1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved.
#
# FS QA Test No. 598
#
# Test protected_regular and protected_fifos sysctls
#
. ./common/preamble
_begin_fstest auto quick perms
# Override the default cleanup function.
_cleanup()
{
rm -rf $TEST_DIR/$seq
[ ! -z "$REGULAR_PROTECTION" ] \
&& sysctl -qw fs.protected_regular=$REGULAR_PROTECTION
[ ! -z "$FIFO_PROTECTION" ] \
&& sysctl -qw fs.protected_fifos=$FIFO_PROTECTION
cd /
rm -f $tmp.*
}
# Import common functions.
. ./common/filter
# real QA test starts here
# Modify as appropriate.
_supported_fs generic
_require_test
_require_sysctl_variable fs.protected_regular
_require_sysctl_variable fs.protected_fifos
_require_user fsgqa2
# Do this SECOND so that qa_user is fsgqa, and _user_do uses that account
_require_user fsgqa
_require_chmod
USER1=fsgqa2
USER2=fsgqa
# Save current system state to reset when done
REGULAR_PROTECTION=`sysctl -n fs.protected_regular`
FIFO_PROTECTION=`sysctl -n fs.protected_fifos`
test_access()
{
FILENAME=$1
# sticky dir is world & group writable:
echo "= group & world writable dir"
chmod og+w $TEST_DIR/$seq/sticky_dir
# "open -f" opens O_CREAT
_user_do "$XFS_IO_PROG -c \"open -f $TEST_DIR/$seq/sticky_dir/$FILENAME\""
# sticky dir is only group writable:
echo "= only group writable dir"
chmod o-w $TEST_DIR/$seq/sticky_dir
_user_do "$XFS_IO_PROG -c \"open -f $TEST_DIR/$seq/sticky_dir/$FILENAME\""
}
setup_tree()
{
# Create sticky dir owned by $USER2
mkdir -p $TEST_DIR/$seq
mkdir -p $TEST_DIR/$seq/sticky_dir
chmod 1777 $TEST_DIR/$seq/sticky_dir
chown $USER2:$USER2 $TEST_DIR/$seq/sticky_dir
# Create file & fifo in that dir owned by $USER1, and open
# normal read/write privs for world & group
$XFS_IO_PROG -c "open -f $TEST_DIR/$seq/sticky_dir/file"
chown $USER1:$USER1 $TEST_DIR/$seq/sticky_dir/file
chmod o+rw $TEST_DIR/$seq/sticky_dir/file
mkfifo $TEST_DIR/$seq/sticky_dir/fifo
chown $USER1:$USER1 $TEST_DIR/$seq/sticky_dir/fifo
chmod o+rw $TEST_DIR/$seq/sticky_dir/fifo
}
setup_tree
# First test fs.protected_regular
# With protection set to 1, O_CREAT opens in a world-writable sticky
# directory should fail if the file exists, is owned by another, and
# file owner != dir owner
#
# With protection set to 2, the same goes for group-writable
# sticky directories
echo "== Test file open when owned by another and file owner != dir owner"
sysctl -w fs.protected_regular=0
test_access file
sysctl -w fs.protected_regular=1
test_access file
sysctl -w fs.protected_regular=2
test_access file
echo
# Now test fs.protected_fifos
# With protection set to 1, O_CREAT opens in a world-writable sticky
# directory should fail if the fifo exists, is owned by another, and
# file owner != dir owner
#
# With protection set to 2, the same goes for group-writable
# sticky directories
echo "== Test fifo open when owned by another and fifo owner != dir owner"
sysctl -w fs.protected_fifos=0
test_access fifo
sysctl -w fs.protected_fifos=1
test_access fifo
sysctl -w fs.protected_fifos=2
test_access fifo
# success, all done
status=0
exit
|