diff options
| author | Jeremy Allison <jra@samba.org> | 2010-03-09 16:36:48 -0800 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2010-03-09 16:36:48 -0800 |
| commit | 3855c948c029490c616f4b4aa81b47e6df8c12a0 (patch) | |
| tree | d8de146356be8e8c645e9da2351dcd141afa15c9 /source3/script | |
| parent | ae79d8ce02921e9a5c82433527909c7f707051e3 (diff) | |
| download | samba-3855c948c029490c616f4b4aa81b47e6df8c12a0.tar.gz samba-3855c948c029490c616f4b4aa81b47e6df8c12a0.tar.bz2 samba-3855c948c029490c616f4b4aa81b47e6df8c12a0.zip | |
Add tests which, when run as root, will ensure we can't write
into a read-only directory, or read a owner-read-only file.
Jeremy.
Diffstat (limited to 'source3/script')
| -rwxr-xr-x | source3/script/tests/selftest.sh | 33 | ||||
| -rwxr-xr-x | source3/script/tests/test_smbclient_s3.sh | 128 | ||||
| -rwxr-xr-x | source3/script/tests/tests_all.sh | 4 |
3 files changed, 154 insertions, 11 deletions
diff --git a/source3/script/tests/selftest.sh b/source3/script/tests/selftest.sh index 9994e47035..e49bca863b 100755 --- a/source3/script/tests/selftest.sh +++ b/source3/script/tests/selftest.sh @@ -36,9 +36,22 @@ if [ $CUSTOM_CONF_ARG ]; then fi ## -## create the test directory +## create the test directory layout ## PREFIX=`echo $DIRECTORY | sed s+//+/+` +printf "%s" "CREATE TEST ENVIRONMENT IN '$PREFIX'"... +/bin/rm -rf $PREFIX +if [ -e "$PREFIX" ]; then + echo "***" + echo "*** Failed to delete test environment $PREFIX" + echo "*** Was a previous run done as root ?" + echo "***" + exit 1 +fi + +## +## create the test directory +## mkdir -p $PREFIX || exit $? OLD_PWD=`pwd` cd $PREFIX || exit $? @@ -145,11 +158,6 @@ if test "x`smbd -b | grep NSS_WRAPPER`" = "x"; then fi -## -## create the test directory layout -## -printf "%s" "CREATE TEST ENVIRONMENT IN '$PREFIX'"... -/bin/rm -rf $PREFIX/* mkdir -p $PRIVATEDIR $NCALRPCDIR $LIBDIR $PIDDIR $LOCKDIR $LOGDIR mkdir -p $SOCKET_WRAPPER_DIR mkdir -p $WINBINDD_SOCKET_DIR @@ -173,6 +181,16 @@ fi chmod 777 $SHRDIR ## +## Create a read-only directory. +## +RO_SHRDIR=`echo $SHRDIR | sed -e 's:/[^/]*$::'` +RO_SHRDIR=$RO_SHRDIR/root-tmp +mkdir -p $RO_SHRDIR +chmod 755 $RO_SHRDIR +touch $RO_SHRDIR/unreadable_file +chmod 600 $RO_SHRDIR/unreadable_file + +## ## Create the common config include file with the basic settings ## @@ -269,6 +287,9 @@ cat >$SERVERCONFFILE<<EOF [tmp] path = $SHRDIR +[ro-tmp] + path = $RO_SHRDIR + guest ok = yes [hideunread] copy = tmp hide unreadable = yes diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh index ff5022015f..84a3999f90 100755 --- a/source3/script/tests/test_smbclient_s3.sh +++ b/source3/script/tests/test_smbclient_s3.sh @@ -2,9 +2,9 @@ # this runs the file serving tests that are expected to pass with samba3 -if [ $# -lt 4 ]; then +if [ $# -lt 5 ]; then cat <<EOF -Usage: test_smbclient_s3.sh SERVER SERVER_IP USERNAME PASSWORD +Usage: test_smbclient_s3.sh SERVER SERVER_IP USERNAME PASSWORD USERID EOF exit 1; fi @@ -13,8 +13,9 @@ SERVER="$1" SERVER_IP="$2" USERNAME="$3" PASSWORD="$4" +USERID="$5" SMBCLIENT="$VALGRIND ${SMBCLIENT:-$BINDIR/smbclient} $CONFIGURATION" -shift 4 +shift 5 ADDARGS="$*" test x"$TEST_FUNCTIONS_SH" != x"INCLUDED" && { @@ -126,6 +127,119 @@ EOF fi } +# Test writing into a read-only directory (logon as guest) fails. +test_read_only_dir() +{ + prompt="NT_STATUS_ACCESS_DENIED making remote directory" + tmpfile=/tmp/smbclient.in.