diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2014-07-27 14:44:24 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-10 13:56:08 +0200 |
commit | 428db8a58c0c149d5efccc6d788f70916c1d34d7 (patch) | |
tree | 531147790cdabf2d81b56915bed7e3e29d878efe /src | |
parent | 40b2be4f4312470044cdef460b02b66003f5c85f (diff) | |
download | sssd-428db8a58c0c149d5efccc6d788f70916c1d34d7.tar.gz sssd-428db8a58c0c149d5efccc6d788f70916c1d34d7.tar.xz sssd-428db8a58c0c149d5efccc6d788f70916c1d34d7.zip |
TESTS: Add a test to change user IDs
Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/tests/cwrap/Makefile.am | 47 | ||||
-rwxr-xr-x | src/tests/cwrap/cwrap_test_setup.sh | 17 | ||||
-rw-r--r-- | src/tests/cwrap/group | 1 | ||||
-rw-r--r-- | src/tests/cwrap/passwd | 1 | ||||
-rw-r--r-- | src/tests/cwrap/test_become_user.c | 156 |
5 files changed, 222 insertions, 0 deletions
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am new file mode 100644 index 000000000..34aec92c1 --- /dev/null +++ b/src/tests/cwrap/Makefile.am @@ -0,0 +1,47 @@ +AM_CPPFLAGS = \ + -Wall \ + -I$(top_srcdir)/src \ + -I. \ + $(DBUS_CFLAGS) \ + $(NULL) + +TESTS_ENVIRONMENT = \ + CWRAP_TEST_SRCDIR=$(abs_srcdir) \ + . $(srcdir)/cwrap_test_setup.sh; \ + $(AUX_TESTS_ENVIRONMENT) \ + $(NULL) + +dist_noinst_SCRIPTS = \ + cwrap_test_setup.sh \ + $(NULL) + +dist_noinst_DATA = \ + group \ + passwd \ + $(NULL) + +check_PROGRAMS = +if HAVE_CMOCKA +if HAVE_NSS_WRAPPER +if HAVE_UID_WRAPPER +check_PROGRAMS += become_user-tests +endif # HAVE_UID_WRAPPER +endif # HAVE_NSS_WRAPPER +endif # HAVE_CMOCKA + +TESTS = $(check_PROGRAMS) + +become_user_tests_SOURCES = \ + test_become_user.c \ + $(NULL) +become_user_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) +become_user_tests_LDADD = \ + $(POPT_LIBS) \ + $(CMOCKA_LIBS) \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la \ + $(NULL) + +tests: $(check_PROGRAMS) diff --git a/src/tests/cwrap/cwrap_test_setup.sh b/src/tests/cwrap/cwrap_test_setup.sh new file mode 100755 index 000000000..0d35cb7e5 --- /dev/null +++ b/src/tests/cwrap/cwrap_test_setup.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +pkg-config --exists nss_wrapper || exit 1 +pkg-config --exists uid_wrapper || exit 1 + +nss_wrapper=$(pkg-config --libs nss_wrapper) +uid_wrapper=$(pkg-config --libs uid_wrapper) +if [ -z $nss_wrapper -o -z $uid_wrapper ]; then + echo "Cannot locate cwrap libraries" + exit 2 +fi + +export LD_PRELOAD="$nss_wrapper $uid_wrapper" +export NSS_WRAPPER_PASSWD=$CWRAP_TEST_SRCDIR/passwd +export NSS_WRAPPER_GROUP=$CWRAP_TEST_SRCDIR/group +export UID_WRAPPER=1 +export UID_WRAPPER_ROOT=1 diff --git a/src/tests/cwrap/group b/src/tests/cwrap/group new file mode 100644 index 000000000..61e428c41 --- /dev/null +++ b/src/tests/cwrap/group @@ -0,0 +1 @@ +sssd:x:123: diff --git a/src/tests/cwrap/passwd b/src/tests/cwrap/passwd new file mode 100644 index 000000000..aa0a97db5 --- /dev/null +++ b/src/tests/cwrap/passwd @@ -0,0 +1 @@ +sssd:x:123:123:sssd unprivileged user:/:/sbin/nologin diff --git a/src/tests/cwrap/test_become_user.c