Tarantool development patches archive
From: "Alexander Tikhonov" <avtikhon@tarantool.org>
To: "Oleg Piskunov" <o.piskunov@tarantool.org>
Cc: tarantool-patches@dev.tarantool.org
Subject: Re: [Tarantool-patches] [PATCH v1] Split single access_escalation.test.lua into a set of small independent tests.
Date: Fri, 27 Mar 2020 12:06:21 +0300	[thread overview]
Message-ID: <1585299981.780275216@f187.i.mail.ru> (raw)
In-Reply-To: <20200324081235.GB37444@pony.bronevichok.ru>



Hi Oleg, LGTM, please proceed to Kirill to push.

  
>Tuesday, 24 March 2020, 11:12 +03:00 from Sergey Bronnikov <sergeyb@tarantool.org>:
> 
>LGTM.
>
>On 13:00 Mon 23 Mar , Oleg Piskunov wrote:
>>
>> Split single access_escalation.test.lua into a set of small independent tests.
>>
>> Github:  https://github.com/tarantool/tarantool/tree/opiskunov/access_escal_test_split
>>
>> ---
>> test/box/access_de_escalation.result | 90 ++++++++++++++++++
>> test/box/access_de_escalation.test.lua | 50 ++++++++++
>> test/box/access_escalation.result | 144 -----------------------------
>> test/box/access_escalation.test.lua | 89 ------------------
>> test/box/access_escalation_gh-617.result | 70 ++++++++++++++
>> test/box/access_escalation_gh-617.test.lua | 48 ++++++++++
>> 6 files changed, 258 insertions(+), 233 deletions(-)
>> create mode 100644 test/box/access_de_escalation.result
>> create mode 100644 test/box/access_de_escalation.test.lua
>> delete mode 100644 test/box/access_escalation.result
>> delete mode 100644 test/box/access_escalation.test.lua
>> create mode 100644 test/box/access_escalation_gh-617.result
>> create mode 100644 test/box/access_escalation_gh-617.test.lua
>>
>> diff --git a/test/box/access_de_escalation.result b/test/box/access_de_escalation.result
>> new file mode 100644
>> index 0000000..799ed1c
>> --- /dev/null
>> +++ b/test/box/access_de_escalation.result
>> @@ -0,0 +1,90 @@
>> +fiber = require('fiber')
>> +---
>> +...
>> +net = require('net.box')
>> +---
>> +...
>> +os = require('os')
>> +---
>> +...
>> +-- Test for privilege de-escalation
>> +-- --------------------------------
>> +--
>> +-- * create a setuid function which runs under a deprived user
>> +-- * invoke the function, let it sleep
>> +-- * invoke a function which should have privileges
>> +--
>> +-- define functions
>> +channel = fiber.channel(1)
>> +---
>> +...
>> +function setuid() channel:get() end
>> +---
>> +...
>> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> +---
>> +...
>> +-- create a deprived user
>> +box.schema.user.create('underprivileged')
>> +---
>> +...
>> +box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
>> +---
>> +...
>> +box.schema.user.grant('underprivileged', 'create', 'function')
>> +---
>> +...
>> +box.session.su('underprivileged')
>> +---
>> +...
>> +box.schema.func.create('setuid', {setuid=true})
>> +---
>> +...
>> +box.session.su('admin')
>> +---
>> +...
>> +--
>> +-- create a deprived function
>> +--
>> +box.schema.func.create('escalation')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'read', 'space', '_space')
>> +---
>> +...
>> +connection = net:connect(os.getenv("LISTEN"))
>> +---
>> +...
>> +background = fiber.create(function() connection:call("setuid") end)
>> +---
>> +...
>> +connection:call("escalation")
>> +---
>> +- true
>> +...
>> +channel:put(true)
>> +---
>> +- true
>> +...
>> +-- tear down
>> +box.schema.func.drop('setuid')
>> +---
>> +...
>> +box.schema.user.drop('underprivileged')
>> +---
>> +...
>> +box.schema.func.drop('escalation')
>> +---
>> +...
>> +box.schema.user.revoke('guest', 'read', 'space', '_space')
>> +---
>> +...
>> +connection:close()
>> +---
>> +...
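Review bot: the comment block before `box.schema.func.create('escalation')` reads "create a deprived function", but by that point the session has been switched back with `box.session.su('admin')`, so `escalation` is admin-owned and is the privileged function of this scenario; only `setuid` was created under `underprivileged`. Suggest rewording it in this .result and in the matching .test.lua to something like "create an admin-owned function and grant it to guest", so the expected-output file documents what the scenario actually sets up.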
>> diff --git a/test/box/access_de_escalation.test.lua b/test/box/access_de_escalation.test.lua
>> new file mode 100644
>> index 0000000..e621fd0
>> --- /dev/null
>> +++ b/test/box/access_de_escalation.test.lua
>> @@ -0,0 +1,50 @@
>> +fiber = require('fiber')
>> +net = require('net.box')
>> +os = require('os')
>> +
>> +-- Test for privilege de-escalation
>> +-- --------------------------------
>> +
>> +--
>> +-- * create a setuid function which runs under a deprived user
>> +-- * invoke the function, let it sleep
>> +-- * invoke a function which should have privileges
>> +--
>> +
>> +-- define functions
>> +
>> +channel = fiber.channel(1)
>> +function setuid() channel:get() end
>> +
>> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> +
>> +-- create a deprived user
>> +
>> +box.schema.user.create('underprivileged')
>> +box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
>> +box.schema.user.grant('underprivileged', 'create', 'function')
>> +box.session.su('underprivileged')
>> +box.schema.func.create('setuid', {setuid=true})
>> +box.session.su('admin')
>> +--
>> +-- create a deprived function
>> +--
>> +
>> +box.schema.func.create('escalation')
>> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> +box.schema.user.grant('guest', 'read', 'space', '_space')
>> +
>> +connection = net:connect(os.getenv("LISTEN"))
>> +
>> +background = fiber.create(function() connection:call("setuid") end)
>> +connection:call("escalation")
>> +channel:put(true)
>> +
>> +-- tear down
>> +
>> +box.schema.func.drop('setuid')
>> +box.schema.user.drop('underprivileged')
>> +box.schema.func.drop('escalation')
>> +box.schema.user.revoke('guest', 'read', 'space', '_space')
>> +connection:close()
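Review bot: `setuid()` is just `channel:get()`, so nothing in this test observes which user the setuid function actually runs as; if setuid functions stopped switching to the owner's uid, `escalation` would still return true (guest holds read on `_space`) and the test would keep passing. Suggest capturing the effective user inside the function, e.g. `function setuid() local u = box.session.effective_user(); channel:get(); return u end`, passing the value returned by `connection:call("setuid")` out of the background fiber (a second channel works) and checking it equals `underprivileged` before the tear-down. Also, `os = require('os')` reassigns the global `os` table to itself and can be dropped.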
>> diff --git a/test/box/access_escalation.result b/test/box/access_escalation.result
>> deleted file mode 100644
>> index df8a947..0000000
>> --- a/test/box/access_escalation.result
>> +++ /dev/null
>> @@ -1,144 +0,0 @@
>> -fiber = require('fiber')
>> ----
>> -...
>> -net = require('net.box')
>> ----
>> -...
>> -log = require('log')
>> ----
>> -...
>> -json = require('json')
>> ----
>> -...
>> -os = require('os')
>> ----
>> -...
>> --- gh-617: guest access denied because of setuid
>> --- function invocation.
>> --- Test for privilege escalation
>> --- -----------------------------
>> --- * create a setuid function which changes effective id
>> --- to superuser
>> --- * invoke it via the binary protocol
>> --- * while the function is running, invoke a non-setuid function
>> --- which reads a system space.
>> ---
>> --- The invoked function should get "Access denied" error,
>> --- there should be no privilege escalation.
>> --- define functions
>> -channel = fiber.channel(1)
>> ----
>> -...
>> -function setuid() channel:get() end
>> ----
>> -...
>> -function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> ----
>> -...
>> --- set up grants
>> -box.schema.func.create('setuid', {setuid=true})
>> ----
>> -...
>> -box.schema.func.create('escalation')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> ----
>> -...
>> -connection = net:connect(os.getenv("LISTEN"))
>> ----
>> -...
>> -background = fiber.create(function() connection:call("setuid") end)
>> ----
>> -...
>> -connection:call("escalation")
>> ----
>> -- error: Read access to space '_space' is denied for user 'guest'
>> -...
>> -channel:put(true)
>> ----
>> -- true
>> -...
>> ---
>> --- tear down the functions; the grants are dropped recursively
>> ---
>> -box.schema.func.drop('setuid')
>> ----
>> -...
>> -box.schema.func.drop('escalation')
>> ----
>> -...
>> -connection:close()
>> ----
>> -...
>> --- Test for privilege de-escalation
>> --- --------------------------------
>> ---
>> --- * create a setuid function which runs under a deprived user
>> --- * invoke the function, let it sleep
>> --- * invoke a function which should have privileges
>> ---
>> --- create a deprived user
>> -box.schema.user.create('underprivileged')
>> ----
>> -...
>> -box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
>> ----
>> -...
>> -box.schema.user.grant('underprivileged', 'create', 'function')
>> ----
>> -...
>> -box.session.su('underprivileged')
>> ----
>> -...
>> -box.schema.func.create('setuid', {setuid=true})
>> ----
>> -...
>> -box.session.su('admin')
>> ----
>> -...
>> ---
>> --- create a deprived function
>> ---
>> -box.schema.func.create('escalation')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'read', 'space', '_space')
>> ----
>> -...
>> -connection = net:connect(os.getenv("LISTEN"))
>> ----
>> -...
>> -background = fiber.create(function() connection:call("setuid") end)
>> ----
>> -...
>> -connection:call("escalation")
>> ----
>> -- true
>> -...
>> -channel:put(true)
>> ----
>> -- true
>> -...
>> --- tear down
>> -box.schema.user.drop('underprivileged')
>> ----
>> -...
>> -box.schema.func.drop('escalation')
>> ----
>> -...
>> -box.schema.user.revoke('guest', 'read', 'space', '_space')
>> ----
>> -...
>> -connection:close()
>> ----
>> -...
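Review bot: this deleted .result is the only oracle for the old expected outputs, so the split should be checked block for block against the two new .result files. From the visible lines, the gh-617 half matches exactly apart from the dropped `log`/`json` requires, and the de-escalation half matches apart from the added `box.schema.func.drop('setuid')` in the tear-down; both deltas look fine but belong in the commit message so the split reads as intentional rather than as a silent change in expected output.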
>> diff --git a/test/box/access_escalation.test.lua b/test/box/access_escalation.test.lua
>> deleted file mode 100644
>> index 9f35f21..0000000
>> --- a/test/box/access_escalation.test.lua
>> +++ /dev/null
>> @@ -1,89 +0,0 @@
>> -fiber = require('fiber')
>> -net = require('net.box')
>> -log = require('log')
>> -json = require('json')
>> -os = require('os')
>> -
>> --- gh-617: guest access denied because of setuid
>> --- function invocation.
>> -
>> --- Test for privilege escalation
>> --- -----------------------------
>> --- * create a setuid function which changes effective id
>> --- to superuser
>> --- * invoke it via the binary protocol
>> --- * while the function is running, invoke a non-setuid function
>> --- which reads a system space.
>> ---
>> --- The invoked function should get "Access denied" error,
>> --- there should be no privilege escalation.
>> -
>> --- define functions
>> -
>> -channel = fiber.channel(1)
>> -function setuid() channel:get() end
>> -
>> -function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> -
>> --- set up grants
>> -
>> -box.schema.func.create('setuid', {setuid=true})
>> -box.schema.func.create('escalation')
>> -
>> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> -
>> -
>> -connection = net:connect(os.getenv("LISTEN"))
>> -
>> -background = fiber.create(function() connection:call("setuid") end)
>> -connection:call("escalation")
>> -channel:put(true)
>> -
>> ---
>> --- tear down the functions; the grants are dropped recursively
>> ---
>> -
>> -box.schema.func.drop('setuid')
>> -box.schema.func.drop('escalation')
>> -
>> -connection:close()
>> -
>> --- Test for privilege de-escalation
>> --- --------------------------------
>> -
>> ---
>> --- * create a setuid function which runs under a deprived user
>> --- * invoke the function, let it sleep
>> --- * invoke a function which should have privileges
>> ---
>> -
>> --- create a deprived user
>> -
>> -box.schema.user.create('underprivileged')
>> -box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
>> -box.schema.user.grant('underprivileged', 'create', 'function')
>> -box.session.su('underprivileged')
>> -box.schema.func.create('setuid', {setuid=true})
>> -box.session.su('admin')
>> ---
>> --- create a deprived function
>> ---
>> -
>> -box.schema.func.create('escalation')
>> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> -box.schema.user.grant('guest', 'read', 'space', '_space')
>> -
>> -connection = net:connect(os.getenv("LISTEN"))
>> -
>> -background = fiber.create(function() connection:call("setuid") end)
>> -connection:call("escalation")
>> -channel:put(true)
>> -
>> --- tear down
>> -
>> -box.schema.user.drop('underprivileged')
>> -box.schema.func.drop('escalation')
>> -box.schema.user.revoke('guest', 'read', 'space', '_space')
>> -connection:close()
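Review bot: the old de-escalation tear-down (the last block of this hunk) dropped user `underprivileged` without dropping its `setuid` function first, whereas the new `access_de_escalation.test.lua` drops `setuid` explicitly before the user. Either ordering may be fine, but together with the removal of the unused `log` and `json` requires it means the patch does more than move lines; the commit message should list these changes and give the motivation for the split (for example, being able to run or disable the gh-617 case independently of the de-escalation case).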
>> diff --git a/test/box/access_escalation_gh-617.result b/test/box/access_escalation_gh-617.result
>> new file mode 100644
>> index 0000000..bf9c93f
>> --- /dev/null
>> +++ b/test/box/access_escalation_gh-617.result
>> @@ -0,0 +1,70 @@
>> +fiber = require('fiber')
>> +---
>> +...
>> +net = require('net.box')
>> +---
>> +...
>> +os = require('os')
>> +---
>> +...
>> +-- gh-617: guest access denied because of setuid
>> +-- function invocation.
>> +-- Test for privilege escalation
>> +-- -----------------------------
>> +-- * create a setuid function which changes effective id
>> +-- to superuser
>> +-- * invoke it via the binary protocol
>> +-- * while the function is running, invoke a non-setuid function
>> +-- which reads a system space.
>> +--
>> +-- The invoked function should get "Access denied" error,
>> +-- there should be no privilege escalation.
>> +-- define functions
>> +channel = fiber.channel(1)
>> +---
>> +...
>> +function setuid() channel:get() end
>> +---
>> +...
>> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> +---
>> +...
>> +-- set up grants
>> +box.schema.func.create('setuid', {setuid=true})
>> +---
>> +...
>> +box.schema.func.create('escalation')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> +---
>> +...
>> +connection = net:connect(os.getenv("LISTEN"))
>> +---
>> +...
>> +background = fiber.create(function() connection:call("setuid") end)
>> +---
>> +...
>> +connection:call("escalation")
>> +---
>> +- error: Read access to space '_space' is denied for user 'guest'
>> +...
>> +channel:put(true)
>> +---
>> +- true
>> +...
>> +--
>> +-- tear down the functions; the grants are dropped recursively
>> +--
>> +box.schema.func.drop('setuid')
>> +---
>> +...
>> +box.schema.func.drop('escalation')
>> +---
>> +...
>> +connection:close()
>> +---
>> +...
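Review bot: after `channel:put(true)` the test goes straight to `connection:close()` without waiting for the background fiber, so the outcome of `connection:call("setuid")` is never recorded in this .result; an error raised by the setuid call itself would only show up in the log and the test would still pass. Suggest making the fiber joinable (`background:set_joinable(true)` right after `fiber.create`, then `background:join()` after `channel:put(true)`, or pushing the call result through a second channel) and adding its value to the expected output before the `-- tear down the functions` block.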
>> diff --git a/test/box/access_escalation_gh-617.test.lua b/test/box/access_escalation_gh-617.test.lua
>> new file mode 100644
>> index 0000000..2c7b40f
>> --- /dev/null
>> +++ b/test/box/access_escalation_gh-617.test.lua
>> @@ -0,0 +1,48 @@
>> +fiber = require('fiber')
>> +net = require('net.box')
>> +os = require('os')
>> +
>> +-- gh-617: guest access denied because of setuid
>> +-- function invocation.
>> +
>> +-- Test for privilege escalation
>> +-- -----------------------------
>> +-- * create a setuid function which changes effective id
>> +-- to superuser
>> +-- * invoke it via the binary protocol
>> +-- * while the function is running, invoke a non-setuid function
>> +-- which reads a system space.
>> +--
>> +-- The invoked function should get "Access denied" error,
>> +-- there should be no privilege escalation.
>> +
>> +-- define functions
>> +
>> +channel = fiber.channel(1)
>> +function setuid() channel:get() end
>> +
>> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> +
>> +-- set up grants
>> +
>> +box.schema.func.create('setuid', {setuid=true})
>> +box.schema.func.create('escalation')
>> +
>> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> +
>> +
>> +connection = net:connect(os.getenv("LISTEN"))
>> +
>> +background = fiber.create(function() connection:call("setuid") end)
>> +connection:call("escalation")
>> +channel:put(true)
>> +
>> +--
>> +-- tear down the functions; the grants are dropped recursively
>> +--
>> +
>> +box.schema.func.drop('setuid')
>> +box.schema.func.drop('escalation')
>> +
>> +connection:close()
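Review bot: `background` is assigned but never referenced again, so the assignment reads as dead code; either drop it or give it a use. The double blank line between the two `guest` grants and `connection = net:connect(os.getenv("LISTEN"))` is also the only place in the file with two consecutive empty lines; collapsing it keeps the file consistent with `access_de_escalation.test.lua`.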
>> --
>> 1.8.3.1
>>
>--
>sergeyb@ 
 
 
--
Alexander Tikhonov
 



Thread overview: 2+ messages
     [not found] <1584957603-30607-1-git-send-email-o.piskunov@tarantool.org>
2020-03-24  8:12 ` Sergey Bronnikov
2020-03-27  9:06   ` Alexander Tikhonov [this message]