$$ + +## +## We can't do this as non-root. We always have rights to +## create the directory. +## + if [ "$USERID" != 0 ]; then + echo "skipping test_read_only_dir as non-root" + true + return + fi + +## +## We can't do this with an encrypted connection. No credentials +## to set up the channel. +## + if [ "$ADDARGS" == "-e" ]; then + echo "skipping test_read_only_dir with encrypted connection" + true + return + fi + + cat > $tmpfile <<EOF +mkdir a_test_dir +quit +EOF + + cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT $CONFIGURATION "$@" -U% //$SERVER/ro-tmp -I $SERVER_IP $ADDARGS < $tmpfile 2>&1' + eval echo "$cmd" + out=`eval $cmd` + ret=$? + rm -f $tmpfile + + if [ $ret != 0 ] ; then + echo "$out" + echo "failed writing into read-only directory with error $ret" + false + return + fi + + echo "$out" | grep "$prompt" >/dev/null 2>&1 + + ret=$? + if [ $ret = 0 ] ; then + # got the correct prompt .. succeed + true + else + echo "$out" + echo "failed writing into read-only directory - grep failed with $ret" + false + fi +} + +# Test reading an owner-only file (logon as guest) fails. +test_owner_only_file() +{ + prompt="NT_STATUS_ACCESS_DENIED opening remote file" + tmpfile=/tmp/smbclient.in.$$ + +## +## We can't do this as non-root. We always have rights to +## read the file. +## + if [ "$USERID" != 0 ]; then + echo "skipping test_owner_only_file as non-root" + true + return + fi + +## +## We can't do this with an encrypted connection. No credentials +## to set up the channel. +## + if [ "$ADDARGS" == "-e" ]; then + echo "skipping test_owner_only_file with encrypted connection" + true + return + fi + + cat > $tmpfile <<EOF +get unreadable_file +quit +EOF + + cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT $CONFIGURATION "$@" -U% //$SERVER/ro-tmp -I $SERVER_IP $ADDARGS < $tmpfile 2>&1' + eval echo "$cmd" + out=`eval $cmd` + ret=$? + rm -f $tmpfile + + if [ $ret != 0 ] ; then + echo "$out" + echo "failed reading owner-only file with error $ret" + false + return + fi + + echo "$out" | grep "$prompt" >/dev/null 2>&1 + + ret=$? + if [ $ret = 0 ] ; then + # got the correct prompt .. succeed + true + else + echo "$out" + echo "failed reading owner-only file - grep failed with $ret" + false + fi +} testit "smbclient -L $SERVER_IP" $SMBCLIENT $CONFIGURATION -L $SERVER_IP -N -p 139 || failed=`expr $failed + 1` testit "smbclient -L $SERVER -I $SERVER_IP" $SMBCLIENT $CONFIGURATION -L $SERVER -I $SERVER_IP -N -p 139 || failed=`expr $failed + 1` @@ -150,4 +264,12 @@ testit "creating a bad symlink and deleting it" \ test_bad_symlink || \ failed=`expr $failed + 1` +testit "writing into a read-only directory fails" \ + test_read_only_dir || \ + failed=`expr $failed + 1` + +testit "Reading a owner-only file fails" \ + test_owner_only_file || \ + failed=`expr $failed + 1` + testok $0 $failed diff --git a/source3/script/tests/tests_all.sh b/source3/script/tests/tests_all.sh index 11d315b198..153f8ea0d5 100755 --- a/source3/script/tests/tests_all.sh +++ b/source3/script/tests/tests_all.sh @@ -20,13 +20,13 @@ smbtorture_s3_encrypted() { smbclient_s3() { echo "RUNNING TESTS smbclient_s3" - $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP $USERNAME $PASSWORD \ + $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP $USERNAME $PASSWORD $USERID \ || failed=`expr $failed + $?` } smbclient_s3_encrypted() { echo "RUNNING TESTS smbclient_s3_encrypted" - $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP $USERNAME $PASSWORD "-e" \ + $SCRIPTDIR/test_smbclient_s3.sh $SERVER $SERVER_IP $USERNAME $PASSWORD $USERID "-e" \ || failed=`expr $failed + $?` } |