summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-03-09 16:36:48 -0800
committerJeremy Allison <jra@samba.org>2010-03-09 16:36:48 -0800
commit3855c948c029490c616f4b4aa81b47e6df8c12a0 (patch)
treed8de146356be8e8c645e9da2351dcd141afa15c9
parentae79d8ce02921e9a5c82433527909c7f707051e3 (diff)
downloadsamba-3855c948c029490c616f4b4aa81b47e6df8c12a0.tar.gz
samba-3855c948c029490c616f4b4aa81b47e6df8c12a0.tar.bz2
samba-3855c948c029490c616f4b4aa81b47e6df8c12a0.zip
Add tests which, when run as root, will ensure we can't write
into a read-only directory, or read a owner-read-only file. Jeremy.
-rwxr-xr-xsource3/script/tests/selftest.sh33
-rwxr-xr-xsource3/script/tests/test_smbclient_s3.sh128
-rwxr-xr-xsource3/script/tests/tests_all.sh4
3 files changed, 154 insertions, 11 deletions
diff --git a/source3/script/tests/selftest.sh b/source3/script/tests/selftest.sh
index 9994e47035..e49bca863b 100755
--- a/source3/script/tests/selftest.sh
+++ b/source3/script/tests/selftest.sh
@@ -36,9 +36,22 @@ if [ $CUSTOM_CONF_ARG ]; then
fi
##
-## create the test directory
+## create the test directory layout
##
PREFIX=`echo $DIRECTORY | sed s+//+/+`
+printf "%s" "CREATE TEST ENVIRONMENT IN '$PREFIX'"...
+/bin/rm -rf $PREFIX
+if [ -e "$PREFIX" ]; then
+ echo "***"
+ echo "*** Failed to delete test environment $PREFIX"
+ echo "*** Was a previous run done as root ?"
+ echo "***"
+ exit 1
+fi
+
+##
+## create the test directory
+##
mkdir -p $PREFIX || exit $?
OLD_PWD=`pwd`
cd $PREFIX || exit $?
@@ -145,11 +158,6 @@ if test "x`smbd -b | grep NSS_WRAPPER`" = "x"; then
fi
-##
-## create the test directory layout
-##
-printf "%s" "CREATE TEST ENVIRONMENT IN '$PREFIX'"...
-/bin/rm -rf $PREFIX/*
mkdir -p $PRIVATEDIR $NCALRPCDIR $LIBDIR $PIDDIR $LOCKDIR $LOGDIR
mkdir -p $SOCKET_WRAPPER_DIR
mkdir -p $WINBINDD_SOCKET_DIR
@@ -173,6 +181,16 @@ fi
chmod 777 $SHRDIR
##
+## Create a read-only directory.
+##
+RO_SHRDIR=`echo $SHRDIR | sed -e 's:/[^/]*$::'`
+RO_SHRDIR=$RO_SHRDIR/root-tmp
+mkdir -p $RO_SHRDIR
+chmod 755 $RO_SHRDIR
+touch $RO_SHRDIR/unreadable_file
+chmod 600 $RO_SHRDIR/unreadable_file
+
+##
## Create the common config include file with the basic settings
##
@@ -269,6 +287,9 @@ cat >$SERVERCONFFILE<<EOF
[tmp]
path = $SHRDIR
+[ro-tmp]
+ path = $RO_SHRDIR
+ guest ok = yes
[hideunread]
copy = tmp
hide unreadable = yes
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index ff5022015f..84a3999f90 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -2,9 +2,9 @@
# this runs the file serving tests that are expected to pass with samba3
-if [ $# -lt 4 ]; then
+if [ $# -lt 5 ]; then
cat <<EOF
-Usage: test_smbclient_s3.sh SERVER SERVER_IP USERNAME PASSWORD
+Usage: test_smbclient_s3.sh SERVER SERVER_IP USERNAME PASSWORD USERID
EOF
exit 1;
fi
@@ -13,8 +13,9 @@ SERVER="$1"
SERVER_IP="$2"
USERNAME="$3"
PASSWORD="$4"
+USERID="$5"
SMBCLIENT="$VALGRIND ${SMBCLIENT:-$BINDIR/smbclient} $CONFIGURATION"
-shift 4
+shift 5
ADDARGS="$*"
test x"$TEST_FUNCTIONS_SH" != x"INCLUDED" && {
@@ -126,6 +127,119 @@ EOF
fi
}
+# Test writing into a read-only directory (logon as guest) fails.
