguments ta;
preamble();
ta.open_flags = O_RDONLY;
/*
* Privileged user and file owner. All tests should pass.
*/
ta.proc_uid = UID_ROOT;
ta.proc_gid = GID_WHEEL;
ta.file_uid = UID_ROOT;
ta.file_gid = GID_WHEEL;
test_perm(ta, 0000, 0);
test_perm(ta, 0100, 0);
test_perm(ta, 0200, 0);
test_perm(ta, 0300, 0);
test_perm(ta, 0400, 0);
test_perm(ta, 0500, 0);
test_perm(ta, 0600, 0);
test_perm(ta, 0700, 0);
/*
* Privileged user and file group. All tests should pass.
*/
ta.proc_uid = UID_ROOT;
ta.proc_gid = GID_WHEEL;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_WHEEL;
test_perm(ta, 0000, 0);
test_perm(ta, 0010, 0);
test_perm(ta, 0020, 0);
test_perm(ta, 0030, 0);
test_perm(ta, 0040, 0);
test_perm(ta, 0050, 0);
test_perm(ta, 0060, 0);
test_perm(ta, 0070, 0);
/*
* Privileged user and file other. All tests should pass.
*/
ta.proc_uid = UID_ROOT;
ta.proc_gid = GID_WHEEL;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_OWNER;
test_perm(ta, 0000, 0);
test_perm(ta, 0001, 0);
test_perm(ta, 0002, 0);
test_perm(ta, 0003, 0);
test_perm(ta, 0004, 0);
test_perm(ta, 0005, 0);
test_perm(ta, 0006, 0);
test_perm(ta, 0007, 0);
/*
* Unprivileged user and file owner. Various DAC failures.
*/
ta.proc_uid = UID_OWNER;
ta.proc_gid = GID_OWNER;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_OWNER;
test_perm(ta, 0000, EACCES);
test_perm(ta, 0100, EACCES);
test_perm(ta, 0200, EACCES);
test_perm(ta, 0300, EACCES);
test_perm(ta, 0400, 0);
test_perm(ta, 0500, 0);
test_perm(ta, 0600, 0);
test_perm(ta, 0700, 0);
/*
* Unprivileged user and file group. Various DAC failures.
*/
ta.proc_uid = UID_OTHER;
ta.proc_gid = GID_OWNER;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_OWNER;
test_perm(ta, 0000, EACCES);
test_perm(ta, 0010, EACCES);
test_perm(ta, 0020, EACCES);
test_perm(ta, 0030, EACCES);
test_perm(ta, 0040, 0);
test_perm(ta, 0050, 0);
test_perm(ta, 0060, 0);
test_perm(ta, 0070, 0);
/*
* Unprivileged user and file other. Various DAC failures.
*/
ta.proc_uid = UID_OTHER;
ta.proc_gid = GID_OTHER;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_OWNER;
test_perm(ta, 0000, EACCES);
test_perm(ta, 0001, EACCES);
test_perm(ta, 0002, EACCES);
test_perm(ta, 0003, EACCES);
test_perm(ta, 0004, 0);
test_perm(ta, 0005, 0);
test_perm(ta, 0006, 0);
test_perm(ta, 0007, 0);
}
void
priv_vfs_write(void)
{
struct test_arguments ta;
preamble();
ta.open_flags = O_WRONLY;
/*
* Privileged user and file owner. All tests should pass.
*/
ta.proc_uid = UID_ROOT;
ta.proc_gid = GID_WHEEL;
ta.file_uid = UID_ROOT;
ta.file_gid = GID_WHEEL;
test_perm(ta, 0000, 0);
test_perm(ta, 0100, 0);
test_perm(ta, 0200, 0);
test_perm(ta, 0300, 0);
test_perm(ta, 0400, 0);
test_perm(ta, 0500, 0);
test_perm(ta, 0600, 0);
test_perm(ta, 0700, 0);
/*
* Privileged user and file group. All tests should pass.
*/
ta.proc_uid = UID_ROOT;
ta.proc_gid = GID_WHEEL;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_WHEEL;
test_perm(ta, 0000, 0);
test_perm(ta, 0010, 0);
test_perm(ta, 0020, 0);
test_perm(ta, 0030, 0);
test_perm(ta, 0040, 0);
test_perm(ta, 0050, 0);
test_perm(ta, 0060, 0);
test_perm(ta, 0070, 0);
/*
* Privileged user and file other. All tests should pass.
*/
ta.proc_uid = UID_ROOT;
ta.proc_gid = GID_WHEEL;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_OWNER;
test_perm(ta, 0000, 0);
test_perm(ta, 0001, 0);
test_perm(ta, 0002, 0);
test_perm(ta, 0003, 0);
test_perm(ta, 0004, 0);
test_perm(ta, 0005, 0);
test_perm(ta, 0006, 0);
test_perm(ta, 0007, 0);
/*
* Unprivileged user and file owner. Various DAC failures.
*/
ta.proc_uid = UID_OWNER;
ta.proc_gid = GID_OWNER;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_OWNER;
test_perm(ta, 0000, EACCES);
test_perm(ta, 0100, EACCES);
test_perm(ta, 0200, 0);
test_perm(ta, 0300, 0);
test_perm(ta, 0400, EACCES);
test_perm(ta, 0500, EACCES);
test_perm(ta, 0600, 0);
test_perm(ta, 0700, 0);
/*
* Unprivileged user and file group. Various DAC failures.
*/
ta.proc_uid = UID_OTHER;
ta.proc_gid = GID_OWNER;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_OWNER;
test_perm(ta, 0000, EACCES);
test_perm(ta, 0010, EACCES);
test_perm(ta, 0020, 0);
test_perm(ta, 0030, 0);
test_perm(ta, 0040, EACCES);
test_perm(ta, 0050, EACCES);
test_perm(ta, 0060, 0);
test_perm(ta, 0070, 0);
/*
* Unprivileged user and file other. Various DAC failures.
*/
ta.proc_uid = UID_OTHER;
ta.proc_gid = GID_OTHER;
ta.file_uid = UID_OWNER;
ta.file_gid = GID_OWNER;
test_perm(ta, 0000, EACCES);
test_perm(ta, 0001, EACCES);
test_perm(ta, 0002, 0);
test_perm(ta, 0003, 0);
test_perm(ta, 0004, EACCES);
test_perm(ta, 0005, EACCES);
test_perm(ta, 0006, 0);
test_perm(ta, 0007, 0);
}

