| 59 | } |
| 60 | |
| 61 | int main(int argc, char **argv) |
| 62 | { |
| 63 | if (argc != 2) { |
| 64 | fprintf(stderr, "usage: %s <module-dir>\n", argv[0]); |
| 65 | return 2; |
| 66 | } |
| 67 | if (chdir(argv[1]) < 0) { |
| 68 | perror("chdir"); |
| 69 | return 2; |
| 70 | } |
| 71 | |
| 72 | /* Simulate the daemon-without-chroot deployment that do_chmod_at() |
| 73 | * defends. With am_daemon=0 or am_chrooted=1 the wrapper falls |
| 74 | * through to plain do_chmod() and the symlink-race test would be |
| 75 | * meaningless. */ |
| 76 | am_daemon = 1; |
| 77 | am_chrooted = 0; |
| 78 | |
| 79 | /* Test layout (all inside the directory we just chdir'd to): |
| 80 | * |
| 81 | * ./realdir/sentinel -- regular target file |
| 82 | * ./inside_link -> realdir -- legitimate dir-symlink within the tree |
| 83 | * ./escape_link -> ../trap -- attacker swap, target outside tree |
| 84 | * ../trap/sentinel -- the file the attacker wants to alter |
| 85 | * |
| 86 | * The shell wrapper that calls this helper has set both sentinel |
| 87 | * files to mode 0600 so we have a clean baseline to compare. |
| 88 | */ |
| 89 | |
| 90 | /* Scenario A: legitimate parent dir-symlink, chmod must succeed. */ |
| 91 | int rc = do_chmod_at("inside_link/sentinel", 0640); |
| 92 | check("A: legit dir-symlink within tree", |
| 93 | rc, 1, "realdir/sentinel", 0640); |
| 94 | |
| 95 | /* Scenario B: parent symlink escapes the tree -- chmod must be |
| 96 | * rejected and the outside file's mode must be unchanged. */ |
| 97 | rc = do_chmod_at("escape_link/sentinel", 0666); |
| 98 | check("B: parent symlink escapes tree (the attack)", |
| 99 | rc, 0, "../trap/sentinel", 0600); |
| 100 | |
| 101 | /* Scenario C: plain relative path with no symlink components, |
| 102 | * regression check that the safe wrapper doesn't break the |
| 103 | * normal case. */ |
| 104 | rc = do_chmod_at("realdir/sentinel", 0644); |
| 105 | check("C: plain relative path (regression check)", |
| 106 | rc, 1, "realdir/sentinel", 0644); |
| 107 | |
| 108 | /* Scenario D: top-level file, no parent directory component. |
| 109 | * Falls back to do_chmod(); should succeed. */ |
| 110 | rc = do_chmod_at("topfile", 0640); |
| 111 | check("D: top-level file, no parent component", |
| 112 | rc, 1, "topfile", 0640); |
| 113 | |
| 114 | if (errs) |
| 115 | fprintf(stderr, "%d failure(s)\n", errs); |
| 116 | return errs ? 1 : 0; |
| 117 | } |
nothing calls this directly
no test coverage detected