From e2c4475028606343176752bd0974df2c5ed6a520 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 4 Jan 2018 19:44:27 +0100
Subject: fs-util: add new CHASE_SAFE flag to chase_symlinks()

When the flag is specified we won't transition to a privilege-owned file or directory from an unprivileged-owned one. This is useful when privileged code wants to load data from a file unprivileged users have write access to, and validates the ownership, but want's to make sure that no symlink games are played to read a root-owned system file belonging to a different context.
---
 src/test/test-fs-util.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

(limited to 'src/test')

diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c
index f2f571ce2..1c453e11a 100644
--- a/src/test/test-fs-util.c
+++ b/src/test/test-fs-util.c
@@ -30,6 +30,7 @@
 #include "rm-rf.h"
 #include "string-util.h"
 #include "strv.h"
+//#include "user-util.h"
 #include "util.h"
 
 static void test_chase_symlinks(void) {
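Review bot: The only line this hunk adds is the commented-out `//#include "user-util.h"`, which either leaves the test relying on a transitive include for the `UID_NOBODY`/`GID_NOBODY` constants used in the second hunk or is simply dead text. If those constants are declared in user-util.h, the line should read `#include "user-util.h"` so test-fs-util.c stays self-contained; if they already resolve through another header that is included here, drop the line rather than leave it commented. Which of the two applies is not visible from this hunk alone.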
@@ -235,6 +236,32 @@ static void test_chase_symlinks(void) {
 r = chase_symlinks(p, NULL, 0, &result);
 assert_se(r == -ENOENT);
 
+ if (geteuid() == 0) {
+ p = strjoina(temp, "/priv1");
+ assert_se(mkdir(p, 0755) >= 0);
+
+ q = strjoina(p, "/priv2");
+ assert_se(mkdir(q, 0755) >= 0);
+
+ assert_se(chase_symlinks(q, NULL, CHASE_SAFE, NULL) >= 0);
+
+ assert_se(chown(q, UID_NOBODY, GID_NOBODY) >= 0);
+ assert_se(chase_symlinks(q, NULL, CHASE_SAFE, NULL) >= 0);
+
+ assert_se(chown(p, UID_NOBODY, GID_NOBODY) >= 0);
+ assert_se(chase_symlinks(q, NULL, CHASE_SAFE, NULL) >= 0);
+
+ assert_se(chown(q, 0, 0) >= 0);
+ assert_se(chase_symlinks(q, NULL, CHASE_SAFE, NULL) == -EPERM);
+
+ assert_se(rmdir(q) >= 0);
+ assert_se(symlink("/etc/passwd", q) >= 0);
+ assert_se(chase_symlinks(q, NULL, CHASE_SAFE, NULL) == -EPERM);
+
+ assert_se(chown(p, 0, 0) >= 0);
+ assert_se(chase_symlinks(q, NULL, CHASE_SAFE, NULL) >= 0);
+ }
+
 assert_se(rm_rf(temp, REMOVE_ROOT|REMOVE_PHYSICAL) >= 0);
 }
 
-- 
cgit v1.2.3
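Review bot: The symlink case depends on `/etc/passwd` existing and being root-owned on the host, so on a minimal or containerised test image the `chase_symlinks(q, NULL, CHASE_SAFE, NULL) == -EPERM` assertion can fail for an unrelated reason (a missing or differently owned file) instead of exercising the CHASE_SAFE ownership transition. A root-owned regular file created under `temp` and used as the link target would make the check self-contained and independent of the host's system files. The symlink itself is also created while running as root, so its inode is root-owned; adding an `lchown(q, UID_NOBODY, GID_NOBODY)` before the second `-EPERM` check would additionally cover the case the commit message describes, where the link in the unprivileged-owned directory is owned by the unprivileged user. The enclosing test_chase_symlinks() starts outside this hunk.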