summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog6
-rw-r--r--regress/Makefile4
-rw-r--r--regress/sftp-perm.sh269
3 files changed, 278 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 732fdc2cb..09ba997fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
120131018
2 - (djm) OpenBSD CVS Sync
3 - djm@cvs.openbsd.org 2013/10/09 23:44:14
4 [regress/Makefile regress/sftp-perm.sh]
5 regression test for sftp request white/blacklisting and readonly mode.
6
120131017 720131017
2 - (djm) OpenBSD CVS Sync 8 - (djm) OpenBSD CVS Sync
3 - jmc@cvs.openbsd.org 2013/10/15 14:10:25 9 - jmc@cvs.openbsd.org 2013/10/15 14:10:25
diff --git a/regress/Makefile b/regress/Makefile
index ab2a6ae7b..4c64b576f 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -44,6 +44,7 @@ LTESTS= connect \
44 sftp-badcmds \ 44 sftp-badcmds \
45 sftp-batch \ 45 sftp-batch \
46 sftp-glob \ 46 sftp-glob \
47 sftp-perm \
47 reconfigure \ 48 reconfigure \
48 dynamic-forward \ 49 dynamic-forward \
49 forwarding \ 50 forwarding \
@@ -86,7 +87,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
86 authorized_principals_${USER} expect actual ready \ 87 authorized_principals_${USER} expect actual ready \
87 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ 88 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
88 ssh.log failed-ssh.log sshd.log failed-sshd.log \ 89 ssh.log failed-ssh.log sshd.log failed-sshd.log \
89 regress.log failed-regress.log ssh-log-wrapper.sh 90 regress.log failed-regress.log ssh-log-wrapper.sh \
91 sftp-server.sh sftp-server.log sftp.log
90 92
91SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} 93SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
92 94
diff --git a/regress/sftp-perm.sh b/regress/sftp-perm.sh
new file mode 100644
index 000000000..3448740bc
--- /dev/null
+++ b/regress/sftp-perm.sh
@@ -0,0 +1,269 @@
1# $OpenBSD: sftp-perm.sh,v 1.2 2013/10/17 22:00:18 djm Exp $
2# Placed in the Public Domain.
3
4tid="sftp permissions"
5
6SERVER_LOG=${OBJ}/sftp-server.log
7CLIENT_LOG=${OBJ}/sftp.log
8TEST_SFTP_SERVER=${OBJ}/sftp-server.sh
9
10prepare_server() {
11 printf "#!/bin/sh\nexec $SFTPSERVER -el debug3 $* 2>$SERVER_LOG\n" \
12 > $TEST_SFTP_SERVER
13 chmod a+x $TEST_SFTP_SERVER
14}
15
16run_client() {
17 echo "$@" | ${SFTP} -D ${TEST_SFTP_SERVER} -vvvb - >$CLIENT_LOG 2>&1
18}
19
20prepare_files() {
21 _prep="$1"
22 rm -f ${COPY} ${COPY}.1
23 test -d ${COPY}.dd && { rmdir ${COPY}.dd || fatal "rmdir ${COPY}.dd"; }
24 test -z "$_prep" && return
25 sh -c "$_prep" || fail "preparation failed: \"$_prep\""
26}
27
28postcondition() {
29 _title="$1"
30 _check="$2"
31 test -z "$_check" && return
32 sh -c "$_check" || fail "postcondition check failed: $_title"
33}
34
35ro_test() {
36 _desc=$1
37 _cmd="$2"
38 _prep="$3"
39 _expect_success_post="$4"
40 _expect_fail_post="$5"
41 verbose "$tid: read-only $_desc"
42 # Plain (no options, mostly to test that _cmd is good)
43 prepare_files "$_prep"
44 prepare_server
45 run_client "$_cmd" || fail "plain $_desc failed"
46 postcondition "$_desc no-readonly" "$_expect_success_post"
47 # Read-only enabled
48 prepare_files "$_prep"
49 prepare_server -R
50 run_client "$_cmd" && fail "read-only $_desc succeeded"
51 postcondition "$_desc readonly" "$_expect_fail_post"
52}
53
54perm_test() {
55 _op=$1
56 _whitelist_ops=$2
57 _cmd="$3"
58 _prep="$4"
59 _expect_success_post="$5"
60 _expect_fail_post="$6"
61 verbose "$tid: explicit $_op"
62 # Plain (no options, mostly to test that _cmd is good)
63 prepare_files "$_prep"
64 prepare_server
65 run_client "$_cmd" || fail "plain $_op failed"
66 postcondition "$_op no white/blacklists" "$_expect_success_post"
67 # Whitelist
68 prepare_files "$_prep"
69 prepare_server -p $_op,$_whitelist_ops
70 run_client "$_cmd" || fail "whitelisted $_op failed"
71 postcondition "$_op whitelisted" "$_expect_success_post"
72 # Blacklist
73 prepare_files "$_prep"
74 prepare_server -P $_op
75 run_client "$_cmd" && fail "blacklisted $_op succeeded"
76 postcondition "$_op blacklisted" "$_expect_fail_post"
77 # Whitelist with op missing.
