19fa5f6b4SRobert Watson /*-
29fa5f6b4SRobert Watson * Copyright (c) 2006 nCircle Network Security, Inc.
3d903306aSRobert Watson * Copyright (c) 2007 Robert N. M. Watson
49fa5f6b4SRobert Watson * All rights reserved.
59fa5f6b4SRobert Watson *
69fa5f6b4SRobert Watson * This software was developed by Robert N. M. Watson for the TrustedBSD
79fa5f6b4SRobert Watson * Project under contract to nCircle Network Security, Inc.
89fa5f6b4SRobert Watson *
99fa5f6b4SRobert Watson * Redistribution and use in source and binary forms, with or without
109fa5f6b4SRobert Watson * modification, are permitted provided that the following conditions
119fa5f6b4SRobert Watson * are met:
129fa5f6b4SRobert Watson * 1. Redistributions of source code must retain the above copyright
139fa5f6b4SRobert Watson * notice, this list of conditions and the following disclaimer.
149fa5f6b4SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright
159fa5f6b4SRobert Watson * notice, this list of conditions and the following disclaimer in the
169fa5f6b4SRobert Watson * documentation and/or other materials provided with the distribution.
179fa5f6b4SRobert Watson *
189fa5f6b4SRobert Watson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
199fa5f6b4SRobert Watson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
209fa5f6b4SRobert Watson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
219fa5f6b4SRobert Watson * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
229fa5f6b4SRobert Watson * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
239fa5f6b4SRobert Watson * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
249fa5f6b4SRobert Watson * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
259fa5f6b4SRobert Watson * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
269fa5f6b4SRobert Watson * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
279fa5f6b4SRobert Watson * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
289fa5f6b4SRobert Watson * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
299fa5f6b4SRobert Watson */
309fa5f6b4SRobert Watson
319fa5f6b4SRobert Watson /*
329fa5f6b4SRobert Watson * There are three cases in which the file system will clear the setuid or
33d903306aSRobert Watson * setgid bits on a file when running unprivileged:
349fa5f6b4SRobert Watson *
359fa5f6b4SRobert Watson * - When the file is chown()'d and either of the uid or the gid is changed.
36d903306aSRobert Watson * (currently, only changing the file gid applies, as privilege is required
37d903306aSRobert Watson * to change the uid).
389fa5f6b4SRobert Watson *
39d903306aSRobert Watson * - The file is written to successfully.
409fa5f6b4SRobert Watson *
419fa5f6b4SRobert Watson * - An extended attribute of the file is written to successfully.
429fa5f6b4SRobert Watson *
43d903306aSRobert Watson * In each case, check that the flags are cleared if unprivileged, and that
44d903306aSRobert Watson * they aren't cleared if privileged.
45d903306aSRobert Watson *
46d903306aSRobert Watson * We can't use expect() as we're looking for side-effects rather than
47d903306aSRobert Watson * success/failure of the system call.
489fa5f6b4SRobert Watson */
499fa5f6b4SRobert Watson
509fa5f6b4SRobert Watson #include <sys/types.h>
519fa5f6b4SRobert Watson #include <sys/extattr.h>
529fa5f6b4SRobert Watson #include <sys/stat.h>
539fa5f6b4SRobert Watson
549fa5f6b4SRobert Watson #include <err.h>
559fa5f6b4SRobert Watson #include <fcntl.h>
569fa5f6b4SRobert Watson #include <stdlib.h>
579fa5f6b4SRobert Watson #include <string.h>
589fa5f6b4SRobert Watson #include <unistd.h>
599fa5f6b4SRobert Watson
609fa5f6b4SRobert Watson #include "main.h"
619fa5f6b4SRobert Watson
62d903306aSRobert Watson static char fpath[1024];
63d903306aSRobert Watson static int fpath_initialized;
649fa5f6b4SRobert Watson
659fa5f6b4SRobert Watson /*
66d903306aSRobert Watson * If running as root, check that SUID is still set; otherwise, check that it
67d903306aSRobert Watson * is not.
689fa5f6b4SRobert Watson */
699fa5f6b4SRobert Watson static void
confirm_sugid(char * test_case,int asroot,int injail)70d903306aSRobert Watson confirm_sugid(char *test_case, int asroot, int injail)
719fa5f6b4SRobert Watson {
729fa5f6b4SRobert Watson struct stat sb;
739fa5f6b4SRobert Watson
74d903306aSRobert Watson if (stat(fpath, &sb) < 0) {
75d903306aSRobert Watson warn("%s stat(%s)", test_case, fpath);
76d903306aSRobert Watson return;
779fa5f6b4SRobert Watson }
78d903306aSRobert Watson if (asroot) {
79d903306aSRobert Watson if (!(sb.st_mode & S_ISUID))
80d903306aSRobert Watson warnx("%s(root, %s): !SUID", test_case, injail ?
81d903306aSRobert Watson "jail" : "!jail");
82d903306aSRobert Watson } else {
83d903306aSRobert Watson if (sb.st_mode & S_ISUID)
84d903306aSRobert Watson warnx("%s(!root, %s): SUID", test_case, injail ?
