diff options
author | Tim Beale <timbeale@catalyst.net.nz> | 2019-03-15 13:52:50 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2019-04-05 09:48:18 +0200 |
commit | 83cc536a42003bf2df0a5a121b07df33c1ffd96a (patch) | |
tree | b890de8b73a9c4ce0cb7d0364d0c70a2469a2762 | |
parent | b708ce3f1ac863dea8051b51b717bced2a433546 (diff) | |
download | samba-83cc536a42003bf2df0a5a121b07df33c1ffd96a.tar.gz |
CVE-2019-3870 tests: Add test to check file-permissions are correct after provision
This provisions a new DC and checks there are no world-writable
files in the new DC's private directory.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | selftest/knownfail.d/provision_fileperms | 1 | ||||
-rwxr-xr-x | source4/selftest/tests.py | 1 | ||||
-rwxr-xr-x | source4/setup/tests/provision_fileperms.sh | 71 |
3 files changed, 73 insertions, 0 deletions
diff --git a/selftest/knownfail.d/provision_fileperms b/selftest/knownfail.d/provision_fileperms new file mode 100644 index 00000000000..88b1585fd19 --- /dev/null +++ b/selftest/knownfail.d/provision_fileperms @@ -0,0 +1 @@ +samba4.blackbox.provision_fileperms.provision-fileperms\(none\) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 18b2c1162b0..d6fb388dc33 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -904,6 +904,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [ plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")]) plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision']) plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision']) +plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision']) plantestsuite("samba4.blackbox.supported_features", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh new file mode 100755 index 00000000000..0b3ef0321fb --- /dev/null +++ b/source4/setup/tests/provision_fileperms.sh @@ -0,0 +1,71 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat <<EOF +Usage: $0 PREFIX +EOF +exit 1; +fi + +PREFIX="$1" +shift 1 + +. `dirname $0`/../../../testprogs/blackbox/subunit.sh + +# selftest sets the umask to zero. Explicitly set it to 022 here, +# which should mean files should never be writable for anyone else +ORIG_UMASK=`umask` +umask 0022 + +# checks that the files in the 'private' directory created are not +# world-writable +check_private_file_perms() +{ + target_dir="$1/private" + result=0 + + for file in `ls $target_dir/` + do + filepath="$target_dir/$file" + + # skip directories/sockets for now + if [ ! -f $filepath ] ; then + continue; + fi + + # use stat to get the file permissions, i.e. -rw------- + file_perm=`stat -c "%A" $filepath` + + # then use cut to drop the first 4 chars containing the file type + # and owner permissions. What's left is the group and other users + global_perm=`echo $file_perm | cut -c4-` + + # check the remainder doesn't have write permissions set + if [ -z "${global_perm##*w*}" ] ; then + echo "Error: $file has $file_perm permissions" + result=1 + fi + done + return $result +} + +TARGET_DIR=$PREFIX/basic-dc +rm -rf $TARGET_DIR + +# create a dummy smb.conf - we need to use fake ACLs for the file system here +# (but passing --option args with spaces in it proved too difficult in bash) +SMB_CONF=$TARGET_DIR/tmp/smb.conf +mkdir -p `dirname $SMB_CONF` +echo "vfs objects = fake_acls xattr_tdb" > $SMB_CONF + +# provision a basic DC +testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF + +# check the file permissions in the 'private' directory really are private +testit "provision-fileperms" check_private_file_perms $TARGET_DIR + +rm -rf $TARGET_DIR + +umask $ORIG_UMASK + +exit $failed |