bug-coreutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#8292: COREUTILS-8.9: Potential bug in tests/cp/preserve-gid


From: gmail
Subject: bug#8292: COREUTILS-8.9: Potential bug in tests/cp/preserve-gid
Date: Sun, 20 Mar 2011 18:10:48 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9

Le 20/03/2011 15:37, Jim Meyering a écrit :
gmail wrote:
...
Normally setuidgid MUST take the parent shell environment, so i
finally add a strace in the test to the original source :
Thanks for investigating.

--- tests/cp/preserve-gid       2011-03-20 13:34:52.000000000 +0100
+++ tests/cp/preserve-gid.orig  2011-01-01 22:19:23.000000000 +0100
@@ -38,7 +38,7 @@
    u=$1; shift
    g=$1; shift
    rm -f b || exit 1
-  strace -o ../../trace.txt "$@" "$f" b || exit 1
+  "$@" "$f" b || exit 1
    s=`stat -c '%u %g' b`
    if test "x$s" != "x$u $g"; then
      # Allow the actual group to match that of the parent directory

And got this .... :
...
  execve("/usr/src/coreutils-8.9_build3/src/cp", ["cp", "-p", "c1",
"b"], [/* 72 vars */]) = -1 EACCES (Permission denied)
...
The setuidgid has the PATH, but this is an absolute PATH and PATH
traversal with the test uid/gid  fail.
But why is that?  I.e., it implies that NON_ROOT_USERNAME (your
"cedric" user) cannot run that program, yet the README instructions
regarding how to run root tests suggest that NON_ROOT_USERNAME must
have access to the sources and built programs.

Can you reproduce the failure if you follow these guidelines from
the README file?

     I find that it is best to unpack and build as a non-privileged
     user, and then to run the following command as that user in order
     to run the privilege-requiring tests:

       sudo env PATH="$PATH" NON_ROOT_USERNAME=$USER make -k check-root

it seems i have not been enough precise, to be clear, "cedric" user HAS full read/write access to the source and the build :


address@hidden # su cedric

address@hidden find /usr/src/coreutils-8.9 -name preserve-gid

/usr/src/coreutils-8.9/tests/cp/preserve-gid

address@hidden find /usr/src/coreutils-8.9_build -name preserve-gid.log

/usr/src/coreutils-8.9_build/tests/cp/preserve-gid.log

address@hidden touch /usr/src/coreutils-8.9_build3/writing

address@hidden touch /usr/src/coreutils-8.9/writing

address@hidden



And the test fail anyway as root :


    FAIL: cp/preserve-gid (exit: 1)
    ===============================

    ++ initial_cwd_=/usr/src/coreutils-8.9_build3/tests
    ++ fail=0
    +++ testdir_prefix_
    +++ printf gt
    ++ pfx_=gt
    +++ mktempd_ /usr/src/coreutils-8.9_build3/tests gt-preserve-gid.XXXX
    +++ destdir_=/usr/src/coreutils-8.9_build3/tests
    +++ template_=gt-preserve-gid.XXXX
    +++ MAX_TRIES_=4
    ++++ unset TMPDIR
++++ mktemp -d -t -p /usr/src/coreutils-8.9_build3/tests gt-preserve-gid.XXXX
    +++ d=/usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
    +++ test -d /usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
    ++++ tr S -
    ++++ ls -dgo /usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
+++ perms=drwx------ 2 4096 Mar 20 17:31 /usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
    +++ test 0 = 0
    +++ echo /usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
    +++ return
    ++ test_dir_=/usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
    ++ cd /usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
    ++ gl_init_sh_nl_=

    ++ IFS=

    +++ expr 1 + 128
    ++ eval 'trap '\''Exit 129'\'' 1'
    +++ trap 'Exit 129' 1
    +++ expr 2 + 128
    ++ eval 'trap '\''Exit 130'\'' 2'
    +++ trap 'Exit 130' 2

    ....

    + t0 c1 1000 1001 setuidgid -g 1000,1001 1000 cp -p
    + f=c1
    + shift
    + u=1000
    + shift
    + g=1001
    + shift
    + rm -f b
    + setuidgid -g 1000,1001 1000 cp -p c1 b
    ++ stat -c '%u %g' b
    + s=1000 1000
    + test 'x1000 1000' '!=' 'x1000 1001'
    + test 'x1000 1000' = 'x1000 0'
+ echo '../../coreutils-8.9/tests/cp/preserve-gid: setuidgid -g 1000,1001 1000 cp -p c1 b: 1000 1001 != 1000 1000' ../../coreutils-8.9/tests/cp/preserve-gid: setuidgid -g 1000,1001 1000 cp -p c1 b: 1000 1001 != 1000 1000
    + Exit 1
    + set +e
    + exit 1
    + exit 1
    + remove_tmp_
    + __st=1
    + cleanup_
    + :
    + cd /usr/src/coreutils-8.9_build3/tests
+ chmod -R u+rwx /usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
    + rm -rf /usr/src/coreutils-8.9_build3/tests/gt-preserve-gid.l7ug
    + exit 1

The user '1000', gid '1001' used for the gt-preserve-gid test no access to the /usr/src root, and i see nothing in the guideline requiring to give unrestricted source and build access to anyone. This is under this uid account that the setuigid try to launch the builded cp and fail, due to the fact that the PATH variable has a full path refering to /usr/src/coreutils-8.9_build3/src, implying a path traversal with uid 1000 :

+ PATH=/usr/src/coreutils-8.9_build3/src:/usr/src/coreutils-8.9_build3/src:.:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin


This patch is a way to solve  this problem :

--- tests/cp/preserve-gid.orig  2011-01-01 22:19:23.000000000 +0100
+++ tests/cp/preserve-gid.cea   2011-03-20 14:05:19.000000000 +0100
@@ -56,7 +56,8 @@
   f=$1; shift
   u=$1; shift
   g=$1; shift
-  t0 "$f" "$u" "$g" setuidgid -g "$nameless_gid1,$nameless_gid2" \
+  t0 "$f" "$u" "$g" env PATH="../../src:$PATH" \
+      setuidgid -g "$nameless_gid1,$nameless_gid2" \
       "$nameless_uid" "$@"
 }


An other way could be to check if the PATH variable could have a relative path instead of a full path, which need far more work.

There could be other problems of this kind in other tests using uid/gid change too, but the gt-preserve-gid was the only test that fail in my build.

Regards, Cedric.







reply via email to

[Prev in Thread] Current Thread [Next in Thread]