78 prepare_files "$_prep"
79 prepare_server -p $_whitelist_ops
80 run_client "$_cmd" && fail "no whitelist $_op succeeded"
81 postcondition "$_op not in whitelist" "$_expect_fail_post"
82}
83
84ro_test \
85 "upload" \
86 "put $DATA $COPY" \
87 "" \
88 "cmp $DATA $COPY" \
89 "test ! -f $COPY"
90
91ro_test \
92 "setstat" \
93 "chmod 0700 $COPY" \
94 "touch $COPY; chmod 0400 $COPY" \
95 "test -x $COPY" \
96 "test ! -x $COPY"
97
98ro_test \
99 "rm" \
100 "rm $COPY" \
101 "touch $COPY" \
102 "test ! -f $COPY" \
103 "test -f $COPY"
104
105ro_test \
106 "mkdir" \
107 "mkdir ${COPY}.dd" \
108 "" \
109 "test -d ${COPY}.dd" \
110 "test ! -d ${COPY}.dd"
111
112ro_test \
113 "rmdir" \
114 "rmdir ${COPY}.dd" \
115 "mkdir ${COPY}.dd" \
116 "test ! -d ${COPY}.dd" \
117 "test -d ${COPY}.dd"
118
119ro_test \
120 "posix-rename" \
121 "rename $COPY ${COPY}.1" \
122 "touch $COPY" \
123 "test -f ${COPY}.1 -a ! -f $COPY" \
124 "test -f $COPY -a ! -f ${COPY}.1"
125
126ro_test \
127 "oldrename" \
128 "rename -l $COPY ${COPY}.1" \
129 "touch $COPY" \
130 "test -f ${COPY}.1 -a ! -f $COPY" \
131 "test -f $COPY -a ! -f ${COPY}.1"
132
133ro_test \
134 "symlink" \
135 "ln -s $COPY ${COPY}.1" \
136 "touch $COPY" \
137 "test -h ${COPY}.1" \
138 "test ! -h ${COPY}.1"
139
140ro_test \
141 "hardlink" \
142 "ln $COPY ${COPY}.1" \
143 "touch $COPY" \
144 "test -f ${COPY}.1" \
145 "test ! -f ${COPY}.1"
146
147# Test explicit permissions
148
149perm_test \
150 "open" \
151 "realpath,stat,lstat,read,close" \
152 "get $DATA $COPY" \
153 "" \
154 "cmp $DATA $COPY" \
155 "! cmp $DATA $COPY 2>/dev/null"
156
157perm_test \
158 "read" \
159 "realpath,stat,lstat,open,close" \
160 "get $DATA $COPY" \
161 "" \
162 "cmp $DATA $COPY" \
163 "! cmp $DATA $COPY 2>/dev/null"
164
165perm_test \
166 "write" \
167 "realpath,stat,lstat,open,close" \
168 "put $DATA $COPY" \
169 "" \
170 "cmp $DATA $COPY" \
171 "! cmp $DATA $COPY 2>/dev/null"
172
173perm_test \
174 "lstat" \
175 "realpath,stat,open,read,close" \
176 "get $DATA $COPY" \
177 "" \
178 "cmp $DATA $COPY" \
179 "! cmp $DATA $COPY 2>/dev/null"
180
181perm_test \
182 "opendir" \
183 "realpath,readdir,stat,lstat" \
184 "ls -ln $OBJ"
185
186perm_test \
187 "readdir" \
188 "realpath,opendir,stat,lstat" \
189 "ls -ln $OBJ"
190
191perm_test \
192 "setstat" \
193 "realpath,stat,lstat" \
194 "chmod 0700 $COPY" \
195 "touch $COPY; chmod 0400 $COPY" \
196 "test -x $COPY" \
197 "test ! -x $COPY"
198
199perm_test \
200 "remove" \
201 "realpath,stat,lstat" \
202 "rm $COPY" \
203 "touch $COPY" \
204 "test ! -f $COPY" \
205 "test -f $COPY"
206
207perm_test \
208 "mkdir" \
209 "realpath,stat,lstat" \
210 "mkdir ${COPY}.dd" \
211 "" \
212 "test -d ${COPY}.dd" \
213 "test ! -d ${COPY}.dd"
214
215perm_test \
216 "rmdir" \
217 "realpath,stat,lstat" \
218 "rmdir ${COPY}.dd" \
219 "mkdir ${COPY}.dd" \
220 "test ! -d ${COPY}.dd" \
221 "test -d ${COPY}.dd"
222
223perm_test \
224 "posix-rename" \
225 "realpath,stat,lstat" \
226 "rename $COPY ${COPY}.1" \
227 "touch $COPY" \
228 "test -f ${COPY}.1 -a ! -f $COPY" \
229 "test -f $COPY -a ! -f ${COPY}.1"
230
231perm_test \
232 "rename" \
233 "realpath,stat,lstat" \
234 "rename -l $COPY ${COPY}.1" \
235 "touch $COPY" \
236 "test -f ${COPY}.1 -a ! -f $COPY" \
237 "test -f $COPY -a ! -f ${COPY}.1"
238
239perm_test \
240 "symlink" \
241 "realpath,stat,lstat" \
242 "ln -s $COPY ${COPY}.1" \
243 "touch $COPY" \
244 "test -h ${COPY}.1" \
245 "test ! -h ${COPY}.1"
246
247perm_test \
248 "hardlink" \
249 "realpath,stat,lstat" \
250 "ln $COPY ${COPY}.1" \
251 "touch $COPY" \
252 "test -f ${COPY}.1" \
253 "test ! -f ${COPY}.1"
254
255perm_test \
256 "statvfs" \
257 "realpath,stat,lstat" \
258 "df /"
259
260# XXX need good tests for:
261# fstat
262# fsetstat
263# realpath
264# stat
265# readlink
266# fstatvfs
267
268rm -rf ${COPY} ${COPY}.1 ${COPY}.dd
269