From: Tim Beale <timbeale@catalyst.net.nz>
Date: Fri, 15 Mar 2019 00:52:50 +0000 (+1300)
Subject: CVE-2019-3870 tests: Add test to check file-permissions are correct after provision
X-Git-Tag: samba-4.11.0rc1~1378
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;ds=sidebyside;h=0c8ad9c9dbeac1ad0ca3553a19d7bbf652bb650d;p=samba.git

CVE-2019-3870 tests: Add test to check file-permissions are correct after provision

This provisions a new DC and checks there are no world-writable
files in the new DC's private directory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/selftest/knownfail.d/provision_fileperms b/selftest/knownfail.d/provision_fileperms
new file mode 100644
index 00000000000..88b1585fd19
--- /dev/null
+++ b/selftest/knownfail.d/provision_fileperms
@@ -0,0 +1 @@
+samba4.blackbox.provision_fileperms.provision-fileperms\(none\)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 76655d768f0..f74678fb90b 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -948,6 +948,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_default)", "ad_dc_default
 plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")])
 plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision'])
 plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision'])
+plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision'])
 plantestsuite("samba4.blackbox.supported_features", "none",
               ["PYTHON=%s" % python,
                os.path.join(samba4srcdir,
diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh
new file mode 100755
index 00000000000..0b3ef0321fb
--- /dev/null
+++ b/source4/setup/tests/provision_fileperms.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: $0 PREFIX
+EOF
+exit 1;
+fi
+
+PREFIX="$1"
+shift 1
+
+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
+
+# selftest sets the umask to zero. Explicitly set it to 022 here,
+# which should mean files should never be writable for anyone else
+ORIG_UMASK=`umask`
+umask 0022
+
+# checks that the files in the 'private' directory created are not
+# world-writable
+check_private_file_perms()
+{
+    target_dir="$1/private"
+    result=0
+
+    for file in `ls $target_dir/`
+    do
+        filepath="$target_dir/$file"
+
+        # skip directories/sockets for now
+        if [ ! -f $filepath ] ; then
+            continue;
+        fi
+
+        # use stat to get the file permissions, i.e. -rw-------
+        file_perm=`stat -c "%A" $filepath`
+
+        # then use cut to drop the first 4 chars containing the file type
+        # and owner permissions. What's left is the group and other users
+        global_perm=`echo $file_perm | cut -c4-`
+
+        # check the remainder doesn't have write permissions set
+        if [ -z "${global_perm##*w*}" ] ; then
+            echo "Error: $file has $file_perm permissions"
+            result=1
+        fi
+    done
+    return $result
+}
+
+TARGET_DIR=$PREFIX/basic-dc
+rm -rf $TARGET_DIR
+
+# create a dummy smb.conf - we need to use fake ACLs for the file system here
+# (but passing --option args with spaces in it proved too difficult in bash)
+SMB_CONF=$TARGET_DIR/tmp/smb.conf
+mkdir -p `dirname $SMB_CONF`
+echo "vfs objects = fake_acls xattr_tdb" > $SMB_CONF
+
+# provision a basic DC
+testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF
+
+# check the file permissions in the 'private' directory really are private
+testit "provision-fileperms" check_private_file_perms $TARGET_DIR
+
+rm -rf $TARGET_DIR
+
+umask $ORIG_UMASK
+
+exit $failed