143
tools/regression/priv/priv_vfs_setgid.c Normal file
View File

@ -0,0 +1,143 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that privilege is required to set the sgid bit on a file with a group
* that isn't in the process credential. The file uid owner is set to the
* uid being tested with, as we are not interested in testing privileges
* associated with file ownership.
*/
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include "main.h"
static const gid_t gidset_without[] = {GID_WHEEL};
static const gid_t gidset_with[] = {GID_WHEEL, GID_OWNER};
void
priv_vfs_setgid(void)
{
char fpath[1024];
int error, fd;
assert_root();
setup_file(fpath, UID_ROOT, GID_OWNER, 0644);
if (setgroups(1, gidset_without) < 0) {
warn("setgroups(1, {%d})", gidset_without[0]);
goto out;
}
fd = open(fpath, O_RDWR);
if (fd < 0) {
warn("open(%s, O_RDWR)", fpath);
goto out;
}
/*
* With privilege, set mode on file.
*/
if (fchmod(fd, 0600 | S_ISGID) < 0) {
warn("fchmod(%s, 0600 | S_ISGID) as root", fpath);
goto out;
}
/*
* Reset mode and chown file before dropping privilege.
*/
if (fchmod(fd, 0600) < 0) {
warn("fchmod(%s, 0600) as root", fpath);
goto out;
}
if (fchown(fd, UID_OWNER, GID_OWNER) < 0) {
warn("fchown(%s, %d, %d) as root", fpath, UID_OWNER,
GID_OTHER);
goto out;
}
/*
* Drop privilege.
*/
set_euid(UID_OWNER);
/*
* Without privilege, set mode on file.
*/
error = fchmod(fd, 0600 | S_ISGID);
if (error == 0) {
warnx("fchmod(%s, 0600 | S_ISGID) succeeded as !root",
fpath);
goto out;
}
if (errno != EPERM) {
warn("fchmod(%s, 0600 | S_ISGID) wrong errno %d as !root",
fpath, errno);
goto out;
}
/*
* Turn privilege back on so that we confirm privilege isn't required
* if we are a group member of the file's group.
*/
set_euid(UID_ROOT);
if (setgroups(2, gidset_with) < 0) {
warn("setgroups(2, {%d, %d})", gidset_with[0],
gidset_with[1]);
goto out;
}
if (seteuid(UID_OWNER) < 0) {
warn("seteuid(%d) pass 2", UID_OWNER);
goto out;
}
/*
* Without privilege, set mode on file (this time with right gid).
*/
if (fchmod(fd, 0600 | S_ISGID) < 0) {
warnx("fchmod(%s, 0600 | S_ISGID) pass 2 as !root", fpath);
sleep(10);
goto out;
}
out:
seteuid(UID_ROOT);
(void)unlink(fpath);
}

