mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00
Code Issues Releases Wiki Activity

Add tests for sudoers mode, owner and group checks.

Browse Source
This commit is contained in:
Todd C. Miller 2012-05-21 15:39:24 -04:00
parent 0d82c4c7ee
commit ca9331d498
10 changed files with 107 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/sudoers/Makefile.in
View File

@ -355,7 +355,7 @@ check: $(TEST_PROGS) visudo testsudoers
rval=`expr $$rval + $$failed`; exit $$rval rval=`expr $$rval + $$failed`; exit $$rval
clean: clean:
-$(LIBTOOL) --mode=clean rm -f $(PROGS) $(TEST_PROGS) *.lo *.o *.la *.a stamp-* core *.core core.* *.out *.toke *.err -$(LIBTOOL) --mode=clean rm -f $(PROGS) $(TEST_PROGS) *.lo *.o *.la *.a stamp-* core *.core core.* *.out *.toke *.err *.inc
mostlyclean: clean mostlyclean: clean

1
plugins/sudoers/regress/testsudoers/test1.sh
View File

@ -5,6 +5,7 @@
# This is RedHat bug Bug 667103. # This is RedHat bug Bug 667103.
# #
exec 2>&1
./testsudoers -g bin root id <<EOF ./testsudoers -g bin root id <<EOF
root ALL = ALL root ALL = ALL
EOF EOF

5
plugins/sudoers/regress/testsudoers/test2.sh
View File

@ -3,6 +3,9 @@
# Test #include facility # Test #include facility
# #
./testsudoers root id <<EOF USER=`\ls -l $TESTDIR/test2.inc | awk '{print $3}'`
UID=`id -u $USER`
exec 2>&1
./testsudoers -U $UID root id <<EOF
#include $TESTDIR/test2.inc #include $TESTDIR/test2.inc
EOF EOF

5
plugins/sudoers/regress/testsudoers/test3.sh
View File

@ -3,6 +3,9 @@
# Test #include facility # Test #include facility
# #
./testsudoers -U `id -u` root id <<EOF USER=`\ls -l $TESTDIR/test2.inc | awk '{print $3}'`
UID=`id -u $USER`
exec 2>&1
./testsudoers -U $UID root id <<EOF
#includedir $TESTDIR/test3.d #includedir $TESTDIR/test3.d
EOF EOF

6
plugins/sudoers/regress/testsudoers/test4.out.ok Normal file
View File

@ -0,0 +1,6 @@
testsudoers: test2.inc should be owned by uid 1
Parse error in sudoers near line 1.
Entries for user root:
Command unmatched

9
plugins/sudoers/regress/testsudoers/test4.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/sh
#
# Test sudoers owner check
#
exec 2>&1
./testsudoers -U 1 root id <<EOF
#include $TESTDIR/test2.inc
EOF

1
plugins/sudoers/regress/testsudoers/test5.inc Normal file
View File

@ -0,0 +1 @@
root ALL = ALL

12
plugins/sudoers/regress/testsudoers/test5.out.ok Normal file
View File

@ -0,0 +1,12 @@
testsudoers: test5.inc is world writable
Parse error in sudoers near line 1.
Entries for user root:
Command unmatched
testsudoers: test5.inc should be owned by gid 1
Parse error in sudoers near line 1.
Entries for user root:
Command unmatched

26
plugins/sudoers/regress/testsudoers/test5.sh Executable file
View File

@ -0,0 +1,26 @@
#!/bin/sh
#
# Test sudoers file mode check
#
# Create test file
TESTFILE=`pwd`/test5.inc
cat >$TESTFILE <<EOF
root ALL = ALL
EOF
USER=`\ls -l $TESTFILE | awk '{print $3}'`
UID=`id -u $USER`
exec 2>&1
# Test world writable
chmod 666 $TESTFILE
./testsudoers -U $UID root id <<EOF
#include $TESTFILE
EOF
# Test group writable
chmod 664 $TESTFILE
./testsudoers -U $UID -G 1 root id <<EOF
#include $TESTFILE
EOF

49
plugins/sudoers/testsudoers.c
View File

@ -69,6 +69,7 @@
#include "interfaces.h" #include "interfaces.h"
#include "parse.h" #include "parse.h"
#include "sudo_conf.h" #include "sudo_conf.h"
#include "secure_path.h"
#include <gram.h> #include <gram.h>
/* /*
@ -160,7 +161,7 @@ main(int argc, char *argv[])
dflag = 0; dflag = 0;
grfile = pwfile = NULL; grfile = pwfile = NULL;
while ((ch = getopt(argc, argv, "dg:G:h:p:tu:U:")) != -1) { while ((ch = getopt(argc, argv, "dg:G:h:P:p:tu:U:")) != -1) {
switch (ch) { switch (ch) {
case 'd': case 'd':
dflag = 1; dflag = 1;
@ -169,7 +170,7 @@ main(int argc, char *argv[])
user_host = optarg; user_host = optarg;
break; break;
case 'G': case 'G':
grfile = optarg; sudoers_gid = (gid_t)atoi(optarg);
break; break;
case 'g': case 'g':
runas_group = optarg; runas_group = optarg;
@ -177,11 +178,14 @@ main(int argc, char *argv[])
case 'p': case 'p':
pwfile = optarg; pwfile = optarg;
break; break;
case 'P':
grfile = optarg;
break;
case 't': case 't':
trace_print = testsudoers_print; trace_print = testsudoers_print;
break; break;
case 'U': case 'U':
sudoers_uid = atoi(optarg); sudoers_uid = (uid_t)atoi(optarg);
break; break;
case 'u': case 'u':
runas_user = optarg; runas_user = optarg;
@ -417,11 +421,44 @@ set_fqdn(void)
} }
FILE * FILE *
open_sudoers(const char *path, bool doedit, bool *keepopen) open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
{ {
struct stat sb;
FILE *fp = NULL;
char *sudoers_base;
debug_decl(open_sudoers, SUDO_DEBUG_UTIL) debug_decl(open_sudoers, SUDO_DEBUG_UTIL)
debug_return_ptr(fopen(path, "r")); sudoers_base = strrchr(sudoers, '/');
if (sudoers_base != NULL)
sudoers_base++;
switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) {
case SUDO_PATH_SECURE:
fp = fopen(sudoers, "r");
break;
case SUDO_PATH_MISSING:
warning("unable to stat %s", sudoers_base);
break;
case SUDO_PATH_BAD_TYPE:
warningx("%s is not a regular file", sudoers_base);
break;
case SUDO_PATH_WRONG_OWNER:
warningx("%s should be owned by uid %u",
sudoers_base, (unsigned int) sudoers_uid);
break;
case SUDO_PATH_WORLD_WRITABLE:
warningx("%s is world writable", sudoers_base);
break;
case SUDO_PATH_GROUP_WRITABLE:
warningx("%s should be owned by gid %u",
sudoers_base, (unsigned int) sudoers_gid);
break;
default:
/* NOTREACHED */
break;
}
debug_return_ptr(fp);
} }
void void
@ -680,6 +717,6 @@ static int testsudoers_print(const char *msg)
void void
usage(void) usage(void)
{ {
(void) fprintf(stderr, "usage: %s [-dt] [-G grfile] [-g group] [-h host] [-p pwfile] [-U sudoers_uid] [-u user] <user> <command> [args]\n", getprogname()); (void) fprintf(stderr, "usage: %s [-dt] [-G sudoers_gid] [-g group] [-h host] [-p grfile] [-p pwfile] [-U sudoers_uid] [-u user] <user> <command> [args]\n", getprogname());
exit(1); exit(1);
} }