b/src/tests/cwrap/test_become_user.c new file mode 100644 index 000000000..06d3ad425 --- /dev/null +++ b/src/tests/cwrap/test_become_user.c @@ -0,0 +1,156 @@ +/* + Authors: + Jakub Hrozek <jhrozek@redhat.com> + + Copyright (C) 2014 Red Hat + + SSSD tests: User switching + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +/* Yes, a .c file. We need to call static functions during the test */ +#include "../../../src/util/become_user.c" + +#include <popt.h> +#include "util/util.h" +#include "tests/cmocka/common_mock.h" + +void test_become_user(void **state) +{ + struct passwd *sssd; + errno_t ret; + pid_t pid, wpid; + int status; + + /* Must root as root, real or fake */ + assert_int_equal(geteuid(), 0); + + sssd = getpwnam("sssd"); + assert_non_null(sssd); + + pid = fork(); + if (pid == 0) { + /* Change the UID in a child */ + ret = become_user(sssd->pw_uid, sssd->pw_gid); + assert_int_equal(ret, EOK); + + /* Make sure we have the requested UID and GID now and there + * are no supplementary groups + */ + assert_int_equal(geteuid(), sssd->pw_uid); + assert_int_equal(getegid(), sssd->pw_gid); + assert_int_equal(getuid(), sssd->pw_uid); + assert_int_equal(getgid(), sssd->pw_gid); + + /* Another become_user is a no-op */ + ret = become_user(sssd->pw_uid, sssd->pw_gid); + assert_int_equal(ret, EOK); + + assert_int_equal(getgroups(0, NULL), 0); + exit(0); + } + + assert_int_not_equal(pid, -1); + + wpid = waitpid(pid, &status, 0); + assert_int_equal(wpid, pid); + assert_true(WIFEXITED(status)); + assert_int_equal(WEXITSTATUS(status), 0); +} + +void test_switch_user(void **state) +{ + errno_t ret; + struct passwd *sssd; + TALLOC_CTX *tmp_ctx; + struct sss_creds *saved_creds; + + check_leaks_push(global_talloc_context); + tmp_ctx = talloc_new(global_talloc_context); + assert_non_null(tmp_ctx); + + /* Must root as root, real or fake */ + assert_int_equal(geteuid(), 0); + + sssd = getpwnam("sssd"); + assert_non_null(sssd); + + check_leaks_push(tmp_ctx); + + ret = switch_creds(tmp_ctx, sssd->pw_uid, sssd->pw_gid, + 0, NULL, &saved_creds); + assert_int_equal(ret, EOK); + assert_int_equal(geteuid(), sssd->pw_uid); + assert_int_equal(getegid(), sssd->pw_gid); + /* Only effective UID is changed.. */ + assert_int_equal(getuid(), 0); + assert_int_equal(getgid(), 0); + + assert_non_null(saved_creds); + assert_int_equal(saved_creds->uid, 0); + assert_int_equal(saved_creds->gid, 0); + + /* restore root */ + ret = restore_creds(saved_creds); + assert_int_equal(ret, EOK); + assert_int_equal(geteuid(), 0); + assert_int_equal(getegid(), 0); + assert_int_equal(getuid(), 0); + assert_int_equal(getgid(), 0); + + talloc_free(saved_creds); + check_leaks_pop(tmp_ctx); + talloc_free(tmp_ctx); + check_leaks_pop(global_talloc_context); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const UnitTest tests[] = { + unit_test(test_become_user), + unit_test(test_switch_user), + }; + + /* Set debug level to invalid value so we can deside if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old db to be sure */ + tests_set_cwd(); + + return run_tests(tests); +} |