1172106Srwatson/*- 2172106Srwatson * Copyright (c) 2007 Robert M. M. Watson 3172106Srwatson * All rights reserved. 4172106Srwatson * 5172106Srwatson * This software was developed by Robert N. M. Watson for the TrustedBSD 6172106Srwatson * Project. 7172106Srwatson * 8172106Srwatson * Redistribution and use in source and binary forms, with or without 9172106Srwatson * modification, are permitted provided that the following conditions 10172106Srwatson * are met: 11172106Srwatson * 1. Redistributions of source code must retain the above copyright 12172106Srwatson * notice, this list of conditions and the following disclaimer. 13172106Srwatson * 2. Redistributions in binary form must reproduce the above copyright 14172106Srwatson * notice, this list of conditions and the following disclaimer in the 15172106Srwatson * documentation and/or other materials provided with the distribution. 16172106Srwatson * 17172106Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18172106Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19172106Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20172106Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY, 21172106Srwatson * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 22172106Srwatson * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 23172106Srwatson * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 24172106Srwatson * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 25172106Srwatson * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 26172106Srwatson * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27172106Srwatson * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28172106Srwatson * 29172106Srwatson * $FreeBSD$ 30172106Srwatson */ 31172106Srwatson 32172106Srwatson/* 33172106Srwatson * Confirm that various UID/GID/etc-related system calls require root 34228975Suqs * privilege in the absence of any saved/real/etc variations in the 35172106Srwatson * credential. It would be nice to also check cases where those bits of the 36172106Srwatson * credential are more interesting. 37172106Srwatson * 38172106Srwatson * XXXRW: Add support for testing more diverse real/saved scenarios. 39172106Srwatson */ 40172106Srwatson 41172106Srwatson#include <sys/types.h> 42172106Srwatson 43172106Srwatson#include <err.h> 44172106Srwatson#include <errno.h> 45172106Srwatson#include <stdio.h> 46172106Srwatson#include <unistd.h> 47172106Srwatson 48172106Srwatson#include "main.h" 49172106Srwatson 50172106Srwatsonint 51172106Srwatsonpriv_cred_setup(int asroot, int injail, struct test *test) 52172106Srwatson{ 53172106Srwatson 54172106Srwatson return (0); 55172106Srwatson} 56172106Srwatson 57172106Srwatsonvoid 58172106Srwatsonpriv_cred_setuid(int asroot, int injail, struct test *test) 59172106Srwatson{ 60172106Srwatson int error; 61172106Srwatson 62172106Srwatson error = setuid(UID_OTHER); 63172106Srwatson if (asroot && injail) 64172106Srwatson expect("priv_setuid(asroot, injail)", error, 0, 0); 65172106Srwatson if (asroot && !injail) 66172106Srwatson expect("priv_setuid(asroot, !injail)", error, 0, 0); 67172106Srwatson if (!asroot && injail) 68172106Srwatson expect("priv_setuid(!asroot, injail)", error, -1, EPERM); 69172106Srwatson if (!asroot && !injail) 70172106Srwatson expect("priv_setuid(!asroot, !injail)", error, -1, EPERM); 71172106Srwatson} 72172106Srwatson 73172106Srwatsonvoid 74172106Srwatsonpriv_cred_seteuid(int asroot, int injail, struct test *test) 75172106Srwatson{ 76172106Srwatson int error; 77172106Srwatson 78172106Srwatson error = seteuid(UID_OTHER); 79172106Srwatson if (asroot && injail) 80172106Srwatson expect("priv_seteuid(asroot, injail)", error, 0, 0); 81172106Srwatson if (asroot && !injail) 82172106Srwatson expect("priv_seteuid(asroot, !injail)", error, 0, 0); 83172106Srwatson if (!asroot && injail) 84172106Srwatson expect("priv_seteuid(!asroot, injail)", error, -1, EPERM); 85172106Srwatson if (!asroot && !injail) 86172106Srwatson expect("priv_seteuid(!asroot, !injail)", error, -1, EPERM); 87172106Srwatson} 88172106Srwatson 89172106Srwatsonvoid 90172106Srwatsonpriv_cred_setgid(int asroot, int injail, struct test *test) 91172106Srwatson{ 92172106Srwatson int error; 93172106Srwatson 94172106Srwatson error = setgid(GID_OTHER); 95172106Srwatson if (asroot && injail) 96172106Srwatson expect("priv_setgid(asroot, injail)", error, 0, 0); 97172106Srwatson if (asroot && !injail) 98172106Srwatson expect("priv_setgid(asroot, !injail)", error, 0, 0); 99172106Srwatson if (!asroot && injail) 100172106Srwatson expect("priv_setgid(!asroot, injail)", error, -1, EPERM); 101172106Srwatson if (!asroot && !injail) 102172106Srwatson expect("priv_setgid(!asroot, !injail)", error, -1, EPERM); 103172106Srwatson} 