diff options
author | Tim Beale <timbeale@catalyst.net.nz> | 2019-03-15 13:52:50 +1300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2019-04-08 10:27:34 +0000 |
commit | 0c8ad9c9dbeac1ad0ca3553a19d7bbf652bb650d (patch) | |
tree | 8e58aaf87967d8c1ca6517734802e40477d8d872 /source4 | |
parent | 6048103751afa33f1951539ce36224a03b276604 (diff) | |
download | samba-0c8ad9c9dbeac1ad0ca3553a19d7bbf652bb650d.tar.gz |
CVE-2019-3870 tests: Add test to check file-permissions are correct after provision
This provisions a new DC and checks there are no world-writable
files in the new DC's private directory.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4')
-rwxr-xr-x | source4/selftest/tests.py | 1 | ||||
-rwxr-xr-x | source4/setup/tests/provision_fileperms.sh | 71 |
2 files changed, 72 insertions, 0 deletions
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 76655d768f0..f74678fb90b 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -948,6 +948,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_default)", "ad_dc_default plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")]) plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision']) plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision']) +plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision']) plantestsuite("samba4.blackbox.supported_features", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh new file mode 100755 index 00000000000..0b3ef0321fb --- /dev/null +++ b/source4/setup/tests/provision_fileperms.sh @@ -0,0 +1,71 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat <<EOF +Usage: $0 PREFIX +EOF +exit 1; +fi + +PREFIX="$1" +shift 1 + +. `dirname $0`/../../../testprogs/blackbox/subunit.sh + +# selftest sets the umask to zero. Explicitly set it to 022 here, +# which should mean files should never be writable for anyone else +ORIG_UMASK=`umask` +umask 0022 + +# checks that the files in the 'private' directory created are not +# world-writable +check_private_file_perms() +{ + target_dir="$1/private" + result=0 + + for file in `ls $target_dir/` + do + filepath="$target_dir/$file" + + # skip directories/sockets for now + if [ ! -f $filepath ] ; then + continue; + fi + + # use stat to get the file permissions, i.e. -rw------- + file_perm=`stat -c "%A" $filepath` + + # then use cut to drop the first 4 chars containing the file type + # and owner permissions. What's left is the group and other users + global_perm=`echo $file_perm | cut -c4-` + + # check the remainder doesn't have write permissions set + if [ -z "${global_perm##*w*}" ] ; then + echo "Error: $file has $file_perm permissions" + result=1 + fi + done + return $result +} + +TARGET_DIR=$PREFIX/basic-dc +rm -rf $TARGET_DIR + +# create a dummy smb.conf - we need to use fake ACLs for the file system here +# (but passing --option args with spaces in it proved too difficult in bash) +SMB_CONF=$TARGET_DIR/tmp/smb.conf +mkdir -p `dirname $SMB_CONF` +echo "vfs objects = fake_acls xattr_tdb" > $SMB_CONF + +# provision a basic DC +testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF + +# check the file permissions in the 'private' directory really are private +testit "provision-fileperms" check_private_file_perms $TARGET_DIR + +rm -rf $TARGET_DIR + +umask $ORIG_UMASK + +exit $failed |