Commit 84f97107 authored by Tim Beale's avatar Tim Beale Committed by Mathieu Parent

CVE-2019-3870 tests: Add test to check file-permissions are correct after provision

This provisions a new DC and checks there are no world-writable
files in the new DC's private directory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834Signed-off-by: 's avatarTim Beale <timbeale@catalyst.net.nz>
Reviewed-by: 's avatarAndrew Bartlett <abartlet@samba.org>
Reviewed-by: 's avatarJeremy Allison <jra@samba.org>
parent 40af26fa
samba4.blackbox.provision_fileperms.provision-fileperms\(none\)
......@@ -904,6 +904,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [
plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")])
plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision'])
plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision'])
plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision'])
plantestsuite("samba4.blackbox.supported_features", "none",
["PYTHON=%s" % python,
os.path.join(samba4srcdir,
......
#!/bin/sh
if [ $# -lt 1 ]; then
cat <<EOF
Usage: $0 PREFIX
EOF
exit 1;
fi
PREFIX="$1"
shift 1
. `dirname $0`/../../../testprogs/blackbox/subunit.sh
# selftest sets the umask to zero. Explicitly set it to 022 here,
# which should mean files should never be writable for anyone else
ORIG_UMASK=`umask`
umask 0022
# checks that the files in the 'private' directory created are not
# world-writable
check_private_file_perms()
{
target_dir="$1/private"
result=0
for file in `ls $target_dir/`
do
filepath="$target_dir/$file"
# skip directories/sockets for now
if [ ! -f $filepath ] ; then
continue;
fi
# use stat to get the file permissions, i.e. -rw-------
file_perm=`stat -c "%A" $filepath`
# then use cut to drop the first 4 chars containing the file type
# and owner permissions. What's left is the group and other users
global_perm=`echo $file_perm | cut -c4-`
# check the remainder doesn't have write permissions set
if [ -z "${global_perm##*w*}" ] ; then
echo "Error: $file has $file_perm permissions"
result=1
fi
done
return $result
}
TARGET_DIR=$PREFIX/basic-dc
rm -rf $TARGET_DIR
# create a dummy smb.conf - we need to use fake ACLs for the file system here
# (but passing --option args with spaces in it proved too difficult in bash)
SMB_CONF=$TARGET_DIR/tmp/smb.conf
mkdir -p `dirname $SMB_CONF`
echo "vfs objects = fake_acls xattr_tdb" > $SMB_CONF
# provision a basic DC
testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF
# check the file permissions in the 'private' directory really are private
testit "provision-fileperms" check_private_file_perms $TARGET_DIR
rm -rf $TARGET_DIR
umask $ORIG_UMASK
exit $failed
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment