From e98156c549fd5a67fe7ab0a5bcaf72a1f51330ce Mon Sep 17 00:00:00 2001 From: Daniel Silverstone Date: Sat, 22 Jun 2013 15:56:09 +0100 Subject: Additional scenario for the 'as' command --- testing/02-commands-as.yarn | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/testing/02-commands-as.yarn b/testing/02-commands-as.yarn index 1a96617..ce8afbf 100644 --- a/testing/02-commands-as.yarn +++ b/testing/02-commands-as.yarn 
@@ -36,3 +36,37 @@ The final trivial case is that a user which can run `as` cannot use it to run AND stderr contains Cannot use 'as' to run 'as' AND stderr contains Validation of command line failed AND stderr contains exit:1 + +Security-related cases for `as` invocation +------------------------------------------ + +There are a number of security implications for the `as` command. In the +simplest of cases it is only necessary to grant gitano-admin members the right +to run commands `as` other users. In this way, only those who could otherwise +alter the users in the first place can act on their behalf. + +There is, however, a potential information leak -- namely if someone who does +not have the right to run commands 'as' another user runs an `as` with a user +which does not exist. It is critical that this simply be reported as a lack of +permission to run any command, and not leak that the target user does not exist +in any way. + + SCENARIO Ensuring 'as' does not leak user presence + + GIVEN a standard instance + AND testinstance has keys called other + WHEN testinstance, using adminkey, adds user other, using testinstance other + AND testinstance adminkey runs as other whoami + THEN stderr is empty + WHEN testinstance other, expecting failure, runs as badger whoami + THEN stdout is empty + AND stderr does not contain badger + +Finally we ensure that when a user who may run `as` commands does so, but +manages to typo a username, they get a useful error message. + + WHEN testinstance adminkey, expecting failure, runs as badger whoami + THEN stderr contains badger + AND stderr contains does not exist + AND stderr contains exit:1 + AND stdout is empty -- cgit v1.2.1
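Review bot: In the scenario "Ensuring 'as' does not leak user presence", the unprivileged step (`WHEN testinstance other, expecting failure, runs as badger whoami`) is checked only by `stdout is empty` and `stderr does not contain badger`, so it would still pass if the error reported a missing user without naming it, which is the leak the prose calls critical. Add `AND stderr does not contain does not exist`, plus a positive assertion on whatever text the permission failure is expected to print, so the test pins down "reported as a lack of permission" rather than only the absence of the username. It would also help to add a step where `other` runs `as` against a user that does exist and assert the same stderr expectations, since the property being tested is that the two failures look alike from the caller's side. Minor: the first admin check (`runs as other whoami`) asserts only `stderr is empty`; asserting something about stdout there would confirm the command actually ran as `other`.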