85d903306aSRobert Watson "jail" : "!jail");
869fa5f6b4SRobert Watson }
879fa5f6b4SRobert Watson }
889fa5f6b4SRobert Watson
89d903306aSRobert Watson int
priv_vfs_clearsugid_setup(int asroot,int injail,struct test * test)90d903306aSRobert Watson priv_vfs_clearsugid_setup(int asroot, int injail, struct test *test)
919fa5f6b4SRobert Watson {
929fa5f6b4SRobert Watson
93d903306aSRobert Watson setup_file("priv_vfs_clearsugid_setup: fpath", fpath, UID_OWNER,
94d903306aSRobert Watson GID_OTHER, 0600 | S_ISUID);
95d903306aSRobert Watson fpath_initialized = 1;
96d903306aSRobert Watson return (0);
979fa5f6b4SRobert Watson }
98d903306aSRobert Watson
99d903306aSRobert Watson void
priv_vfs_clearsugid_chgrp(int asroot,int injail,struct test * test)100d903306aSRobert Watson priv_vfs_clearsugid_chgrp(int asroot, int injail, struct test *test)
101d903306aSRobert Watson {
102d903306aSRobert Watson
103d903306aSRobert Watson if (chown(fpath, -1, asroot ? GID_WHEEL : GID_OWNER) < 0)
104d903306aSRobert Watson err(-1, "priv_vfs_clearsugid_chgrp(%s, %s): chrgrp",
105d903306aSRobert Watson asroot ? "root" : "!root", injail ? "jail" : "!jail");
106d903306aSRobert Watson confirm_sugid("priv_vfs_clearsugid_chgrp", asroot, injail);
1079fa5f6b4SRobert Watson }
1089fa5f6b4SRobert Watson
1099fa5f6b4SRobert Watson #define EA_NAMESPACE EXTATTR_NAMESPACE_USER
1109fa5f6b4SRobert Watson #define EA_NAME "clearsugid"
1119fa5f6b4SRobert Watson #define EA_DATA "test"
1129fa5f6b4SRobert Watson #define EA_SIZE (strlen(EA_DATA))
113d903306aSRobert Watson
1149fa5f6b4SRobert Watson void
priv_vfs_clearsugid_extattr(int asroot,int injail,struct test * test)115d903306aSRobert Watson priv_vfs_clearsugid_extattr(int asroot, int injail, struct test *test)
1169fa5f6b4SRobert Watson {
117d903306aSRobert Watson
118d903306aSRobert Watson if (extattr_set_file(fpath, EA_NAMESPACE, EA_NAME, EA_DATA, EA_SIZE)
119d903306aSRobert Watson < 0)
120d903306aSRobert Watson err(-1,
121d903306aSRobert Watson "priv_vfs_clearsugid_extattr(%s, %s): extattr_set_file",
122d903306aSRobert Watson asroot ? "root" : "!root", injail ? "jail" : "!jail");
123d903306aSRobert Watson confirm_sugid("priv_vfs_clearsugid_extattr", asroot, injail);
124d903306aSRobert Watson }
125d903306aSRobert Watson
126d903306aSRobert Watson void
priv_vfs_clearsugid_write(int asroot,int injail,struct test * test)127d903306aSRobert Watson priv_vfs_clearsugid_write(int asroot, int injail, struct test *test)
128d903306aSRobert Watson {
1299fa5f6b4SRobert Watson int fd;
1309fa5f6b4SRobert Watson
1319fa5f6b4SRobert Watson fd = open(fpath, O_RDWR);
132d903306aSRobert Watson if (fd < 0)
133d903306aSRobert Watson err(-1, "priv_vfs_clearsugid_write(%s, %s): open",
134d903306aSRobert Watson asroot ? "root" : "!root", injail ? "jail" : "!jail");
135d903306aSRobert Watson if (write(fd, EA_DATA, EA_SIZE) < 0)
136d903306aSRobert Watson err(-1, "priv_vfs_clearsugid_write(%s, %s): write",
137d903306aSRobert Watson asroot ? "root" : "!root", injail ? "jail" : "!jail");
138d903306aSRobert Watson (void)close(fd);
139d903306aSRobert Watson confirm_sugid("priv_vfs_clearsugid_write", asroot, injail);
1409fa5f6b4SRobert Watson }
1419fa5f6b4SRobert Watson
142d903306aSRobert Watson void
priv_vfs_clearsugid_cleanup(int asroot,int injail,struct test * test)143d903306aSRobert Watson priv_vfs_clearsugid_cleanup(int asroot, int injail, struct test *test)
144d903306aSRobert Watson {
1459fa5f6b4SRobert Watson
146d903306aSRobert Watson if (fpath_initialized) {
1479fa5f6b4SRobert Watson (void)unlink(fpath);
148d903306aSRobert Watson fpath_initialized = 0;
1499fa5f6b4SRobert Watson }
1509fa5f6b4SRobert Watson }
151