140
tools/regression/priv/priv_vfs_stickyfile.c Normal file
View File

@ -0,0 +1,140 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Check that privilege is required to set the sticky bit on a file, but not
* a directory. Try with and without privilege.
*/
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
static void
cleanup(const char *fpath, const char *dpath)
{
(void)seteuid(UID_ROOT);
(void)unlink(fpath);
if (dpath != NULL)
(void)rmdir(dpath);
}
void
priv_vfs_stickyfile(void)
{
char fpath[1024] = "/tmp/stickyfile.XXXXXXXXXXX";
char dpath[1024] = "/tmp/stickyfile.XXXXXXXXXXX", *dpathp;
int error, fd;
assert_root();
fd = mkstemp(fpath);
if (fd < 0)
err(-1, "mkstemp");
dpathp = mkdtemp(dpath);
if (dpathp == NULL) {
warn("mkdtemp");
goto out;
}
/*
* First, with privilege, set and clear the sticky bit on the file
* and directory.
*/
if (fchmod(fd, 0600 | S_ISTXT) < 0) {
warn("fchmod(%s, 0600 | S_ISTXT) on file as root", fpath);
goto out;
}
if (chmod(dpathp, 0700 | S_ISTXT) < 0) {
warn("chmod(%s, 0600 | S_ISTXT) on dir as root", dpath);
goto out;
}
/*
* Reset to remove sticky bit before changing credential.
*/
if (fchmod(fd, 0600) < 0) {
warn("fchmod(%s, 0600) on file as root", fpath);
goto out;
}
if (chmod(dpath, 0700) < 0) {
warn("chmod(%s, 0600) on dir as root", dpath);
goto out;
}
/*
* Chown the file and directory to target user -- we're checking for
* the specific right to set the sticky bit, not the general right to
* chmod().
*/
if (fchown(fd, UID_OTHER, -1) < 0) {
warn("fchown(%s, %d, -1)", fpath, UID_OTHER);
goto out;
}
if (chown(dpath, UID_OTHER, -1) < 0) {
warn("chown(%s, %d, -1)", fpath, UID_OTHER);
goto out;
}
/*
* Change credential and try again.
*/
set_euid(UID_OTHER);
error = fchmod(fd, 0600 | S_ISTXT);
if (error == 0) {
warnx("fchmod(%s, 0600 | S_ISTXT) succeeded on file as "
"!root", fpath);
goto out;
}
if (errno != EFTYPE) {
warn("fchmod(%s, 0600 | S_ISTXT) wrong errno %d as !root",
fpath, errno);
goto out;
}
if (chmod(dpathp, 0700 | S_ISTXT) < 0) {
warn("chmod(%s, 0600 | S_ISTXT) on dir as !root", dpath);
goto out;
}
out:
setuid(UID_ROOT);
cleanup(fpath, dpathp);
}

64
tools/regression/priv/priv_vm_madv_protect.c Normal file
View File

@ -0,0 +1,64 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that madvise(..., MADV_PROTECT) requires privilege by running it first
* with privilege, then again without.
*/
#include <sys/types.h>
#include <sys/mman.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_vm_madv_protect(void)
{
int error;
assert_root();
error = madvise(NULL, 0, MADV_PROTECT);
if (error)
err(-1, "madvise(..., MADV_PROTECT) as root");
set_euid(UID_OTHER);
error = madvise(NULL, 0, MADV_PROTECT);
if (error == 0)
errx(-1, "mlock as !root succeeded");
if (errno != EPERM)
err(-1, "mlock as !root wrong errno %d", errno);
}

64
tools/regression/priv/priv_vm_mlock.c Normal file
View File

@ -0,0 +1,64 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that mlock() requires privilege by running it first with privilege,
* then again without.
*/
#include <sys/types.h>
#include <sys/mman.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_vm_mlock(void)
{
int error;
assert_root();
error = mlock(&error, getpagesize());
if (error)
err(-1, "mlock as root");
set_euid(UID_OTHER);
error = mlock(&error, getpagesize());
if (error == 0)
errx(-1, "mlock as !root succeeded");
if (errno != EPERM)
err(-1, "mlock as !root wrong errno %d", errno);
}

