From 936e4c229a4ed205e9981fc4f31acea063701b69 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Wed, 17 Jul 2013 11:57:02 +0200 Subject: Don't load configs from user directory when setuid When running as setuid() or setgid() don't access the user's home directory, or use $HOME environment variables. https://bugzilla.redhat.com/show_bug.cgi?id=985014 --- common/tests/Makefile.am | 5 +++- common/tests/frob-getauxval.c | 63 +++++++++++++++++++++++++++++++++++++++++++ common/tests/test-compat.c | 30 +++++++++++++++++++++ 3 files changed, 97 insertions(+), 1 deletion(-) create mode 100644 common/tests/frob-getauxval.c (limited to 'common/tests') diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am index 637399b..b1a42bd 100644 --- a/common/tests/Makefile.am +++ b/common/tests/Makefile.am @@ -7,7 +7,9 @@ AM_CPPFLAGS = \ -I$(top_srcdir) \ -I$(srcdir)/.. \ -I$(COMMON) \ - $(TEST_CFLAGS) + -DBUILDDIR=\"$(abs_builddir)\" \ + $(TEST_CFLAGS) \ + $(CUTEST_CFLAGS) LDADD = \ $(NULL) @@ -26,6 +28,7 @@ CHECK_PROGS = \ $(NULL) noinst_PROGRAMS = \ + frob-getauxval \ $(CHECK_PROGS) TESTS = $(CHECK_PROGS) diff --git a/common/tests/frob-getauxval.c b/common/tests/frob-getauxval.c new file mode 100644 index 0000000..54ebea0 --- /dev/null +++ b/common/tests/frob-getauxval.c 
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2013 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ * + * Author: Stef Walter + */ + +#include "config.h" +#include "compat.h" + +#include + +#include +#include +#include +#include + +int +main (int argc, + char *argv[]) +{ + unsigned long type = 0; + unsigned long ret; + + if (argc == 2) + type = atoi (argv[1]); + + if (type == 0) { + fprintf (stderr, "usage: frob-getauxval 23"); + abort (); + } + + ret = getauxval (type); + printf ("getauxval(%lu) == %lu\n", type, ret); + return (int)ret; +} diff --git a/common/tests/test-compat.c b/common/tests/test-compat.c index f1960ce..a541235 100644 --- a/common/tests/test-compat.c +++ b/common/tests/test-compat.c @@ -35,6 +35,7 @@ #include "config.h" #include "test.h" +#include #include #include #include @@ -56,10 +57,39 @@ test_strndup (void) free (res); } +#ifdef OS_UNIX + +static void +test_getauxval (void) +{ + /* 23 is AT_SECURE */ + const char *args[] = { BUILDDIR "/frob-getauxval", "23", NULL }; + char *path; + int ret; + + ret = p11_test_run_child (args, true); + assert_num_eq (ret, 0); + + path = p11_test_copy_setgid (args[0]); + if (path == NULL) + return; + + args[0] = path; + ret = p11_test_run_child (args, true); + assert_num_cmp (ret, !=, 0); + + if (unlink (path) < 0) + assert_fail ("unlink failed", strerror (errno)); + free (path); +} + +#endif /* OS_UNIX */ + int main (int argc, char *argv[]) { p11_test (test_strndup, "/test/strndup"); + p11_test (test_getauxval, "/test/getauxval"); return p11_test_run (argc, argv); } -- cgit v1.1
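Review bot: `return (int)ret;` at the end of main() in frob-getauxval.c makes the process exit status the test's only result channel, and an exit status keeps just the low 8 bits, so a getauxval() value that is a multiple of 256 would read as 0 and a value of 1 looks the same as a generic failure exit. A short comment above it such as `/* exit status carries the auxv value; only meaningful for 0/1 entries like AT_SECURE */` would document that contract. The argument parsing uses `atoi`, which cannot report errors and whose negative results wrap when stored in `unsigned long type`; `strtoul` with an end-pointer check is the stricter form. The usage message has no trailing `\n`, and `abort ()` on a usage error raises SIGABRT where a plain `return 2;` would do.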
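Review bot: The registration `p11_test (test_getauxval, "/test/getauxval");` added to main() in test-compat.c sits outside the `#ifdef OS_UNIX` block that defines test_getauxval, so a build without OS_UNIX would reference an undefined function; wrap it as `#ifdef OS_UNIX` / `p11_test (test_getauxval, "/test/getauxval");` / `#endif`. In test_getauxval, `assert_num_cmp (ret, !=, 0)` accepts any non-zero result, so, depending on what p11_test_run_child returns for a child that fails to start or aborts (not visible here), the check could pass without AT_SECURE ever being observed; asserting the exact expected value would be tighter. If that assertion ends the test early, the setgid copy at `path` is presumably left in the build directory without being unlinked, which is worth a comment or a cleanup path.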