104172106Srwatson 105172106Srwatsonvoid 106172106Srwatsonpriv_cred_setegid(int asroot, int injail, struct test *test) 107172106Srwatson{ 108172106Srwatson int error; 109172106Srwatson 110172106Srwatson error = setegid(GID_OTHER); 111172106Srwatson if (asroot && injail) 112172106Srwatson expect("priv_setegid(asroot, injail)", error, 0, 0); 113172106Srwatson if (asroot && !injail) 114172106Srwatson expect("priv_setegid(asroot, !injail)", error, 0, 0); 115172106Srwatson if (!asroot && injail) 116172106Srwatson expect("priv_setegd(!asroot, injail)", error, -1, EPERM); 117172106Srwatson if (!asroot && !injail) 118172106Srwatson expect("priv_setegid(!asroot, !injail)", error, -1, EPERM); 119172106Srwatson} 120172106Srwatson 121172106Srwatsonstatic const gid_t gidset[] = {GID_WHEEL, GID_OTHER}; 122172106Srwatsonstatic const int gidset_len = sizeof(gidset) / sizeof(gid_t); 123172106Srwatson 124172106Srwatsonvoid 125172106Srwatsonpriv_cred_setgroups(int asroot, int injail, struct test *test) 126172106Srwatson{ 127172106Srwatson int error; 128172106Srwatson 129172106Srwatson error = setgroups(gidset_len, gidset); 130172106Srwatson if (asroot && injail) 131172106Srwatson expect("priv_setgroups(asroot, injail)", error, 0, 0); 132172106Srwatson if (asroot && !injail) 133172106Srwatson expect("priv_setgroups(asroot, !injail)", error, 0, 0); 134172106Srwatson if (!asroot && injail) 135172106Srwatson expect("priv_setgroups(!asroot, injail)", error, -1, EPERM); 136172106Srwatson if (!asroot && !injail) 137172106Srwatson expect("priv_setgroups(!asroot, !injail)", error, -1, EPERM); 138172106Srwatson} 139172106Srwatson 140172106Srwatsonvoid 141172106Srwatsonpriv_cred_setreuid(int asroot, int injail, struct test *test) 142172106Srwatson{ 143172106Srwatson int error; 144172106Srwatson 145172106Srwatson error = setreuid(UID_OTHER, UID_OTHER); 146172106Srwatson if (asroot && injail) 147172106Srwatson expect("priv_setreuid(asroot, injail)", error, 0, 0); 148172106Srwatson if (asroot && !injail) 149172106Srwatson expect("priv_setreuid(asroot, !injail)", error, 0, 0); 150172106Srwatson if (!asroot && injail) 151172106Srwatson expect("priv_setreuid(!asroot, injail)", error, -1, EPERM); 152172106Srwatson if (!asroot && !injail) 153172106Srwatson expect("priv_setreuid(!asroot, !injail)", error, -1, EPERM); 154172106Srwatson} 155172106Srwatson 156172106Srwatsonvoid 157172106Srwatsonpriv_cred_setregid(int asroot, int injail, struct test *test) 158172106Srwatson{ 159172106Srwatson int error; 160172106Srwatson 161172106Srwatson error = setregid(GID_OTHER, GID_OTHER); 162172106Srwatson if (asroot && injail) 163172106Srwatson expect("priv_setregid(asroot, injail)", error, 0, 0); 164172106Srwatson if (asroot && !injail) 165172106Srwatson expect("priv_setregid(asroot, !injail)", error, 0, 0); 166172106Srwatson if (!asroot && injail) 167172106Srwatson expect("priv_setregid(!asroot, injail)", error, -1, EPERM); 168172106Srwatson if (!asroot && !injail) 169172106Srwatson expect("priv_setregid(!asroot, !injail)", error, -1, EPERM); 170172106Srwatson} 171172106Srwatson 172172106Srwatsonvoid 173172106Srwatsonpriv_cred_setresuid(int asroot, int injail, struct test *test) 174172106Srwatson{ 175172106Srwatson int error; 176172106Srwatson 177172106Srwatson error = setresuid(UID_OTHER, UID_OTHER, UID_OTHER); 178172106Srwatson if (asroot && injail) 179172106Srwatson expect("priv_setresuid(asroot, injail)", error, 0, 0); 180172106Srwatson if (asroot && !injail) 181172106Srwatson expect("priv_setresuid(asroot, !injail)", error, 0, 0); 182172106Srwatson if (!asroot && injail) 183172106Srwatson expect("priv_setresuid(!asroot, injail)", error, -1, EPERM); 184172106Srwatson if (!asroot && !injail) 185172106Srwatson expect("priv_setresuid(!asroot, !injail)", error, -1, EPERM); 186172106Srwatson} 187172106Srwatson 188172106Srwatsonvoid 189172106Srwatsonpriv_cred_setresgid(int asroot, int injail, struct test *test) 190172106Srwatson{ 191172106Srwatson int error; 192172106Srwatson 193172106Srwatson error = setresgid(GID_OTHER, GID_OTHER, GID_OTHER); 194172106Srwatson if (asroot && injail) 195172106Srwatson expect("priv_setresgid(asroot, injail)", error, 0, 0); 196172106Srwatson if (asroot && !injail) 197172106Srwatson expect("priv_setresgid(asroot, !injail)", error, 0, 0); 198172106Srwatson if (!asroot && injail) 199172106Srwatson expect("priv_setresgid(!asroot, injail)", error, -1, EPERM); 200172106Srwatson if (!asroot && !injail) 201172106Srwatson expect("priv_setresgid(!asroot, !injail)", error, -1, EPERM); 202172106Srwatson} 203172106Srwatson 204172106Srwatsonvoid 205172106Srwatsonpriv_cred_cleanup(int asroot, int injail, struct test *test) 206172106Srwatson{ 207172106Srwatson 208172106Srwatson} 209