+test_read_only_dir()
+{
+ prompt="NT_STATUS_ACCESS_DENIED making remote directory"
+ tmpfile=/tmp/smbclient.in.$$
+
+##
+## We can't do this as non-root. We always have rights to
+## create the directory.
+##
+ if [ "$USERID" != 0 ]; then
+ echo "skipping test_read_only_dir as non-root"
+ true
+ return
+ fi
+
+##
+## We can't do this with an encrypted connection. No credentials
+## to set up the channel.
+##
+ if [ "$ADDARGS" == "-e" ]; then
+ echo "skipping test_read_only_dir with encrypted connection"
+ true
+ return
+ fi
+
+ cat > $tmpfile <<EOF
+mkdir a_test_dir
+quit
+EOF
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT $CONFIGURATION "$@" -U% //$SERVER/ro-tmp -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret != 0 ] ; then
+ echo "$out"
+ echo "failed writing into read-only directory with error $ret"
+ false
+ return
+ fi
+
+ echo "$out" | grep "$prompt" >/dev/null 2>&1
+
+ ret=$?
+ if [ $ret = 0 ] ; then
+ # got the correct prompt .. succeed
+ true
+ else
+ echo "$out"
+ echo "failed writing into read-only directory - grep failed with $ret"
+ false
+ fi
+}
+
+# Test reading an owner-only file (logon as guest) fails.
+test_owner_only_file()
+{
+ prompt="NT_STATUS_ACCESS_DENIED opening remote file"
+ tmpfile=/tmp/smbclient.in.$$
+
+##
+## We can't do this as non-root. We always have rights to
+## read the file.
+##
+ if [ "$USERID" != 0 ]; then
+ echo "skipping test_owner_only_file as non-root"
+ true
+ return
+ fi
+
+##
+## We can't do this with an encrypted connection. No credentials
+## to set up the channel.
+##
+ if [ "$ADDARGS" == "-e" ]; then
+ echo "skipping test_owner_only_file with encrypted connection"
+ true
+ return
+ fi
+
+ cat > $tmpfile <<EOF
+get unreadable_file
+quit
+EOF
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT $CONFIGURATION "$@" -U% //$SERVER/ro-tmp -I $SERVER_IP $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret != 0 ] ; then
+ echo "$out"
+ echo "failed reading owner-only file with error $ret"
+ false
+ return
+ fi
+
+ echo "$out" | grep "$prompt" >/dev/null 2>&1
+
+ ret=$?
+ if [ $ret = 0 ] ; then
+ # got the correct prompt .. succeed
+ true
+ else
+ echo "$out"
+ echo "failed reading owner-only file - grep failed with $ret"
+ false
+ fi
+}
testit "smbclient -L $SERVER_IP" $SMBCLIENT $CONFIGURATION -L $SERVER_IP -N -p 139 || failed=`expr $failed + 1`
testit "smbclient -L $SERVER -I $SERVER_IP" $SMBCLIENT $CONFIGURATION -L $SERVER -I $SERVER_IP -N -p 139 || failed=`expr $failed + 1`
@@ -150,4 +264,12 @@ testit "creating a bad symlink and deleting it" \
test_bad_symlink || \
failed=`expr $failed + 1`
+testit "writing into a read-only directory fails" \
+ test_read_only_dir || \
+ failed=`expr $failed + 1`
+
+testit "Reading a owner-only file fails" \
+ test_owner_only_file || \
+ failed=`expr $failed + 1`
+
testok $0 $failed
diff --git a/source3/script/tests/tests_all.sh b/source3/script/tests/tests_all.sh
index 11d315b198..153f8ea0d5 100755
--- a/source3/script/tests/tests_all.sh
+++ b/source3/script/tests/tests_all.sh
@@ -20,13 +20,13 @@ smbtorture_s3_encrypted() {
smbclient_s3() {
echo "RUNNING TESTS smbclient_s3"
- $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP $USERNAME $PASSWORD \
+ $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP $USERNAME $PASSWORD $USERID \
|| failed=`expr $failed + $?`
}
smbclient_s3_encrypted() {
echo "RUNNING TESTS smbclient_s3_encrypted"
- $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP $USERNAME $PASSWORD "-e" \
+ $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP $USERNAME $PASSWORD $USERID "-e" \
|| failed=`expr $failed + $?`
}