64
tools/regression/priv/priv_vm_munlock.c Normal file
View File

@ -0,0 +1,64 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* Test that munlock() requires privilege by running it first with privilege,
* then again without.
*/
#include <sys/types.h>
#include <sys/mman.h>
#include <err.h>
#include <errno.h>
#include <unistd.h>
#include "main.h"
void
priv_vm_munlock(void)
{
int error;
assert_root();
error = munlock(&error, getpagesize());
if (error)
err(-1, "munlock as root");
set_euid(UID_OTHER);
error = munlock(&error, getpagesize());
if (error == 0)
errx(-1, "munlock as !root succeeded");
if (errno != EPERM)
err(-1, "munlock as !root wrong errno %d", errno);
}

153
tools/regression/priv/test_utimes.c Normal file
View File

@ -0,0 +1,153 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
* INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $FreeBSD$
*/
/*
* If times is NULL, ... The caller must be the owner of the file, have
* permission to write the file, or be the super-user.
*
* If times is non-NULL, ... The caller must be the owner of the file or be
* the super-user.
*
* To test these, create a temporary file owned by uid_owner; then run a
* series of tests as root, owner, and other, along with various modes, to
* see what is permitted, and if not, what error is returned.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "main.h"
static int
try_utimes(const char *path, mode_t mode, uid_t uid,
struct timeval *timestamp, int expected)
{
int error;
if (chmod(path, mode) < 0) {
warn("try_utimes(%s, %d, %d, 0x%08x): chmod", path, mode, uid,
(u_int)timestamp);
(void)unlink(path);
exit(-1);
}
if (seteuid(uid) < 0) {
warn("try_utimes(%s, %d, %d, 0x%08x): seteuid(%d)", path,
mode, uid, (u_int)timestamp, uid);
(void)unlink(path);
exit(-1);
}
error = utimes(path, timestamp);
if (seteuid(UID_ROOT) < 0) {
warn("try_utimes(%s, %d, %d, 0x%08x): seteuid(UID_ROOT)",
path, mode, uid, (u_int)timestamp);
(void)unlink(path);
exit(-1);
}
if (expected == 0) {
if (error != 0) {
(void)unlink(path);
errx(-1, "try_utimes(%s, 0%o, %d, 0x%08x) failed %d",
path, mode, uid, (u_int)timestamp, errno);
}
return (0);
}
if (expected == errno)
return (0);
(void)unlink(path);
errx(-1, "try_utimes(%s, 0%o, %d, 0x%08x) wrong err %d", path, mode,
uid, (u_int)timestamp, errno);
}
void
test_utimes(void)
{
char path[128] = "/tmp/utimes.XXXXXXXXX";
struct timeval timestamp[2];
int fd;
if (getuid() != 0)
errx(-1, "must be run as root");
fd = mkstemp(path);
if (fd == -1)
err(-1, "mkstemp");
if (chown(path, UID_OWNER, -1) < 0) {
warn("chown(%s, %d)", path, UID_OWNER);
(void)unlink(path);
return;
}
bzero(timestamp, sizeof(timestamp));
try_utimes(path, 0444, UID_ROOT, NULL, 0);
try_utimes(path, 0444, UID_OWNER, NULL, 0);
/* Denied by permissions. */
try_utimes(path, 0444, UID_OTHER, NULL, EACCES);
try_utimes(path, 0444, UID_ROOT, timestamp, 0);
try_utimes(path, 0444, UID_OWNER, timestamp, 0);
try_utimes(path, 0444, UID_OTHER, timestamp, EPERM);
try_utimes(path, 0644, UID_ROOT, NULL, 0);
try_utimes(path, 0644, UID_OWNER, NULL, 0);
/* Denied by permissions. */
try_utimes(path, 0644, UID_OTHER, NULL, EACCES);
try_utimes(path, 0644, UID_ROOT, timestamp, 0);
try_utimes(path, 0644, UID_OWNER, timestamp, 0);
/* Denied as not owner. */
try_utimes(path, 0644, UID_OTHER, timestamp, EPERM);
try_utimes(path, 0666, UID_ROOT, NULL, 0);
try_utimes(path, 0666, UID_OWNER, NULL, 0);
try_utimes(path, 0666, UID_OTHER, NULL, 0);
try_utimes(path, 0666, UID_ROOT, timestamp, 0);
try_utimes(path, 0666, UID_OWNER, timestamp, 0);
/* Denied as not owner. */
try_utimes(path, 0666, UID_OTHER, timestamp, EPERM);
(void)unlink(path);
}