From 31dd09e00df2e240a0ecb8acb6ac69473824c1a2 Mon Sep 17 00:00:00 2001
From: ptools
Date: Tue, 30 Mar 2004 03:05:40 +0000
Subject: [PATCH] Change access check for posix compliance for CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH root access check for CAP_DAC_OVERRIDE
---
 088 | 67 +++++++++++++++++++++++++++++++++++++++++++
 088.out | 9 ++++++
 group | 4 +++
 src/Makefile | 2 +-
 src/t_access_root.c | 69 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 150 insertions(+), 1 deletion(-)
 create mode 100755 088
 create mode 100755 088.out
 create mode 100644 src/t_access_root.c
diff --git a/088 b/088
new file mode 100755
index 000000000..a19752ffc
--- /dev/null
+++ b/088
@@ -0,0 +1,67 @@
+#! /bin/sh
+# XFS QA Test No. 088
+#
+# test out CAP_DAC_OVERRIDE and CAP_DAC_SEARCH code in
+# xfs_iaccess(ip,mode,cr)
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2000-2004 Silicon Graphics, Inc. All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# Further, this software is distributed without any warranty that it is
+# free of the rightful claim of any third person regarding infringement
+# or the like. Any license provided herein, whether implied or
+# otherwise, applies only to this software file. Patent licenses, if
+# any, provided herein do not apply to combinations of this program with
+# other software, or any other product whatsoever.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write the Free Software Foundation, Inc., 59
+# Temple Place - Suite 330, Boston MA 02111-1307, USA.
+#
+# Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy,
+# Mountain View, CA 94043, or:
+#
+# http://www.sgi.com
+#
+# For further information regarding this notice, see:
+#
+# http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/
+#-----------------------------------------------------------------------
+#
+# creator
+owner=root@icy.melbourne.sgi.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "rm -f $tmp.*; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_filter()
+{
+ sed -e "s#$TEST_DIR#TEST_DIR#g" \
+ -e '/----------/d'
+}
+
+# real QA test starts here
+
+path=$TEST_DIR/t_access
+src/t_access_root $path | _filter
+
+# success, all done
+status=0
+exit
diff --git a/088.out b/088.out
new file mode 100755
index 000000000..317c13fc2
--- /dev/null
+++ b/088.out
@@ -0,0 +1,9 @@
+QA output created by 088
+access(TEST_DIR/t_access, 0) returns 0
+access(TEST_DIR/t_access, R_OK) returns 0
+access(TEST_DIR/t_access, W_OK) returns 0
+access(TEST_DIR/t_access, X_OK) returns -1
+access(TEST_DIR/t_access, R_OK | W_OK) returns 0
+access(TEST_DIR/t_access, R_OK | X_OK) returns -1
+access(TEST_DIR/t_access, W_OK | X_OK) returns -1
+access(TEST_DIR/t_access, R_OK | W_OK | X_OK) returns -1
diff --git a/group b/group
index 0acfed6b5..5434b639f 100644
--- a/group
+++ b/group
@@ -41,6 +41,9 @@ copy harshula@sgi.com
 # chacl, libacl
 acl tes@sgi.com ajag@sgi.com
+# permissions
+perms tes@sgi.com
+
 # xfs_growfs
 growfs ajag@sgi.com
@@ -151,3 +154,4 @@ ioctl nathans@sgi.com
 085 log auto
 086 log auto
 087 log auto
+088 perms
diff --git a/src/Makefile b/src/Makefile
index b0461beb7..0dfe31502 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -38,7 +38,7 @@ TARGETS = alloc acl_get bstat devzero dirstress fault feature \
 nametest permname randholes runas truncfile usemem \
 fstest mmapcat append_reader append_writer \
 dirperf metaperf enospc_unlink resvtest scaleread \
- godown
+ godown t_access_root
 ifeq ($(ENABLE_DBM), yes)
 TARGETS += dbtest
 endif
diff --git a/src/t_access_root.c b/src/t_access_root.c
new file mode 100644
index 000000000..a4a016e53
--- /dev/null
+++ b/src/t_access_root.c
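Review bot: The header comment of the new `088` script names `CAP_DAC_SEARCH`, while the capability the commit subject refers to is `CAP_DAC_READ_SEARCH`, and nothing in the script states what outcome is expected or that it has to run as root. I would fix the name and add a comment along the lines of `# run as root on a mode-0 regular file: R_OK and W_OK succeed through CAP_DAC_OVERRIDE, X_OK must fail because no execute bit is set`, so a reader of 088.out can tell why the `-1` lines are the correct result. The script also never removes `$TEST_DIR/t_access`; the trap only deletes `$tmp.*`, so a mode-0 file owned by the helper's default uid stays behind after the run, and an `rm -f $path` before `status=0` would tidy that up.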
@@ -0,0 +1,69 @@
+/*
+ * t_access_root.c - trivial test program to show permission bug.
+ *
+ * Written by Michael Kerrisk - copyright ownership not pursued.
+ * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define UID 500
+#define GID 100
+#define PERM 0
+#define TESTPATH "/tmp/t_access"
+
+static void
+errExit(char *msg)
+{
+ perror(msg);
+ exit(EXIT_FAILURE);
+} /* errExit */
+
+static void
+accessTest(char *file, int mask, char *mstr)
+{
+ printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask));
+} /* accessTest */
+
+int
+main(int argc, char *argv[])
+{
+ int fd, perm, uid, gid;
+ char *testpath;
+ char cmd[PATH_MAX + 20];
+
+ testpath = (argc > 1) ? argv[1] : TESTPATH;
+ perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM;
+ uid = (argc > 3) ? atoi(argv[3]) : UID;
+ gid = (argc > 4) ? atoi(argv[4]) : GID;
+
+ unlink(testpath);
+
+ fd = open(testpath, O_RDWR | O_CREAT, 0);
+ if (fd == -1) errExit("open");
+
+ if (fchown(fd, uid, gid) == -1) errExit("fchown");
+ if (fchmod(fd, perm) == -1) errExit("fchmod");
+ close(fd);
+
+ snprintf(cmd, sizeof(cmd), "ls -l %s", testpath);
+ system(cmd);
+
+ if (seteuid(uid) == -1) errExit("seteuid");
+
+ accessTest(testpath, 0, "0");
+ accessTest(testpath, R_OK, "R_OK");
+ accessTest(testpath, W_OK, "W_OK");
+ accessTest(testpath, X_OK, "X_OK");
+ accessTest(testpath, R_OK | W_OK, "R_OK | W_OK");
+ accessTest(testpath, R_OK | X_OK, "R_OK | X_OK");
+ accessTest(testpath, W_OK | X_OK, "W_OK | X_OK");
+ accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK");
+
+ exit(EXIT_SUCCESS);
+} /* main */
-- 
2.51.0
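Review bot: In `main`, `unlink(testpath)` followed by `open(testpath, O_RDWR | O_CREAT, 0)` lets this root-run helper open whatever file or symlink appears at the path in between, and the `fchown`/`fchmod` that follow are then applied to that object; the world-writable `/tmp/t_access` default makes this the case to guard against. Adding `O_EXCL` makes the open fail instead: `fd = open(testpath, O_RDWR | O_CREAT | O_EXCL, 0);`. The `snprintf`/`system(cmd)` pair passes an unquoted and possibly truncated path from `argv` to a shell while still root; test 088 appears to filter the `ls -l` line out of the output anyway, so printing mode and owner from an `fstat` on `fd` before `close(fd)` would give the same information without a shell. The `strtoul` and `atoi` results are used unchecked, so a mistyped uid or gid argument silently becomes 0 and the file ends up owned by root rather than the intended test user.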