diff options
author | Daniel Silverstone <dsilvers@digital-scurf.org> | 2013-06-22 15:56:09 +0100 |
---|---|---|
committer | Daniel Silverstone <dsilvers@digital-scurf.org> | 2013-06-22 15:56:09 +0100 |
commit | e98156c549fd5a67fe7ab0a5bcaf72a1f51330ce (patch) | |
tree | c7d50dad11ae0f7cb9aaa4fef6ba539503310260 | |
parent | 1630874880c9bf9c67a4be1b3783a5bf5778e06b (diff) | |
download | gitano-e98156c549fd5a67fe7ab0a5bcaf72a1f51330ce.tar.gz |
Additional scenario for the 'as' command
-rw-r--r-- | testing/02-commands-as.yarn | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/testing/02-commands-as.yarn b/testing/02-commands-as.yarn index 1a96617..ce8afbf 100644 --- a/testing/02-commands-as.yarn +++ b/testing/02-commands-as.yarn @@ -36,3 +36,37 @@ The final trivial case is that a user which can run `as` cannot use it to run AND stderr contains Cannot use 'as' to run 'as' AND stderr contains Validation of command line failed AND stderr contains exit:1 + +Security-related cases for `as` invocation +------------------------------------------ + +There are a number of security implications for the `as` command. In the +simplest of cases it is only necessary to grant gitano-admin members the right +to run commands `as` other users. In this way, only those who could otherwise +alter the users in the first place can act on their behalf. + +There is, however, a potential information leak -- namely if someone who does +not have the right to run commands 'as' another user runs an `as` with a user +which does not exist. It is critical that this simply be reported as a lack of +permission to run any command, and not leak that the target user does not exist +in any way. + + SCENARIO Ensuring 'as' does not leak user presence + + GIVEN a standard instance + AND testinstance has keys called other + WHEN testinstance, using adminkey, adds user other, using testinstance other + AND testinstance adminkey runs as other whoami + THEN stderr is empty + WHEN testinstance other, expecting failure, runs as badger whoami + THEN stdout is empty + AND stderr does not contain badger + +Finally we ensure that when a user who may run `as` commands does so, but +manages to typo a username, they get a useful error message. + + WHEN testinstance adminkey, expecting failure, runs as badger whoami + THEN stderr contains badger + AND stderr contains does not exist + AND stderr contains exit:1 + AND stdout is empty |