* [PATCH 0/1] improvements to acl-ptest
@ 2016-05-18 21:30 Peter Seebach
2016-05-18 21:30 ` [PATCH 1/1] acl.inc, run-ptest: improve ptest functionality on limited rootfs Peter Seebach
0 siblings, 1 reply; 2+ messages in thread
From: Peter Seebach @ 2016-05-18 21:30 UTC (permalink / raw)
To: OE Core mailing list
The acl tests assume that umask is 022 (or similar) by default
for some of the permissions tests. The existing run-ptest script
also assumes availability of gpasswd, which we tend to remove by
default, and that the current filesystem supports ACLs. Fix
this by adding a line to the test script for the umask, and making
run-ptest use direct sed to alter /etc/group (it really does need
to) and use a temporary filesystem. (This creates a requirement for
mkfs.ext3, which may be a problem, but it works in our usual
environment, so I figure I'll leave it that way for now?)
The following changes since commit 2fef37fab6967410aff33744c8843bcae028de56:
gcc: Security fix CVE-2016-4490 (2016-05-17 14:42:18 +0100)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib seebs/aclptest
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=seebs/aclptest
Peter Seebach (1):
acl.inc, run-ptest: improve ptest functionality on limited rootfs
meta/recipes-support/attr/acl.inc | 1 +
meta/recipes-support/attr/acl/run-ptest | 67 ++++++++++++++++++--
.../attr/acl/test-fix-directory-permissions.patch | 24 +++++++
3 files changed, 87 insertions(+), 5 deletions(-)
create mode 100644 meta/recipes-support/attr/acl/test-fix-directory-permissions.patch
* [PATCH 1/1] acl.inc, run-ptest: improve ptest functionality on limited rootfs
2016-05-18 21:30 [PATCH 0/1] improvements to acl-ptest Peter Seebach
@ 2016-05-18 21:30 ` Peter Seebach
0 siblings, 0 replies; 2+ messages in thread
From: Peter Seebach @ 2016-05-18 21:30 UTC (permalink / raw)
To: OE Core mailing list
ACL's ptest has a handful of failure modes which can be triggered by
a restrictive or small system. First, the ptest requires that daemon
be in the bin group, which run-ptest attempts to do using gpasswd,
but gpasswd is part of shadow, and oe-core removes shadow when it
doesn't think shadow will be needed. Even if, say, a package has
RDEPENDS on it. Whoops. So we manually sed the group file. This
will probably work.
Second, the filesystem used for the test has to support ACLs,
so we create a dummy ext3 filesystem and use that.
Third, the root/permissions test relies on the assumption that
"mkdir d" produces a directory which non-root users can access,
but in a secure product which defaults to umask 077, this doesn't
work. (That fix has been separately reported to upstream acl
through their bug report form.)
(This may prevent the test from running without mkfs.ext3, but it
allows the test to run on targets where root doesn't have ACL
support. Tradeoffs, tradeoffs everywhere.)
Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
---
meta/recipes-support/attr/acl.inc | 1 +
meta/recipes-support/attr/acl/run-ptest | 67 ++++++++++++++++++--
.../attr/acl/test-fix-directory-permissions.patch | 24 +++++++
3 files changed, 87 insertions(+), 5 deletions(-)
create mode 100644 meta/recipes-support/attr/acl/test-fix-directory-permissions.patch
diff --git a/meta/recipes-support/attr/acl.inc b/meta/recipes-support/attr/acl.inc
index 198fb4f..aebebfd 100644
--- a/meta/recipes-support/attr/acl.inc
+++ b/meta/recipes-support/attr/acl.inc
@@ -14,6 +14,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/acl/${BP}.src.tar.gz \
file://acl-fix-the-order-of-expected-output-of-getfacl.patch \
file://test-fix-insufficient-quoting-of.patch \
file://test-fixups-on-SELinux-machines-for-root-testcases.patch \
+ file://test-fix-directory-permissions.patch \
"
require ea-acl.inc
diff --git a/meta/recipes-support/attr/acl/run-ptest b/meta/recipes-support/attr/acl/run-ptest
index 3b31cc9..a56946d 100644
--- a/meta/recipes-support/attr/acl/run-ptest
+++ b/meta/recipes-support/attr/acl/run-ptest
@@ -1,7 +1,64 @@
#!/bin/sh
+#
+#This script is used to run acl test suites
-gpasswd -a daemon bin
-make -C test -k tests root-tests |sed \
- -e 's|^\[.*\] \(.*\) -- ok$|PASS: \1|' \
- -e 's|^\[.*\] \(.*\) -- failed|FAIL: \1|'
-gpasswd -d daemon bin
+#umask 077
+
+EXT3_IMAGE=ext3.img
+EXT3_MOUNT_POINT=/mnt/ext3
+
+trap 'rm -f ${EXT3_IMAGE}' EXIT
+
+dd if=/dev/zero of=${EXT3_IMAGE} bs=1M count=1
+if [ "$?" -eq 0 ]; then
+ echo "PASS: dump ext3.img"
+else
+ echo "FAIL: dump ext3.img"
+ exit 1
+fi
+
+mkfs.ext3 -F ${EXT3_IMAGE}
+if [ "$?" -eq 0 ]; then
+ echo "PASS: mkfs.ext3 -F ext3.img"
+else
+ echo "FAIL: mkfs.ext3 -F ext3.img"
+ exit 1
+fi
+
+if [ -d $EXT3_MOUNT_POINT ]; then
+ echo "mount point exist"
+else
+ mkdir -p $EXT3_MOUNT_POINT
+fi
+
+
+mount -o loop,rw,acl ${EXT3_IMAGE} $EXT3_MOUNT_POINT
+if [ "$?" -eq 0 ]; then
+ echo "PASS: mount ext3.img"
+else
+ echo "FAIL: mount ext3.img"
+ exit 1
+fi
+
+cp -rf ./test/ $EXT3_MOUNT_POINT
+
+cd $EXT3_MOUNT_POINT/test/
+
+if sed -e 's!^bin:x:2:$!bin:x:2:daemon!' < /etc/group > gtmp
+then if cp /etc/group group.orig;
+ then cp gtmp /etc/group
+ make -k tests root-tests | sed \
+ -e 's|^\[.*\] \(.*\) -- ok$|PASS: \1|' \
+ -e 's|^\[.*\] \(.*\) -- failed|FAIL: \1|'
+ cp group.orig /etc/group
+ else echo "FAIL: couldn't save original group file."
+ exit 1
+ fi
+else echo "FAIL: couldn't create modified group file."
+ exit 1
+fi
+
+cd -
+umount $EXT3_MOUNT_POINT
+rm -rf $EXT3_MOUNT_POINT
+rm $EXT3_IMAGE
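Review bot: The `/etc/group` swap around `make -k tests root-tests` is only undone on the straight-line path: the sole trap is `rm -f ${EXT3_IMAGE}`, so if the run is interrupted between `cp gtmp /etc/group` and `cp group.orig /etc/group`, daemon stays in bin and the loop mount stays up. I would move the group restore and the `umount` into the EXIT trap, and give `EXT3_IMAGE` an absolute path, since after `cd $EXT3_MOUNT_POINT/test/` the two `exit 1` branches run the trap's relative `rm -f` from the wrong directory and leave the filesystem mounted. Two smaller points: sed exits 0 whether or not `^bin:x:2:$` matched, so a bin entry with a different GID or existing members passes through unchanged and the tests run without the membership they need (a grep on gtmp for daemon before copying it over would catch that); and `rm -rf $EXT3_MOUNT_POINT` removes the directory even when the "mount point exist" branch found it already present.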
diff --git a/meta/recipes-support/attr/acl/test-fix-directory-permissions.patch b/meta/recipes-support/attr/acl/test-fix-directory-permissions.patch
new file mode 100644
index 0000000..cd4510c
--- /dev/null
+++ b/meta/recipes-support/attr/acl/test-fix-directory-permissions.patch
@@ -0,0 +1,24 @@
+commit c45bae84817a70fef6c2b661a07a492a0d23ae85
+Author: Peter Seebach <peter.seebach@windriver.com>
+Date: Wed May 11 15:16:06 2016 -0500
+
+ Fix permissions on temporary directory
+
+ The temporary directory's permissions have to allow other users to
+ view the directory. A default umask of 022 is common, but not mandatory,
+ and secure systems may have more restrictive defaults.
+
+ Signed-off-by: Peter Seebach <peter.seebach@windriver.com>
+
+diff --git a/test/root/permissions.test b/test/root/permissions.test
+index 42615f5..098b52a 100644
+--- a/test/root/permissions.test
++++ b/test/root/permissions.test
+@@ -16,6 +16,7 @@ Cry immediately if we are not running as root.
+ First, set up a temporary directory and create a regular file with
+ defined permissions.
+
++ $ umask 022
+ $ mkdir d
+ $ cd d
+ $ umask 027
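Review bot: The header of the new test-fix-directory-permissions.patch carries the commit id, Author, Date and Signed-off-by but no `Upstream-Status:` line, which OE-Core expects on each patch listed in SRC_URI. Since the commit message of this submission says the fix was reported to upstream acl through their bug report form, an `Upstream-Status: Submitted` line naming where it was sent, placed next to the Signed-off-by, would cover it.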
--
1.7.1